Privacy in clouds

PREPARE FOR ISO 27018:2014 PRIVACY OF PII* IN CLOUDS CERTIFICATION

Step 1

  • Certify for ISO 27001 first
  • ISO 27017 is also recommended
  • PID (Project Initiation Document)
  • Drivers, business case
  • Project sponsor, project manager
  • Buy-in from all stakeholders

Step 2

  • Define scope
  • Gap assessment
  • Recommendations
  • Road map to address gaps

Step 3

  • Base controls from ISO 27002, plus:
  • Provider/customer RACI (who is responsible, accountable, consulted, informed)
  • Privacy controls from ISO 29100
  • PII encryption controls
  • Time-bound PII deletion
  • Restrict processing to the stated purpose
  • Regulatory rights of PII principals

Step 4

  • Internal audit
  • Management review
  • Corrective action plan, ATR
  • Certification audit, stage 1
  • Certification audit, stage 2
  • Address nonconformities (NCs)
  • Achieve ISO 27018 certification

*Personally Identifiable Information