What It Is

ISO/IEC 27018:2025 is a code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Its primary scope targets cloud-specific privacy risks like multi-tenancy and cross-border flows, using a risk-based approach integrated into an Information Security Management System (ISMS).

Key Components

• Core domains: transparency, contractual obligations, data subject rights support, breach management, data minimization.
• ~25-30 additional privacy controls mapped to ISO 27001 Annex A (93 controls).
• Built on principles: consent, purpose limitation, accountability.
• Assessed via ISO 27001 audits; no standalone certification.

Why Organizations Use It

Enhances trust, accelerates procurement, aligns with GDPR Article 28, reduces risk in cloud outsourcing. Provides competitive differentiation for CSPs, favorable insurance terms, and evidence of due care.

Implementation Overview

Conduct gap analysis against existing ISMS, update Statement of Applicability, implement controls like subprocessor disclosure. Suited for CSPs of all sizes; requires annual audits post-ISO 27001 certification. Focuses on documentation, training, technical safeguards.

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It provides a principle-based, outcome-oriented approach to cybersecurity governance, focusing on detecting, resisting, responding to, and recovering from cyber threats across information assets.

Key Components

• Four principal **domainsCyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Cyber Security.
• Numerous subdomains with principles, objectives, and control considerations (over 100 subcontrols).
• Six-level maturity model (Level 0-5), with Level 3 (structured/formalized) as regulatory baseline.
• Built on NIST, ISO 27001, PCI-DSS; enforced via self-assessments and SAMA audits.

Why Organizations Use It

• Mandatory compliance for banks, insurers, etc., avoiding penalties and scrutiny.
• Enhances resilience, reduces incident risks, enables efficiency and partnerships.
• Builds stakeholder trust, competitive edge in digital finance.

Implementation Overview

• Phased roadmap: gap analysis, risk assessment, control deployment, monitoring.
• Applies to all SAMA entities; scalable by size.
• Requires self-assessments, evidence portfolios; no external certification.