Guidelines 27017 and 27018

ISO/IEC 27017:2015 and ISO/IEC 27018:2014 guidelines - Protection of personal data in the cloud

Cloud computing is increasingly widespread, and with it grow customers' concerns about transparency and confidentiality and their desire for control over service providers: customers are often not aware of how information is stored and protected in the cloud. Where is the information physically located? What happens when switching to another supplier? What happens if the current supplier ceases its business?

Furthermore, according to current regulations, the responsibility for violating the rules on the protection of personal data lies with the data controller (the customer). A verifiable standard is therefore needed to demonstrate a cloud service provider's ability to guarantee security and data protection, including for personal data subject to privacy regulations.

ISO and IEC have therefore developed the new standards ISO/IEC 27017:2015 (Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services) and ISO/IEC 27018 (Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).

ISO/IEC 27017 and 27018 are the first international standards that help public cloud providers to ensure their own compliance: the standards are specifically addressed to public cloud service providers that process personal data (PII, Personally Identifiable Information) and that act as data (PII) processors.

Both are defined and based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of personal data that may be applicable.

Next step?

SIET is able to integrate an existing ISO/IEC 27001 certificate with the 27017 and 27018 guidelines. The integration demonstrates the ability of the provider to ensure the protection of personal data.
