ISO 27018 and its Extensibility

old.reddit.com / @/u/Radishingz, https://old.reddit.com/user/Radishingz

Hi all,

I had a quick question, I am mostly familiar with 800-53. I am helping with some privacy components, and I have a cloud SaaS that has a ISO 27018 certification as well as 27001.

The customer has not completed for example incident response protocols with the cloud provider, etc.. How does the ISO 27018 look at those when they are assessed "just" as a provider.

Everywhere I look it seems that PII processing at the ISO 27018 is assessed considering the customer (I dont have access to the ISO control list, so I am a bit blind)
How do they contuct ISO 27018 audits without a customer, obtain a certification and the certification basically extends to the customer... I am scratching my head a bit on this one. Unless the provider is bound to establish processes with the customer, in which case I would have no evidence for.

Thank you all! Hopefully this was a clear question, I am just a bit questionning my reasoning here.

submitted by /u/Radishingz
[link] [comments]

published 18 days ago


Previous

Advice on GCC High for Small Business. Is it worth it?
published 21 days ago

Next

Cisco STIG Automation with Ansible
published 18 days ago
See all items from the same source