Earlier this month, we highlighted a number of new compliance milestones for Microsoft Azure. Among these developments was that the British Standards Institution (BSI) validated that Azure incorporates controls that are aligned to the ISO/IEC 27018 code of practice for the protection of Personally Identifiable Information (PII) in public clouds acting as PII processors. ISO 27018 is the first international set of privacy controls in the cloud, and Azure is the first cloud computing platform to adopt ISO 27018.
The adoption of ISO 27018 by Azure is part of a broader commitment from Microsoft to protecting the privacy of our customers, as described in today’s Microsoft on the Issues post from Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft. In addition to Azure, Office 365, Dynamics CRM Online, and Microsoft Intune have also adopted ISO 27018.
ISO 27018 was published on July 30, 2014 by the International Organization for Standardization (ISO), as a new component of the ISO 27001 standard. ISO 27018 sets forth a code of practice for the protection of PII in public clouds acting as PII processors. Cloud service providers (CSPs) adopting ISO/IEC 27018 must operate under five key principles:
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control: Customers have explicit control of how their information is used.
- Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
- Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
- Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Trust remains essential to customers leveraging the cloud, which is why Microsoft is working to further that trust by adopting the stringent privacy principles outlined in ISO 27018 and by submitting Azure’s adherence to regular independent audits.