Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20% to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

But now it has evolved into a platform that most part of our daily life is dependent on. While public and private cloud offers one means to differentiate the infrastructure sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) vs. the cloud user.

According to National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics.

  1. the on-demand self-service which implies that a customer can order service via the web or some other method at any point in time, to become immediately available for his or her use.
  2. the broad network access, in the sense that services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Other characteristics are the rapid elasticity of the cloud capabilities and the fact that it is a measured service – means additional capacity remains available and accessible on an ‘as needed’ basis and customers are automatically billed for their consumption.
  4. Last but not least, resource pool, meaning the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive courses of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many cloud service providers and cloud users. Given the substantial data protection risks, cloud computing measures need to be undertaken in order to mitigate their effect to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is the first set of international privacy controls launched.

Following and using the privacy controls foreseen in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect customers’ personal information. This mechanism also offers beneficial effect for both cloud providers and cloud users – if a consumer is buying cloud services, it can help them to identify the requirements for selecting a cloud provider and in defining contractual clauses and for cloud service provider, it can provide them with a unique selling proposition to potential clients because as more clients become familiar of the standard, the more that they will see it in their request proposal.

ISO 27018 has taken into account as a public policy from around the world as it integrates input from many regional regulators. A cloud service provider and it’s conformation to the standard makes the whole job of compliance to particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and defiance in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard out forward by Internal Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

Scope of “personal data” is not only about the information that “can be used” or “linked” to a PII principal/ data subject, but “any information” relating to an identifiable natural person 

  1. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as PII controller and the cloud service provider is the PII processor.

  1. Personal Data Protection Principles

The ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Asset control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management.

As the PII processor enables the cloud service client to comply with its regulatory obligations (data protection), through this controls, PII processor conforms to its own obligations, either legal or contractual.

  1. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular the data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor to comply with the principle of accountability requirements. Key to the demonstration of compliance in the context of the principle of accountability is third party certification. The cloud service provider that implements the new standard may ask for a conformity assessment, in order to be certified for complying with the standard.

In order to comply with the standard, participating cloud service providers must provide transparency in the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape for cloud security standard is best characterized as immature but emerging. ISO 27018 provides a transparent guidance for cloud service providers to establish privacy protection and allows businesses to make careful decisions about the cloud. But even with the present guidelines that ISO 27018 provides, it can also serve as reference point for standards’ future improvement. As the first international standard dedicated for cloud privacy, it initiated CSPs interchange of ideas on providing the best practice on data privacy and security.  ISO 27018 is an important step to protecting PII in the cloud, it emerges from previous ISO guidelines and it will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.

ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them implement management systems and international standards/best practices across multiple domains and industries.

Our partnerships with nest-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result – oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators having expertise in a niche array of domains and a strong regional presence, we provide an extensive portfolio of excellent industry specific and functional programs coupled with high quality training materials to provide best –in – class services for professionals around.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions- in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud- Data Security Best Practices based on ISO 27018 training program.




Taking the next step with the new ITIL® Practitioner Qualification


Axelos, the ITIL course owner has announced the most significant evolution for ITIL – the new ITIL Practitioner qualification.

ITIL Practitioner is being developed in collaboration with Practitioners worldwide to help organizations and individuals increase the value they obtain from using ITIL by offering additional practical guidance to adopt and adapt the framework to support the business. It will be the next step after ITIL Foundation for professionals who have already learned the basics of IT Service Management (ITSM) and the business value of well-designed and delivered services. It will help guide them through the practical side of successfully applying the theory in the workplace.

A specific amount of credit points will be assigned to ITIL Practitioner that will count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.

thinkWhy was this introduced?

The demands organizations are putting on their IT teams and IT service providers have changed significantly in the recent years. In many cases, we have moved from “let’s keep everything as stable as possible” to “let’s be as agile as possible (and make sure we can recover instantly)”. The technological capabilities – such as those enabled by rapidly evolving cloud computing – and associated practices have made it possible to better answer those demands. The detailed ‘how’ of all of this depends, though – what works for a Bay Area start-up might not work for a large multinational enterprise, and the expectations from existing customers of 10+ years differ from those acquired yesterday. For ITSM professionals, there is an ever-growing demand for more practical guidance on how to design fit-for-purpose and fit-for-use services and supporting processes.

That is where ITIL and other philosophies, frameworks and methodologies – such as Lean, DevOps and Agile – need to intersect for the best results. There are no silver bullets – organizations need to wisely choose the best ways to address specific challenges. ITIL helps with this by providing the framework where good practice of the ‘how’ can be plugged into. Additional, practical guidance was needed to bring this to life.

Enter… ITIL Practitioner

Setting what is often (mistakenly!) considered to be the last ITIL lifecycle stage, almost a nice-to-have feature – Continual Service Improvement (CSI) – as the backbone of the new qualification, ITIL Practitioner brings what is one of the most under-used and under-valued parts of ITIL to the real world. It is CSI that helps organizations to focus on the improvements delivering most value and to make sure the services and the practices supporting these can keep up with the needs from the ever-changing organization, and continually improve.

ITIL Practitioner equips ITSM professionals with the tools to identify the improvement needs and priorities in their organization, to successfully start and run the improvement initiatives and to deliver the value expected. The qualification – and the guidance supporting it – brings together various parts of ITIL, adding more detail as required, and combines this with the practical ‘how to’. The good practice from ITSM professionals from around the world is distilled into concepts, models and capabilities, and complemented with tools and methods to place it in the context of a specific organization. This is ITIL Practitioner.

For more information, please check this ITIL Practitioner page.


Servicing ICT – Merging Security and Service Management

A broad range of ISO/IEC (International Electrotechnical Commission) standards are addressing key issues faced by the world’s fast- growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.

A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Their use requires associated services provided within an organization, for example through an internal ICT services department, or through a third party.

 Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as service.

An example is data storage in a third- party cloud server. This can reduce an organization’s costs as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT services management also has a key role in the delivery of ICT services. If these are implemented properly it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.

 Best practice guidelines

The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.

There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

What level of customer service does the service level agreement guarantee?

What does the service provider need to do to deliver this level of service?

What does the service provider need to do to withstand an online denial-of- service attack?

What if the service provider experiences a malware attack on its systems?

Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. A risk-based process, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide what information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The “ other ” business options

Additional standards in the ISO/IEC 27000 series provide guidance and service and application specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, therefore ensuring business continuity.

ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.

This article was originally published in ISO Focus  by Edward Humphreys.

Make Your Organization’s Security Program Relevant in 2012

By: Chris Hinkley, from

Today more than ever, organizations are examining existing security programs. Those that don’t have a formal security plan in place are thinking about, if not scrambling, to make one. Great security means first identifying your needs and then making a resolution to revamp or create your company’s plan for the New Year. Here are some tips to help lay the groundwork.

  • Assess your technology. While technology should be a major (but not the only) focus of your security program, chances are your software might not be totally up to date, or in some cases even relevant to your company anymore depending on how the business has grown. Revamping or creating a security program is a great time to look at all of the technology you have in place, from servers to software, and see what needs an upgrade, a patch, or a replacement. A small patch missed, can mean a large breach. And a solution you passed on a year ago may have a better feature set and fit better with your organization now than what you currently have in place. If you’re working with regulatory compliance mandates, there are likely new protocols that you need to follow and become current on. This is because compliance standards and regulations change quite frequently, sometimes too quickly for us to keep up with. Remember though that compliance follows security and not the other way around. Don’t mistake following a compliance mandate as sufficient security.
  • Define Your Company’s Security DNA.There is no one-size-fits-all approach to security. Every organization has different structures, both physically and logically. This translates to unique risks and vulnerabilities.Don’t overlook the physical facilities such as the office building and back up facilities. No matter what size of business you have, if you’re dealing with sensitive and critical customer data, then the easiest way for a thief to access that data is to walk into your building and take it. Do you have a security system? Do you need security cameras or new lighting around the building? Is your business big enough where it makes sense to move into a building with a security guard, or hire a few of your own?

    Next is your hardware.

    Few employees sit at their office desk 9-5, Monday through Friday. How is information protected on laptops that go to work in coffee shops, home offices, airports, and trade shows? This measure mostly involves training for the people who carry the devices. There are policies you should develop and enforce on those devices and with your personnel as an added layer of protection. You can also invest in specific software (back to my earlier point) that will lock up mobile devices and programs automatically on a scheduled basis when they’re not in use.

    Also, be logical about who in the organization has access to certain physical areas and information. Not everyone should be allowed in the server room. Not everyone, even certain management, should have access to back end systems, financial software, and any other data where a leak would be devastating. Make sure you have checks and balances in place so the risk of fraud is minimized and the possibility of any kind of internal threat possibility is reduced. Be sure to establish a policy for when employees quit or are let go that their administrative rights are revoked immediately – before they can take data with them.

  • Make Security Part of the Culture.Just like anything else in leadership, it has to come from the top down to work. Start by getting the whole c-suite engaged with the program. Impress upon them that wide spread adoption throughout the company is critical to keeping the company safe from both internal and external threats. If you sense that the leadership is just nodding their heads but doesn’t understand the level of importance, share with them use cases of other companies that have experienced attacks in the last year and the consequences that were suffered because of these actions. Without management and executive approval, you are essentially dead in the water.Share the plan with the entire company. Add into your plan a budget to do company-wide training, that’s the best-case scenario. Corporate training and engagement can greatly boost the likelihood that employees will learn and retain what they need to know to do their part. It also sends a message of the importance of the security plan.

    If formal training isn’t an option, then create content that will explain the program in a simple way, using relatable scenarios that make sense to everyone from IT to marketing. Training doesn’t have to happen in a formal settings, sometimes training is even more effective in informal avenues. Think of a company screensaver that is constantly cycling through updates, announcements, and security news. Intranet landing pages and Yammer posts (if you use a social system like this internally) are also a good place to disseminate information.

    Finally, don’t make security education a one-time thing. Your organization’s employees can either be the biggest vulnerability or the biggest security asset. They won’t know what a suspicious email that contains a virus looks like unless you teach them. Continual participation and education on how to create a safe, secure business is ultimately what will make it a success. Send out quarterly reminders, put posters up in the break room, whatever you have to do to make it visible. Above all else, make sure the IT team and entire leadership of the company lead by example.

Philippine firms view compliance as complicated maze

MANILA–While the global market, thanks to the Internet, has undoubtedly been a boon to the Philippine outsourcing industry, ensuring compliance to various regulations is proving to be a headache for local companies in the borderless business era.

With reports of security breaches and data leaks making headlines around the world, the Philippines is in the midst of implementing a host of measures that can benefit, or constrict, local businesses.

Recently, in the Senate deliberations for the proposed Data Privacy Act, a top-ranking senator cautioned the chamber against enacting an excessively strict law that could hamper the ease of access that companies need to operate efficiently.

IT companies, such as software maker ECCI Group, also have to consider the data privacy policies in the markets they target. “Each country has a different Data Protection Act that we need to be in compliance to,” said Chenthil Kumar, sales director of the ECCI. “The other thing that needs to be considered is how we are protecting critical customer transactions.”

Local companies have acknowledged that compliance is a necessary task, but also agree that applying numerous regulations remains an enormous challenge to most.

Source: ZDNet Asia. Read the full article here.

Security Techniques

ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).

ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance, and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, and nonprofit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.

Bringing information security under management control is a prerequisite for sustainable, directed, and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities, and impacts of information security failures, using review and improvement activities specified within the management system.

According to JTC1/SC27, the ISO/IEC committee responsible for iso 27000 and related standards, ISO/IEC 27001 “Is intended for different types of use.”

The information security controls from ISO/IEC 27002 are noted in an appendix (annex) to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.

ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by the British Standards Institute (BSI) in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cycle, and was adopted by ISO/IEC in 2005.
Since ISO/IEC 27001 is an active certification standard, major/structural changes are likely to be difficult and even minor changes will have to be justified in order to retain “backwards compatibility” with the existing standard wherever possible. Nevertheless, there is pressure to realign 27001 with 27000, 27002, 27003, and 27005, reducing duplication and potential conflict, and to realign with other ISO management systems standards such as ISO 9000 and ISO 14000. Hopefully, confusion around the meaning and purpose of “Statement of Applicability,” “ISMS Policy,” and “Information Security Policy” will be resolved.

Oracle and other companies ‘punkd’ in hacking contest | BusinessWorld Online Edition

LAS VEGAS — A weekend contest at the world’s largest hacking convention in Las Vegas showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.

Amid a spate of high-profile cyber assaults on targets ranging from Sony Corp. to the International Monetary Fund, one would think that many companies would be paying special attention to security these days.

But hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest US companies to reveal information that can be used in planning cyberattacks against them.

Oracle and other companies ‘punkd’ in hacking contest | BusinessWorld Online Edition.