Business Cloud News
Microsoft claims to be the first to adopt ISO/IEC 27018

Microsoft has adopted a relatively new ISO standard that specifies measures to protect Personally Identifiable Information (PII) in public cloud environments. The company claims it is the first public cloud provider to do so.

The standard, which will apply to Microsoft Azure, Intune, Office 365 and Dynamics CRM Online, specifies guidelines based on ISO/IEC 27002 and “takes into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.”

“Today marks a major milestone, as Microsoft is the first major cloud provider to adopt the world’s first international standard for cloud privacy,” said Microsoft’s general counsel & executive vice president, legal and corporate affairs Brad Smith in a blog post announcing the certification.

Microsoft said the move will protect customer data in new ways and bring more transparency to how the cloud provider handles that data. The standard includes specifications around disclosures to law enforcement, a major issue of contention for Microsoft, as well as how firms handle transmission of that data over public networks, storage on transportable media, and data recovery and restoration.

“All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations. We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors,” Smith said. “As we’ve said before, customers will only use services that they trust. The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online.”

Microsoft, a huge advocate of regulatory reform around data privacy rights in the US, is currently embroiled in a court case that has seen the IT giant repeatedly challenge US District Court rulings compelling it to hand over email and contact information stored in its cloud platform in Ireland as part of a drug-trafficking trial. The company is currently supporting a number of recently introduced laws that seek to limit the reach of US courts over data stored in cloud services located outside the US.