Is your Data Safe in the Cloud? How do you know? ISO 27018


  • New Standard for Protecting Personal Information in the Cloud.
  • ISO 27018:2014 part of ISO 27000 Family.
  • Extends ISO 27001.

Original Author: Robert Clements from Assent Risk Management
Original Link:


Life in the Clouds

If you have not come across the term yet, the Cloud is a term for services located on the internet rather than on your computer.

You might not think you are using any cloud services or storing any personal information in the cloud, but you probably are.

A web-based email address, the Apple iCloud and your online car tax application are just three examples of your data being stored in the Cloud.

A Tale from Shoreditch

One of the first companies I worked with who identified themselves as a “Cloud” service were based in East London. They were a small company, less than 10 people, but they had big ambitions. This was both an advantage and a disadvantage.

Highly skilled staff in a small office could easily communicate and solve problems, but as more customers joined the service, their limited time resources were put under pressure and risks increased.

While they managed these risks well, and with our help to implement ISO 27001, most of their customers had no idea about where their data was actually stored or who was handling it.

Cloud Doubts

While I believe ‘the cloud’ is far from mature, I do know from talking to people from all kinds of industries that the basic principle is now better understood and people are worried.

High-profile data leaks involving celebrity photographs and other personal data have brought cloud security into the public consciousness, and people are starting to ask questions.

How do we know we can trust the cloud services we use?

Having confidence in the governance of our data is key, and although there are other schemes around (see the CSA STAR scheme or the CIF Code of Practice), perhaps it takes an international standard to achieve household credibility.

Enter ISO 27018!

The recently released standard is:
ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Clearly related to the popular ISO 27001:2013, ISO 27018 extends it with cloud-specific controls to help govern how personal data is processed in the cloud.

Ultimately, ISO 27018 provides additional tools for an organisation to manage the specific risks inherent in a cloud environment, and provides a structure that can be incorporated into an existing, or new, audit programme.

Where to Start

ISO 27001, the standard for information security, is a good place to start, as it provides a framework for managing information security risks. There is also the benefit of achieving a recognised certification to this standard.

If ISO 27001 is already embedded in the organisation, then ISO 27018 is a natural progression that focuses on the risks related to personal data in the cloud.

About Assent Risk Management

Assent Risk Management is a UK-wide consultancy specialising in several areas of business risk, including information security.

Our consultants can help you understand ISO standards, implement the recommended controls and measure and reduce risk to personal data. Then it’s easy to benefit from the positive marketing that comes with assuring clients their data is safe.

Contact Us for more information. Call Assent on 020 3432 2854.
