ISO 27018 is the first international set of cloud computing privacy controls, as mentioned in the previous blog (How many Data Privacy Acts in the world?).
ISO published ISO 27018 on July 30, 2014, as a new component of the ISO 27001 standard.
Both cloud security professionals and CSPs adopting ISO/IEC 27018 should be aware of the following five key principles:
Cloud Consent: Cloud security professionals must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customers. In addition, a customer should be able to use the service without having to consent to the use of her data for advertising or marketing.
Cloud Control: Customers have explicit control over how CSPs are to use their information.
Cloud Transparency: Cloud security professionals must inform customers about items such as where their data resides. Cloud security professionals also need to disclose to customers the use of any subcontractors who will be used to process PII.
Cloud Communication: Cloud security professionals should keep clear records about any incident and their response to it, and they should notify customers.
Cloud Independent and Yearly Audit: To remain compliant, the cloud security professional must submit to yearly third-party reviews. This allows the customer to rely on the findings to support her own regulatory obligations.
Trust is key for consumers leveraging the cloud; therefore, vendors of cloud services are working toward adopting the stringent cloud computing privacy principles outlined in ISO 27018.