Microsoft cloud services now meet International Cloud Privacy Standard 27018

By  | 

Microsoft on Monday announced its cloud services namely Microsoft Azure, Intune, Office 365 and Dynamics CRM Online now meet the world’s first international standard for cloud privacy.

Brad Smith, the company’s general counsel and executive vice president of Legal and Corporate Affairs, in a blog post noted that Microsoft has become the first major cloud provider to adopt the ISO/IEC 27018 certification, set by the International Standards Organisation.

He said that Azure, Office 365 and Dynamics CRM Online have all been evaluated for compliance by the British Standards Institute, and Microsoft Intune has been verified compliant by Bureau Veritas. The Redmond hopes that compliance to the international standard will make companies more confident to opt for Microsoft’s cloud offerings when they think of moving workloads online.

Issued in July 2014, the standard aims to “establish commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment”.

It is to be noted that a cloud service provider (CSP) in order to be ISO 27018 compliant, must meet the below mentioned five principles:

Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.

Control: Customers have explicit control of how their information is used.

Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.

Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.

Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.

“Customers will only use services that they trust,” Smith wrote in the blog.

“The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”