Cloud Companies Can Conquer GDPR with ISO 27018 Certification

Almost a year into a post-GDPR world, the question for many cloud service providers is still, “How do I evidence GDPR compliance?” With no meaningful certification in sight, the time is now for cloud service providers to be proactive in showing how they protect customer data in accordance with GDPR.

Our aggregated client data shows that last year, at least 25% of potential customers required GDPR compliance and 15% required ISO 27001 certification as part of ongoing diligence procedures.

In our experience, ISO 27018 is quickly becoming part of the compliance mandate for cloud service providers. ISO 27018 is a standard that is an “add-on” to ISO 27001 (i.e., the ISO 27018 controls are added to the ISO 27001 Information Security Management System in the Statement of Applicability) for cloud service providers. ISO 27018 consists of two parts:

The ISO 27001 Annex A controls, with specific guidance for cloud processors in certain areas;
Annex A, an additional set of controls based on ISO 29100 privacy principles.

Overlap between ISO 27018 and GDPR exists in many key areas, including but not limited to:

Incident response
Encryption
Choice and consent (data collection measures)
Data subject access rights
Defining the purpose of processing
Data minimization
Security standards for sub-processors

Of course, ISO 27018 controls do not provide a full mapping to GDPR requirements. For example, ISO 27018 does not address important elements of GDPR such as privacy by design, defining the lawful basis for data processing, or maintaining records of all processing activities. The ISO 27018 controls should be seen, therefore, as a ready-made, but incomplete foundation of controls to begin demonstrating GDPR compliance. Further controls can be developed, specific to your organization, that address the remaining GDPR elements.

Pursuing an ISO 27018 certification can be a proactive way to evidence GDPR compliance measures that a cloud service provider is already performing. In addition, the associated ISO 27001 certification is a clear indicator that an organization has implemented the security standards required of all processors under GDPR. Thus, pursuing an ISO 27001 certification with added ISO 27018 controls can easily demonstrate a commitment to both security and privacy that gives potential customers comfort and ultimately smooths the sales cycle.

Questions about ISO 27001, ISO 27018, and GDPR? Contact Christian Hyatt at christian.hyatt@risk3sixty.com or Philip Brudney at philip.brudney@risk3sixty.com

About the Author: Philip Brudney

Philip is in charge of Security, Privacy, and Compliance research and quality assurance at risk3sixty. As part of Philip’s duties, he oversees privacy and attestation reporting and is the co-quality assurance manager for the assurance practice (SOC 1, SOC 2, and attestation reporting) where he is responsible for ensuring each engagement meets risk3sixty’s rigorous quality standards in line with AICPA requirements. Philip leads development and peer review of thought leadership, research, and whitepapers. In addition, Philip acts as the Data Protection Officer (DPO) for a wide array of US based firms facing GDPR compliance.