ISO27018 Certification

Last updated: 2018-06-22 10:13:32

In December 2017, Tencent Cloud attained the ISO/IEC 27018:2014 international certification for public cloud information protection, and in the process became one of the first batch of cloud service providers to achieve this accolade. As the first domestic cloud service provider to acquire the ISO/IEC 27018:2014 certification across its global footprint of businesses, Tencent Cloud has shown that its Personal Information Protection Management System is able to meet the stipulations of stringent foreign laws and regulations on personal information protection. The Tencent Cloud Personal Information Protection Management System has now joined the ranks of other leading global cloud service providers, providing Tencent Cloud customers with added trust and assurance in its cloud security.

What is the ISO27018:2014 Certification?

ISO27018 is an international standard promulgated by the International Organization for Standardization (ISO) in 2014, and is the first set of international criteria dedicated to personal information protection in the cloud.

ISO27018 is based on the ISO27002 Information Security Standard, and sets out guidelines applicable to the ISO27002 control system pertaining to Personally Identifiable Information (PII) in the cloud. Its purpose is to satisfy the public cloud PII requirements that the current ISO27002 standard falls short of. Attaining the ISO27018 certification is a testament that the enterprise has achieved a high standard and adopted industry best practices in various aspects of its protection of corporate data, intellectual property, documents and cloud IT system security.

What does the evaluation for the ISO27018 certification comprise?

The Tencent Cloud certification extends to its global business lines in key countries and territories. Tencent Cloud uses its professional resources to collect and analyze the personal information laws and regulations applicable to its overseas IDCs, such as the GDPR in the European Union and the PDPA in Singapore. These are integrated with the requirements of the ISO27018 standard, and the laws and regulations of multiple countries are then analyzed together with the Tencent Cloud product data flow, so as to comprehensively identify Personally Identifiable Information (PII) in its various products. Subsequently, the effectiveness of its control measures is enhanced so that they can meet the requirements of strict international personal information protection laws and regulations, thereby improving the Tencent Cloud personal information protection system.

In China, the Cybersecurity Law, whose main scope encompasses “one system, four areas”, was implemented on 1 June 2017. In particular, reinforcing personal information protection takes center stage. Articles 40 and 42(2) state that, “network operators shall keep the personal information they collect strictly confidential and shall establish an all-inclusive user information protection regime. Network operators shall adopt technological and other necessary measures to ensure that the personal information they have collected is secure as well as to prevent information leakage, destruction and loss”.

What is the significance of the ISO27018:2014 certification?

The Tencent Cloud Personal Information Protection Management System has fully interpreted the requirements on personal information protection that the Cybersecurity Law and other relevant laws stipulate. A protection framework is built around the life cycle of personal information, with particular emphasis on data protection before, during and after an incident. Pre-incident, personal information risk is evaluated according to the applicable scenarios and corresponding protective strategies are put in place. During an incident, the purpose and use of data are restricted so as to limit any data re-disclosures. Post-incident, if encrypted data was leaked, emergency plans are activated to contain the damage. The Tencent Group will leverage its years of accumulated security experience and, together with its professional security team, create a compliant and reliable cloud service for users.