Dropbox for Business has an extra feather in its cap after it was granted ISO 27018 certification this week.
Reaching a new Standard
ISO, the International Organization for Standardization, is an independent, non-governmental membership organization. Its ISO 27018 standard, published in August 2014, is the first international standard dedicated to privacy and data protection in the public cloud. It does not replace ISO 27001; rather, it builds on the ISO 27001/27002 control set and is intended to be certified alongside it, adding controls specific to cloud providers that process personal data on behalf of their customers. ISO states that the standard ‘establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII)’ and ‘is applicable to all types and sizes of organisations.’
The Certification in Practice
Dropbox’s Security Risk and Compliance Manager, Tolga Erbay, explained in a blog post that the standard “lays out many requirements regarding how Dropbox will and won’t use your organization’s information.” This means, he says, that Dropbox for Business will:
- Only use the personal information customers submit to provide the services they sign up for. Customers can add, modify, or delete data from Dropbox when they need to.
- Be transparent about where data resides on its servers, let customers know who Dropbox’s trusted partners are, and tell them what happens when they close an account or delete a file.
- Ensure customer data is safe and secure by following the requirements of ISO 27018 and ISO 27001 regarding security, privacy, encryption and strict employee access controls.
- Commit to annual audits by an independent third party to confirm that it continues to adhere to the ISO 27018 and ISO 27001 standards.
Not First Past the Post
Of course, it would have been an even bigger feather in Dropbox’s cap had Dropbox for Business been the first service to be granted the certification. Unfortunately, it was beaten to that honour by Microsoft, which announced back in February 2015 that its Microsoft Azure, Office 365 and Dynamics CRM Online services had all been granted ISO 27018 certification.
However, Dropbox is “pleased to be one of the first companies to achieve ISO 27018 certification,” stated Tolga Erbay. “Privacy and data protection regulations and norms vary around the world, and we’re confident this certification will help our customers meet their global compliance needs.”
That’s a belief Richard Kemp, founder of Kemp IT Law, would agree with. In his review of the effectiveness of ISO 27018, Mr. Kemp said: “ISO 27018 is proving effective at bridging the gap between the dizzying pace of Cloud market development and the slow and uncertain rate of legislative change… the biggest practical boon to the CSC (Cloud service customer) is the contractual certainty that ISO 27018 certification provides. In its first year, it is emerging that complying, and being seen to comply, with ISO 27018 is providing genuine assurance for CSCs in managing their data protection legal obligations.”