This course is aimed at assisting cloud service providers and their customers understand the additional guidance and controls contained within ISO/IEC 27018.The additional controls will enable providers and their customers to comply with any applicable legislation and regulations and better protect information when processing PII in the Cloud.

Course description

The protection of PII from both internal and external threats is a major concern for every organization, irrespective of size or market sector.  Furthermore, if that PII information is held in the Cloud, information security risks can increase and the requirement to have effective and specific cloud security controls in place is critical.

The purpose of ISO/IEC 27018, when used in conjunction with the information security objectives and controls in ISO/IEC 27002, is to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. The Standard does not replace applicable legislation and regulations, (e.g. EU GDPR and HIPAA), but provides a common compliance framework for public cloud service providers, in particular those that operate in a multinational market.

This course is aimed at both cloud service providers and customers who are engaging with a cloud service provider. The course will help to ensure that the appropriate information security controls are in place for protecting PII processed by cloud service providers under contract to their customers.

How will I benefit?

This course will help cloud service providers:

• Identify key benefits associated with using ISO/IEC 27018 for protecting PII within the cloud services they provide, alongside an effective ISMS
• Consider Cloud and PII specific risks and associated ISO/IEC 27018 controls
• Understand the rationale behind the controls, their usage and implementation
• Establish an appropriate level of protection for PII within the cloud services they provide

This course will also help cloud service customers discuss and negotiate a suitable contract with a cloud service provider, ensuring that the latter implements appropriate controls. It will also help in developing a mechanism for exercising audit and compliance rights and responsibilities.

What will I learn?

You will be able to explain:

• Typical information security risks for PII in cloud services
• Background and purpose of ISO/IEC 27018
• Scope and structure ISO/IEC 27018
• The benefits of implementing ISO/IEC 27018
• Typical ISO/IEC 27018 control implementation and integration with ISO /IEC 27001 and 27002
• How the key concepts and requirements of ISO/IEC 27001 work when implementing ISO/IEC 27018
• And explore/select ISO/IEC 27018 controls, relevant to your risk assessment, through practical scenarios
• Specific guidance for cloud service providers

Who should attend?

Anyone who wants to learn what controls and measures can be implemented in order to protect PII in a cloud computing environment.

The course is applicable to representatives from cloud service providers who plan, implement, maintain, supervise or assess information security controls, as part of an information security management system.

Equally, the course is applicable to customers who are seeking reassurances that their provider is adopting well-governed cloud-based PII processing services.

Duration

1 day

How will I learn?

Our unique accelerated approach fast tracks learning, improves knowledge retention and ensures you get the skills to apply your knowledge straight away. This course involves practical activities, group discussions and classroom learning to help you develop a deeper understanding of the material and have a greater impact on job performance.

What will I gain?

On completion, you’ll be awarded an internationally recognized BSI Training Academy certificate.

Prerequisites

You should have a good knowledge of ISO/IEC 27002:2013 and ISO/IEC 27001:2013, as well as the key principles of an ISMS.

Many delegates on this course will have already attended our Information Security Management System (ISMS) Requirements of ISO 27001:2013, or Information Security Management System (ISMS), or Implementing ISO/IEC 27001:2013 course.

We also recommend an understanding of the different types of cloud services (e.g. IaaS, PaaS, SaaS, etc.), as well as the cloud deployment models (Private, Public, Hybrid, etc.).

Further information

Detailed course notes and lunch are provided.

Related training

You may also be interested in the ISO/IEC 27001 Requirements, Implementing or Auditing courses, and our Information Security Controls for Cloud Services Course (ISO/IEC 27017:2015). BSI also delivers a wide range of data protection related courses including a series of GDPR Foundation, Implementation and Auditing/Maintenance courses, a series of ISO/IEC 27701:2019 Requirements, Implementation and Auditing courses and a series of BS 10012:2017 Requirements, Implementation and Auditing Courses.