Home » Useful information » ISO/IEC 27018:2014 – a voluntary international code of practice governing the processing of personal information by cloud service providers
ISO/IEC 27018:2014 – a voluntary international code of practice governing the processing of personal information by cloud service providers
In August 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted ISO/IEC 27018:2014 – a voluntary international code of practice governing the processing of personal information by cloud service providers. The code builds on existing and well-established information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles and controls. However, ISO 27018 is unique in that it is tailored specifically to cloud services, as currently an increasing number of public and private sector organizations start using information services in the cloud in order to achieve efficiency and reduce costs.
Because ISO 27018 is designed for the cloud, it can provide critical transparency for cloud customers that want to better understand and compare the practices of different cloud providers and how they secure and protect personal data. At the present moment a number of cloud providers have been certified under ISO 27018, the first among the major cloud providers is Microsoft, certified in 2015 for its cloud based services Azure, Office 365, Dynamics CRM Online и Microsoft Intunе, in 2014 the company received a confirmation letter on behalf of Article 29 Working Party stating that the enterprise cloud contracts meet the requirements of the EU’s "model clauses".
What does ISO 27018 require?
Among other things, ISO 27018 requires that cloud service providers:
· Process personal information only as instructed by the customer;
· Agree not to process personal information for advertising or marketing purposes without the customer’s express consent;
· Adopt appropriate security and organizational measures;
· Refuse disclosure of information to law enforcement unless required by law;
· Be transparent about data processing practices.
How can a future or an existing customer verify a cloud provider’s compliance with ISO 27018?
Customers should ask their cloud provider whether they comply with ISO 27018 and, if so, whether the provider’s compliance has been independently verified