Michael Fuller, Director, Coalfire ISO
Covering both Sides of the PII fence with ISO 27001 and 27018

The rapid expansion of Cloud-based services clearly points to the convenience of these services in the market. In a few short years, CIOs and CTOs have had to relinquish more control of their data because the efficiencies of the Cloud are impossible to ignore. The global ubiquity of the Cloud, however, can cause major cross-border and cross-state headaches, especially for massively scaled systems such as Google and Facebook. Many companies and consumers are still nervous and suspicious, driven by a lack of confidence in information security as it relates to personally identifiable information (PII). The issue is significant for Cloud Services providers and their customers both in the U.S. and internationally, as demonstrated by the recent Safe Harbor/Privacy Shield debacle.

Businesses are used to dealing with specific classes of information, such as credit card or healthcare information, because there are clear controls required for the protection of those specific types of data. PII and the concept of Privacy, however, are more nebulous and not as clear-cut for companies that are used to taking the usual controls-based approach to information security.

ISO 27001 provides an excellent framework for the management of information security within the organization. It provides a solid baseline for any class of information, and it is well-respected for the rigor of its application, as attested to in formal certification. ISO 27018 extends that baseline for Cloud Service Providers and their customers, providing help and clarity around the critical question of chain-of-custody in information security. In other words, who's responsible for what?

This paper is about the value proposition offered by ISO 27001 and ISO 27018 in tandem, for both the information security community and consumers whose information is under siege.