Cloud Services & the Development of ISO/IEC 27018
Adding “privacy” to information security
Alan Shipman
a.shipman@group5.co.uk
Data Privacy, June 2015
Processing your personal data in the cloud
• If you have personal data to process you are probably a data controller and subject to the ‘Data Privacy Law’ 2010. This presentation is about adding governance for processing personal data (PII, personal information, etc.) to baseline information security.
• Data Privacy legislation does require adequate security (e.g. ISO/IEC 27001 for the management system process and for the controls covering confidentiality, integrity and availability) but it also demands more.
• There are two main scenarios to address:
  • process your personal data yourself in a private cloud; or
  • outsource that processing to a public cloud acting as a data processor.
• This presentation places both scenarios into context but concentrates on solving some issues raised by processing personal data in a public cloud.
Processing personal data – in house
[Diagram] The data controller (YOU ARE HERE) processes personal data in house, either in a private cloud or on in-house ‘normal’ IT. You are a data controller whenever you process for your own purposes.
STANDARDS: BS 10012:2009 *; ISO/IEC 29151 (draft)
* BS 10012:2009. Data protection. Specification for a personal information management system. For a controller; does not specify the processor requirements sub-set.
Processing personal data – in the public cloud
[Diagram] The data controller (YOU ARE HERE) still processes some personal data in house (private cloud or in-house ‘normal’ IT) and is a data controller whenever it processes for its own purposes. Under a data processing agreement it also outsources processing to your cloud service provider, a public cloud data processor, which may in turn use a sub-contractor. The provider and its sub-contractors are data processor(s) only if they exclusively follow the controller’s instructions.
STANDARDS for the data controller: BS 10012:2009 *; ISO/IEC 29151 (draft)
STANDARDS for the public cloud data processor: ISO/IEC 27001 plus ISO/IEC 27018
* BS 10012:2009. Data protection. Specification for a personal information management system. For a controller; does not specify the processor requirements sub-set.
Processing personal data in the cloud: how does this work?
• Data protection obligations remain with a data controller even if processing is outsourced to a cloud data processor.
• If you want to have your personal data processed by a cloud service provider, acting solely according to your instructions, then you have to:
  • choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
  • take reasonable steps to ensure compliance with those measures.
• Standards cannot replace the requirements of law, but as one good route towards obtaining the required guarantees a data controller could:
  • select a cloud service provider which complies with ISO/IEC 27001 for security and also implements all of the data protection controls in ISO/IEC 27018 as part of that compliance; and
  • get a regularly audited commitment to the above from the cloud service provider (and make that a part of the data processing agreement).
How does ISO/IEC 27018 help a data controller to process personal data in the cloud?
• Select a well-governed cloud data processor: A well-governed cloud data processor should have independently audited and certified compliance to ISO/IEC 27001 as extended with all of the controls from ISO/IEC 27018.
• What your cloud data processor should tell you: The implementation guidance and some of the controls from ISO/IEC 27018 provide information on what your cloud data processor needs to tell you as a cloud service customer before you enter into a data processing agreement.
• What you should agree with your cloud data processor: The implementation guidance and some of the controls from ISO/IEC 27018 provide information on what you and your cloud data processor need to agree on about matters such as the distribution of responsibilities.
What’s in ISO/IEC 27018 (selected)?
• Title: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Controls: Cloud data processor (CDP) shows that it is a data processor (not a controller) by processing data only to implement customer instructions
• Controls: CDP knows where data is stored and is sure where it is sending it
• Controls: CDP ensures its sub-contractors also implement relevant security and data protection measures, and discloses changes in sub-contracting
• Controls: CDP implements the means to cooperate with its customer to allow the customer to meet obligations to data subjects
• Guidance: issues a CDP should disclose to a prospective customer before entering into the contract to process personal data
• Guidance: issues where CDP and the customer should agree on the split of responsibilities
How is ISO/IEC 27018 constructed & used?
[Diagram]
Stage 1: Find current EU Data Privacy laws applying to cloud data processors (France, Germany, Spain, UK).
Stage 2: Create new controls to cover EU laws based on the current Data Protection Directive, giving a set of new controls and guidance.
Stage 3: Analyse Data Protection Authority cloud opinions and update the controls for cloud-specific issues.
Stage 4: Eliminate controls & guidance already in ISO/IEC 27002:2013 (existing controls & guidance). Draft ISO/IEC 27018 keeps the remaining new controls & guidance: the body contains new guidance for existing controls in 27002, and Annex A contains new controls & new guidance. The result is ISO/IEC 27018:2014.
Stage 5: Cloud data processor uses the management system in ISO/IEC 27001:2013 with the combined control set in ISO/IEC 27002 and ISO/IEC 27018.
In summary
• Voluntary standards cannot replace the requirements of law. ISO/IEC 27018 is not a destination. It’s a first step in a journey towards good governance of personal data processing in the cloud. However …
• For the public cloud data processor:
  • ISO/IEC 27018 shows how to add “privacy” to an existing ISO/IEC 27001 certification so that customers who have personal data to process can more confidently use the service.
• For the cloud service customer with personal data to process:
  • Certified ISO/IEC 27001 compliance by a public cloud data processor with ISO/IEC 27002 controls extended with all of the controls in ISO/IEC 27018 provides a good baseline for doing the essential due diligence; and
  • ISO/IEC 27018 also addresses matters a public cloud data processor should be disclosing to its customers and matters that may need to be addressed in a data processing agreement.