Please help me understand ISO 27018

kabooter Member Posts: 115
I am kind of confused about the laws governing privacy in a cloud environment. After all, a cloud can be in more than one location, in more than one country (or state/province). It might even be distributed across two continents.
Please help me understand the following:
1. When Org A in California signs an agreement with a big international cloud provider, which jurisdiction's laws apply?
California's - Where the Org is based.
Canada's - Because Provider's HO is in Vancouver
Hong Kong - Because cloud provider also has cloud facilities located in Hong Kong and Sydney
2. When Org A uploads its data to the cloud, does it need to specify that its data should not be hosted in Africa?
3. In general, is data in the cloud always distributed across continents so that users in Japan can access it as fast as users in NY?
I tried looking it up in ISO 27018 but could not find anything specific. Can someone please explain to me, briefly, what exactly the ISO standards for cloud security are (including ISMS), and the other international laws regarding data privacy?
Thanks in advance.

Comments

  • jcundiff Member Posts: 486
    1). This would be specified in the MSA; it is really going to depend on who has more juice :) I have seen it go both ways with vendors... I know my company (Financial Sector) would not sign an agreement putting us in a non-US jurisdiction for legal matters.

    2). Absolutely... I know many US-based companies' SOWs clearly state US-based support only / no offshore hosting.

    3). Going to depend on the vendor and where their DCs are located.

    Privacy can be a very slippery slope, especially in the EU, if you are serving/storing EU people's PII... google GDPR and you'll see what I'm saying.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • kabooter Member Posts: 115
    jcundiff wrote: »
    1). This would be specified in the MSA; it is really going to depend on who has more juice :) I have seen it go both ways with vendors... I know my company (Financial Sector) would not sign an agreement putting us in a non-US jurisdiction for legal matters.

    2). Absolutely... I know many US-based companies' SOWs clearly state US-based support only / no offshore hosting.

    3). Going to depend on the vendor and where their DCs are located.

    Privacy can be a very slippery slope, especially in the EU, if you are serving/storing EU people's PII... google GDPR and you'll see what I'm saying.
    Thanks for replying. This is pretty much what I could figure out from ISO 27018. The customer must specify all these conditions upfront. The certificate simply binds the CSP to the terms of the contract and the general processing guidelines outlined in 27018.
  • OctalDump Member Posts: 1,722
    jcundiff wrote: »
    Privacy can be a very slippery slope, especially in the EU, if you are serving/storing EU people's PII... google GDPR and you'll see what I'm saying.

    GDPR - General Data Protection Regulation

    I can also recommend a short Udemy course on Cloud Security. It covers the answers to your first two questions pretty well, and some of question 3.

    ISO standards tend not to get too deep into technical specifics, since those change too rapidly. They tend to be higher-level, policy-type things that can be applied to multiple technologies, vendors and cloud models.
    2017 Goals - Something Cisco, Something Linux, Agile PM