Newly Adopted Privacy Standards for Cloud Service Providers

By Oleg Rivkin
Originally published in Expect Focus, Vol. IV (Fall 2014)

The International Standards Organization’s new cloud standard, ISO 27018, strives to ensure that public cloud service providers (such as Amazon, Google, and Rackspace) “offer suitable information security controls to protect the privacy of their customers’ clients” by securing the personally identifiable information (PII) entrusted to them. The new standard, adopted by ISO and the International Electrotechnical Commission in August, is voluntary. It is expected to be followed by ISO 27017, which will cover non-privacy information security aspects of cloud computing.

According to the ISO, the new standard is intended as “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system ….” Broadly, ISO 27018 addresses the questions of confidentiality and security of the customer’s personal information and the prevention of its unauthorized use.

To be certified under ISO 27018, a cloud service provider must pass an initial audit by an accredited certification entity (and be subject to periodic reviews). Certification’s aim is to achieve full transparency between the cloud service provider and its customer, and to enable the customer to select a provider that has satisfied its legal and regulatory obligations and demonstrated this to the certification body.

Among the new ISO 27018 standards is the requirement that all personal information be processed pursuant to the customer’s instructions; the prohibition against demanding consent to use customer’s information for marketing and advertising purposes as a condition of providing cloud service; restrictions on the disclosure of information to third parties; implementation of policies for the return or disposal of personal data; and disclosure of any sub-processors and possible locations where personal information may be stored or processed before entering into a service contract.

In this age of data privacy concerns, ISO 27018 certification may be an important criteria for many customers who are selecting a public cloud service provider for the first time, or determining whether to switch providers.