Cloud service providers (CSPs) often claim that their customers’ personal data is secure in their clouds. You can now check to see whether that is the case, thanks to a global standard published in 2014. People often refer to the standard as ISO 27018 but its official title is “ISO/IEC 27018:2014 — Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.”
Standard Ensures Privacy and Data Protection
CSPs can use ISO 27018 to demonstrate that they handle personal data in a way that both safeguards customers’ data and protects customers’ privacy. For example, CSPs that follow this standard commit to the following:
- Give customers control over their personal data
- Not use customers’ personal data for marketing or advertising purposes
- Not let third parties access customers’ personal data, unless a customer allows it
- Let customers know about any unauthorized access to their data as soon as possible
- Let customers know when subcontractors will handle their data
ISO 27018 contains many other guidelines on how CSPs should protect customers’ privacy and data. They include restrictions that limit or prohibit transmitting customers’ personal data over public networks and storing it on portable media. CSPs must also have proper data backup and recovery procedures in place to achieve ISO 27018 certification.
To become ISO 27018 certified, CSPs must go through an assessment process. During this process, independent third parties verify that the CSPs are properly handling their customers’ personal data. Once a CSP achieves certification, it must undergo annual audits to maintain that certification.
In 2015, Microsoft and Dropbox for Business were the first two major providers to achieve ISO 27018 certification. Other big-name companies are expected to follow their lead.
A Mark of Trust
When a CSP is ISO 27018 certified, you have some assurance that it is protecting its customers’ privacy and data. If your business is looking to store data in a public cloud, make sure you talk to potential CSPs about their efforts to adhere to the ISO 27018 standard.