How does ISO/IEC 27018 affect cloud provider selection, PII privacy?

Learn what the ISO/IEC 27018 standard is, what it means to PII privacy, and how it should affect cloud provider and product selection.

Microsoft recently adopted the ISO/IEC 27018 standard. What is it, and is it something we should look for in cloud services and products?

ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds. It builds on the security controls of ISO/IEC 27002 and addresses how public cloud providers, acting as agents for their customers, process PII on the customers' behalf. In the standard's terminology the provider is the PII processor and the customer is the PII controller. Providers that adhere to the standard must follow established rules on how PII is used and shared.

For example, compliant cloud providers agree to process PII only according to the customer's instructions, and not to use it for their own purposes such as advertising or marketing without the customer's express consent. In addition, providers agree to be transparent about where customer data is stored and how it is processed. Policies on data retention, transfer and deletion must also be readily available to customers.

As part of the effort to protect customer data, compliant cloud providers implement security controls specific to PII. These include encrypting PII before it is transmitted over public networks, restricting the use of portable storage media, and following documented procedures for data recovery and restoration.

The standard also includes practices regarding disclosures. A compliant provider rejects requests for PII that are not legally binding, and if a customer's data is released to a government agency, the provider informs the customer of the release. Note, however, the exception to this rule: if the provider is under a legal order not to disclose the request, it cannot notify the customer.

The adoption of ISO/IEC 27018 is part of the fabric of trust developing between cloud providers and their customers. Responsibilities and obligations are documented and disclosed, so both providers and customers know how PII will be treated. This does not guarantee that a provider's practices will meet the requirements of every organization, but it is at least a common baseline.

If your organization stores PII in the cloud, it is worth understanding the scope of this standard and each cloud provider's level of adherence to it. Because ISO/IEC 27018 is a code of practice rather than a stand-alone certifiable standard, conformance is normally demonstrated as part of an ISO/IEC 27001 audit; ask the provider for its certificate and confirm that the services you plan to use, and the 27018 controls, are within the audited scope. If you manage data for citizens of the European Union or store data in EU countries, you may also be subject to stricter privacy regulations than if you store similar data for U.S. citizens in U.S.-based data centers.

Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)


This was last published in June 2015
