Storage and processing of data is moving away from local machines and into the ‘cloud’, data centres that could be located anywhere.
This has put emphasis on where data is located and who has access to it; and many of the large corporations are amending their contracts accordingly.
ISO 27001:2013 has a set of controls focusing on supplier relationships.
The controls require a formal agreement between both parties, which might include the requirements for reporting incidents, providing resilience, use of certain cloud services, or which countries data can be stored and processed in.
Legal and Contractual Requirements
Different countries approach data protection and investigatory powers in different ways, and this is an evolving field.
The recent Data Retention and Investigatory Powers Act 2014, hurriedly passed by the UK government in response to a European Court of Justice ruling, is a prime example of this.
The U.S. National Security Agency has also come under the spotlight over surveillance schemes such as PRISM.
This can make some EU corporations feel vulnerable and trigger contractual obligations to keep data within the EU.
Discovering where ‘cloud’ data actually is can be difficult, and it’s surprising how data becomes dispersed over different data centres around the world when you consider just a few of the following services you might have:
– File Storage.
– Hosted Email Services.
– Website / Web Ordering.
– Off-site backup services.
An information security management system to ISO 27001:2013 will not solve all the problems, but it does provide a structured framework to risk-assess and prioritise these issues, and is widely recognised as a benefit in the tendering process.
More information: https://www.assentriskmanagement.co.uk/iso27001/