Microsoft has announced it is the first major cloud provider to adopt the ISO/IEC 27018 standard, claimed as the world’s first international standard for cloud privacy.
The standard, which was published by the International Organisation for Standardisation (ISO) last year, sets out to establish “commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information in accordance with the privacy principles in [previous framework] ISO/IEC 29100 for the public cloud computing environment.”
In practical terms, this means that vendors process personally identifiable information only as directed by the customer, are transparent about their policies on transferring and deleting information stored in data centres, and observe defined restrictions on how personally identifiable information is handled.
Microsoft added that its Azure, Office 365 and Dynamics CRM Online products were in line with the standard.
This standard covers privacy, so it differs from the Federal Risk and Authorisation Management Program, commonly known as FedRAMP. Microsoft’s cloud infrastructure passed that test back in October 2013. Since then, however, there have been plenty of developments in terms of data privacy, not least a US judge ordering Microsoft to hand over data from a Dublin data centre in April 2014.
It’s worth noting here that ISO/IEC 27018 doesn’t appear to be a failsafe for these issues. Microsoft added that the new standard requires it to inform users about government access to their data, unless the disclosure is prohibited by law.
“Customers will only use services that they trust,” Microsoft EVP legal and corporate affairs Brad Smith wrote in a blog post. “The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”
You can find out more about the standard here.