In December 2017, Tencent Cloud attained the ISO/IEC 27018 international certification in relation to public cloud information protection, becoming the pioneering batch of cloud service providers to achieve such a high accolade, and this signifies that the Tencent Cloud Personal Information Management System meets the stipulations of stringent foreign laws and regulations on Personal Information Protection. Tencent Cloud's Personal Information Management System has entered the advanced ranks of cloud service providers worldwide, providing Tencent Cloud customers with added trust and assurance on its cloud security.
What is the ISO27018 Certification?
ISO27018 is an international standards agreement promulgated by the International Organization for Standardization (ISO) in 2014 and has upgraded to the second edition in January of 2019, and is the first set of international criterion that is dedicated to Personal Information Protection in the Cloud.
ISO27018 is based on the ISO27002 Information Security Standard, and sets out guidelines applicable to the ISO27002 control system pertaining to Personal Identifiable Information (PII) in the cloud. The purpose of the same is to satisfy the requirements of the Public Cloud PII that the current ISO27002 standards have fallen short of. Passing the ISO 27018 certification proves that Tencent Cloud's security protection system meets international standards to protect personal identity information in the public cloud from infringement.
What does the evaluation for the ISO27018 certification comprise of?
The Tencent Cloud certification extends to its global business lines in key countries and territories. Tencent Cloud makes use of its professional resources to collect and analyze the personal information laws and regulations in its overseas IDC, such as the GDPR in the European Union and the PDPA in Singapore. This is integrated with the requirements of the ISO27018 standard, whereupon an analysis is conducted on numerous laws and regulations from multiple countries in concert with the Tencent Cloud product data flow, so as to comprehensively identify Personal Identifiable Information (PII) with regard to its various products. Subsequently, the effectiveness of its control measures are enhanced, so that they have the ability to meet the requirements of strict international personal information protection laws and regulations, thereby improving the Tencent Cloud personal information protection system.
In China, the Cybersecurity Law was implemented on 1 June 2017, whose main scope encompasses “one system, four areas”. In particular, reinforcing personal information protection takes center stage. Articles 40 and 42(2) state that, “network operators shall keep the personal information they collect strictly confidential and shall establish an all-inclusive user information protection regime. Network operators shall adopt technological and other necessary measures to ensure that the personal information they have collected is secure as well as to prevent information leakage, destruction and loss”.
What is the significance of the ISO27018 certification?
The Tencent Cloud Personal Information Management System has fully interpreted the requirements on personal information protection that the Cybersecurity Law and other relevant laws stipulate. A protection framework is enacted with the life cycle of personal information in mind, with particular emphasis on beforehand, in-process and afterwards data protection. Before the event, an evaluation is carried out on personal information risk according to certain applicable scenarios and corresponding protective strategies are put in place. During the event, the purpose and use of data is restricted so as to limit any data re-disclosures. After the event, if encrypted data was leaked, emergency plans are activated to contain the damage. The Tencent Group will leverage its years of accumulated security experience and together with its professional security team, create a compliant and reliable cloud service for users.