The ISO is developing specific new security standards for cloud services, which are expected to be published in 2015. This is another welcome step towards ensuring compliance with the principles in the Data Protection Act and further boosting customer confidence in in cloud computing technologies.
Why the new standard?
The development of the new standard is a direct response to one of the key goals announced in the 2012 European Cloud Computing Strategy (the “Strategy”). The Strategy was published by the European Commission with the aim of promoting the rapid adoption of cloud computing in all sectors of the economy in order to boost productivity. The Commission’s own Cloud Standards Roadmap talks about concerns over security as often being cited as a barrier to migrating data to the cloud. Under current rules, liability for breach of data protection rules rests with the data controller therefore, an auditable standard for cloud service providers who process personal data is crucial to demonstrate the supplier’s resilience and hence enable a customer to meet its own regulatory obligations on data security. The need for a recognised benchmark was further endorsed by the Information Commissioners’ guidance on Cloud Computing, published in 2012. The guidance states that when selecting a cloud service provider, the data controller must choose a processor providing sufficient guarantees about the technical and organisation security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures. Audited compliance to a standard would be the appropriate method to ensure that data controllers comply with its data protection obligations and could be written into the contract between a cloud services supplier and a customer.
The new ISO 27017 and 27018
In response to the need for a cloud computing security standard the International Organisation for Standardisation (“ISO”), which is already responsible for benchmark standards for due diligence on data processors, is developing two cloud specific standards, ISO 27017 and ISO 27018. The two standards are due for official release in 2015.
The new standards are based on the familiar standards of ISO 27001 and 27002. ISO 27001 provides a framework of security controls that can be adapted and applied to an organisation of any size to create a security standards framework. ISO 27002 provides for the practical implementation of the ISO 27001 framework in an organisation. The 27001 and 27002 standards apply generally to the operation of ICT systems. The two new standards under development apply 27002 specifically to cloud computing.
ISO 27017 deals with the application of the ISO 27002 specification to the use of cloud services and to the provision of cloud services. It will recommend cloud-specific information security controls to supplement those recommended by ISO 27002.
ISO 27018 deals with the application of 27002 to the handling of Personally Identifiable Information (“PII”) and will serve as a code of practice for PII protection in public clouds which act as PII processor.
For more detail see this link to the ISO’s website.