ISO/IEC 27018
ISO/IEC 27018:2019 Annex A controls for protecting PII in public clouds, aligned with cloud processor obligations.
Requirements in this framework (41)
- Access to data on pre-used data storage space
- Classification of information
- Cloud service customer user ID contracts
- Confidentiality or non-disclosure agreements
- Contracts regarding PII processing
- Control of data restoration
- Disclosure of sub-contracted PII processing
- Encryption of PII transmitted over public networks
- Event logging
- Geographical location of PII
- Identification of applicable legislation and contractual requirements
- Information backup
- Information security awareness, education and training
- Information security roles and responsibilities
- Information transfer policies and procedures
- Intended destination of PII
- Key management
- Mutually agreed upon PII disposal process
- Notification of a data breach involving PII
- Obligation to cooperate regarding PII principals' rights
- PII disclosure notification
- PII return, transfer and disposal
- Policies for information security
- Policy on the use of cryptographic controls
- Privacy and protection of personally identifiable information
- Protection of log information
- Protection of PII on storage media leaving the premises
- Public cloud PII processor's commercial use
- Public cloud PII processor's purpose
- Recording of PII disclosures
- Responsibilities and procedures
- Restriction of creation of hardcopy material
- Retention period for administrative security policies
- Secure disposal of hardcopy materials
- Secure disposal or re-use of equipment
- Secure erasure of temporary files
- Secure log-on procedures
- Sub-contracted PII processing
- Unique use of cloud service customer user IDs
- Use of unencrypted portable storage media and devices
- User registration and de-registration