ISO 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. It is a widely recognized international security standard in which Data Controllers (e.g. HSE) are showing significant interest; it includes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
The most widely recognized international standard for information security compliance is ISO/IEC 27001, which has national variants and well-developed certification regimes.
ISO 27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on the ISO 27002 controls applicable to Personally Identifiable Information (PII) in public clouds. It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not covered by the existing ISO 27002 control set.
- Must not use data for advertising or marketing unless express consent is obtained
- Must be transparent about where data is stored and how it is handled
- Must provide customers with control over how their data is used
- Must notify customers of their policy on return and deletion of customer data
- Must communicate to customers a breach that affects personal data
- Can have services independently audited to document compliance
ISO 27017 is the newest code of practice released……