Image credit PIxabay/Geralt
ISO 27018 – protecting HCM data in the cloud at Ultimate

Ultimate Software has announced that its HCM solution is now certified for ISO 27018. ISO 27018/IEC 27018 is the Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Its focus is the protection of personal data in those public clouds. It supplements ISO 27001/2 in three key areas, information security policies, information security incident management and compliance

Utimate stamp

Adam Rogers, chief technology officer at Ultimate (Source LinkedIn)
Adam Rogers, chief technology officer at Ultimate

In attaining the standard, Ultimate Software have differentiated themselves from some of their competition. With the recent spate of data breaches across the globe, there is increasing concern from companies about the security of their data in the cloud. For a company to trust a cloud solution partner it will want independent surety that their security is proven. Adam Rogers, chief technology officer at Ultimate commented: “The privacy of our customers and their employees is a top priority. Compliance with ISO 27018 means we are recognized for the sophisticated technologies and processes we use to handle PII. Since compliance requires annual certification, it is also a demonstration of our ongoing commitment to strong data-privacy practices.”

ISO 27018 requirements

There are three main sources of requirements under the standard:

Legal, Statutory, Regulatory and Contractual Requirements: Under the standards, Ultimate will have ensured that any organisation touching the data, be that contractors, hosting partners or others will meet their relevant legal obligations. Those obligations are pertinent to the jurisdictions in which Ultimate operates. With customers in more than 160 countries this makes the hurdle even higher for Ultimate to complete. It will almost certainly have had to meet different criteria for specific countries to attain certification.

Risks: Ultimate should also have carried out a risk assessment of the PII its holds. This will have identified the appropriate threats, vulnerability and likelihood of a breach occurring and its impact. What isn’t clear if this cascades down to the specific data held by each client type. As the certification needs renewing each year it would be interesting to see how the threat landscape evolves. If Ultimate pick up life sciences customers or customers from sometimes controversial industry sectors identifying risks could be complex.

Corporate policies: These are often derived from the legal or socio-cultural obligations. It is an area where many companies have fallen short in data breaches over the last few years. TalkTalk being a case in point. There is little companies can do if subject to a state sponsored attack and their reaction to that attack needs defining clearly.  Companies such as IBM have introduced services such as their Cyber Range to help customers learn how to react to an attack.


Companies look to differentiate their offerings from each other. Ultimate has taken a step that is sensible and puts it ahead of many others in the industry. Workday are another HCM provider that is ISO 27018 certified. As purchasers add it to the list of criteria that they expect their cloud providers to have one can expect a few more companies to apply for and attain certification.


Please enter your comment!
Please enter your name here