New ISO standard for cloud providers

The International Standards Organization (“ISO”) has published a new security standard for cloud services: ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (“PII”) in public clouds acting as PII processors (“ISO 27018”).

Why has a new standard been published?

The development of the new security standard for cloud services: ISO/IEC 27018 is a direct response to one of the key goals announced in the 2012 European Cloud Computing Strategy. The European Commission published this strategy as a part of its drive to promote the adoption of cloud computing in all sectors of the European economy in order to boost productivity. However, there were concerns regarding privacy and security when migrating data to the cloud because this inevitably involves storage (and often processing) of data by the cloud provider. An identifiable standard was required to show the suppliers compliance with data protection laws and enable the customer to meet its regulatory obligations on data security.

In addition, the need for a recognised benchmark, to alleviate these concerns, was recognised in the Information Commissioners’ guidance on Cloud Computing and the European Commission’s Cloud Standards Roadmap.

Who is the new standard aimed at?

The new standard is aimed at suppliers and the ISO have sought to emphasise the breadth of its application by stating that “ISO 27018 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.”

What does ISO 27018 say?

ISO 27018 builds upon the existing security standards, in ISO 27001, providing a voluntary standard governing the processing of personal data in the cloud. It establishes common set of control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles for public cloud computing.

ISO 27018 provides a practical basis to induce confidence in the cloud industry. At the same time, the public cloud industry will have clear guidance in order to meet the legal and regulatory concerns of its clients.

BSI has commented that the guidance document seeks to:

• Allow public cloud service providers to comply with applicable obligations;
• Enable transparency in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services;
• Assist all parties when entering into a contractual agreement; and
• Provide a mechanism for exercising audit and compliance rights where individual audits may themselves increase risks to network security controls in place.

OC Comment

The publication of the ISO 27018 comes as a global study from BT, in July 2014, showed that 76% of those surveyed cited security as their main concern when using cloud-based services. Almost half of respondents (49%) admitted that they are “very or extremely anxious” about the security implications of these services.

Emily Jones, a specialist in cloud computing law says:

“The cloud services industry has struggled to overcome concerns about security and this has been a barrier to the wider adoption of cloud. This new standard combined with other initiatives, for example, to create a standard service level agreement for cloud services, should enable companies to make better informed decisions when assessing whether to use a cloud computing solution and to decide which solution best meets its business needs.”

James Mullock, a data protection law specialist added:

“Signing up this new standard won’t provide the silver bullet to all data and cyber compliance issues arising from using cloud based services, but it will offer a credible step in the journey towards compliance and so is a very welcome initiative.”