ISO 27018 vs. ISO 27701
Published 11/08/2022
Originally published by Schellman.
Written by Danny Manimbo, Schellman.
Famed baseball player and possessor of a great name, Yogi Berra, once said, “When you come to a fork in the road, take it.”
Granted, he was likely joking, but he obviously never had to pay for an ISO certification. When you're faced with a choice between two of them, such as ISO 27018 and ISO 27701, your budget may not agree with “taking” both roads, nor is it necessary to do so.
What is necessary, though, is to choose the right path forward for your organization. If you’re looking to provide assurances to customers regarding how you safeguard their personally identifiable information (PII), both ISO 27018 and ISO 27701 can do that, albeit in different ways.
So, to help inform your decision, this article will define both standards and their goals, as well as the considerations that bear on choosing one or the other. You might be faced with a fork in the road right now, but after reading you’ll be able to decisively take the right path.
Processors vs. Controllers
Before we get into these two privacy standards, let’s go back to basics and define the two types of organization concerned with protecting privacy, so that those new to privacy compliance understand which type they are:
| Processors | Controllers |
| --- | --- |
| Formal Definition: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of a controller. | Formal Definition: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Given these dynamics, the controller bears more responsibility regarding privacy, though processors are obviously not off the hook. The distinction between the two will become important as we get into the differences between ISO 27018 and ISO 27701.
What is ISO 27018?
ISO 27018 was most recently updated in 2019 and is intended as an extension to ISO 27001; in fact, 27001 is a prerequisite for this privacy certification. The first privacy-specific international standard for cloud providers, ISO 27018 contains extended controls and related implementation guidance that is particularly helpful to processors of PII using cloud computing.
And while you must have an active ISO 27001 certification (or at least be in progress toward one), it’s important to note that there are no management system requirements within ISO 27018. Rather, 27018 supplements the ISO/IEC 27001:2013 Annex A control set with 25 extended controls unique to cloud service providers that process PII.
These unique controls are associated with the 11 privacy principles within ISO 29100 and address topics such as consent, choice, data minimization and retention, and disclosure limitation.
Early adopters of ISO 27018 included Dropbox and Microsoft, but any organization that processes PII in the public cloud, whether private, public, government, or non-profit, can consider conforming to the guidelines within ISO 27018 to complement its current ISO 27001 certification.
While ISO 27018 is specific to the processing of PII in the public cloud, the controls and guidance in the standard can also be relevant to PII controllers. Note, however, that controllers may also be subject to additional PII protection legislation, regulations, and obligations that ISO 27018 does not cover.
What is ISO 27701?
That leads us to ISO 27701, which, like 27018, builds on 27001. But unlike ISO 27018, 27701 does have management system requirements: its objective is to help you fold a Privacy Information Management System (PIMS) into your existing ISO 27001 information security management system (ISMS).
The good news is that integrating the 27701 data privacy framework should be fairly straightforward if you’re familiar with ISO 27001, because it's largely based on those requirements and controls; there are just additional privacy-specific controls that need to be added. These are detailed within four clauses and Annexes A and B:
- Clause 5: PIMS requirements for ISO/IEC 27001 compliance
- Clause 6: PIMS guidance for ISO/IEC 27002 (i.e., additional implementation guidance for the ISO 27001 Annex A controls)
- Clause 7: PIMS guidance for PII Controllers
- Clause 8: PIMS guidance for PII Processors
- Annex A: PIMS-specific control objectives and controls for PII Controllers
- Annex B: PIMS-specific control objectives and controls for PII Processors
When standing up your PIMS alongside your ISMS, you’ll need to follow this guidance, which will have you implement specific, tactical controls for managing PII, including how this information is obtained, used, disclosed, and deleted. That includes creating documentation to support your policies, procedures, and activities regarding privacy.
You can choose which control sets are applicable to your scope, depending on how you classify yourself as an organization—Controller, Processor, or perhaps even both.
As with the ISMS for ISO 27001, 27701 requires you not only to establish a PIMS that addresses all those specific privacy controls, but also to maintain and continually improve it.
ISO 27018 or ISO 27701?
Now that we’ve established how both of these standards address privacy protections, which certification is more suited to you? Here’s a direct side-by-side comparison:
| | ISO 27018 | ISO 27701 |
| --- | --- | --- |
| Suited To | PII Processors | PII Controllers, Processors, or organizations in or out of the cloud |
| Effort Involved | No management system considerations; additional control set (25 controls) | Comprehensive PIMS management system and additional control set mean more preparation and ongoing effort (though your number of controls depends on your role as PII processor, controller, or both) |
| Additional Mappings? | | Addresses General Data Protection Regulation (GDPR) requirements |
It comes down to this:
- For PII Controllers, it makes sense to get ISO 27701 certified because you’ll be taking a systemic approach to privacy protection. Given the responsibility you bear, it makes sense to take advantage of the customization you’ll be able to do within the PIMS.
- For PII Processors, you’ll need to decide between just adding the 27018 control set to your ISO 27001 ISMS or if you also want to take that more comprehensive approach of 27701 / PIMS.
ISO certification has become a gold standard for providing assurances regarding security posture, and ISO 27018 and ISO 27701 both represent very good options for additional privacy considerations. Though the latter supports a wider, international range of data protection and privacy legislation, the heavier lift of a PIMS implementation may not suit your resources as well as ISO 27018’s control set, with its control objectives and guidelines for protecting PII.