In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.
ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII.
The standard requires cloud service providers to, among other things:
- only process PII in accordance with the customer’s instructions;
- only process PII for marketing or advertising purposes with the customer’s express consent;
- implement tools that enable customers to comply with PII access, removal and correction requirements;
- disclose to the customer the identity of subcontractors and any possible locations where PII may be processed;
- ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training;
- only disclose PII to governmental or regulatory authorities when legally obligated to do so; and
- assist customers in complying with notification obligations in the event of a security breach.
The standard may be of particular interest to customers in highly regulated industries, such as financial services and insurance, since a service provider's compliance with the standard can give the customer stronger assurance to present to its own regulators.