How the New ISO Cloud Service Standard Affects MSPs

Cloud deployments are growing fast, and so are the rules around how they operate. Here's a closer look at ISO/IEC 27018, a new standard for data privacy in public clouds.

May 4, 2015

By Michael Brown

Cloud deployments such as cloud-based file sharing and cloud storage have been growing so rapidly that they are expected to become the largest share of IT budgets as early as 2016. The industry is keeping up with this growth by creating standards and guidelines for how cloud service providers and MSPs should operate.

A proposed international standard released earlier this year focuses on data privacy in public clouds – specifically in relation to business-to-business cloud usage – and how customers should maintain control of their personally identifiable information.

The new international standard, designated ISO/IEC 27018, is described by ISO as “an important first step for protecting PII in the cloud. It is built on previous ISO guidance and will continue to evolve along with [cloud service providers] to provide more secure services upon which businesses can grow.”

To help MSPs prepare for this new standard of conducting business involving the cloud, here are a few requirements the new standard dictates:

Must be transparent in your privacy practices

Up until now, it has just been good business practice to keep your privacy practices above board and not take advantage of your customers. Now this practice will be much more regulated. Personal information cannot and should not be used by you or your service providers for advertising or marketing purposes without the customer’s explicit permission.

Required to conduct a review if there is any loss of personal information

If one of your customers faces a data breach, your cloud provider could be required to conduct a review to determine if they had any involvement or if any response is required. When a data breach occurs, you will need to be aware of this requirement and either conduct a review of your own or facilitate the review of your cloud provider. Either way, be prepared for your customer to look to you, and know what the appropriate and necessary steps are.

Must list third parties that provide cloud services

In order to remain compliant, you and your service providers may be required to list any third parties that work with you to provide clients with services. This may require you to disclose all partners to your clients and it may require the third parties you work with to disclose your involvement with their clients. This is all another effort to create more transparency in how you deliver your services.

Stronger data retention policies

The new standard also covers privacy issues for your customers with regard to who retains their data, where, and for how long. When your customers put their PII into your cloud service, they need to be sure that it will be secure – even from you.

While some of the requirements of ISO/IEC 27018 will involve you and some only your cloud provider, they will all affect how you do business and how you communicate with your customers. One of the benefits of this new standard for cloud service providers is that it gives businesses a way to compare your service to others. If you have done your job to provide excellent, valuable service, these new standards should ultimately make it easier for new clients to see you as a top MSP.
