Commonly agreed Standards help the conversation by, at the very least, providing the right questions that fiduciaries should be asking.
The value of many Standards can be as simple as knowing that they exist; knowing that they may be applicable; and knowing who to ask about whether they apply and are applied.
We know that the ISO/IEC 27018 Standard exists (at least from reading this, if not before!); we know that it applies to privacy in cloud-based services and helps protect personal information. You are in the Board meeting and your duty as a fiduciary is to ask questions. How about starting simply with “Do we use ISO/IEC 27018?” “Yes? Great…” – now what? The CIO, the CTO, the procurement manager, whoever it might be, is telling you that the Standard is used. You are no technology specialist, but is it really enough to take their word for it?
Maybe. As a comparison, in a small organization it might be enough to know that the accountant uses double-entry bookkeeping and pays all taxes. In more substantial undertakings, those assertions are checked, audited, internally and often externally – again, using commonly accepted standards.
Back to our Board, and in a similar vein, you will be exercising due diligence by asking more: “What can you show a lay Board member like me that gives weight to what you say about our use of technology Standards?”
This is where compliance and certification come into the picture. First of all, compliance.
Showing compliance with a standard helps demonstrate an organization’s trustworthiness. Giving current and potential customers a clear signal of compliance with ISO/IEC 27018 is an easy way to confirm that personal information handled by a cloud service provider will be used only as they approve and that it is being held securely. Nowhere is this more important than in the public sector, where government agencies are often subject to stricter obligations to protect information in their care. When it comes to navigating the difficult waters of European Union data protection rules, 27018 also means that customers can count on the provider of the cloud service to help them meet their obligations.
What does compliance involve?
A cloud service’s compliance with ISO 27018 controls means that a customer will know that the service provider:
- will keep them informed where their data is stored and who is handling it, including all “sub-processors”;
- will ensure that their staff and contractors are bound by confidentiality agreements and receive appropriate training in handling sensitive data;
- will not use their personal data for marketing or advertising without their explicit consent;
- will return, transfer or destroy customer personal data at their request;
- will help the customer with requests for accessing, correcting or deleting personal data;
- will notify the customer promptly of any data breach and of the measures being taken to make amends, so that customers can comply with their own obligations to their users;
- will only comply with legally required requests for disclosure of personal data;
- will subject their services to independent and regular review.
Customers are sometimes subject to information security rules that restrict where data can be stored. Because 27018 requires certified cloud providers to inform customers of the countries where their data may be stored, customers will have the visibility they need to ensure compliance with applicable data transfer and public procurement rules. 27018 also requires cloud providers to be upfront about the identities of any sub-contractors they engage to help with data processing before customers enter into a contract. And if any of this changes, the cloud service provider is required to inform customers promptly to give them an opportunity to object or terminate their agreement.
Some cloud providers use cloud customer data for their own independent commercial purposes, including for targeted advertising. This worries customers, who often handle sensitive data that shouldn’t be re-used by third parties. To make sure that the customer is always in control, 27018-compliant providers may not use customer data for their own independent purposes, and cannot use that data for advertising or marketing purposes absent explicit consent from the customer, which cannot be a condition for receiving the cloud service. The choice should always be with the customers.
Customers are often concerned that cloud services will lead to “lock in”, reducing flexibility and nimbleness over time and creating a culture captive to a single standard, software tool, or system. ISO/IEC 27018 requires the cloud service provider to implement a policy to allow for the return, transfer and/or secure disposal of personal information, within a reasonable period of time. In this way, the customer can be confident they won’t be “caught” by lock in.
EU data protection law imposes certain requirements on cloud customers – including to allow individuals whose personal information they hold to access that information, to correct it, and even to delete it. Fulfilling these obligations can be a challenging task where an organization has its data stored in a third party’s cloud. But ISO 27018-compliant providers are required to help customers meet these obligations. This includes offering tools that help customers comply with their data protection obligations to their own end-users – including obligations to allow end-users to access, correct and/or erase their personal information.
ISO 27018-compliant providers must specify how quickly they will notify their customers of an unauthorized disclosure of PII and how they will help their customers fulfil their notification obligations. ISO 27018 also requires cloud service providers to record the type, timing and consequences of any security incidents, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident, etc. – creating a record that will in turn assist customers in meeting their reporting obligations.
Customers can be confident that a 27018 compliant cloud service provider will only comply with legally binding requests for disclosure of their data. In the age of major data breaches and revelations about the role of intelligence agencies, this addresses a real concern. An ISO/IEC 27018-compliant cloud service provider must reject any requests for the disclosure of customers’ personal data that are not legally binding. And if it needs to comply with a legally binding disclosure request (e.g., in relation to criminal investigations), it must always notify the relevant customer, unless prohibited from doing so by law.
Certification, simply stated, is the externally validated proof that something or someone is compliant with a standard. ISO/IEC 27018 certification will help a cloud service provider demonstrate that its cloud privacy policies and practices are robust, and in line with best industry practices. Cloud providers who adopt the new standard may be preferred over cloud providers who lag behind in implementing ISO 27018 – particularly vis-à-vis government customers who are often subject to strict procurement, security and auditing rules.
Organizations won’t be certified directly against ISO/IEC 27018. Instead, 27018 extends the ISO 27001 statement of applicability, with certification assessed against the controls covered in ISO 27002 plus the additional controls in 27018. Certification will therefore still be against ISO 27001 and 27002 – but customers and suppliers alike should be looking in the future to see whether certification covers the additional controls for protection of PII in the cloud, as set out in ISO 27018.
The new standard helps organizations assess potential risks and proposes additional controls for the protection of personal information that may be stored or managed in a cloud-based service.
The new standard will strengthen privacy by adding key protections for sensitive information stored in the cloud, the so-called “Personally Identifiable Information” (or PII for short). This is the first international privacy standard for the cloud, incorporating privacy controls specifically for cloud services, and will help a cloud service provider demonstrate that its privacy policies and practices are robust and in line with best industry practices.