The ISO 27001 & ISO 22301 Blog

    Rhand Leal

    Data Privacy Protection, ISO 27001 and CISPE Code of Conduct

    With mandatory compliance with the European Union (EU) General Data Protection Regulation (GDPR) drawing closer, organizations that handle the personal data of individuals in the EU are rushing to adapt their operations to the new requirements, to avoid problems with customers and authorities.

    With respect to cloud infrastructure services, one particular initiative may help both providers and their customers. This article provides an overview of the CISPE Code of Conduct, how it can help ensure that personal data processing is done according to the EU GDPR (read the article What is the EU GDPR and why is it applicable to the whole world? to learn more about the EU GDPR), and how the ISO 27001 series relates to it.

    What is CISPE?

    Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of more than 20 technology companies focused on provisioning of cloud computing infrastructure services, operating in more than 15 European countries. Its work focuses on:

    • Adoption of cloud services as the first option for public procurement
    • Coherent use of EU-wide security requirements and technical standards
    • Support of customers’ privacy requirements through a Code of Conduct
    • Maintenance of a healthy EU cloud infrastructure market
    • Maintenance of a fair level of content monitoring obligations in the EU legal framework


    The CISPE Code of Conduct

    The CISPE Code of Conduct, currently a draft version released on September 26, 2016, is intended to guide customers in assessing whether Cloud Infrastructure Service Providers (CISPs), acting as data processors (i.e., processing data on the customer’s instructions, without deciding the purposes and means of the processing), are suitable for their needs regarding personal data processing under EU GDPR requirements. It is structured in seven sections and two annexes (Security Responsibilities and Declaration of Adherence Template):

    1. Structure of the code
    2. Purpose
    3. Scope
    4. Adherence
    5. Data processing requirements
    6. Transparency requirements
    7. Governance

    In terms of scope, notable aspects of the code are that it applies per service offered (a CISP may declare adherence for some services and not others), and that the service must be provided entirely within the European Economic Area (EEA). Information about adherence is presented later in this article.

    Data processing requirements cover the CISP’s responsibilities through the definition of contractual and legal requirements, operational and security conditions, handling of data requests, and demonstration of compliance.

    Transparency requirements deal with the means by which CISPs should provide their customers with information about the security controls implemented, such as service agreements, applicable security objectives and standards, risk management, and assurance processes, among others.

    Finally, governance requirements establish that the conditions of the code are continuously updated and improved, by defining the CISPE governing structure, adherence conditions, use of compliance marks, complaints handling, enforcement of practices, and the review process for the code and its guidelines.

    How can the CISPE Code of Conduct help providers and their clients?

    In Infrastructure as a Service (IaaS), the CISPs’ core business, the following conditions apply:

    1. CISPs only provide the virtualized hardware or computing infrastructure.
    2. Customers have the flexibility to choose how to use the infrastructure.
    3. Unless the customer says so, CISPs cannot know whether their infrastructure is being used to process personal data.
    4. The most efficient way to provide infrastructure is by defining common service levels, instead of tailoring them considering individual customers’ cases.

    Situations 3 and 4 clearly represent a business risk for CISPs. Without knowing which customers handle personal data, a provider may either oversize its security controls, increasing operational costs, or undersize them, putting customers’ data at risk and becoming liable in case of an incident.

    Considering this scenario, the code of conduct can help with defining:

    • Specific responsibilities for CISPs and customers regarding personal data protection
    • Requirements to ensure CISPs establish proper information security and transparency practices regarding data protection and customers’ relationships
    • A framework by which customers can verify if CISPs comply with their requirements under applicable EU data protection law

    However, it is important to note that at no time should this code be used as a substitute for the EU GDPR, contracts, or other applicable law; it is only assessment support material.

    Alignment of the CISPE Code of Conduct with the ISO 27001 series

    These are topics I consider interesting when comparing the Code with the ISO 27001 series:

    • The Code’s adoption, like in ISO 27001, is voluntary, and may be applied for one or several services of a CISP, according to its objectives.
    • CISPE’s Code of Conduct, section 7, requires the establishment of a governance structure aimed at supporting the implementation, management, and evolution of the code, similar to ISO 27001.
    • Regarding security practices, they can make use of ISO 27002, ISO 27017, and ISO 27018 recommendations. For more information, see: ISO 27001 vs. ISO 27017 – Information security controls for cloud services and ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud.
    • Compliance can be demonstrated either by certification by independent third-party auditors, or by self-declaration of compliance (only until the EU GDPR enters into force, on May 25, 2018). ISO 27001 also allows self-declaration (with no defined deadline), but most customers look for certified organizations. In either case, no requirement can be excluded.

    So, if a CISP already has implemented an ISO management system, or more specifically ISO 27001 and its complementary standards, it will be much easier to comply with the Code.

    Adopting the Code is a wise decision

    Even though cloud infrastructure service providers have little to no contact with customers’ data, upcoming legal requirements, like the EU GDPR, will require them to make their best efforts to help avoid data misuse and breaches.

    In this scenario, I consider the Code to be a great help in understanding how to protect IaaS in general, and in the European Union market specifically. The transparency it brings to the provider-customer relationship can help create a trustworthy environment that benefits both CISPs, with more operational efficiency and fewer losses due to incidents, and customers, who are assured a high default level of data protection.

    Regarding the Code’s implementation, operation, and maintenance, those CISPs that already have implemented ISO management standards, especially the ISO 27001 series, will find it easier to achieve compliance, and for those who haven’t, these standards are a great starting point.

    To learn more about ISO 27001 and get an idea of how it fits with other security frameworks, please see our free online training ISO 27001:2013 Foundations Course.
