Mercans achieves ISO 27017 and ISO 27018 certifications

We are pleased to announce that we have been granted certifications for ISO 27017 and ISO 27018,  globally-respected information security standards developed by the International Organization for Standardization (ISO). Mercans was previously awarded the ISO 27000 and ISO 27001 certification in 2023.  These two additional certifications highlight the company’s ongoing commitment to providing its customers with the gold standard in data security and privacy.

What are the ISO 27017 and ISO 27018 standards?

ISO 27017 and ISO 27018 are international standards for protecting personal data in the cloud. Both standards are part of the ISO 27000 series of standards that relate to information security management. They are designed to help ensure the confidentiality, integrity, and availability of personal data stored in the cloud and to protect against unauthorized access or tampering with that data. The main difference between the two standards is their focus. ISO 27017 provides general guidance on the protection of personally identifiable information (PII) in the cloud, while ISO 27018 provides specific guidance on the protection of PII in the context of public cloud services. 

ISO/IEC 27017:2015 provides guidelines for protecting PII in public clouds and covers cloud-specific information security threats, security controls, risk assessments, and incident management.

ISO/IEC 27018:2019 provides guidance on implementing measures to protect PII in the cloud, specifically regarding public cloud services. It covers topics such as data protection, data processing, and data handling.

How Mercans ensures data security and privacy

A rigorous audit that involved a review of Mercans policies, procedures, and practices as well as the assessment of physical and technical controls in place was done to ensure our information security management system (ISMS) meets the requirements of both standards. These certifications reflect Mercans ability to uphold the highest cybersecurity standards and its ongoing commitment to providing the best protection. Here are some specific ways Mercans ISO 27017 and ISO 27018 certifications ensure the security and privacy of personal data in our payroll platform:

• Data protection: The standards provide guidance on how to protect personal data in the cloud, such as customer names, billing addresses, and payment information, including through the use of encryption and other security controls.
• Data processing: The standards outline requirements for how personal data should be processed and handled in the cloud in regard to access controls and data minimization- a privacy principle that involves collecting, using, and retaining only the personal data that is necessary to achieve a specific purpose.
• Risk assessment: Mercans conducts regular risk assessments and vulnerability tests to identify potential threats to personal data in the cloud. These assessments ensure we can address any weaknesses in our systems and processes that could potentially be exploited.
• Incident management: To respond to and manage incidents that could compromise the security and privacy of personal data in the cloud, Mercans has a business continuity plan (BCP) in place for the continuation of critical business processes in the event of a disruption. It includes strategies for maintaining or quickly recovering essential functions and protecting personal data information.