CyberArk Achieves ISO/IEC 27018 Certification – an International Standard for Cloud Privacy

August 15, 2023 Omer Grossman

It is my distinct honor to announce that CyberArk has officially achieved ISO/IEC 27018:2019 certification – the first privacy-specific international standard for cloud service providers focused on safeguarding personally identifiable information (PII), one of the most mission-critical components of cloud security.

Today, more than 8,000 organizations across 110 countries – including more than half of the Fortune 500 – trust CyberArk to protect their most critical assets. Maintaining this trust is our highest priority and we hold ourselves to stringent security and compliance standards. Part of this ongoing commitment involves rigorous reviews of our information security systems and infrastructure. With this ISO/IEC 27018:2019 certification, CyberArk has achieved significant, independent recognition for protecting data privacy and exceeding customer, partner and regulatory requirements for cloud security, transparency and accountability.

The ISO/IEC 27018 standard outlines specific guidelines to reduce information security risks pertaining to PII in public cloud offerings. It is a code of practice built on the controls outlined in ISO/IEC 27002, supplementing them with security guidance specific to protecting PII, which NIST defines as “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” This includes sensitive information such as a person’s full name, address, phone number or Social Security number.

CyberArk has built the following key commitments into our security control framework to demonstrate conformance with ISO/IEC 27018:2019. They emphasize our responsibility in handling sensitive data and show our customers how their data is securely stored, processed and managed in our cloud computing systems:

  • CyberArk does not use customer data for business marketing or advertising unless the customer consents to such use. The customer has control over their own data and CyberArk only processes PII in accordance with the customer’s instructions.
  • CyberArk applies defined controls to PII when it is transmitted over public networks, stored on mobile devices, or recovered or restored from backups. Relevant CyberArk staff must also sign a confidentiality agreement, and CyberArk provides specialized training for employees who directly process PII.
  • In the event of a breach affecting customer data, CyberArk will notify the customer without undue delay, maintain a clear record of the incident and assist the customer in remaining compliant with their own security obligations.
  • CyberArk must disclose the names of any sub-processors (and any location information about where PII may be processed). If we change sub-processors mid-contract, we must also disclose this information and provide the customer with the right to object to the change.

We remain committed to ensuring that all customer and partner information, in any form, is protected from unauthorized access, modification, disclosure or deletion.

You can learn more about CyberArk’s security practices and industry certifications in our Trust Center.

Omer Grossman is the global chief information officer at CyberArk.
