Microsoft the first to adopt ISO Code of practice for protection in public clouds
Published 17 February 2015
Microsoft has become the first cloud provider to reveal that it has taken on the obligations of ISO/IEC 27018:2014 (Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
According to Microsoft, it decided to adopt the code for a number of reasons, including that adherence to ISO 27018 "assures enterprise customers that privacy will be protected" (Source: Microsoft news release).
The code of practice "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services" (Source: ISO website).
The code is stated to be applicable to all organisations that carry out, for other organisations, information processing services as PII processors using cloud computing.
What action could be taken to manage risks that may arise from this development?
Financial services companies are advised to consider, when choosing a cloud provider service, whether the provider follows the highest standards of best practice. Companies may wish to require, as a condition of engagement, that the provider has adopted ISO/IEC 27018:2014 so that their own compliance obligations are met.