It has not been a widely publicised event, but as of earlier this year, cloud service providers have had their own global industry standard for data security. In July 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) formally adopted ISO/IEC 27018, the first international standard governing the processing of personal information by cloud service providers.
ISO/IEC 27018 is voluntary, and is intended to provide a best practice standard for service providers in an area that has concerned many businesses and individuals: security and integrity of information in the cloud. Whilst there are existing data security standards such as ISO 27001 and ISO 27002 that address data security generally, ISO/IEC 27018 is the first that focuses specifically on cloud data security.
Service providers who are certified under ISO/IEC 27018 must demonstrate that they have established or implemented (amongst other things):
- tools that enable customers to comply with data access, data correction and data removal requirements;
- processes to ensure that they will process personal information as directed by the customer;
- processes to ensure that they will only process personal information for marketing activities with the customer's express consent – an important step as many legal jurisdictions (including Australia) have moved towards tightening up the use of personal information for marketing;
- processes to limit disclosure of personal information to law enforcement authorities only when legally obliged to do so;
- a policy under which they will disclose to a customer the identity of subcontractors and possible locations where personal information may be processed prior to entering into a services contract with that customer;
- processes to assist their customers in complying with notification obligations in case of a data breach;
- a policy for the return, transfer or erasure of personal information, which must specify the period for which the information will be retained;
- regular security audits by an independent accredited third party to maintain the ISO/IEC certification; and
- processes to ensure that staff are bound by confidentiality undertakings and undergo appropriate training.
An ISO/IEC 27018 certification is therefore intended to give a customer increased comfort concerning the practices and contractual obligations of a certified cloud service provider. It may also offer customers in regulated sectors, such as financial services and insurance, a better quality of assurance to their respective regulators when subcontracting the processing of personal information to a cloud services provider.