Posts by eccinternational

ECCI is an innovative knowledge-based solutions provider. We partner with organizations and help them achieve performance excellence through our portfolio of process improvement consulting, organizational learning solutions, technology interventions for process automation and managed training services. Headquartered in the Philippines and with a presence in six countries across South and South East Asia, ECCI caters to a wide array of customers across Asia, Europe and the Americas.

NIST Cybersecurity Framework: Keeping Your Business Safe in an Unsafe IT Ecosystem

The Rising Strategic Risk of Cyberattacks

As the world continues to embrace technology and its many advantages, business has come to rely more and more on it, storing large amounts of sensitive data electronically. The ease with which computers store and retrieve information is a major reason for the shift toward massive electronic storage, but along with the efficiencies computers bring to the market, a new area of risk has been created.

Cyber criminals today increasingly use malware, botnets and other sophisticated tools to attack organizations for financial gain, business disruption or political ends. In many cases they target multiple sites and organizations at once to increase the likelihood of an initial success and of viral spread. With new malware variants appearing daily, many companies struggle to fight these threats on their own, and a majority of attacks go undetected or unreported.

Cybercriminals are also no longer isolated amateurs. They belong to well-structured organizations with money, motivation and goals, often employing highly skilled hackers to execute targeted attacks. Such organizations can bring considerable threat intelligence, time and resources to bear, and the resulting attacks can cost their victims significant sums. This trend only grows more complex as businesses expand their use of the internet, mobile computing and the cloud, creating more channels of communication and more entry points into the network.

Cybersecurity – A Global Business Concern 

More and more business value and personal information worldwide is migrating into digital form on open, globally interconnected technology platforms. As that happens, the risk from cyberattacks grows accordingly.

According to 2014 research by McKinsey and the World Economic Forum, companies are struggling to build their cyber risk management capabilities and believe they are losing ground to attackers, as visible breaches continue to occur at growing scale and severity.

Their findings show that 70% of executives from financial institutions consider cybersecurity a strategic risk to their companies, and regard internal threats (their own employees) as great a risk as external attacks. Product companies such as high-tech firms see the leaking of proprietary knowledge about production processes as more damaging than leaks of product specifications, given the pervasiveness of "teardown" techniques and the legal protections afforded to product designs. Service companies, on the other hand, are more concerned about the loss and release of identifiable customer information and about service disruptions.

Equally worrying, executives across industries expect attackers to keep extending their lead over corporate defenses, moving faster than institutions can respond, which makes cybersecurity a top priority for businesses of all kinds.

Why Does Cybersecurity Matter?

If you still haven't developed a plan to safeguard your company's information assets, here are the top 5 reasons why cyber security matters:

1 – Your reputation will be at risk.

If your business is exposed to cyber risk, you can be sure people will find out about it. The fallout can be devastating. Customers may doubt their data is safe with you and shop elsewhere as a result. After all, if you've had one breach, what are the chances you might have another?

A data breach could even make your vendors wary of working with you. Network connections you share with them, for processing payroll, for example, or for transferring email campaign lists, could suddenly be suspect. They have their own data to protect, and a breach might mark your business as the weakest link in the security chain.

2 – Breaches are a financial burden.

When a breach is discovered, systems are often taken offline to close the security hole. During that time you may not be able to process customers' orders or continue operations. New equipment or software may need to be purchased to prevent a recurrence.

3 – It's not a matter of "if," but "when."

With the pace of breaches in our hyper-connected, data-intensive world, no business, industry or region is immune. Rather than simply hoping to avoid a data exposure, businesses are learning to protect themselves more intelligently and to be prepared to meet attackers head on.

4 – Insider threats are real.

Dangers may lurk within an organization that are just as serious as any external criminal. Resentful employees can inflict tremendous harm if they choose to take revenge on the business or a coworker by divulging sensitive information. The same holds true for employees facing financial difficulties who may see the sale of confidential data as a way out of their money problems. One of the most challenging aspects of the insider threat is how difficult it is to identify who presents a risk and who doesn't. Employers often aren't aware of the danger until a breach has occurred.

5 – A cyber attack puts your customers and partners at risk.

Breach victims can suffer financial losses through the theft of payment card and bank account numbers. They may also fall prey to identity fraud later, if criminals use their personal information to open new accounts in their name. The damage doesn't stop there: with a name or a Social Security number, someone could commit a crime under the victim's identity, putting that person's livelihood and reputation in serious jeopardy. Given the danger identity theft and fraud pose, protecting customers' data is part of being a good business.

Some of the largest breaches of the past few years have come through small businesses serving as vendors to larger companies. As part of the larger business ecosystem, small businesses will be scrutinized for their data-handling practices for as long as they act as third-party vendors to other companies.

Cybersecurity Landscape

Attacks on sensitive IT systems and data increased in 2015, and many caused substantial financial and reputational damage to the companies involved. Still, a successful attack on the underpinnings of a nation's critical infrastructure would have far more catastrophic consequences than any of these.

According to the ISACA 2015 Global Cybersecurity Status Report, 83% of ISACA members across 129 countries say cyberattacks are among the top three threats facing their organization today, and only 38% say they are prepared for one.

IT departments often find themselves unprepared to patch and mitigate these threats, whose aims range from monetizing credit card data or financial records, to rapidly copying a product or process, to gaining access to strategic or customer information. That leaves the window for exploitation wide open, and for many organizations it has produced a perfect storm of zero-day attacks, system infiltration and subsequent data loss.

Here are the must-know cyber security statistics for 2015.

According to the IBM 2015 Cyber Security Intelligence Index, 55% of attacks came from people who had physical or remote access to a company's assets: hard-copy documents, disks, electronic files and laptops, as well as non-physical assets such as information in transit. Although the insider is often an employee of the company, he or she could also be a third party: business partners, clients or maintenance contractors, for example. These are individuals you trust enough to give access to your systems.

It is important to note, however, that more often than not, breaches caused by insiders are unintentional. In fact, over 95% of these breaches are attributed to human error. That can mean accidentally posting information on the company's public-facing website, sending information to the wrong party via email, fax or mail, or improperly disposing of clients' records.

Insiders who set out to take advantage of the company they work for are far more dangerous. Their actions are harder to thwart because they are willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policy or the consequences of what they do.

Taking Action: NIST Cybersecurity Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.0) was released in February 2014 and is intended to establish guidelines and best practices for ensuring that critical systems are adequately protected. Although it is a voluntary framework, it is expected to be adopted by many companies seeking to strengthen their security posture.

The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Core, Implementation Tiers, and Profile.


Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core is organized into Functions, which are broken down into Categories and Subcategories (the individual outcomes), each mapped to Informative References such as existing standards and guidelines. It presents industry standards, guidelines and practices in a way that allows cybersecurity activities and outcomes to be communicated across the organization, from the executive level down to implementation and operations.

The Core comprises five Functions:

  • Identify – develop the organizational understanding needed to manage cybersecurity risk to systems, assets, data and capabilities.
  • Protect – implement the safeguards that ensure delivery of critical infrastructure services.
  • Detect – implement the activities that identify the occurrence of a cybersecurity event.
  • Respond – implement the activities that take action on a detected cybersecurity event.
  • Recover – maintain plans for resilience and restore any capabilities or services impaired by a cybersecurity event.

Framework Implementation Tiers – Describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four Tiers that can be used to characterize the "current state" of your cybersecurity effort. The Framework itself notes that the Tiers are not maturity levels: a higher Tier is encouraged only where it reduces risk in a way that is cost-effective and feasible for the organization.

The Tiers and their brief characteristics are:

  • Tier 1 (Partial): Informal cybersecurity risk management practices; an ad hoc and reactive approach to risk management.
  • Tier 2 (Risk Informed): Management-approved risk management processes and awareness of risk at the organizational level, but no organization-wide approach.
  • Tier 3 (Repeatable): Risk management processes expressed as policy, an organization-wide approach to managing cybersecurity risk, and risk-informed policies, processes and procedures.
  • Tier 4 (Adaptive): Cybersecurity practices adapted on the basis of lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, and active sharing of information with partners both before and after cybersecurity events.

Framework Profile – Describes the outcomes the organization has selected from the Core on the basis of its business needs and risk assessment. Comparing a Current Profile with a Target Profile reveals the opportunities for improving cybersecurity by moving from "current state" to "target state". To develop a Profile, assess the Categories and Subcategories of the Core and determine which outcomes are most important to the organization, then record which of them are achieved today. The Current Profile can then be used to support prioritization of the gaps and measurement of progress toward the Target Profile. It can also be used to support communication within the organization.
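As an added worked example, not code from the original post and not a NIST artifact, the following Python script models the gap analysis that the Profile is used for: a list of Core outcomes, each with its status in the Current Profile, its wanted status in the Target Profile and a priority taken from the risk assessment, from which it produces a prioritized action list and a per-Function progress roll-up. The five Function names and the subcategory ID scheme (ID, PR, DE, RS, RC prefixes) follow the Framework Core; the 0/1/2 status scale, the priorities, the paraphrased outcome descriptions and the sample entries are constructed for illustration. The Implementation Tiers are deliberately not used as a per-outcome score, because the Framework describes them as characterizing the organization's overall practices rather than as maturity levels.

```python
"""Gap analysis between a NIST CSF Current Profile and a Target Profile.

Added example. The Function names and the subcategory ID prefixes follow the
Framework Core; the 0/1/2 status scale, the priorities and the sample entries
are constructed for this example and are not part of the Framework.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Status of one Core outcome within a Profile (constructed scale).
NOT_ACHIEVED, PARTIAL, ACHIEVED = 0, 1, 2
VALID_STATUS = (NOT_ACHIEVED, PARTIAL, ACHIEVED)

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FUNCTION_PREFIX = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                   "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class ProfileEntry:
    subcategory: str   # Core outcome ID, e.g. "PR.AC-4"
    description: str   # paraphrased outcome text
    current: int       # status in the Current Profile
    target: int        # status wanted in the Target Profile (0 = out of scope)
    priority: int      # 1 = highest, taken from the organization's risk assessment

    def function(self) -> Optional[str]:
        """Map the ID prefix to its Function; None if the prefix is unknown."""
        return FUNCTION_PREFIX.get(self.subcategory.split(".", 1)[0])

    @property
    def gap(self) -> int:
        """How far the Current Profile falls short of the Target Profile."""
        return max(self.target - self.current, 0)


def profile_errors(entries: List[ProfileEntry]) -> List[str]:
    """One message per malformed entry; an empty list means the Profile is usable."""
    errors = []
    for e in entries:
        if e.function() is None:
            errors.append(f"{e.subcategory}: unknown Function prefix")
        if e.current not in VALID_STATUS or e.target not in VALID_STATUS:
            errors.append(f"{e.subcategory}: status must be 0, 1 or 2")
        if e.priority < 1:
            errors.append(f"{e.subcategory}: priority must be >= 1")
    return errors


def prioritized_gaps(entries: List[ProfileEntry]) -> List[ProfileEntry]:
    """Outcomes whose target exceeds their current status, in action order:
    highest priority first, then widest gap, then ID for a stable listing."""
    errors = profile_errors(entries)
    if errors:
        raise ValueError("; ".join(errors))
    open_gaps = [e for e in entries if e.gap > 0]
    return sorted(open_gaps, key=lambda e: (e.priority, -e.gap, e.subcategory))


def progress_by_function(entries: List[ProfileEntry]) -> Dict[str, Tuple[int, int]]:
    """Per Function: (status points already met, status points in the Target
    Profile). Re-run over time to measure progress toward the Target Profile."""
    errors = profile_errors(entries)
    if errors:
        raise ValueError("; ".join(errors))
    totals = OrderedDict((f, [0, 0]) for f in FUNCTIONS)
    for e in entries:
        if e.target == NOT_ACHIEVED:
            continue  # outcome not selected in the Target Profile
        met, wanted = totals[e.function()]
        totals[e.function()] = [met + min(e.current, e.target), wanted + e.target]
    return {f: (met, wanted) for f, (met, wanted) in totals.items()}


# Constructed sample Profile (descriptions paraphrased, statuses and priorities invented).
SAMPLE_PROFILE = [
    ProfileEntry("ID.AM-1", "Physical devices and systems are inventoried", PARTIAL, ACHIEVED, 2),
    ProfileEntry("ID.AM-2", "Software platforms and applications are inventoried", NOT_ACHIEVED, ACHIEVED, 2),
    ProfileEntry("PR.AC-1", "Identities and credentials are managed", ACHIEVED, ACHIEVED, 1),
    ProfileEntry("PR.AC-4", "Access permissions follow least privilege", PARTIAL, ACHIEVED, 1),
    ProfileEntry("DE.CM-1", "The network is monitored for cybersecurity events", NOT_ACHIEVED, ACHIEVED, 1),
    ProfileEntry("RS.RP-1", "Response plan is executed during or after an event", PARTIAL, ACHIEVED, 2),
    ProfileEntry("RC.RP-1", "Recovery plan is executed during or after an event", NOT_ACHIEVED, PARTIAL, 3),
]

if __name__ == "__main__":
    print("Prioritized gaps (priority, gap, outcome):")
    for e in prioritized_gaps(SAMPLE_PROFILE):
        print(f"  P{e.priority} gap={e.gap} {e.subcategory}: {e.description}")
    print("Progress toward Target Profile by Function (met/wanted):")
    for func, (met, wanted) in progress_by_function(SAMPLE_PROFILE).items():
        print(f"  {func:8s} {met}/{wanted}")
```

Running the script lists DE.CM-1 and PR.AC-4 first (priority 1), then the priority 2 gaps ordered by width, with the out-of-scope-for-now recovery outcome last; the roll-up shows Detect at 0/2 and Protect at 3/4. Sorting on priority before gap width is the point: the risk assessment, not the size of the shortfall, decides what to fix first.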

Benefits beyond Improved Cybersecurity

The NIST Framework was designed with a high degree of flexibility for organizations that want to follow its guidelines. It is technology-neutral and incorporates existing industry standards and best practices, so there is no need to reinvent the wheel. Most importantly, it enables each organization to profile its own cybersecurity efforts, define a target profile, and put in place a plan to reach that goal.

Its guidelines should therefore be treated not as requirements but as a scorecard, based on the unique business needs, risk appetite and security demands of each environment, and as a guide for continuous improvement as risks and threats change.

For most organizations, whether they are owners, operators or suppliers of critical infrastructure, the NIST Cybersecurity Framework may be worth adopting solely for its stated goal of improving risk-based security. But it can also deliver ancillary benefits, including more effective collaboration and communication of security posture with executives and industry organizations, potential reductions in legal exposure, and assistance with regulatory compliance.

Effective collaboration hinges on open and meaningful dialogue. To that end, the Framework provides a common language for conversations about cybersecurity processes, policies and technologies, both internally and with external entities such as third-party service providers and partners.

Looking Ahead

New technologies, well-funded and determined attackers, and interconnected business systems have combined to increase your exposure to cyberattacks. Your most critical and confidential digital assets are being targeted at an unprecedented rate, and the potential impact on your business has never been greater.

The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk management. The Framework is voluntary, and when you adopt it successfully you do more than protect your business: you have the potential to reap bottom-line benefits as well.


ISO 20400 – Sustainable Procurement: Purchasing Greener and More Sustainable Products from Greener and More Sustainable Companies

Philippine Procurement Today

The overall consumer expenditure in the Philippines increased to ₱ 1,342,297 Million in the fourth quarter of 2015 from ₱ 1,321,980 Million in the third quarter of 2015. Shifting that spending towards more sustainable goods and services can help drive markets in the direction of innovation and sustainability, thereby enabling transition to a green economy.

Traditional procurement focuses on value-for-money considerations. Today, procurement goes beyond the traditional purchasing criteria of price, performance and quality to take account of the environmental and social impacts of purchasing choices, reducing adverse effects on health, social conditions and the environment and thereby saving valuable costs for organizations and the community at large.

Society’s Receptiveness on Sustainable Procurement

Thinking about our purchasing decisions and making informed choices can significantly reduce our environmental and social impacts. Our purchasing power can be used to positively influence supply chains, promoting the productive use of resources and materials and the engagement of ethical and socially responsible suppliers.


According to a 2014 Nielsen report, 55% of global online consumers across 60 countries say they are willing to pay more for products and services from companies committed to positive social and environmental impact. The Asia-Pacific region was the most willing to pay more for products with social-good benefits, at 64%, above the global average.

These sustainability-minded consumers base their choice of goods and services on:


Benefits of Responsible Purchasing

Consumers are not the only ones interested in purchasing greener, healthier products. Many organizations from large to small enterprise are looking to make more sustainable choices.

For many of these organizations, responsible purchasing is more than "doing the right thing." Green purchasing priorities are frequently tied to specific business objectives such as:

  • Enhanced Brand Image: An organization that has gone green is seen as a good corporate citizen, which improves its image in the eyes of the public.
  • Customer Satisfaction: An organization that goes green in response to customer concerns raises its level of customer satisfaction, a key factor in customer retention.
  • Reduced Risk: A company that does not go green not only risks a run-in with the law by failing to comply with environmental regulations, it also carries more liability than it needs to. Hazardous materials are accidents, and lawsuits, waiting to happen. With green purchasing you can reduce financial and environmental risk rather than simply inheriting it from your suppliers.
  • Cost Reduction: Going green doesn't have to cost more. Most of the time it actually saves money, especially when the new products use less energy, generate less waste and last longer. Sometimes green products also work better than their conventional counterparts. Going green can reduce the following costs, among others:
    • hazardous material management costs
    • operational costs
    • repair and replacement costs
    • disposal costs
    • health & safety costs (which often come in the form of liability insurance and expensive settlements)
  • Increased Shareholder Value: A stronger brand with satisfied customers who keep coming back and drive up sales, while costs keep falling, produces a significant return on investment and attracts more shareholders to invest in your company.

ISO 20400 – Sustainable Procurement: Purchasing from Greener and More Sustainable Companies

A purchasing entity, wherever it is located in the world, can no longer exempt itself from accountability for what occurs at its suppliers. Given multiple levels of subcontractors and cross-border procurement, a globally accepted standard is needed to set out the best practices of responsible purchasing.

ISO 20400, a standard for Sustainable Procurement, provides guidelines on purchasing greener, healthier and more sustainable products from greener and more sustainable companies. Its development started in 2013 with a proposal from France and Brazil. At the moment 33 countries and 7 liaison organizations are participating, and a further 13 countries are observing.

The ISO 20400 Standard is based on several principles, many of which share the intent of SPLC’s Principles for Leadership in Sustainable Purchasing and this includes:

Understanding – Understanding the relevant environmental, social, and economic impacts of its purchasing.

Commitment – Taking responsibility for the relevant environmental, social, and economic impacts of its purchasing by committing to an action plan.

Results – Delivering on its commitment to improve the relevant environmental, social, and economic impacts of its purchasing.

Innovation – Actively promoting internal and external innovation that advances a positive future.

Transparency – Soliciting and disclosing information that supports a marketplace of innovation.

The four main parts of the guidance standard are:


Clause 4: Fundamentals

This clause is written primarily for use by the top management of an organization, to help define the strategy and policies for sustainable procurement. It considers what sustainable procurement is, what the main organizational sustainability issues and drivers are, and how sustainability should be integrated into procurement policies and strategies.

Clause 5: Integrating Sustainability into the Organization’s Procurement Policy and Strategy (Policy and Strategy)

This clause provides guidance on how sustainability considerations should be integrated at a strategic level within the procurement function, so that the intention, direction and key sustainability priorities of the organization are documented and understood by everyone involved in sustainable procurement. The clause applies to all users, but is especially intended to help top management define sustainable procurement policy and strategy.

Clause 6: Organizing the Procurement Function towards Sustainability (Enablers)

Clause 6 is written primarily for procurement management and describes the conditions that need to be created, and the management techniques that should be employed, for sustainable procurement to be implemented successfully and continually improved. These conditions are key to integrating sustainability considerations into the procurement process described in clause 7. Five enablers are discussed: priority setting, enabling people, governing procurement, engaging stakeholders and measuring performance.

Clause 7: Integrating Sustainability into the Procurement Process (Procurement Process)

This clause addresses the procurement process and is intended for individuals who are responsible for the actual procurement within their organization. This clause may also be of interest to those in associated functions.

When adopting sustainable procurement, it should be integrated into the existing procurement process steps: planning, specifications, supplier selection, contract management, and contract review and lessons learnt.

Looking Ahead

Buying greener, healthier, more sustainable products is one way we can all improve our own lives while building a better world. To strengthen this initiative, ISO 20400 was created and released for consultation to an audience wider than the experts of the mirror committees in the participating countries. The vote closes on 2 December 2016, and the final version of the standard is expected to be published in early 2017.


Paris Climate Agreement: A Turning Point on Climate Change

Climate Change: Vital Signs of the Planet Today

There is now little doubt that climate change is happening. It is seen as the biggest potential threat and environmental challenge of the 21st century, and it affects us all. The group of 1,300 independent scientific experts from around the world that makes up the Intergovernmental Panel on Climate Change (IPCC) concludes that there is a more than 90% probability that greenhouse gases (GHG) such as carbon dioxide, methane and nitrous oxide produced by human activity have caused much of the observed rise in Earth's temperature over the past 50 years. IPCC scientists researching global warming have predicted that average global temperatures could increase by between 1.4 and 5.8 °C by the year 2100.

Adoption of Paris Climate Agreement to Roll Back Global Warming

The world needs "a global deal for climate" that keeps the rise in global average temperature below 2 °C. At the 21st Conference of the Parties (COP21), held in Paris in December 2015, the United Nations Framework Convention on Climate Change (UNFCCC) resolved, for the first time in over 20 years of UN negotiations, to reach a legally binding universal agreement on climate among all nations of the world.

The Paris Agreement is intended to signal the beginning of the end of more than 100 years of fossil fuels serving as the prime engine of economic development, and shows that governments around the world take climate change seriously. The inclusion of both developed and developing countries, including those that depend on revenue from oil and gas production, demonstrates a unity never seen before on this issue.

The purpose is to hold global warming to below 2 °C above pre-industrial levels, and to strive for 1.5 °C if possible. Negotiators from nearly 200 countries reached the world's most significant agreement on climate change since the issue first emerged as a major political priority decades ago.

Paris Climate Agreement Key Elements

The Role of Business and Industry in COP21

Business has to play a part in the ongoing shift towards a carbon-clean global economic system.  Some companies have already started to do so, either by changing their global strategy, investing in carbon-free energies or through innovations.

The Paris Agreement encouraged businesses to commit to, and publicly announce, actions aimed at reducing emissions overall. Commitments can, for instance, take the form of:

Individual mitigation targets:

  • GHG emission reduction
  • GHG emission reduction in line with the 2°C objective
  • Carbon neutrality
  • Improved energy efficiency target

Targets related to specific themes:

  • Increased produced renewable energy (low‐carbon energy)
  • Increase consumed renewable energy
  • Reduced deforestation
  • Reduced emission from own property/buildings
  • Reduced emission from own fleet
  • Material use reduction
  • Increase the share of recycling

Finance/Investors targets:

  • Carbon accounting implementation
  • Carbon/climate risks assessments & stress testing generalization
  • Green bonds development
  • Portfolio decarbonization

Resilience/adaptation targets:

  • Funding into public and open scientific risk modelling facilities
  • Efforts to adjust business models to minimize vulnerabilities and risks to climate hazards

After COP21: What Needs to Happen for the Paris Agreement to Take Effect?

What occurred in December 2015 at COP21 was the "adoption" of the Paris Agreement by the Conference of the Parties (COP) to the UN Framework Convention on Climate Change (UNFCCC). Countries still need to take further steps for it to take effect.


Countries must now actually join the Paris Agreement and become Parties to it. To do this, each country must sign and indicate its consent to be bound by the Agreement. On April 22, 2016, Heads of State can sign the Agreement at a high-level signing ceremony at the United Nations in New York. The Agreement will then remain open for signature for one year, until April 21, 2017. After the one-year signing period, the Agreement will be open for "accession", by which a country becomes a Party to an international agreement that other countries have already signed.

Only after at least 55 Parties to the UNFCCC, representing at least 55 percent of total global greenhouse gas emissions, have joined and indicated their consent to be bound will the Agreement "enter into force", take effect and become legally binding.

Pushing Forward

Our world is getting hotter, and we can see the evidence in the loss of sea ice, accelerating sea level rise, warming oceans, more intense heat waves, and an increase in extreme events such as wildfires, drought, tropical storms and floods. The impact of global warming and climate change is already being felt across the planet.

The Paris Agreement represents a huge leap forward in limiting the effects of global warming. Taking the action needed to bring the deal into force is the essential next step for countries to build on the momentum from COP21. If they do so quickly, they can ensure that the critically important provisions and requirements of the Paris Agreement are fully put into motion.



ISO 9001:2015 – Shifting Gears in the New Quality Management Standard

Moving from ISO 9001:2008 to ISO 9001:2015

ISO 9001 is a standard for organizations looking to optimize their operational excellence. It helps businesses and organizations become more efficient and improve customer satisfaction. A new version of the standard, ISO 9001:2015, has just been published, replacing the previous version.

ISO standards are reviewed every five years and revised if needed to ensure that they remain relevant in today's marketplace. This revision brings ISO 9001 up to date with the challenges and opportunities arising from changing technologies and globalization, reinforces the risk-based approach, and structures the standard to cope with future change.

What are the Major Differences?

The new ISO 9001 follows the common high-level structure (Annex SL) that ISO now requires of all new management system standards, with a shared set of core requirements. In addition there is a greater emphasis on risk-based thinking as the basis of the management system, more focus on achieving value for the company and its customers, increased flexibility in the use of documentation, and a structure that is more approachable for service businesses.

There are 10 clauses within the standard and here are the changes clause by clause:

Clause 1 is very similar to the 2008 version, covering the scope of the standard; there has been very little change to this clause.

Clauses 2 and 3 cover normative references and terms and definitions. Both reference ISO 9000, Quality management systems – Fundamentals and vocabulary, which provides valuable guidance.

The remaining clauses include new key elements that need to be considered when implementing the new standard.

Clause 4: Context of the Organization

This is a new clause that in part addresses the concept of preventive action, which the 2015 edition replaces with risk-based thinking, and in part establishes the context for the QMS.

Clause 5: Leadership

This clause places requirements on top management to demonstrate commitment to the QMS through taking accountability for the effectiveness of the QMS, establishing policies, objectives and promotion of continual improvement.

Clause 6: Planning

When planning the QMS, the organization will need to consider the external and internal issues along with needs and expectations of interested parties.

Clause 7: Support

The organization shall determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS.

Clause 8:  Operation

This clause deals with the execution of the plans and processes that enable the organization to meet its quality policy and quality objectives.

Clause 9:  Performance Evaluation

This clause consolidates all requirements for monitoring and measurement of quality performance and of the effectiveness of the QMS.

Clause 10:  Improvement

The organization must determine the opportunities for improvement to continually improve the organization’s QMS.


Impact of the New Standard

ISO 9001:2015 is now replacing ISO 9001:2008. Organizations that are already ISO 9001 certified should track the progress of the revision and familiarize themselves with the changes. To maintain your ISO 9001 certification you will need to upgrade your quality management system to the new edition of the standard and seek certification against it. There is a three-year transition period from the date of publication (September 2015) to move to the 2015 version, which means that after the end of September 2018 a certificate to ISO 9001:2008 will no longer be valid.

According to the International Accreditation Forum (IAF), there are a number of recommended actions that organizations can take to successfully transition to the new requirements of ISO 9001:2015. These include:

  • Conduct a gap analysis

Identifying the gaps between current practices and the new requirements is the most effective way to evaluate the changes that are required in your current QMS.

  • Develop an implementation plan and timetable

A formal implementation plan and schedule will help your organization address the required changes within the anticipated three-year transition period.

  • Provide appropriate training for all parties

Ongoing education and training for all relevant personnel are critical to achieving the goals of your transition plan. More important, educated stakeholders are vital in ensuring ongoing compliance once the transition is complete.

  • Update existing QMS documentation

Clear and thorough documentation is essential to demonstrate compliance with the requirements of the revised standard and to help reduce the risk of nonconformities.

  • Involve your certification partner early in the process

An experienced certification body can provide invaluable assistance in the process of transitioning to the requirements of ISO 9001:2015. Its early involvement can help your organization save time and money.


In a nutshell, there are new areas that organizations need to consider when implementing the new standard, but it also provides an opportunity to review your current approach and modify it if necessary. This can help your business to grow, increase profitability and increase customer satisfaction. It is now a powerful business improvement tool for organizations of all sizes and types, helping them remain resilient and achieve sustainable growth.


Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20% to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

But now it has evolved into a platform on which much of our daily life depends. While public and private cloud offer one way to differentiate infrastructure sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) versus the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics.

  1. On-demand self-service, which implies that a customer can order a service via the web or some other method at any point in time and have it immediately available for his or her use.
  2. Broad network access, in the sense that services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Rapid elasticity of the cloud capabilities, meaning additional capacity remains available and accessible on an ‘as needed’ basis.
  4. Measured service, meaning customers are automatically billed for their consumption.
  5. Last but not least, resource pooling, meaning the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be undertaken to mitigate them, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is the first international set of privacy controls published.

Following and using the privacy controls set out in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect customers’ personal information. This mechanism also benefits both cloud providers and cloud users. If a consumer is buying cloud services, it can help them identify the requirements for selecting a cloud provider and define contractual clauses. For a cloud service provider, it can provide a unique selling proposition to potential clients, because as more clients become familiar with the standard, the more they will ask for it in their requests for proposals.

ISO 27018 takes into account public policy from around the world, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the whole job of compliance with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and protection in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” is not only information that “can be used” or “linked” to a PII principal/data subject, but “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as PII controller and the cloud service provider is the PII processor.

  3. Personal Data Protection Principles

The ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management.

As the PII processor enables the cloud service client to comply with its regulatory obligations (data protection) through these controls, the PII processor also conforms to its own obligations, whether legal or contractual.

  4. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor in complying with the requirements of the accountability principle. Key to demonstrating compliance in the context of the accountability principle is third-party certification. A cloud service provider that implements the new standard may ask for a conformity assessment in order to be certified as complying with the standard.

In order to comply with the standard, participating cloud service providers must provide transparency in the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape for cloud security standards is best characterized as immature but emerging. ISO 27018 provides clear guidance for cloud service providers to establish privacy protection and allows businesses to make careful decisions about the cloud. Beyond the guidance it provides today, ISO 27018 can also serve as a reference point for future improvement of standards. As the first international standard dedicated to cloud privacy, it has started an exchange of ideas among CSPs on best practice for data privacy and security. ISO 27018 is an important step toward protecting PII in the cloud; it emerges from previous ISO guidelines and will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.

ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them implement management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators with expertise in a niche array of domains and a strong regional presence, we provide an extensive portfolio of industry-specific and functional programs coupled with high-quality training materials to provide best-in-class services for professionals.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, and their correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud – Data Security Best Practices based on ISO 27018 training program.




Taking the next step with the new ITIL® Practitioner Qualification


Axelos, the owner of ITIL, has announced the most significant evolution of ITIL to date: the new ITIL Practitioner qualification.

ITIL Practitioner is being developed in collaboration with Practitioners worldwide to help organizations and individuals increase the value they obtain from using ITIL by offering additional practical guidance to adopt and adapt the framework to support the business. It will be the next step after ITIL Foundation for professionals who have already learned the basics of IT Service Management (ITSM) and the business value of well-designed and delivered services. It will help guide them through the practical side of successfully applying the theory in the workplace.

A specific amount of credit points will be assigned to ITIL Practitioner that will count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.

Why was this introduced?

The demands organizations are putting on their IT teams and IT service providers have changed significantly in recent years. In many cases, we have moved from “let’s keep everything as stable as possible” to “let’s be as agile as possible (and make sure we can recover instantly)”. Technological capabilities – such as those enabled by rapidly evolving cloud computing – and the associated practices have made it possible to better answer those demands. The detailed ‘how’ of all of this depends, though: what works for a Bay Area start-up might not work for a large multinational enterprise, and the expectations of customers of 10+ years differ from those acquired yesterday. For ITSM professionals, there is an ever-growing demand for more practical guidance on how to design fit-for-purpose and fit-for-use services and supporting processes.

That is where ITIL and other philosophies, frameworks and methodologies – such as Lean, DevOps and Agile – need to intersect for the best results. There are no silver bullets; organizations need to choose wisely the best ways to address specific challenges. ITIL helps with this by providing the framework into which good practice for the ‘how’ can be plugged. Additional, practical guidance was needed to bring this to life.

Enter… ITIL Practitioner

ITIL Practitioner takes what is often (mistakenly!) considered the last ITIL lifecycle stage, almost a nice-to-have feature – Continual Service Improvement (CSI) – and makes it the backbone of the new qualification, bringing one of the most under-used and under-valued parts of ITIL into the real world. It is CSI that helps organizations focus on the improvements that deliver the most value, and make sure that the services and the practices supporting them keep up with the needs of the ever-changing organization and continually improve.

ITIL Practitioner equips ITSM professionals with the tools to identify the improvement needs and priorities in their organization, to successfully start and run the improvement initiatives and to deliver the value expected. The qualification – and the guidance supporting it – brings together various parts of ITIL, adding more detail as required, and combines this with the practical ‘how to’. The good practice from ITSM professionals from around the world is distilled into concepts, models and capabilities, and complemented with tools and methods to place it in the context of a specific organization. This is ITIL Practitioner.

For more information, please check this ITIL Practitioner page.


Data Center Fun Facts

There’s no question that big data plays a huge role in the lives of millions of people as well as countless businesses.

As each year passes, data gets bigger and more storage facilities are built to handle the influx of information and keep it accessible and safe.

Just how big has big data become? How big do data centers have to be to handle that much data? Not surprisingly, with more of the world turning to electronic forms of storage and an ever-increasing amount of data, data centers are becoming a lot more efficient at handling information and compressing it.