Earlier in 2014, the International Standards Organisation (ISO) published a new voluntary standard, ISO 27018 (the Standard), establishing commonly accepted control objectives and guidelines for protecting personal information in a public cloud computing environment.
The need to create trust in cloud solutions led to the development of the Standard, in line with one of the key goals announced in the 2012 European Cloud Computing Strategy. By adopting an appropriate set of standards, cloud service providers who process personal data can give their customers confidence that the customers' own regulatory obligations on data security are being met.
The Standard focuses on practical recommendations to help cloud providers comply with it. Examples include:
- Confidentiality agreements and training for those with access to personal information
- Policies for the return, transfer or disposal of personal information at termination
- Policies that allow the processing of personal information for marketing or advertising purposes only with the customer's express consent
- Requirements to disclose the names of sub-processors and possible locations where personal information may be processed prior to entering into a cloud services contract
- Independent security reviews at regular intervals or after significant changes
The Standard could not come at a better time. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, revealed the extent of mistrust in cloud services, with 72% of EU respondents accusing cloud service providers of failing to comply with data protection regulations. Obtaining ISO cloud certification could go a long way towards restoring trust, and could further facilitate the adoption of cloud computing in all sectors.