Last updated: 
1 day 6 hours ago
Blog Manager
One of Janet’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Microsoft cloud adopts ISO27018

Wednesday, February 18, 2015 - 11:34

An interesting announcement from Microsoft that they have adopted the new ISO/IEC 27018 standard across their Azure, Office365 and Intune cloud services.

ISO describe 27018 as a "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors", which "specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services". As a Code of Practice, and like the familiar ISO 27002 information security controls, it’s not possible to be certified as compliant against ISO/IEC 27018; however Microsoft’s Information Security Management System is certified against ISO/IEC 27001.

ENISA’s analysis of national legal requirements on cloud providers has extracted a metaframework of 27 security objectives which are mapped to the guidelines in ISO/IEC 27018 and requirements in ISO/IEC 27001. A cloud provider whose own security measures and processes are based around those standards should find it easier to demonstrate compliance with those legal requirements.