ISO 27018 compliance: Here's what you need to know

02.11.2015
You're negotiating a contract for cloud services. To clinch the deal, the cloud provider's rep leans across the table, fixes her gaze and tells you, "By the way, the service is certified ISO 27018 compliant."

ISO 270-what Should you sign, or step back IT execs will be increasingly faced with just such a choice, thanks to the advent of the ISO 27018 standard for protecting personally identifiable information (PII) in the cloud, which was adopted by the International Standards Organization (ISO) in July 2014.

See also: Gartner: Long hard climb to high level of cloud computing security

With data breaches, the loss of PII and identity theft continuing without letup, any measures to stem the tide are of great interest to the IT community. Even so, only Microsoft and Dropbox thus far have announced ISO 27018-compliant cloud services. Microsoft certified its Azure cloud service, Dynamics CRM and ERP cloud-based applications and Office 365 cloud-based business productivity applications in February 2015. Dropbox announced in April 2015 that Dropbox for Business had been certified. Considering the universe of cloud providers and their services, it's a small beginning, but most observers believe it's just a matter of time until most if not all cloud providers announce compliance with the standard.

The benefits of ISO 27018 promise to be profound. These include:

Here's why:

Greater customer confidence in cloud services. Compliance with ISO 27018 means a cloud provider has undertaken a list of procedures (see sidebar) for handling PII. Because compliance requires annual certification, the rigors of that process – and the resulting certificate – should give customers newfound confidence in their providers.

"It demonstrates that your cloud provider has a certain level of maturity handling PII," says Christie Grabyan, enterprise security practice lead at BishopFox, a data security consultancy.

One lawyer asserts that the meaning of the effort goes well beyond the certificate. "The motivation is not just to have a piece of paper on the wall. You're trying not to screw up someone's data -- bottom line -- this is about business and customers and confidence," says Colin Zick, partner at the law firm Foley Hoag in Boston.

For their part, cloud providers hope the message gets through to customers. "Our customers have to be in a position to trust us. It doesn't work for them to audit us individually, so it's important for us to have independent certification," says Patrick Heim, head of trust and security at Dropbox.

Whether or not a cloud provider gains formal certification, key elements of the standard can be included in contracts. "You can still negotiate privately all the provisions of ISO 27018," says Richard Kemp, solicitor and founder of United Kingdom law firm KempITLaw. As those provisions become more widely adopted, common practices for protecting PII in cloud contracts should improve. That should make customers more comfortable across the board.

Faster enablement of global operations. Because ISO 27018 provides common guidelines across different countries, it will be easier for cloud providers to do business globally – and for cloud customers to sign contracts with them for services in many corners of the globe. Since the ISO 27018 standard was based in large part on requirements of the European Community, business should go much smoother there for starters.

"European regulatory folks say they're really excited about the standard coming on line," says Neal Suggs, vice-president and associate general counsel of Microsoft Corp. But the benefits should go much further. "There are over 100 countries that have laws that protect data and privacy," says Deborah Hurley, founder of the consulting firm Hurley and fellow at the Institute for Quantitative Social Science at Harvard University. "It's not just a European thing. Every business should consider itself global. This goes a long way to meeting the requirements of countries around the world," she adds.

From the cloud provider's perspective, it will cut down on the engineering effort needed to adapt cloud services to particular privacy laws. "A standard allows engineers to build once and work for many. It's hard to adapt to localized laws, says Suggs. Adds Heim of Dropbox, "Seventy percent of our customers are global."

Cloud customers often ask providers to complete a questionnaire regarding their practices in handling PII. Filling them out is time-consuming. By obtaining certification, cloud providers may present the certificate as an answer to most if not all those questions, cutting down paperwork and shortening the negotiation process.

"Corporate security slows down many deals. There's a lot of friction," says Dan Greenberg, principal, Integrated Strategies & Tactics, LLC, who negotiates cloud agreements, often for small technology companies. "Instead of 32 questions, a certificate of compliance might take care of 30 of those questions. That's a big deal. "I'm hoping the standard reduces the friction," he says.

One factor that can sometimes impede or halt the contract process is cyber insurance, which insurance carriers write to cover the cost of data breaches and privacy violations. "Cyber insurance is really costly, because there is no standard, unlike having a burglar alarm," says Greenberg. "I've had to walk away from deals because of the cost of cyber insurance," he adds.

One insurance company executive says compliance with the standard is a positive factor in cloud contracts. "If a provider is certified under this standard, we'd prefer to see that, and terms and conditions would reflect that," says Eric Cernak, cyber practice leader for Munich Re U. S. Operations. Because of the newness of the standard, however, relief from high rates won't be immediate he adds, "We would need to have some experience to see if that warrants a lower premium."

Contractual and legal protection. Although it's too early for the establishment of legal precedents, complying with the ISO 27018 standard should give cloud providers and their customers a favorable position with regard to meeting the conditions of a contract with regard to information privacy.

ISO 27018 covers a wide variety of subjects and provides standards that hold up against audits, customer inquiries and government reviews, notes Zick. Adherence enables a cloud service provider (CSP) to show that its privacy policies and practices are reasonable and in conformance with prevailing standards.

"This provides safe harbor from a legal standpoint in case of a breach," says Zick.

The concept of safe harbor means that a cloud provider may not be judged to be negligent or reckless with PII because it has taken the trouble to gain certification. A cloud customer gains a similar benefit. "If you have that standard to fall back on, you can say it's the bad guy's fault and don't blame me," Zick adds. And compliance should pay dividends globally. "Regulators like it because they see it as assurance of compliance with their own country's data protection rules," notes Zick.

With all these benefits, what's holding cloud providers back There appear to be two major factors: the cost and time commitment to obtain certification and the lack of user outcry demanding compliance.

"We have not had any customer demanding it," says Frank Balonis, senior director of technical services at Accellion, a CSP focusing on file sharing, particularly for mobile users.

Both Microsoft and Dropbox are large cloud providers with deep pockets and much to gain in competitive differentiation from compliance. Smaller CPSs are in a different boat. "Most likely it will be a burden for smaller cloud providers," says Cernak. But over time, he says, they may have no choice. "Will this be part of the price of admission to be a cloud provider"

Balonis says Accellion expects to gain a competitive edge when it completes its ISO 27018 audit by early 2016. "It gives an additional layer of assurance to hospitals and legal firms – those customers who put a premium on PII," he says.

Although compliance will always require effort and expense, once the certificate is granted, annual certification should go much easier and be less costly, experts agree. Most also agree that without customer demand for compliance, many cloud providers will hold back.

For cloud customers, the first step is getting informed and asking questions. Zick recommends that customers review their agreements with cloud service providers to see if the providers have plans to conform to ISO 27018. Then they should consider amendments to the agreements to add ISO 27018 compliance. "There really is value in third-party accreditation particularly because it is continuing. It never stops," says Zick. But he does not expect the standard to change the cloud industry overnight. "This is a process that will take years, if not a decade, to put in place."

Because personally identifiable information (PII) can be used for business purposes such as targeted advertising and data analytics that affect an individual, understanding of what that data is and how it might be used by cloud providers is important to everyone. The purpose of ISO 27018 is to establish such an understanding and to give individuals the opportunity to grant or revoke consent over the use of their PII.

Adopted as a standard in July 2014, ISO 27018, while significant in its own right, is part of the ISO 27000 family and an evolutionary addition to previous standards ISO 27001 and ISO 27002. It is not possible to attain ISO 27018 compliance without first surmounting the hurdles of ISO 27001 and ISO 27002 – which many cloud providers have already done.

The ISO 27000 family of standards addresses privacy, confidentiality and technical security issues. The standards outline hundreds of potential controls and control mechanisms. Briefly:

ISO 27018 mandates that compliant cloud service providers (CSPs):

In addition, ISO 27018:

ISO 27018 didn't arise in a vacuum. It is akin to other standards, such as HIPAA, which covers personal health information (PHI), as well as SSAE (Statement on Standards for Attestation Engagements No. 16) and ISAE (International Standards for Attestation Engagement No. 3402), which are audit standards for security controls and effectiveness of security controls established by the American Institute of Certified Public Accountants and the International Auditing and Assurance Standards Board of the International Federation of Accountants.

(www.itworld.com)

Stan Gibson