Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Acronyms, Abbreviations, and Initialisms
| Short Form | Full Form |
|---|---|
| CSP | Cloud service provider |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |
| PII | Personally identifiable information |
ISO/IEC 27018 addresses the privacy aspects of cloud computing for consumers and was the first international set of privacy controls specific to the cloud. It applies to cloud service providers (CSPs) that process PII on behalf of their customers.
ISO/IEC 27018 focuses on five key principles:

1. CSPs must not use the personal data they receive for advertising or marketing unless expressly instructed to do so by the customer. A customer must also be able to use the service without having to consent to the use of their personal data for advertising or marketing.
2. Customers have explicit control over how CSPs may use their information.
3. CSPs must inform customers about matters such as where their data resides, and must disclose any subcontractors that will be used to process PII.
4. CSPs should keep clear records of any incident and of their response to it, and they must notify the affected customers.
5. To remain compliant, a CSP must undergo yearly third-party reviews; customers can then rely on those findings to support their own regulatory obligations.
Trust is key for consumers leveraging the cloud; therefore, cloud service vendors are working toward adopting the stringent privacy principles outlined in ISO/IEC 27018.