ISO/IEC 27018 : The First International Privacy Standard for the Cloud
Wed 10 Feb 2016 | Michael Mudd

*You can download a free white paper detailing ISO27018 here
The Internet has become pervasive in nearly every society over the past 20 years. This explosion has brought considerable benefits: from almost free communication via email, Instant Messaging (IM) and VoIP, to enabling online commerce for the biggest businesses (think internet banking) and the smallest (such as online stores on Alibaba or eBay).
The volume of data sent across the internet continues to grow exponentially. Global data has increased fivefold over the past 5 years, and will increase again threefold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 21 percent from 2013 to 2018. The estimate for growth in mobile data traffic is even more impressive, with a CAGR of 61 percent.
The International Standards Organisation (ISO) indicates that globally more than 22,000 companies have achieved the ISO27001 certificate in Information Security Management as of the end of 2013, an increase of 14% over 2012. ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS). ISO/IEC 27001:2013 [1] provides a management framework for assessing and treating risks, taking account of past user experiences, improvements in security controls apt for today’s IT environment, addressing Cloud computing, identity theft, risks related to mobile devices and other online vulnerabilities, and aligns with other management systems.
In 2014 an additional voluntary standard within the 27000 series, ISO/IEC 27018, was adopted, specifically governing the processing of personally identifiable information (PII) by public Cloud Service Providers (CSPs).
ISO/IEC 27018 is the first international privacy standard for the cloud. This new standard incorporates controls that reflect PII considerations specifically for cloud services, and will help a CSP demonstrate that its cloud privacy policies and practices are robust, and in line with best industry practices.
Whilst ISO/IEC 27001:2013 addresses IT security, and in most respects aims to lower the risk that unauthorized third parties will gain access to customer information, ISO/IEC 27018:2014 specifically addresses what a service provider needs to do to protect the privacy of that data. This has particular importance in jurisdictions that have weak or non-existent data protection (DP) regulations or laws. Other economies may have DP laws that are not applicable to government entities, so the standard may improve data security there also.
The massive increase in data flows across the Internet poses an additional challenge to data owners (or controllers) related to the privacy of customer information. This challenge is related to appropriate constraints that should be placed on a party (such as a cloud service provider or CSP) who is authorized to access customer data for certain purposes, but only those purposes.
In particular, the separation of PII that the data owner has not specifically authorised for secondary use, retention policies for PII, and transparent parameters for the return, transfer and secure disposal of personal information are important considerations for protecting PII beyond its approved use or at end of life.
This may ensure that the data security of PII is truly understood and implemented in a structured manner within any business, regardless of industry or size. Wide adoption of this Standard will enable customers and providers alike to evaluate what protections are in place and, more importantly, what they need to implement to protect PII. The recently released text of the Trans Pacific Partnership also addresses this issue in Chapter 14.
Thus there is a need for clear policies or a framework to address privacy; in the absence of such frameworks, the ISO Standards may provide that confidence for consumers, customers and service providers alike. The challenge, again, is the appropriate constraints that should be placed on a party (such as a Cloud service provider) who is authorized to access customer data for certain purposes.
Whilst ISO/IEC 27001:2013 addresses IT security, and in most respects aims to lower the risk that unauthorized third parties will gain access to customer information, ISO/IEC 27018:2014 specifically addresses the data privacy issues governing the processing of personally identifiable information (PII) by public CSPs [2].
The Open Computing Alliance has examined this new Standard in order to bring forward a paper which will provide the reader an insight into how it may affect businesses, both public and private.
This summary has only highlighted a few of the many details within the 32 pages of ISO27018, but those discussed illustrate the desire to align global data privacy Standards. It is therefore a suitable reference for globally operating CSPs to demonstrate their data protection/privacy compliance instead of having to cope with different national standards in various jurisdictions. With data losses on the increase, all companies that handle data need sound advice on how they construct contracts with their service providers and outside vendors, as well as comprehensive internal privacy policies. This presents a significant business opportunity for lawyers to advise their clients on mitigating data loss and therefore their liability.
I set out at the beginning of this short paper stating that the need to enhance protections for data privacy has never been greater. The world is far more connected now than at any time in history; therefore the need to protect personal information and data from criminal, deliberate or accidental access or loss has never been greater. ISO27018, when correctly implemented and combined with a comprehensive contract for services, goes a long way toward achieving that goal.
oOo
Michael Mudd is an appointed expert to JTC-1 of the ISO. He is the chief representative of the Open Computing Alliance, in the APAC and MEA region. The OCA seeks to encourage productivity, growth and employment through new opportunities arising from standards and principles driven networked computing, together with respect for IPR and care for the environment.
[1] http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1767
[2] http://blogs.olswang.com/datonomy/2014/09/26/new-iso-code-of-practice-for-public-cloud-service-providers-processing-personal-data/