
Office 365, Dynamics and Intune achieve ISO 27018 cloud security standard
Microsoft doing everything it can to entice customers to the cloud

Microsoft has secured independent security accreditation for several of its major cloud services, in a move that could entice more security-conscious firms to use its web-hosted services.
Microsoft has achieved compliance with ISO 27018, a standard created by the International Standards Organisation, which sets out measures to "protect personally identifiable information [PII] stored in a public cloud environment".
Brad Smith, Microsoft general counsel for legal and corporate affairs, announced the accreditation in a blog post.
“The British Standards Institute has now independently verified that ... Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of PII in the public cloud. And similarly, Bureau Veritas has done the same for Microsoft Intune,” he said.
“Microsoft is the first major cloud provider to adopt the world’s first international standard for cloud privacy. It’s another reason customers can move with confidence to the Microsoft Cloud.”
ISO 27018 contains several important requirements that Smith outlined as key to achieving the certification.
These include the stipulation that Microsoft processes PII in accordance with instructions agreed to with a customer and adheres to the original commitments concerning how it will use data.
“Adherence to the standard ensures transparency about our policies regarding the return, transfer and deletion of personal information you store in our data centres,” Smith wrote.
“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with.”
Microsoft must also ensure strong security protection for the data it collects, and not use it for advertising purposes.
“The adoption of this standard reaffirms our long-standing commitment not to use enterprise customer data for advertising purposes,” Smith explained.
Lastly, the accreditation means that Microsoft must inform the customer if the data is ever requested by law enforcement agencies.
“All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations,” he said.
“We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.”
Microsoft’s move to achieve ISO 27018 accreditation comes during a legal battle with the US government over access to data stored in the cloud overseas.
The case, which is still rumbling on, could have major repercussions for US cloud firms by making it almost impossible to guarantee data sovereignty, regardless of location.