ISO/IEC INTERNATIONAL STANDARD 27018 Second edition 2019-01 Information technology Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors Technologies de I'information - Techniques de sécurité Code de bonnes pratiques pour la protection des informations personnelles identifiables (Pll) dans I'informatique en nuage public agissant comme processeur de PI Reference number IS0/IEC 27018:2019(E) IEC IS0/IEC2019 IS0/IEC 27018:2019(E) COPYRIGHTPROTECTEDDOCUMENT @IS0/IEC2019 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may below or Iso's member body in the country of the requester. ISOcopyrightoffice CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Fax: +41 22 749 09 47 Email: copyright@iso.org Website: www.iso.org Published in Switzerland ii @ IS0/IEC 2019 - All rights reserved IS0/IEC 27018:2019(E) Contents Page Foreword ..vi Introduction .vii 1 Scope. .1 2 Normative references 3 Terms and definitions .1 4 Overview .3 4.1 Structure of this document .3 4.2 Control categories .4 5 Information security policies .4 5.1 Management direction for information security 4 5.1.1 Policies for information security.. .4 5.1.2 Review of the policies for information security 5 6 Organization of information security 5 6.1 Internal organization. .5 6.1.1 Information security roles and responsibilities 5 6.1.2 Segregation of duties. 5 6.1.3 Contact with authorities.. 5 6.1.4 Contact with special interest groups 5 6.1.5 Information security in project management 5 6.2 Mobile devices and teleworking. 5 7 Human resource security. 5 7.1 Prior to employment. 5 7.2 During employment. 5 7.2.1 Management responsibilities. 6 7.2.2 Information security awareness, education and training 6 7.2.3 Disciplinary process. 6 7.3 Termination and change of employment 6 8 Asset management 6 Access control. 6 9.1 Business requirements of access control. .6 9.2 User access management 9.2.1 User registration and de-registration 7 9.2.2 User access provisioning. 7 9.2.3 Management of privileged access rights 7 9.2.4 Management of secret authentication information of users.. 7 9.2.5 Review of user access rights 7 9.2.6 Removal or adjustment of access rights .7 9.3 User responsibilities. 9.3.1 Useofsecretauthenticationinformation 9.4 System and application access control. 9.4.1 Informationaccessrestriction 9.4.2 Secure log-on procedures 8 9.4.3 Password management system 8 9.4.4 Use of privileged utility programs. 8 9.4.5 Access control to program source code .8 10 Cryptography. 8 10.1 Cryptographic controls 8 10.1.1 Policy on the use of cryptographic controls 8 10.1.2 Key management .8 IS0/IEC2019-Allrightsreserved iii IS0/IEC 27018:2019(E) 11 Physical and environmental security .8 11.1 Secure areas 8 11.2 Equipment .9 11.2.1 Equipment siting and protection 9 11.2.2 Supporting utilities 11.2.3 Cabling security 9 11.2.4 Equipment maintenance 9 11.2.5 Removal of assets. 9 11.2.6 Security of equipment and assets off-premises 9 11.2.7 Secure disposal or re-use of equipment .9 11.2.8 Unattended user equipment .9 11.2.9 Clear desk and clear screen policy .9 12 Operations security .9 12.1 Operational procedures and responsibilities .9 12.1.1 Documented operating procedures. 10 12.1.2 Change management. 10 12.1.3 Capacity management. 10 12.1.4 Separation of development, testing and operational environments. 10 12.2 Protection from malware. 10 12.3 Backup. 10 12.3.1 Information backup 10 12.4 Logging and monitoring. 11 12.4.1 Event logging. .11 12.4.2 Protection of log information 11 12.4.3 Administrator and operator logs 11 12.4.4 Clock synchronization. 12 12.5 Control of operational software. 12 12.6 Technical vulnerability management .12 12.7 Information systems audit considerations. 12 13 Communications security .12 13.1 Network security management. .12 13.2 Informationtransfer 12 13.2