The adoption of cloud computing in all sectors is increasing rapidly as businesses seek to manage their costs and support scalability. However, fundamental concerns over the privacy and security of data remain.
With this in mind, the British Standards Institution (BSI) has just launched a training and certification scheme aimed at the protection of personal data in the cloud.
ISO 27018 Code of Practice for the Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors has been developed to provide cloud service providers and their customers alike with the confidence that any personal data processed in a cloud environment is safe from threats, shared only according to their wishes and maintained in line with local legal requirements.
It’s important to note that the BSI’s certification scheme is relevant for any type or size of organisation providing public cloud computing services.
In order to demonstrate their compliance with the standard, cloud service providers must adopt several practices. These include making customers aware of where their data is stored, ensuring that any major system changes are reviewed by independent third parties at regular intervals and documenting any infringements on data security (including the steps taken to resolve problems and the possible consequences).
In addition, they must identify any local legal requirements and ensure they’re adhered to at all times.
Kaara Pallop, global portfolio manager at BSI, told Risk UK: “Data is a valuable asset for any organisation. Any kind of breach can be pretty costly to a business, not least in terms of the organisation’s reputation. This scheme provides greater reassurance to customers and stakeholders that personal data and information is protected. It helps to manage risk and ensures compliance with regulatory obligations.”
Pallop added: “By choosing an ISO 27018-certified provider, both organisations and customers can be confident that the supplier has taken the technical and legislative steps necessary to protect one of their most valuable assets.”
ISO 27018 incorporates ISO 27001 Information Security Management to ensure that organisations establish “a robust management system” for safeguarding public cloud data.
How does it work?
BS ISO/IEC 27018:2014 seeks to:
* allow public cloud service providers to comply with applicable obligations
* enable transparency in relevant matters such that cloud service customers can select well-governed, cloud-based PII processing services
* assist all parties when entering into a contractual agreement
* provide a mechanism for exercising audit and compliance rights where individual audits may themselves increase risks to network security controls already in place
It’s an essential step towards ensuring compliance with the principles enshrined within the Data Protection Act and boosting overall customer confidence in cloud computing technologies.
BS ISO/IEC 27018:2014 follows the structure of BS ISO/IEC 27002:2013, providing additional guidance specific to public cloud services when acting as PII processors. It also defines an extended control set of additional privacy controls specific to such services.
If applicable, certification bodies operating in accordance with BS ISO/IEC 27006:2015 may reference BS ISO/IEC 27018:2014 when awarding certification.