ISO/IEC 27018:2014

This Standard is designed to use as a reference for selecting PII protection controls within the process of implementing a cloud computing ISMS based on ISO/IEC 27001, or as a guidance document for implementing commonly accepted PII protection controls for CSPs. In particular, this International Standard has been based on ISO/IEC 27002, taking into consideration the specific risk environment(s) arising from those PII protection requirements which might apply to CSPs acting as PII processors.

 

 

Why is ISO/IEC 27018:2014 required?

CSPs who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in a fashion that allow both the contracting parties to adhere to the requirements of legislation which governs how PII is allowed to be processed (i.e. collected, used, transferred and disposed of) is sometimes referred to as data protection legislation.

 

• A cloud service provider is a ‘PII processor’
• The cloud service customer can range from a natural person, a ‘PII principal’, or
• An organization, a ‘PII controller’, processing PII relating to many PII principals

 

The additional list of controls include:

Description	Controls
Consent and choice	Obligation to co-operate regarding PII principals’ rights
Purpose legitimacy and specification	Public cloud PII processor’s purpose
	Public cloud PII processor’s commercial use
Data minimization	Secure erasure of temporary files
Use, retention and disclosure limitation	PII disclosure notification
Openness, transparency and notice	Disclosure of sub-contracted PII processing
Accountability	Notification of a data breach involving PII
	Retention period for administrative security policies and guidelines
	PII return, transfer and disposal
Information security	Confidentiality or non-disclosure agreements
	Restriction of the creation of hardcopy material
	Control and logging of data restoration
	Protecting data on storage media leaving the premises
	Use of unencrypted portable storage media and devices
	Encryption of PII transmitted over public data-transmission networks
	Secure disposal of hardcopy materials
	Unique use of user IDs
	Records of authorized users
	User ID management
	Contract measures
	Sub-contracted PII processing
	Access to data on pre-used data storage space
Privacy compliance	Geographical location of PII
	Intended destination of PII

 

Is Tata Communications ISO/IEC 20000-1:2011 certified?

Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for protection of PII (Personally Identifiable Information) processed by GSMC for Managed Cloud Services – IZO Private Cloud and IZO Cloud Storage.

 

 

ISO/IEC 27018: 2014 in-scope services:

IZO Private Cloud & IZO Cloud Storage	In-Scope services
Compute	Cloud services, Virtual Services, Auto Scaling
Network	VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup	Block, File and ICS (Object) backup Scheduled data backup and data restoration
Database	Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware	Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache Application maintenance
Hypervisor	VMware, Hyper-V and KVM
Load balancer	Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance
Security	SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth

 

Review all of our global compliance programs