
How does ISO/IEC 27018 affect cloud provider selection, PII privacy?

Learn what the ISO/IEC 27018 standard is, what it means to PII privacy, and how it should affect cloud provider and product selection.

Microsoft recently adopted the ISO/IEC 27018 standard. What is it, and is it something we should look for in cloud services and products?

ISO/IEC 27018 is a privacy standard designed to help protect personally identifiable information (PII). The standard addresses how public cloud providers -- acting as agents for customers -- process PII on behalf of those customers. Formally, such cloud providers are known as PII processors. Providers that adhere to the standard must follow established rules regarding how PII is used and shared.

For example, compliant cloud providers agree to process PII only in ways designated by customers. In addition, providers agree to transparency about where customer data is stored and how it is processed. Policies about data retention, transfer and deletion should also be readily available to customers.

As part of the effort to protect customer data, compliant cloud providers adhere to security controls that protect PII. These include restrictions on how PII is transmitted over public networks, limitations on the use of mobile storage devices and procedures for data recovery.

The standard also includes practices with regard to disclosures. If a customer's data is shared with a government agency, the cloud provider will inform the customer of the release. Note, however, that there is an exception to this rule if the cloud provider is under a legal order not to disclose this information.

The adoption of ISO/IEC 27018 is part of the fabric of trust developing between cloud providers and their customers. Responsibilities and obligations are documented and disclosed, so both providers and customers know how PII will be treated. This does not guarantee, however, that a cloud provider's practices will meet the requirements of every organization, but it is at least a common baseline.

If your organization is storing PII, it is advantageous to understand the scope of this standard and your cloud providers' level of adherence to it. If you manage data for citizens of the European Union or store data in EU countries, you may be subject to stricter privacy regulations than if you store similar data for U.S. citizens in U.S.-based data centers.

Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)
