ISO 27018: First privacy-specific international standard for the cloud (November 2014)

Although a number of global cloud providers have already started deploying independent audits under ISO or similar standards in order to attest to the reliability and legal compliance of certain functions of their cloud services with data protection laws, until recently there has been no comprehensive standard designed specifically for the processing of personally identifiable information (“PII”) in the cloud.

In August this year, the International Organization for Standardization and International Electrotechnical Commission published a new set of rules providing the first standard for handling PII in the cloud – ISO/IEC 27018:2014[1]. The standard has the potential to become a new global point of reference for assessing compliance of cloud services with data protection requirements for all organizations considering a move to the cloud and selecting the best provider.

Core requirements

The general requirements set out by ISO 27018 to a large extent reflect those contained in EU data protection legislation, as further developed by the legally non-binding but authoritative and widely recognized opinions of the Article 29 Working Party[2] and relevant case law. As such, ISO 27018 combines and further elaborates on a number of key data protection requirements already applicable in a number of jurisdictions across the EU and worldwide, and serves as a useful benchmark for cloud customers and cloud providers alike when it comes to the protection of personal data in the cloud virtually anywhere in the world.

The key similarities with the EU data protection framework can be found in the following main areas: the requirement that data processors strictly follow their customers’ instructions, respect the purpose limitation of the data processing operations, refrain from processing PII for marketing or advertising purposes without the customer’s express consent (which cannot be made a condition for receiving the service), and maintain transparency regarding the locations where PII is being stored and processed, which includes transparency regarding all subcontractors. The new standard further requires that cloud providers undergo periodic independent information security reviews by a third party, which is also a condition for maintaining the certification once it has been obtained.

Apart from these general requirements, ISO 27018 contains a much more detailed specification of standards and controls to be implemented by a cloud services provider. The standard was developed taking into account the requirements already contained in ISO 27002, a technical standard setting out a number of requirements and good practices designed to ensure the information security of data in general. ISO 27018 sets out additional controls and associated guidance that supplement those prescribed by ISO 27002 and that are tailored specifically to handling PII in the cloud. These controls are listed under several categories, including:

  • Information security policies;
  • Human resource security;
  • Access control;
  • Cryptography;
  • Physical and environmental security;
  • Operations security (including areas such as protection from malware, back-ups, logging, monitoring and technical vulnerability management);
  • Communications security; and
  • Information security incident management.

In addition, Annex A of ISO 27018 lists 11 principles that underpin privacy in the cloud and that cover, inter alia: the means of obtaining consent for processing PII; purpose legitimacy and specification; data minimization; openness, transparency and notice; data use and retention; and accountability.

Who can rely on ISO 27018

ISO 27018 is applicable to the processing of PII obtained from a customer for the purposes determined by the customer under its contract with the cloud service provider.[3] Cloud service providers may use it as a “checklist” to verify and demonstrate the compliance of their PII processing practices with the relevant statutory data protection requirements; ISO 27018 certified cloud providers are more likely to win the trust of customers hesitant to entrust their data to the cloud, and thus broaden their customer base. Given the increasingly global nature of data handling in the cloud, the benefit for customers is that instead of coping with various national data protection standards and performing complex assessments in each jurisdiction, they may reasonably rely on ISO 27018.[4] In this respect, the standard also has the potential to serve as a useful benchmarking tool for assessing privacy compliance when conducting legal due diligence in international corporate transactions.

ISO 27018 has been designed for all types and sizes of organizations and companies in the private and public sector providing information processing services via the cloud as PII processors. As it does not account for any sector-specific requirements, organizations in specialized industries such as public defense, financial or health services may need to apply additional sector-specific sets of controls. Yet this does not in any way undermine the relevance of ISO 27018 certification, and sectoral cloud providers are encouraged to develop their own protection controls based on the guiding principles contained in ISO 27018, taking their sector’s specifics into account.[5]

Standardization in regulatory outlooks

It is a well-known fact that legislation can never really catch up with the speed of technology innovation. The regulatory trend in cloud computing appears to be a gradual shift from legislative solutions (which will always necessarily lag behind developments in IT) to industry standardization. The European Commission had already acknowledged in 2012 the benefits that standardization may bring to the cloud environment in order to fully exploit its potential[6]. While it remains to be seen how widely the new ISO 27018 will be adopted, it is certainly a very promising tool for ensuring data protection and privacy compliance in the cloud environment, with great potential to benefit cloud customers and providers alike.


[1] The full text of the standard is available via http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498.

[2] E.g. Opinion 5/2012 on Cloud Computing, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf; or Opinion 1/2010 on the concepts of “controller” and “processor”, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf.

[3] The standard does not cover processing of PII in relation to which the cloud service provider acts as a data controller, such as the customer’s account data.

[4] It should be noted that while the standard broadly addresses the key obligations in privacy laws worldwide, there are still nuances in national privacy laws that may need to be taken into account and thus require a legal review.

[5] The International Organization for Standardization recommends the development of such independent controls, including direct cross-references to the relevant parts of ISO 27018. For more information, please see https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-1:v1:en.

[6] “There is a need for a chain of confidence-building steps to create trust in cloud solutions. This chain starts with the identification of an appropriate set of standards that can be certified in order to allow public and private procurers to be confident that they have met their compliance obligations and that they are getting an appropriate solution to meet their needs when adopting cloud services.” See Communication from the Commission no. COM(2012) 529 final of 27 September 2012: Unleashing the Potential of Cloud Computing in Europe, p. 9.