As we are a public cloud provider I am keen to get an understanding what it would take to get ISO27018:2014 compliant.
Microsoft boast that they are the only 27018-compliant cloud company. If you see the link, they refer to: ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.
Could we add these "controls" to the SoA and get the same results? I.e., get these controls included in the SoA and also say that we are adhering to ISO 27018?
You wouldn't happen to have templates that address these controls?
Answer:
From my point of view, you can use the security controls of ISO 27018 (which is simply a code of best practices, similar to ISO 27002 but focused on the protection of personally identifiable information) and include them in your SoA (obviously if you have implemented an ISMS), specifying that they are included for compliance with the best practices of ISO 27018. After this, it will be recommendable to pass an audit from an external entity (certification audit), and after this you could say to your customers that your business is compliant with the best practices of ISO 27002 and ISO 27018.
So, if you have an ISMS implemented, you could include the security controls of ISO 27018, but remember, you cannot certify ISO 27018 (nor ISO 27002), because it is only a code of best practices.
And I am sorry, but we do not have specific templates for this standard, although you can download ISO 27018 from the official site of iso.org: https://www.iso.org/standard/61498.html
Jan 12, 2016