1、 ISO/IEC 2014. CSA Group 2015. All rights reserved. Unauthorized reproduction is strictly prohibited.CAN/CSA-ISO/IEC 27018:15(ISO/IEC 27018:2014, IDT)National Standard of CanadaCAN/CSA-ISO/IEC 27018:15Information technology Security techniques Code ofpractice for protection of personally identifiabl
2、einformation (PII) in public clouds acting as PII processors(ISO/IEC 27018:2014, IDT)Legal Notice for StandardsCanadian Standards Association (operating as “CSA Group”) develops standards through a consensus standards development process approvedby the Standards Council of Canada. This process bring
3、s together volunteers representing varied viewpoints and interests to achieve consensusand develop a standard. Although CSA Group administers the process and establishes rules to promote fairness in achieving consensus, it doesnot independently test, evaluate, or verify the content of standards.Disc
4、laimer and exclusion of liabilityThis document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation,implied warranties or conditions concerning this documents fitness for a particular purpose or use, its merchantability, or
5、 its non-infringementof any third partys intellectual property rights. CSA Group does not warrant the accuracy, completeness, or currency of any of the informationpublished in this document. CSA Group makes no representations or warranties regarding this documents compliance with any applicablestatu
6、te, rule, or regulation.IN NO EVENT SHALL CSA GROUP, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS,OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED,INCLUDING BUT NOT LIMITED TO S
7、PECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGEDDATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS,WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHERTHEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMEN
8、T, EVEN IF CSA GROUPHAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.In publishing and making this document available, CSA Group is not undertaking to render professional or other services for or on behalf of anyperson or entity or to perform any duty owed by any
9、 person or entity to another person or entity. The information in this document is directedto those who have the appropriate degree of experience to use and apply its contents, and CSA Group accepts no responsibility whatsoeverarising in any way from any and all use of or reliance on the information
10、 contained in this document.CSA Group is a private not-for-profit company that publishes voluntary standards and related documents. CSA Group has no power, nor does itundertake, to enforce compliance with the contents of the standards or other documents it publishes.Intellectual property rights and
11、ownershipAs between CSA Group and the users of this document (whether it be in printed or electronic form), CSA Group is the owner, or the authorizedlicensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and allinventions
12、 and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected bypatents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document mayviolate laws that protect CSA Groups an
13、d/or others intellectual property and may give rise to a right in CSA Group and/or others to seek legalredress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA Group reserves all intellectualproperty rights in this document.Patent rightsAttention
14、is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA Group shall not beheld responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity ofany such patent rights i
15、s entirely their own responsibility.Authorized use of this documentThis document is being provided by CSA Group for informational and non-commercial use only. The user of this document is authorized to doonly the following:If this document is in electronic form: load this document onto a computer fo
16、r the sole purpose of reviewing it; search and browse this document; and print this document if it is in PDF format.Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA Group to have suchcopies, and only if this Legal Notice appears on e
17、ach such copy.In addition, users may not and may not permit others to alter this document in any way or remove this Legal Notice from the attached standard; sell this document without authorization from CSA Group; or make an electronic copy of this document.If you do not agree with any of the terms
18、and conditions contained in this Legal Notice, you may not load or use this document or make anycopies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this documentconstitutes your acceptance of the terms and conditions of this Legal Notic
19、e.Standards Update ServiceCAN/CSA-ISO/IEC 27018:15December 2015Title: Information technology Security techniques Code of practice for protection ofpersonally identifiable information (PII) in public clouds acting as PII processorsTo register for e-mail notification about any updates to this publicat
20、ion go to shop.csa.ca click on CSA Update ServiceThe List ID that you will need to register for updates to this publication is 2424073.If you require assistance, please e-mail techsupportcsagroup.org or call 416-747-2233.Visit CSA Groups policy on privacy at www.csagroup.org/legal to find out how we
21、 protect yourpersonal information.Canadian Standards Association (operating as “CSA Group”), underwhose auspices this National Standard has been produced, waschartered in 1919 and accredited by the Standards Council ofCanada to the National Standards system in 1973. It is a not-for-profit, nonstatut
22、ory, voluntary membership association engaged instandards development and certification activities.CSA Group standards reflect a national consensus of producers andusers including manufacturers, consumers, retailers, unions andprofessional organizations, and governmental agencies. Thestandards are u
23、sed widely by industry and commerce and oftenadopted by municipal, provincial, and federal governments in theirregulations, particularly in the fields of health, safety, building andconstruction, and the environment.Individuals, companies, and associations across Canada indicatetheir support for CSA
24、 Groups standards development byvolunteering their time and skills to Committee work and supportingCSA Groups objectives through sustaining memberships. The morethan 7000 committee volunteers and the 2000 sustainingmemberships together form CSA Groups total membership fromwhich its Directors are cho
25、sen. Sustaining memberships represent amajor source of income for CSA Groups standards developmentactivities.CSA Group offers certification and testing services in support of andas an extension to its standards development activities. To ensurethe integrity of its certification process, CSA Group re
26、gularly andcontinually audits and inspects products that bear theCSA Group Mark.In addition to its head office and laboratory complex in Toronto, CSAGroup has regional branch offices in major centres across Canadaand inspection and testing agencies in eight countries. Since 1919,CSA Group has develo
27、ped the necessary expertise to meet itscorporate mission: CSA Group is an independent serviceorganization whose mission is to provide an open and effectiveforum for activities facilitating the exchange of goods and servicesthrough the use of standards, certification and related services tomeet natio
28、nal and international needs.For further information on CSA Group services, write toCSA Group178 Rexdale Boulevard,Toronto, Ontario, M9W 1R3CanadaA National Standard of Canada is a standard developed by an SCC-accredited Standards Development Organization (SDO), andapproved by the Standards Council o
29、f Canada (SCC), in accordancewith SCCs: Requirements and Guidance Accreditation forStandards Development Organizations, and Requirements andGuidance Approval of National Standards of Canada Designation.More information on National Standard requirements can be foundat www.scc.ca.An SCC-approved stand
30、ard reflects the consensus of a number ofexperts whose collective interests provide, to the greatestpracticable extent, a balance of representation of affectedstakeholders. National Standards of Canada are intended to make asignificant and timely contribution to the Canadian interest.SCC is a Crown
31、corporation within the portfolio of Industry Canada.With the goal of enhancing Canadas economic competitiveness andsocial well-being, SCC leads and facilitates the development and useof national and international standards. SCC also coordinatesCanadian participation in standards development, and ide
32、ntifiesstrategies to advance Canadian standardization efforts.Accreditation services are provided by SCC to various customers,including product certifiers, testing laboratories, and standardsdevelopment organizations. A list of SCC programs and accreditedbodies is publicly available at www.scc.ca.Us
33、ers should always obtain the latest edition of a National Standardof Canada from the standards development organization responsiblefor its publication, as these documents are subject to periodicreview.Standards Council of Canada600-55 Metcalfe StreetOttawa, Ontario, K1P 6L5CanadaCette Norme National
34、e du Canada nest disponible quen anglais. Le Groupe CSA publiera la version en franais ds quelle sera produite parlorganisme rdacteur.Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility ofthe users to judge its
35、 suitability for their particular purpose.TMA trade-mark of the Canadian Standards Association, operating as “CSA Group”ICS 35.040ISBN 978-1-4883-0070-7 2015 CSA GroupAll rights reserved. No part of this publication may be reproduced in any form whatsoeverwithout the prior permission of the publishe
36、r.Published in December 2015 by CSA GroupA not-for-profit private sector organization178 Rexdale Boulevard,Toronto, Ontario, Canada M9W 1R3To purchase standards and related publications, visit our Online Store at shop.csa.caor call toll-free 1-800-463-6727 or 416-747-4044.TMA trade-mar k of the Cana
37、dian S tandards Association, operating as “CSA Group”Reviewed byPrepared byInternational Organization for Standardization/International Electrotechnical CommissionApproved byInformation technology Securitytechniques Code of practice for protectionof personally identifiable information (PII) inpublic
38、 clouds acting as PII processors(ISO/IEC 27018:2014, IDT)CAN/CSA-ISO/IEC 27018:15National Standard of CanadaCAN/CSA-ISO/IEC 27018:15Information technology Security techniques Code ofpractice for protection of personally identifiable information(PII) in public clouds acting as PII processorsDecember
39、2015 2015 CSA GroupCSA/5CAN/CSA-ISO/IEC 27018:15Information technology Securitytechniques Code of practice forprotection of personally identifiableinformation (PII) in public clouds acting asPII processors(ISO/IEC 27018:2014, IDT)CSA PrefaceStandards development within the Information Technology sec
40、tor is harmonized with internationalstandards development. Through the CSA Technical Committee on Information Technology (TCIT),Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 onInformation Technology (ISO/IEC JTC1) for the Standards Council of Canada
41、(SCC), the ISO member bodyfor Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of theInternational Telecommunication Union (ITU), Canada participates in the International Telegraph andTelephone Consultative Committee (ITU-T).For brevity, this Standard will be refer
42、red to as “CAN/CSA-ISO/IEC 27018” throughout.At the time of publication, ISO/IEC 27018:2014 is available from ISO and IEC in English only. CSA Groupwill publish the French version when it becomes available from ISO and IEC.This International Standard was reviewed by the TCIT under the jurisdiction o
43、f the Strategic SteeringCommittee on Information Technology and deemed acceptable for use in Canada. From time to time,ISO/IEC may publish addenda, corrigenda, etc. The TCIT will review these documents for approval andpublication. For a listing, refer to the Current Standards Activities page at stan
44、dardsactivities.csa.ca.This Standard has been formally approved, without modification, by the Technical Committee and hasbeen approved as a National Standard of Canada by the Standards Council of Canada. 2015 CSA GroupAll rights reserved. No part of this publication may be reproduced in any form wha
45、tsoever without theprior permission of the publisher. ISO/IEC material is reprinted with permission. Where the words “thisInternational Standard” appear in the text, they should be interpreted as “this National Standard ofCanada”.CAN/CSA-ISO/IEC 27018:15Information technology Security techniques Cod
46、e ofpractice for protection of personally identifiable information(PII) in public clouds acting as PII processorsDecember 2015 2015 CSA GroupCSA/6Inquiries regarding this National Standard of Canada should be addressed toCSA Group178 Rexdale Boulevard,Toronto, Ontario, Canada M9W 1R31-800-463-6727 4
47、16-747-4000http:/csa.caTo purchase standards and related publications, visit our Online Store at shop.csa.ca or call toll-free1-800-463-6727 or 416-747-4044.This Standard is subject to review five years from the date of publication, and suggestions for itsimprovement will be referred to the appropri
48、ate committee. To submit a proposal for change, pleasesend the following information to inquiriescsagroup.org and include “Proposal for change” in thesubject line:a) Standard designation (number);b) relevant clause, table, and/or figure number;c) wording of the proposed change; andd) rationale for t
49、he change.CSA Technical Committee on InformationTechnologyJ. MacFie Microsoft Canada,Ottawa, OntarioCategory: Producer InterestChairF. Coalliercole de technologie Suprieure (Universit duQubec) (TS),Montral, QubecCategory: General InterestVice-ChairS. Michell Maurya Software Inc.,Ottawa, OntarioCategory: General InterestVice-ChairO. Avellaneda Industry Canada,Ottawa, OntarioAssociateW. Badawy Intelliview Technologies Inc.,Calgary, AlbertaAssociateR. Balderston Canadian Banknote Company Limited,Ottawa, OntarioAssociate
