In a monumental first, Microsoft today announced ISO/IEC 27018 certification for Azure. Published in July 2014 by the International Standards Organization, ISO/IEC 27018 is a compliance milestone for Microsoft and puts the company's cloud services ahead of all other providers.
The standard gives Microsoft a strong lead in certification and shows its continuing commitment not only to store data safely, but to protect the privacy of business and consumer data.
To achieve the certification, a provider must adhere to specific principles. The criteria include:
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control: Customers have explicit control over how their information is used.
- Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII, and make clear commitments about how that data is handled.
- Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
- Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.