BSI launches certification scheme focused on safety of personal data in the cloud

The adoption of cloud computing in all sectors is increasing rapidly in order that businesses can better manage their costs and support scalability. However, fundamental concerns over the privacy and security of data remain.

With this in mind, the British Standards Institution (BSI) has just launched a training and certification scheme aimed at the protection of personal data in the cloud.

ISO 27018 Code of Practice for the Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors has been developed to provide cloud service providers and their customers alike with the confidence that any personal data processed in a cloud environment is safe from threats, shared only according to their wishes and maintained in line with local legal requirements.

It’s important to note that the BSI’s certification scheme is relevant for any type or size of organisation providing public cloud computing services.

In order to demonstrate their compliance with the standard, cloud service providers must adopt several practices. These include making customers aware of where their data is stored, ensuring that any major system changes are reviewed by independent third parties at regular intervals and documenting any infringements on data security (including the steps taken to resolve problems and the possible consequences).

In addition, they must identify any local legal requirements and ensure they’re adhered to at all times.

Kaara Pallop, global portfolio manager at BSI, told Risk UK: “Data is a valuable asset for any organisation. Any kind of breach can be pretty costly to a business, not least in terms of the organisation’s reputation. This scheme provides greater reassurance to customers and stakeholders that personal data and information is protected. It helps to manage risk and ensures compliance with regulatory obligations.”

Pallop added: “By choosing an ISO 27018-certified provider, both organisations and customers can be confident that the supplier has taken the technical and legislative steps necessary to protect one of their most valuable assets.”

ISO 27018 incorporates ISO 27001 Information Security Management to ensure that organisations establish “a robust management system” for safeguarding public cloud data.

How does it work?

BS ISO/IEC 27018:2014 seeks to:

* allow public cloud service providers to comply with applicable obligations

* enable transparency in relevant matters such that cloud service customers can select well-governed, cloud-based PII processing services

* assist all parties when entering into a contractual agreement

* provide a mechanism for exercising audit and compliance rights where individual audits may themselves increase risks to network security controls already in place

It’s an essential step towards ensuring compliance with the principles enshrined within the Data Protection Act and boosting overall customer confidence in cloud computing technologies.

BS ISO/IEC 27018:2014 follows the structure of BS ISO/IEC 27002:2013, providing additional guidance specific to public cloud services when acting as PII processors. It also defines an extended control set of additional privacy controls specific to such services.

If applicable, certification bodies operating in accordance with BS ISO/IEC 27006:2015 may reference BS ISO/IEC 27018:2014 when awarding certification.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.