The Cronofy team is pleased to announce that we have completed our yearly ISO27001 surveillance audit whilst successfully adding ISO27018 to the scope of our Information Security Management System (ISMS). The International Organization for Standardization who provide these security and data handling benchmarks is known as ISO.
What is ISO27018:2019?
ISO27018:2019 is a code of practice specifically related to the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors. Alongside ISO27001, ISO27018 provides a set of objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII). This is in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO27018 is not a standard that organizations can be certified against. It is a set of controls and guidelines, which specify how to protect PII in the cloud. ISO27018 is used to enhance an organization’s overall information security management system.
What is Personally Identifiable Information (PII), and why do we need to protect it?
PII is information that could be used to identify an individual. Some examples of PII are:
- A person's name
- Their date of birth
- Their address
- Bank details
- IP addresses
- Medical records
- And more...
Businesses like Cronofy must protect PII because when that data is not protected, a threat actor or malicious party could use the data to commit fraud or steal an individual’s identity. The increased usage of PII online has led to an increase in threat actors looking to exploit businesses’ vulnerabilities, steal sensitive information, and the sale of PII on the dark web.
Data breaches can of course have adverse effects for organizations. These effects can result in a range of consequences monetary damage (fines) to reputational damage and customer loss. It is the responsibility of businesses to protect PII and ensure that data is safe and secure at all times.
What does ISO27018 mean for Cronofy customers?
Annex A of ISO27018 sets out controls and guidelines, created to ensure that PII is protected at all times. Here's a list of these controls:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
The news of the implementation of ISO27018, alongside Cronofy's existing ISO27001, SOC2, GDPR, HIPAA and CCPA compliance is another important milestone for Cronofy's customers and their users. It provides them with assurance that PII, data, and information are processed and stored appropriately, prioritising the importance of keeping this data secure at all times.
What's coming up next?
As part of running an effective information security program, Cronofy is committed to continual improvement. We are working towards ISO27701:2019, which is an extension to ISO27001 and involves Cronofy establishing a Privacy Information Management System (PIMS). We aim to start the audit process for ISO27701 in March 2022.
If you have any further questions, please do not hesitate to reach out to us at privacy@cronofy.com.