The Growing Role of Standards in Cloud Contracts – Some Perspectives on ISO 27018

Quietly, and away from the headlines, the Standard Setting Organisations (SSOs), the journeymen of the interconnected world, are methodically and painstakingly weaving trust into the fabric of cloud computing.

Driven by innovation and the delivery of cheaper computing, cloud growth is accelerating quickly. But ‘trust’ – a word which resonates in this context with both visceral and specific anxieties about your data in other people’s data centres – has emerged as the single biggest piece of grit in the wheels of growth, generating friction that spikes with every new revelation about hacking and compromise of personal data.

As cloud computing develops, this tension between benefit and risk is being mediated as a practical matter through the contract between the cloud service provider and the cloud customer. Up to now the wide range of approaches to cloud contracts can be characterised as short on customer rights and provider obligations. In a 2012 paper ‘Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now’[1], the writers presented the results of research by the Cloud Legal Project[2] into cloud providers’ standard contract terms. They concluded that “users considered that providers’ standard terms do not sufficiently accommodate customer needs” and cited polls where data security and privacy were ranked by 62% and 55% of respondents respectively as their biggest concern with cloud adoption.

Turning this concern on its head, getting contractual commitments around data privacy and security right represents a huge opportunity for a given cloud provider to steal a competitive march. This is not easy, however, in a market that is (by definition) international: data privacy law tends to be national[3], laws can differ widely between countries and, as the progress of the draft EU General Data Protection Regulation[4] shows, the law in this area is constantly being overhauled, and through processes that can be unpredictable.

This is where the SSOs come in. ISO (the International Organisation for Standardisation, composed of representatives from 164 national standards organisations) has been spearheading activity in the field of cloud standards around its ISO 27000 family of information security standards[5]. The cloud – IT’s metaphor for the Internet – is quintessentially about interconnectedness, where standards – sets of technical specifications intended to provide a common design for a process or product – are key enablers for compatibility and interoperability.

The growing importance of ISO’s activity is demonstrated by the increase in the number of businesses gaining ISO 27001 certification – 22,000 globally in 2013[6], up 14% over 2012, with certificates in the UK alone doubling from 946 in 2009 to 1923 in 2013. Increasing uptake of standards certification has a number of important consequences in the cloud world.

First, ISO’s efforts are becoming more far reaching as they publish more individual standards in the 27000 family, which now numbers over thirty. The most recent is ISO 27018[7], published on 30 July 2014 and the first international standard focusing on the protection of personal data in the public cloud. ISO 27018 is a great example of a standard ‘filling the gaps’ between the data protection ‘trust’ deficit that cloud customers perceive and the highly fragmented, rapidly evolving, unpredictable world of data protection regulation.

When personal data (‘PII’ or personally identifiable information in the language of the standard) is processed by a public cloud service provider (as a ‘PII processor’), the cloud service customer – either an individual processing their own personal data (a ‘PII principal’) or an organisation (a ‘PII controller’) processing PII relating to many PII principals – retains responsibility for the legal duties arising under data protection law for the PII processing in the cloud. ISO 27018 enables the cloud service customer to demonstrate compliance with its data protection responsibilities by showing that the cloud service provider it is contracting with has been audited and certified as ISO 27018 compliant. This mechanism, painstakingly pieced together by ISO over two years from February 2012, will boost customer and regulatory authority trust and confidence in cloud privacy.

Table – The privacy principles of ISO 29100
1 Consent and choice
2 Purpose legitimacy and specification
3 Collection limitation
4 Data minimisation
5 Use, retention and disclosure limitation
6 Accuracy and quality
7 Openness, transparency and notice
8 Individual participation and access
9 Accountability
10 Information security
11 Privacy compliance

More technically, ISO 27018 builds on ISO 29100[8], which sets out a privacy framework based on eleven substantive privacy principles (see Table) developed to take account of applicable legal and regulatory, contractual, commercial and other relevant factors. ISO 27018 establishes commonly accepted control objectives, controls and guidelines to protect PII in accordance with these principles. It is these control objectives, controls and guidelines as implemented by the public cloud service provider as PII processor that are then audited and certified as compliant with ISO 27018.

The second major consequence of the development of cloud standards is their increasingly widespread adoption in cloud contracts. At government level, the UK has mandated ISO 27001 as a key requirement of its Digital Marketplace (the successor from October 2014 to CloudStore as the home for G-Cloud digital services for the UK public sector). At EU level, the European Commission in June 2014 published guidelines for the standardisation of Cloud SLAs (Service Level Agreements)[9] “to help business users get the most out of cloud computing”. As cloud standards develop, they too are likely to become more interconnected – ISO 27018 is likely to join ISO 27001 as a requirement for G-Cloud, and the Commission Cloud SLA guidelines refer at paragraph 6.1 to ISO 27018 as a key standard for cloud data protection. In the private sector, organisations letting cloud contracts are increasingly mandating ISO 27001, ISO 27018 and European Commission Cloud SLA guideline compliance in their Statements of Requirements that tendering cloud service providers must accept, and providers themselves are using compliance with these and similar standards in their marketing and contracts for cloud computing as selling points for their services.

At a time of rapid acceleration in cloud deployment, ISO’s activities represent a largely unsung but huge effort, and in the publication of ISO 27018, a genuine ‘first’ as an international standard in cloud data protection. These efforts are quickly enabling more efficient and effective cloud contracts and contracting techniques to be developed, in turn reducing the trust deficit and enhancing the benefits of the cloud.


[1] Hon, Millard and Walden, 16 Stan. Tech. L Rev. (2012) 81. A revised version of this paper became Chapter 4 of Cloud Computing Law (Ed. Millard, OUP, October 2013)
[3] There are over fifty specific data protection authorities around the world – see
[4] Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation), COM(2012)11 Final and associated draft Directive, COM(2012) 10 final, 25 January 2012,
[6] See the ISO interactive survey of 2013 at
[7] See the abstract and preview of ISO 27018 at
[8] Available at
[9] Press release of 26 June 2014:; guidelines:


More Posts

Send Us A Message