A new standard should give cloud users confidence that their service provider is well-placed to keep data private and secure.
ISO/IEC 27018:2014 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is the first international standard that deals specifically with the protection of personal data in the cloud.
Prof. Edward Humphreys, Convenor of the ISO working group responsible for information security management standards, believes that creating a climate of trust is the most important prerequisite when outsourcing IT. He says organisations need to have assurance in the underlying cloud provider.
‘Many users may not understand that they need to select a cloud service provider that has good governance over the processing of personal data. Those that do know this may have difficulty knowing how to verify that good governance is in place. This situation can lead to increased risks for the protection of personal data.’
Controls to address the protection of personal data
When considering a cloud computing service, users should double-check that the cloud provider they choose has adopted appropriate security measures and remains transparent about its data processing practices.
Professor Humphreys says cloud service providers should have a system of controls in place to address the protection of personal data.
‘Starting with a data processing agreement, which outlines the governance process and important issues that may be relevant to meeting their legal obligations, will help customers have confidence in selecting the right cloud service provider.
‘Demonstrating compliance with ISO/IEC 27001, extended with controls on the protection of personal data from ISO/IEC 27018 in public clouds acting as PII processors, can add a further level of customer confidence.’
Standards to secure assets and protect data
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements helps organisations secure their information assets. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system, including the assessment and treatment of information security risks, and it is the standard against which an organisation can be certified.
ISO/IEC 27018:2014 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors helps cloud providers and organisations to protect Personally Identifiable Information (PII), in accordance with privacy principles for the public cloud computing environment.
As a code of practice, the standard builds on the controls of ISO/IEC 27002 and adds guidance specific to processing PII in a public cloud. It sets out security measures that cloud providers should adopt where applicable, including encryption and access control. It also calls on cloud providers to implement security awareness policies and to make relevant staff aware of the potential consequences (for staff, the cloud provider, and the customer) of breaching privacy and security rules.
Summarised from an ISO media release, 6 January 2015.