ISO/IEC INTERNATIONAL STANDARD 27018 Second edition 2019-01 Information technology Security techniquesCodeofpracticefor protection ofpersonally identifiable information (PIl) in public clouds acting as Pll processors TechnologiesdeI'information-Techniquesdesecurite-Codede bonnes pratiques pour la protection des informations personnelles identifiables(PIl)dansI'informatiqueennuagepublicagissant commeprocesseurdePll Referencenumber IEC IS0/IEC27018:2019(E) @IS0/IEC2019 IS0/IEC27018:2019(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC2019 All rights reserved.Unless otherwise specified,orrequired in the contextofits implementation,no part of this publicationmay be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting beloworIso'smemberbodyinthecountryoftherequester. ISOcopyrightoffice CP401.Ch.deBlandonnet8 CH-1214 Vernier, Geneva Phone:+41227490111 Fax:+41227490947 Email:[email protected] Website:www.iso.org Published in Switzerland ii IS0/IEC2019-All rightsreserved IS0/IEC27018:2019(E) Contents Page Foreword .vi Introduction. .vi 1 Scope.. .1 2 Normativereferences 1 3 Terms and definitions .1 4 Overview .3 4.1 Structure ofthis document .3 4.2 Control categories 4 5 Information security policies. 4 5.1 Management direction forinformation security .4 5.1.1 Policies for information security. 4 5.1.2 Reviewof thepoliciesforinformation security 5 6 Organization ofinformation security 5 6.1 Internal organization. 5 6.1.1 Informationsecurityrolesandresponsibilities 5 6.1.2 Segregation of duties.... 5 6.1.3 Contact with authorities 5 6.1.4 Contact with special interest groups 5 6.1.5 Information security in project management. 5 6.2 Mobile devices and teleworking .5 7 Human resource security 5 7.1 Priorto employment 5 7.2 During employment 5 7.2.1 Management responsibilities. 6 7.2.2 Information security awareness, education and training 6 7.2.3 Disciplinary process. 6 7.3 Termination and change of employment 6 8 Assetmanagement .6 9 Accesscontrol .6 9.1 Business requirements of access control 6 9.2 User access management. 6 9.2.1 Userregistration and de-registration 7 9.2.2 Useraccess provisioning. 7 9.2.3 Managementofprivilegedaccessrights 7 9.2.4 Management of secret authentication information of users. 7 9.2.5 Reviewofuseraccessrights 7 9.2.6 Removalor adjustment of accessrights 7 9.3 User responsibilities. 7 9.3.1 Useofsecretauthenticationinformation 7 9.4 System andapplication access control. 7 9.4.1 Information access restriction .7 9.4.2 Secure log-onprocedures. .8 9.4.3 Passwordmanagement system .8 9.4.4 Use ofprivileged utilityprograms .8 9.4.5 Accesscontroltoprogramsourcecode .8 10 Cryptography .8 10.1 Cryptographic controls .8 10.1.1 Policyontheuseof cryptographiccontrols .8 10.1.2 Keymanagement. .8 IS0/IEC2019-Allrightsreserved ili