Apparently Microsoft Azure has been confirmed as the first cloud computing platform to comply with ISO/IEC 27018 [1], the international standard for privacy controls specific to the cloud. The certification was done by BSI. And it was old news, as it was announced on February 2nd of this year. I may have seen it, but I guess it was just leaked.
Furthermore, I noticed this week that Dropbox has also acquired ISO/IEC 27018 certification. BSI is very busy. I wonder if JIPDEC will do it too. Is it impossible because of the P mark?

ISO/IEC 27018 adds privacy aspects not covered by ISO/IEC 27002, in line with the privacy framework of ISO/IEC 29100. The target is PII Processors, or so-called "contractors" in ISO/IEC 29100. A standard for data controllers that are not contractors is being developed as ISO/IEC 29151.

Actually, from the beginning of the development of ISO/IEC 27018, not only the Japanese committee members but also the international committee members were saying, "It's a little strange," "Is it really necessary? There's nothing cloud-specific," and "Well, if we're going to do security in 27017, we should do it together for consistency." I think it was at the Nairobi meeting. The discussion was held in SC 27/WG 5 (the WG where I am the domestic chair) [2], but since there wasn't much to do, the decision was made very quickly. Furthermore, the above-mentioned 29151 is in charge of the overall framework, so there is talk of doing it before that is completed. So when someone says "We are ISO/IEC 27018 compliant!" I feel a bit strange, but of course it's better than not doing it at all...
[1] ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
[2] The main person in charge of the domestic committee is Mr. Sato from the HP department.
