In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.

ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII.

The standard requires cloud service providers to, among other things:

  • only process PII in accordance with the customer’s instructions;
  • only process PII for marketing or advertising purposes with the customer’s express consent;
  • implement tools that enable customers to comply with PII access, removal and correction requirements;
  • disclose to the customer the identity of subcontractors and any possible locations where PII may be processed;
  • ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training;
  • only disclose PII to governmental or regulatory authorities when legally obligated to do so; and
  • assist customers in complying with notification obligations in the event of a security breach.

The standard may be of particular interest to customers in highly regulated industries, such as financial services and insurance, since a service provider's compliance with the standard may give the customer's regulators a higher level of assurance.