Microsoft adopts ISO 27018 cloud code of practice

In Microsoft’s most recent audit for ISO 27001, ISO auditors have verified that Microsoft incorporates controls that comply with the ISO 27018 code of practice for the protection of personal data in the cloud (PL&B International Report October 2014 p.21).

Microsoft’s General Counsel (GC) announced that the company has adopted these controls for Azure, Office 365 and other Microsoft services, all of which are said to be aligned with the new ISO/IEC 27018 code of practice, as part of Microsoft’s certification against ISO 27001. This, in the GC’s words, makes Microsoft “the first major cloud provider to adopt the world’s first international standard for cloud privacy”. It remains to be seen whether other cloud providers take note and follow suit.

Commenting on the news, Fredericka Argent from law firm Covington & Burling LLP’s London office said: “The increase in companies wishing to receive a publicly-recognised privacy stamp of approval is indicative of a general movement towards improving the transparency of corporate data handling practices and reassuring consumers that their data is in trustworthy hands. Indeed, negotiations are still under way in respect of the proposed [EU] General Data Protection Regulation’s Article 39a, which codifies into law the establishment of data protection certification mechanisms in the European Union in order to demonstrate compliance with the Regulation. It is hard to predict where the final text will land, but it is clear from market practice that official accreditation is the future for data protection in Europe.”