■ ISO 27018 public cloud personally identifiable information protection management system certification
Cloud technology has led to the rapid growth of the global cloud service market. Cloud services are being adopted quickly by individuals and enterprises, and there is a large market for cloud service applications in government and public-facility scenarios. While cloud technology drives the rapid growth of the market, the information security and data security risks that arise from the characteristics of cloud services attract increasing attention from society and regulators. Whether the service is IaaS, PaaS or SaaS, the compliance and trustworthiness of cloud services have become key considerations for customers.
Personally identifiable information (PII) refers to any information that can be used to identify a specific individual, such as a person's name, account and password, email address, web browsing records, online shopping records, and so on. ISO/IEC 27018 addresses the control of PII in the cloud scenario. It provides control requirements and implementation guidance for measures to protect PII, and it is consistent with the privacy principles of the ISO/IEC 29100 privacy framework and with national regulations on personal data privacy.
■ As a professional certification body in the domestic IT field, ZOHOCERT provides you with one-stop, comprehensive privacy information management and improvement services:
ISO 27018 management system certification
ISO 27018 special assessment and gap analysis
ISO 27018 standard interpretation training
ISO 27018 internal auditor training
■ ISO 27018 certification process
1. Pre-assessment (optional)
2. Submit an application for certification
3. Sign the certification contract
4. Certification site audit
5. Issue certificates
6. Annual supervisory audit
■ Benefits of ISO 27018 certification
Protects the personal information and data processed in the course of your cloud services and reduces the risk of leakage
Demonstrates the compliance of your cloud services business
Delivers greater trust to your customers and partners
Gives you a better chance of winning more orders and customers
Improves your credibility and business image, making you more competitive in cloud services
■ Certification standard
ISO/IEC 27018:2019 Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
■ Characteristics and value of ZOHOCERT
A professional service organization that has been deeply involved in the IT information industry for many years.
A team of senior academic and management experts with more than 20 years of practical experience.
Certification is based on ISO/IEC 27018 and applies to public cloud service providers and other organizations that provide information processing services as a PII processor through cloud computing.
| Category | Professional category | Category name |
|---|---|---|
| 01 Government affairs | 01.01 | National institutions |
| | 01.02 | Tax authorities |
| | 01.03 | Customs |
| | 01.04 | Other |
| 02 Public services | 02.01 | Communication, radio and television |
| | 02.02 | Press and publication |
| | 02.03 | Scientific research |
| | 02.04 | Social security |
| | 02.05 | Medical services |
| | 02.06 | Education |
| | 02.07 | Other |
| 03 Business | 03.01 | Finance |
| | 03.02 | Electronic commerce |
| | 03.03 | Logistics |
| | 03.04 | Consulting and intermediary services |
| | 03.05 | Tourism, hotels and restaurants |
| | 03.06 | Other |
| 04 Production | 04.01 | Power |
| | 04.02 | Railway |
| | 04.03 | Civil aviation |
| | 04.04 | Chemical industry |
| | 04.05 | Aerospace |
| | 04.06 | Water conservancy |
| | 04.07 | Transportation |
| | 04.08 | Information and communication technology |
| | 04.09 | Metallurgy |
| | 04.10 | Mining |
| | 04.11 | Food, medicine and tobacco |
| | 04.12 | Agriculture, forestry, animal husbandry, by-products and fisheries |
| | 04.13 | Other |
1 Scope of application
This certification scheme applies to the management system certification in the information field implemented by Shanghai Zhonghao Certification Co., Ltd. (hereinafter "ZOHO"). It meets the requirements for third-party certification and serves as the standard for providing certification services. Where necessary, supplementary technical requirements shall be specified in the certification contract.
The certification catalogue and certification basis standards for the information-field management systems covered by this scheme are listed in Annex 1. This scheme does not apply to information technology service management system certification or information security management system certification; for those, see the "Information Technology Service Management System and Information Security Management System Certification Implementation Plan".
This certification scheme shall be confirmed and adopted by both parties when the contract is signed.
2 Certification mode
ZOHO first audits the applicant's management system and, after assessment, decides whether to grant certification. After certification, ZOHO monitors the certified customer's management system during the validity period of the certificate to confirm that it continues to meet the certification requirements.
3 Certification Process Flow Chart
4 Basic conditions for certification applications
a. The applicant has a clear legal status. It holds a business license, a legal-person certificate of a public institution, a registration certificate of a social organization, a registration certificate of a non-enterprise legal person, an establishment document of a party or government agency, or similar, and can apply for certification independently; other types of applicants shall apply through a qualified unit acting on their behalf.
b. Where required by national, local or industry regulations, the applicant holds the prescribed administrative licensing documents, and the scope applied for is within the scope approved by its legal-status documents and administrative licensing documents.
c. The applicant has established a documented management system in accordance with the corresponding management system standard, has operated it stably for at least 3 months before the initial certification on-site audit, and commits to continue operating it effectively during the validity period of the certificate.
d. The applicant commits to comply with national laws, regulations and other requirements, to abide by the relevant certification provisions at all times, to bear the legal responsibilities related to certification, to assist the supervision and inspection of the certification regulatory authorities, and to provide materials and information truthfully for inquiries and investigations into relevant matters.
e. The applicant has not been ordered by a law enforcement or supervisory department to suspend business for rectification, has not been placed on the "list of seriously illegal enterprises" in the National Enterprise Credit Information Publicity System, and has not violated relevant national laws and regulations or falsely reported or concealed information required to obtain the certificate.
f. The applicant shall inform ZOHO of any requirements regarding the qualifications of the certification body or the background of certification personnel, of the applicable laws and regulations on the protection of state secrets or the maintenance of national security, and of whether any management system documents or records cannot be provided to the audit team for verification because they contain confidential or sensitive information.
g. The applicant submits the application materials to ZOHO in accordance with the requirements of the "Application for Certification of Zhonghao Logo Management System" and its corresponding annex.
h. After obtaining ZOHO certification, the customer commits to use the certificate, certification marks and related information in accordance with the regulations, and shall not use the wording or symbols of the management system certificate without authorization in a way that misleads the public into believing that its products or services have been certified; it shall pay the certification fee according to the contract and accept supervision according to the regulations.
i. After obtaining certification, the certified customer commits to inform ZOHO, as required by ZOHO, of changes to the management system and of other matters that may affect the ability of the management system to continue to meet the requirements of the certification standard. These generally include: major complaints from customers and relevant parties; the products or services provided being placed on a "blacklist" by law enforcement or supervisory departments; major accidents related to the management system; changes in relevant circumstances (including legal status, production and operating status, organization or ownership, qualification certificates, legal representative, top management or management representative, service premises, scope of activities covered by the management system, and major changes to the management system or important processes); and other important situations affecting the operation of the management system.
j. During the certification audit, the applicant is able to present the products, services and activities related to the proposed scope of certification.
5 Audit Implementation
5.1 Audit criteria
The audit criteria agreed between the certification parties are as follows:
a. Certification basis standards (see Annex 1);
b. Audit criteria also include procedures, standards, laws and regulations, codes of practice, contractual requirements and industry norms applicable to the audited party.
5.2 audit process
5.2.1 Initial certification audit
The initial certification audit is normally carried out in two stages: stage 1 and stage 2.
5.2.1.1 Stage 1 audit
Taking into account the professional characteristics of the activities covered by the auditee's management system, the audit team confirms the auditee's understanding and implementation of the standard, the key points that have an important impact on achieving the objectives, compliance with relevant laws and regulations, and the scope of the management system, based on the management system documents, system operating processes, operating sites and site conditions provided by the auditee. The team reviews whether the resources allocated for the stage 2 audit and the degree of implementation of the management system show that the auditee is ready for stage 2, and agrees the details of the stage 2 audit with the applicant in order to determine the stage 2 audit arrangements.
The findings of the stage 1 audit may lead to postponement or cancellation of the stage 2 audit.
5.2.1.2 Stage 2 audit
The audit team shall evaluate on site the implementation of the auditee's management system, including its conformity and effectiveness. The stage 2 audit covers at least the following aspects:
a. Conformity with all requirements of the applicable management system standards and other normative documents;
b. Monitoring, measurement, reporting and review of performance against key performance objectives and indicators;
c. Aspects of the management system and its performance relating to legal compliance;
d. Operational control of the auditee's processes;
e. Fulfilment of management responsibilities, including responsibilities specific to the policies;
f. Planning and achievement of the functional-level objectives established to achieve the overall objectives;
g. Linkages between normative requirements, policies, performance objectives and targets, applicable legal requirements, responsibilities, personnel competence, operations, procedures, performance data, and internal audit findings and conclusions.
5.2.2 Supervisory activities
5.2.2.1 Form of supervisory activities
ZOHO combines on-site supervisory audits with routine supervision (such as monitoring quality information bulletins issued by relevant national departments, monitoring information from the certified customer's relevant parties, routinely tracking information about certified customers, reviewing certified customers and their operating instructions, and requiring certified customers to provide documents and records).
5.2.2.2 Contents of post-certification supervisory audits
a. Maintenance of the system and any changes (e.g. resources, processes, organizational structure, identified critical control points);
b. Customer complaints;
c. Changes to the scope;
d. Effectiveness of management system implementation;
e. Progress of activities planned for continual improvement;
f. Measures taken in response to non-conformities identified in the previous audit, and their effect;
g. Use of certificates and marks and/or any other reference to certification;
h. Other selected areas as appropriate.
Certified customers shall keep all complaint records and provide them to ZOHO on request. Based on the above information, ZOHO re-evaluates the certified customer's management system to confirm whether it continues to meet the certification requirements. For certified organizations that pass the supervisory audit, a decision to maintain certification is made; otherwise, certification is suspended or withdrawn. If, following a supervisory audit, the certified customer does not close the non-conformities as required, the certificate may be suspended.
5.2.2.3 Frequency of supervisory audits
During the validity period of the certificate, the certified customer shall undergo supervisory audits. The first supervisory audit after initial certification or recertification shall be carried out within 12 months of the date of the certification decision; subsequent supervisory audits shall be carried out at least once every calendar year (except in the year in which recertification is due), and the interval since the previous supervisory audit shall not exceed 15 months.
If the certificate is suspended because the certified customer failed to undergo a supervisory audit within the specified time, then once the supervisory audit has been resumed, the next audit date is calculated from the originally planned date.
ZOHO shall increase the frequency of supervision or arrange a short-notice audit in any of the following cases:
a. The certified customer has made major changes to its management system or major problems have arisen;
b. There is sufficient information to show that the certified customer has undergone changes to its organization, management system or other matters affecting the basis of certification;
c. A major accident related to the certified customer's management system has occurred;
d. Other considerations.
5.2.3 Recertification
Certified customers must apply for recertification at least three months before the certificate expires. The purpose of the recertification audit is to verify the continued overall conformity and effectiveness of the organization's management system as a whole, and the continued relevance and suitability of the scope of certification.
ZOHO will arrange a special audit, or bring forward the recertification audit in agreement with the certified customer, when it finds that the certified customer has undergone significant changes that seriously affect the operation of the management system, or when complaint analysis and other information show that the certified customer no longer meets the certification requirements. The recertification audit also focuses on the performance of the management system over the certification cycle, including review of the previous supervisory audit reports.
For multi-site or combined audits, the recertification audit shall ensure that the on-site audit has sufficient coverage to provide confidence in the management system certification.
A stage 1 audit is not normally conducted during recertification, but may be required when there are significant changes in the certified customer's management system or in its internal and external operating environment. During recertification, the certified customer shall undergo the ZOHO audit before the current certificate expires and close the non-conformities raised by the audit team within the specified time. Otherwise, if ZOHO cannot make a certification decision within 6 months after the expiry of the original certificate for reasons attributable to the certified customer, the recertification audit becomes invalid.
5.2.4 Special audits
5.2.4.1 Audit to extend the scope of certification
For certified customers, ZOHO reviews the application to extend the scope of certification and determines the audit activities required for the extension decision; these may be carried out at the same time as a supervisory audit.
5.2.4.2 Short-notice audits
ZOHO may need to conduct short-notice audits of certified customers in order to investigate complaints, respond to changes, or follow up on suspended certified customers. In such cases ZOHO shall:
1. Explain to the certified customer, and make it aware in advance of, the conditions under which such audits are carried out;
2. Assign experienced auditors to form the audit team.
5.3
The audit team shall communicate with the audited party before the on-site audit to confirm the audit arrangements and explain the agenda of the opening and closing meetings. The audit team shall carry out the audit according to the schedule in the audit plan, collecting and verifying relevant information on a sampling basis by appropriate methods such as reviewing the audited party's documents and records, interviewing the personnel responsible for processes and activities, and observing the service delivery processes and activities. Where necessary, the audit team shall carry out technical tests to establish audit findings and confirm the audit situation.
During the audit, the audit team communicates with the audited party in a timely manner, reports on the progress of the audit, confirms the audit evidence, and resolves any differences. When the audit findings indicate that the audit objectives cannot be achieved, the reasons shall be explained and follow-up measures agreed. If the audit objectives or scope need to be changed, or the audit terminated, this shall be done only after review and approval by the audit dispatching body.
The audit team leader shall communicate the on-site audit findings to the auditee, ask the auditee to confirm the problems found and the non-conformity reports, agree the arrangements for follow-up of non-conformities, and confirm the audit conclusion. The audit team shall prepare the audit report and submit it to the audited party.
The audit report is the property of ZOHO. If there is any change in the audit follow-up activities (including during ZOHO's certification decision period), ZOHO will provide the audit report to the audited party again. The audited party shall properly keep the audit report, non-conformity reports, correction materials and other related materials.