ISO 27018 (Cloud Security PII)

The new data protection standard for cloud services

So far, there has been no general standard that specifically deals with data protection requirements for cloud computing. In terms of content, the standard builds on existing security standards, in particular ISO/IEC 27002. However, ISO/IEC 27018 specifically deals with regulating the processing of personal data in a cloud environment.


The ISO/IEC 27018:2014 standard can be used by all types of companies and units that offer the processing of personal data via cloud computing.

Advantages of an internationally certified cloud standard

With the introduction of ISO/IEC 27018, providers of cloud services now have the option of having their management system checked specifically against these requirements, which can make their offering more attractive.

In practice, the use of recognized security procedures is a decisive criterion in the selection of a cloud provider. This applies all the more to the client’s control rights in the context of commissioned data processing in accordance with Section 11 (2) No. 7 BDSG.

ISO/IEC 27018 defines data protection requirements for providers of cloud services and formulates monitoring mechanisms and guidelines for the implementation of measures that are intended to ensure the protection of personal data in a cloud environment. The standard takes into account data protection requirements that already exist in other areas and adapts them specifically to the information security risks of cloud computing.

Certification Process

The process starts with the client’s needs and expectations. DQS wants to learn about the client’s organization, its management system, size and types of operation. Together both parties will define objectives for the assessment and/or certification, including applicable standards and specifications.

DQS will provide a detailed offer for assessment and certification services, tailored to individual client needs, based on the information provided initially. A written contract will specify all relevant deliverables as well as applicable assessment and certification criteria.

A pre-audit can serve as initial performance or gap analysis, identifying strengths and areas for improvement. For larger assessment and certification projects a project planning meeting provides a valuable opportunity for the client to meet the lead assessor and develop a customized assessment plan for all functions and locations involved. Both services are optional.

The assessment procedure itself begins with review and evaluation of system documentation, goals, results of management review and internal audits. During this process, it will be determined whether the client’s management system is sufficiently developed and ready for certification. The assessor will explain findings and coordinate any required activities to prepare for the on-site system assessment.

The assigned auditor team will audit the client’s management system at the place of production or service delivery. Applying the defined management system standards and specifications, the assessment team will evaluate the effectiveness of all functional areas as well as all management system processes, based upon observations, inspections, interviews, review of pertinent records, and other assessment techniques. The audit result, including all findings, will be presented to the client during the closing meeting. Required action plans will be agreed upon as necessary.

The independent certification function of DQS will evaluate the audit process and its results, and decide independently on the issuance of the certificate. The client receives an audit report documenting the audit results. When all applicable requirements are fulfilled, the client also receives the certificate.

Either semi-annually or at least once per year, there will be an on-site audit of the critical components of the management system. Improvement potential will be identified, with a focus on continual improvement and sustained effectiveness.

A management system certificate is valid for a limited period of time, frequently for a maximum of three years. At the end of this cycle, a re-audit will be carried out to ensure the ongoing fulfillment of all applicable requirements. Subject to this fulfillment, a new certificate will be issued.

Why DQS?

DQS is one of the leading management system certification, audit, assessment and training organizations globally.

Truly Global Brand

Expert Auditors with High Emotional Intelligence

Local Capabilities & Delivery

Industry Leaders

Customized, Comprehensive & Actionable Insights

Pioneering Innovative Solutions

Passion for Quality & Excellence

Integrity & Trust

Want to know more?

Ph: (080) 6661-6565 | +91 924 320 3043 | E: Sales.Support@dqs-india.in