ISO/IEC 27018 Certification Overview

Certified Information Security Controls for Protecting PII in Public Clouds

Certification:

Management system certification / Voluntary assessment

Basis of certification:

International standard ISO/IEC 27018

Standard owner:

ISO International Organization for Standardization

WHAT DOES THE ISO/IEC 27018 STANDARD DEFINE?

The ISO/IEC 27018 standard defines the guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors.

WHAT DO “CERTIFICATION” OR THE ISSUE OF A CERTIFICATION MARK ACCORDING TO ISO/IEC 27018 BY TÜV SÜD SOUTH ASIA PVT. LTD. MEAN?

  • The customer has submitted to voluntary assessment (audit) according to defined criteria (certification standard).
  • A certificate and/or the authorization to use a certification mark are only issued if the assessment (audit) does not reveal any major nonconformities with the requirements of the relevant standard.
  • Certificates and/or certification marks are valid for a restricted period of time. Interested parties can check the validity of individual certificates in the certificate database.
  • To maintain certificate validity, the certificate holder must complete and successfully pass annual surveillance assessments (audits).
  • An ISO/IEC 27018 certificate is only considered valid in conjunction with a valid ISO/IEC 27001 certificate.

HOW IS THE ASSESSMENT/AUDIT PERFORMED?

Independent and qualified experts (auditors) apply the following auditing techniques:

  • Document review:
    - Review the system documentation prepared by the client.
    - Evaluate the organization's location, number of sites and site-specific conditions.
    - Review the client's status and understanding regarding the requirements of the standard.
    - Collect, evaluate and verify information regarding scope, management review, processes and their interactions, objectives of the organization, related statutory and regulatory aspects, internal audits, performance data and associated risk.
    - Review the allocation of resources for the conformity assessment/audit and agree the details of the audit with the client.
    - Ensure appropriate planning by gaining sufficient understanding of the client's management system and site operations in the context of possible significant aspects.
    - Identify concerns that could affect the subsequent conformity assessment/audit.
  • On-site audit, which evaluates:
    - System effectiveness with respect to the documentation
    - Criticality and number of deviations
    - Complaints handling mechanism
    - Management commitment
    - Complete failure of an element of the standard
    - Effect of the observed deviations on control effectiveness

WHAT IS BEYOND THE SCOPE OF CERTIFICATION ACCORDING TO THE ISO/IEC 27018 STANDARD?

  • Applies to all management-system certifications: This certification does not constitute product certification. Certification thus does not provide any direct statements on the quality of a product or service of the certified customer.
  • Certification according to ISO/IEC 27018 does not mean that the company manufactures products or provides services of higher quality.
  • Certification according to ISO/IEC 27018 does not mean that the PII, information or data protected by a company's information security controls in public clouds cannot be lost, cannot be unlawfully altered, or will always be accessible when needed, even though these are key objectives of the security techniques defined for the protection of PII in public clouds.
  • A certification does not confirm that the technical and organizational measures taken by the company for information security controls for protecting PII in public clouds are functioning without errors.
