ISO 27018 Consulting Services for CSPs

Prove You Can Protect Personal Data in Your Cloud

Know the Personal Data in Your Cloud Environment is Secure—and Prove It

Securely processing Personally Identifiable Information (PII) in your cloud environment, and proving that you do so, is becoming more challenging every day. New privacy regulations (such as CCPA) coupled with pressure from customers and management have made running a secure cloud environment notably harder than it was just a few years ago.

To attract and keep customers and steer clear of data breaches and regulatory penalties, today’s cloud service providers (CSPs) need to prove to prospects, shareholders, business partners, their own management and plenty of others that they are securing PII.

With Pivot Point Security as your trusted partner, demonstrating conformance with ISO 27018 year over year as an extension of your ISO 27001 certification becomes an achievable, repeatable process. Our clients demonstrate enhanced cloud security postures, including the ability to provably protect PII. They can show any regulator or other stakeholder that the PII they handle is secured and that their processing of PII is aligned with applicable regulations.

Quick info on ISO 27018

ISO/IEC 27018:2019, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, establishes best-practice controls and implementation guidance for protecting PII in public cloud computing environments. It is based on the privacy principles described in ISO/IEC 29100 and on the information security controls specified in ISO/IEC 27002.

ISO 27018 extends both of these standards with cloud-specific guidance and additional controls addressing the protection of PII in the context of public cloud services. It applies to any organization that processes PII using cloud services under contract to other organizations, i.e. to CSPs acting as PII processors.

CSPs can extend the scope of their ISO 27001-compliant Information Security Management System (ISMS) to include the additional ISO 27018 controls in order to attain conformance with ISO 27018.

Quick note: if you are struggling with multiple standards, or running independent privacy and information security programs, you may want to look at ISO 27701, which extends ISO 27001 and ISO 27002 with privacy management requirements and is intended to solve exactly these problems.


Benefits for CSPs to Align with ISO 27018

Cloud services providers that handle PII can gain significant business benefits from demonstrating conformance with ISO 27018 controls. These benefits include:

  • Improved customer and stakeholder confidence that PII is being properly secured
  • Simplified ability to do business globally or in multiple regions/countries
  • Streamlined contract negotiation
  • Improved ability to comply with evolving laws and regulations governing the handling of PII in the cloud
  • Reduced cost of cyber liability insurance (CLI)

Pivot Point Security’s ISO 27018 consulting services will help your CSP strategize, operationalize and certify a robust and effective ISMS with the associated controls specific to PII in the public cloud. Our experts have the cloud security experience it takes to bring your environment into conformance with the ISO 27018 standard and keep it there.


ISO 27018 Frequently Asked Questions

What is ISO 27018?

A member of the ISO 27000 family of international information security standards, ISO 27018 provides guidance on information security issues and regulatory requirements specific to protecting Personally Identifiable Information (PII) in the public cloud. It is based on the privacy principles described in ISO 29100 and the information security controls described in ISO 27002. The primary audience for this standard is businesses that process PII in the cloud under contract to other organizations. Organizations considering ISO 27018 should also consider ISO 27701 as an alternative: it covers the ISO 27018 controls and goes further, integrating privacy into the management system itself as a Privacy Information Management System (PIMS), and it can be certified as an extension to an ISO 27001 certification.

Can my business get an ISO 27018 certification?

Because ISO 27018 is a code of practice rather than a management system standard, businesses cannot be certified against the ISO 27018 controls on their own. Instead, your company can add the ISO 27018 controls to the scope of its ISO 27001 certification audit and have them named in the scope statement that appears on your ISO 27001 certificate.

Why should my company consider implementing ISO 27018 controls?

Any cloud service provider that processes personal data on behalf of clients will likely benefit from aligning with ISO 27018. By specifying data protection guidance specific to cloud environments, ISO 27018 covers the key data protection and data management issues that today’s PII processors face, including support for compliance with privacy laws such as GDPR and CCPA. Organizations that align with ISO 27018 will benefit from a more robust security posture, along with an improved ability to handle privacy-related processes such as obtaining and honoring individual consent to the use of PII.

What do the ISO 27018 controls specify?

Among other things, ISO 27018 specifies processes for the timely return, transfer or secure disposal of PII, and requires that the CSP notify its customers of data breaches involving PII. It also requires disclosure of any sub-processors used to process customer data before the contract is entered into, along with informing existing customers if sub-processor relationships change. Further, ISO 27018 requires that the processor not use customer PII for its own advertising or marketing purposes without the customer’s express consent, and that it not make the use of its services conditional on the customer agreeing to such use of their PII.

Benefits of Our ISO 27001 + ISO 27018 As-A-Service Model

  • Achieve conformance at your own pace – We offer dedicated ISO 27018 expertise on tap, so you’ll have the information, documentation and staff augmentation you need, when you need it.
  • Chart a roadmap and stay on course – Regular status and coordination meetings between our ISO 27018 specialists and your in-house team will keep your project on track.
  • Minimize time and expense – Our dedicated expertise, proven processes and standards-aligned artifacts will save you time and money during your conformance process.
  • Ensure your business meets ISO 27018 requirements – Pivot Point Security supports your success by validating that your applicable controls and processes conform to the ISO 27018 guidance.
  • Achieve ISO 27001 certification – We provide onsite support for your ISO 27001 certification audit, including the extended scope of your ISO 27018 controls.
  • Maintain ISO 27018 conformance – Pivot Point Security can provide whatever ongoing support you need to operate your ISMS in a way that protects PII. We can also help you continually improve your data protection posture, implement your Internal Audit Program, and maintain ISO 27018 conformance over time within the scope of your ISO 27001 certification.