ISO/IEC 27018:2014

This standard is designed to be used as a reference for selecting PII protection controls within the process of implementing a cloud computing ISMS based on ISO/IEC 27001, or as a guidance document for implementing commonly accepted PII protection controls for CSPs. In particular, this International Standard is based on ISO/IEC 27002, taking into consideration the specific risk environment(s) arising from those PII protection requirements which might apply to CSPs acting as PII processors.

Why is ISO/IEC 27018:2014 required?

CSPs who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in a way that allows both contracting parties to adhere to the requirements of the legislation governing how PII may be processed (i.e. collected, used, transferred and disposed of); such legislation is sometimes referred to as data protection legislation.

  • A cloud service provider is a ‘PII processor’.
  • The cloud service customer can be either a natural person, a ‘PII principal’, or
  • an organization, a ‘PII controller’, processing PII relating to many PII principals.

The additional controls, grouped by privacy principle, include:

Consent and choice
  • Obligation to co-operate regarding PII principals’ rights

Purpose legitimacy and specification
  • Public cloud PII processor’s purpose
  • Public cloud PII processor’s commercial use

Data minimization
  • Secure erasure of temporary files

Use, retention and disclosure limitation
  • PII disclosure notification

Openness, transparency and notice
  • Disclosure of sub-contracted PII processing

Accountability
  • Notification of a data breach involving PII
  • Retention period for administrative security policies and guidelines
  • PII return, transfer and disposal

Information security
  • Confidentiality or non-disclosure agreements
  • Restriction of the creation of hardcopy material
  • Control and logging of data restoration
  • Protecting data on storage media leaving the premises
  • Use of unencrypted portable storage media and devices
  • Encryption of PII transmitted over public data-transmission networks
  • Secure disposal of hardcopy materials
  • Unique use of user IDs
  • Records of authorized users
  • User ID management
  • Contract measures
  • Sub-contracted PII processing
  • Access to data on pre-used data storage space

Privacy compliance
  • Geographical location of PII
  • Intended destination of PII

Is Tata Communications ISO/IEC 20000-1:2011 certified?

Tata Communications has achieved ISO/IEC 27017:2015 certification of its Information Security Management System (ISMS) for the protection of PII (Personally Identifiable Information) processed by GSMC for Managed Cloud Services – IZO Private Cloud and IZO Cloud Storage.

ISO/IEC 27018:2014 in-scope services:

In-scope services for IZO Private Cloud & IZO Cloud Storage:

Compute
  • Cloud services, Virtual Services, Auto Scaling

Network
  • VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV

Storage/Backup
  • Block, File and ICS (Object) backup
  • Scheduled data backup and data restoration

Database
  • Managed Oracle, MS-SQL, DB2 or MySQL database administration

Middleware
  • Managed Middleware service is offered on applications including JBOSS, TOMCAT and Apache
  • Application maintenance

Hypervisor
  • VMware, Hyper-V and KVM

Load balancer
  • Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance

Security
  • SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitored IDS/IPS, OAuth
