Monday, 27 October 2014

ISO/IEC 27018 – the New Cloud Security Standard

This post was written by Douglas McMahon, a solicitor in McCann FitzGerald's Technology & Innovation practice.


In its 2012 European Cloud Computing Strategy document the European Commission identified the absence of an internationally accepted, robust and auditable framework for the processing of personal data by cloud services providers as a key barrier to the adoption of cloud computing in Europe.  In response to this absence the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission (“IEC”) began work on developing a cloud specific standard for the processing of personal data based on existing information security standards, such as ISO/IEC 27001 and ISO/IEC 27002.  This work culminated in the adoption of ISO/IEC 27018 earlier this summer, the first privacy-specific international standard for the cloud.

Under EU data protection law, as implemented in Ireland by the Data Protection Acts 1988 and 2003, a data controller must ensure that its data processors (e.g. cloud service providers) implement appropriate technical and organisational security measures to protect the security of the personal data they process.  A data controller must also take appropriate steps to ensure that its data processors actually comply with those security measures.  In addition to these specific obligations, a data controller remains responsible for the processing of personal data that is undertaken on its behalf by a data processor.  This means that a data controller must ensure that its cloud service providers only process personal data in accordance with its instructions, and that its cloud service providers do not process that personal data in a manner which would place the data controller in breach of its obligations under data protection law.

Data controllers have commonly found it difficult to comply with their data protection obligations when using cloud services providers.  Particular issues have arisen in relation to visibility of sub-processors used by cloud services providers, the transfer of personal data outside of the EEA, and the return or deletion of personal data when a cloud services contract comes to an end.  It has also been impractical for individual data controllers to audit cloud services providers’ compliance with their obligations to implement appropriate technical and organisational security measures.

ISO/IEC 27018 creates a privacy compliance framework for cloud services providers that addresses the key data protection obligations that a cloud services provider should comply with when processing personal data on behalf of a data controller.  More specifically, ISO/IEC 27018 requires cloud services providers to, among other things:

· Process personal data in accordance with customers’ instructions.
· Ensure that contracts with customers specify the minimum technical and organisational measures necessary to ensure that adequate security arrangements are in place and that personal data is not processed otherwise than in accordance with customers’ instructions.  Such measures should not be subject to unilateral reduction by the cloud services provider.
· Provide information in relation to the use of any sub-processors and the locations where personal data may be processed, prior to entering into a cloud services contract.  Where a sub-processor is used, the contract with that sub-processor should include the minimum technical and organisational security measures necessary to meet the requirements that apply to the cloud services provider.
· Notify customers in the event of unauthorised access to personal data, or unauthorised access to processing equipment or facilities resulting in loss, disclosure or alteration of personal data.
· Assist customers in responding to data subject access requests.
· Disclose personal data to law enforcement authorities only when legally bound to do so and, where legally permissible, notify the customer in advance of any such disclosure.
· Only process personal data for marketing or advertising purposes with customers’ express consent.  Such consent cannot be made a condition for receiving the cloud services.
· Implement a policy for the return, transfer or deletion of personal data, such as when the relevant cloud services contract terminates or expires.
· Ensure certain security measures are undertaken when processing personal data, such as the use of encryption when personal data is transmitted over public data networks, restrictions on the creation of hard copy material containing personal data, maintenance of logs of data access and usage, user ID management, and the use of secure destruction and deletion techniques.

In order to gain certification under ISO/IEC 27018 a cloud services provider must submit itself to auditing by an accredited certification body, and thereafter to periodic third party reviews.  This allows data controllers to rely on certification under ISO/IEC 27018 as the basis for compliance with their obligations in respect of engaging data processors under data protection law.  As such, certification under ISO/IEC 27018 may increasingly become a key factor for data controllers when they assess the suitability of cloud services providers.