ISO 27018, whose full designation is ISO/IEC 27018, is a code of practice for the protection of personally identifiable information (PII) in public clouds, aimed at cloud providers acting as PII processors. It works in two ways: it augments the existing controls of ISO/IEC 27002 with implementation guidance specific to cloud privacy, and it adds a separate set of controls (Annex A) dedicated to the protection of personal data.
New Additions to ISO 27002 Guidance in ISO 27018
For most ISO/IEC 27002 control areas, ISO 27018 adds only a moderate amount of extra guidance (most of it under information security policies) and comparatively little elsewhere. Areas that receive additional cloud-privacy guidance include access control, asset management, human resource security, organization of information security, cryptography, physical and environmental security, and communications security.
New Controls for Cloud Privacy
Annex A of ISO/IEC 27018 is an extended control set, organized around the privacy principles of ISO/IEC 29100, that a public-cloud PII processor implements on top of the ISO/IEC 27002 controls to raise the level of protection of personal data in the cloud. Its controls include:
- The cloud customer's right to have their data accessed or deleted (the provider co-operates with requests from the data subjects)
- Using customer data only for the purpose for which it was provided
- No use of the data for marketing or advertising without the customer's express consent
- Secure deletion of temporary files and documents
- Recording of all disclosures of personal data, including those to law enforcement
- Notifying the customer when their data has been breached
- Documented policies and procedures for the cloud service
- A documented procedure for data restoration
- Restrictions on printing or otherwise making hard copies of personal data
- Use of unique user IDs for cloud customers
- Deactivating or deleting expired user IDs
Which one is better between ISO 27001 and 27018?
They are not alternatives. ISO/IEC 27001 is the certifiable standard for an information security management system (ISMS); ISO/IEC 27018 is a code of practice that extends the ISO/IEC 27002 controls with cloud-privacy requirements and is implemented within an existing ISO 27001 ISMS. If your goal is a certified security management system, ISO 27001 is the baseline. If you process personal data in a public cloud and want to demonstrate that it is protected and not used for advertising or marketing, add ISO 27018 on top of ISO 27001.
ISO 27018 and Compliance Mapping Software
Compliance mapping of documents and data can be done through the ISO 27018 module of the compliance mapping software, which makes the job straightforward: there is no need to visit an office, because all the data can be uploaded and the mapping done on the cloud service.
The basic process starts from the contractual/legal requirements: from there you move to the industry data security standard, and then to the data of the individual departments and business units.
In the Annex A table shown on the service you can view each control code and connect the compliance mapping to it. Clicking a code shows the policies associated with it, such as the access control policy or the system security policy.
Through the software, the low-level controls are also linked as evidence, and the same controls are mapped to the other GRC frameworks the service supports. ISO 27001 therefore acts as the hub between the GRC frameworks and the controls; in the software, the Annex A control set is the Annex A of ISO/IEC 27001 (that is, the ISO/IEC 27002 controls).
You can also go to Access Control and select the business requirements of access control to start the business compliance process. Each access control area has its own codes, each code has its own policies, and you can use all of them or any subset of them for your work.
The service also lets you view the different vulnerabilities and threats associated with each code, each with a complete description. You can get an overview of the network security policy through the Annex A mapping section. Lastly, you can build your own catalogue of access policies, vulnerabilities, threats and more, all online.