Microsoft Azure and UK-based cloud hosting provider iomart are among the first companies to adopt the new international standard on cloud privacy, ISO/IEC 27018 – the first international set of privacy controls in the cloud. ISO 27018 was published on July 30, 2014 by the International Organization for Standardization (ISO), as a new component of the ISO 27001 standard.
ISO 27018 sets forth a code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors. Cloud hosting service providers (CSPs) adopting ISO/IEC 27018 must operate under five key principles:
- Consent – CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control – Customers have explicit control of how their information is used.
- Transparency – CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
- Communication – In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
- Independent and yearly audit – A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Trust is ever important to customers leveraging the cloud, according to Lori Woehler, Principal Group Manager, Compliance & Trust, Microsoft. That is why Microsoft Azure has adopted the stringent privacy principles outlined in ISO 27018 and submitted Azure to regular independent audits of its adherence.
“For many of iomart’s customers, data security, privacy and legal compliance is of the utmost importance,” said Angus MacSween, CEO of iomart. “We have therefore worked hard to become one of the first adopters of this new international data security standard. Not only can we tell our customers exactly where their data is, we can ensure there is no unauthorised access to it and that the way it is handled meets all relevant privacy obligations.”