Key Takeaways
| Point | Summary |
|---|---|
| Purpose | Code of practice for PII protection in public cloud |
| Scope | Public cloud PII processors (providers handling customer data) |
| Prerequisite | Requires ISO 27001 certification as foundation |
| Privacy principles | Consent, purpose limitation, minimization, transparency |
| GDPR alignment | Supports data processor obligations under GDPR |
Quick Answer: ISO 27018 is a privacy standard for cloud providers that process personal data on behalf of their customers. It builds on ISO 27001 and provides specific controls for protecting personally identifiable information in cloud environments. This helps cloud customers meet their privacy obligations.
Understanding ISO 27018
What Is ISO 27018?
ISO 27018 is formally titled "Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." In simpler terms, it tells cloud providers how to protect the personal data their customers entrust to them.
The standard focuses specifically on:
| Aspect | Scope |
|---|---|
| Environment | Public cloud computing |
| Role | PII processors (handling data on behalf of others) |
| Data type | Personally identifiable information |
| Foundation | Extension of ISO 27001/27002 |
PII Processor vs. PII Controller
Understanding the distinction is crucial:
| Role | Definition | Example |
|---|---|---|
| PII Controller | Determines purposes and means of PII processing | Your company deciding to store customer data |
| PII Processor | Processes PII on behalf of a controller | Cloud provider storing your customer data |
ISO 27018 addresses the PII processor role. If you use a cloud provider to store or process personal data, that provider is acting as a PII processor for you.
Relationship to Other Standards
ISO 27018 fits within the ISO 27000 family:
| Standard | Focus | Relationship |
|---|---|---|
| ISO 27001 | Information security management | Required foundation |
| ISO 27002 | Security control implementation | ISO 27018 builds on this |
| ISO 27017 | Cloud security | Complementary (security focus) |
| ISO 27018 | Cloud PII protection | Specific to privacy |
| ISO 27701 | Privacy management system | Broader privacy scope |
When You Need ISO 27018
For Cloud Service Providers
You should consider ISO 27018 if you:
| Scenario | Why ISO 27018 Helps |
|---|---|
| Process customer PII | Demonstrates privacy commitment |
| Serve regulated industries | Healthcare, finance, government customers expect it |
| Operate in GDPR jurisdictions | Supports processor compliance |
| Compete with major providers | AWS, Azure, GCP all have ISO 27018 |
| Handle sensitive data | Shows mature privacy practices |
For Cloud Customers
ISO 27018 certification from your provider gives you:
| Benefit | Value |
|---|---|
| Due diligence evidence | Proof you selected a responsible processor |
| Contractual baseline | Standard expectations for data handling |
| Regulatory support | Helps demonstrate GDPR Article 28 compliance |
| Risk reduction | Provider follows established privacy practices |
| Audit efficiency | Reduces need for direct provider audits |
Core Privacy Principles
Consent and Choice
ISO 27018 requires cloud processors to:
| Requirement | Implementation |
|---|---|
| Support controller consent mechanisms | Technical capabilities for consent management |
| Not use PII for marketing | No secondary use without explicit permission |
| Respect data subject preferences | Technical means to implement choices |
Purpose Limitation
| Requirement | Implementation |
|---|---|
| Process only as instructed | Follow controller's documented instructions |
| No unauthorized use | PII used only for contracted purposes |
| Clear service definition | Documented scope of processing activities |
Data Minimization
| Requirement | Implementation |
|---|---|
| Collect only necessary PII | Limit processing to service requirements |
| No excessive retention | Delete temporary files and logs containing PII |
| Minimize copies | Limit data duplication |
Use, Retention, and Disclosure Limitation
| Requirement | Implementation |
|---|---|
| Return or delete PII | Clear termination procedures |
| Restrict disclosures | Only as authorized or legally required |
| Document retention | Clear retention periods |
Transparency
| Requirement | Implementation |
|---|---|
| Disclose sub-processors | Identify who else processes the data |
| Data location disclosure | Inform where PII is processed |
| Processing documentation | Clear description of activities |
Key ISO 27018 Controls
Enhanced Controls from ISO 27002
ISO 27018 enhances existing controls with PII-specific requirements:
| Control Area | ISO 27018 Enhancement |
|---|---|
| Access control | Ensure only authorized personnel access PII |
| Cryptography | Encrypt PII in transit and at rest |
| Operations security | Secure deletion, backup encryption |
| Communications security | Secure data transfers |
| Supplier relationships | Sub-processor disclosure and management |
PII-Specific Controls
ISO 27018 adds controls unique to PII processing:
Consent and Notification
| Control | Requirement |
|---|---|
| PII use notification | Inform controllers of any third-party disclosures |
| Advertising prohibition | No use of PII for advertising without consent |
| Sub-processor notification | Alert controllers before using sub-processors |
PII Return and Disposal
| Control | Requirement |
|---|---|
| Return capability | Technical means to return PII to controller |
| Secure deletion | Verified destruction when no longer needed |
| Media disposal | Secure handling of storage media |
| Retention limits | Delete PII when retention period expires |
Disclosure Handling
| Control | Requirement |
|---|---|
| Law enforcement requests | Notify controller unless prohibited |
| Government access | Document any legal disclosure requirements |
| Disclosure logging | Record all disclosures made |
Data Location and Transfer
| Control | Requirement |
|---|---|
| Processing locations | Disclose countries where PII is processed |
| Cross-border transfers | Address transfer mechanisms |
| Sub-processor locations | Transparency about sub-processor geography |
Sub-Processor Management
Critical requirements for managing sub-processors:
| Requirement | Implementation |
|---|---|
| Disclosure | List all sub-processors used |
| Flow-down | Ensure sub-processors meet the same requirements |
| Notification | Inform controllers of sub-processor changes |
| Assessment | Evaluate sub-processor security |
| Contracts | Equivalent contractual protections |
Implementing ISO 27018
Step 1: Establish Foundation
Before pursuing ISO 27018:
| Prerequisite | Status Required |
|---|---|
| ISO 27001 certification | Required or in progress |
| PII inventory | Know what personal data you process |
| Processing activities | Document your cloud services |
| Customer contracts | Review processor agreements |
Step 2: Gap Assessment
Assess current state against ISO 27018:
| Assessment Area | Questions to Answer |
|---|---|
| PII handling | How is customer PII protected? |
| Sub-processors | Who else processes the data? |
| Data locations | Where is PII stored and processed? |
| Retention practices | How long is PII kept? |
| Deletion capabilities | Can you return/delete PII? |
| Disclosure procedures | How are legal requests handled? |
Step 3: Control Implementation
Address gaps with specific controls:
| Gap Area | Typical Controls |
|---|---|
| Encryption gaps | Implement encryption at rest and in transit |
| Access controls | Strengthen PII access restrictions |
| Deletion process | Create verified deletion procedures |
| Sub-processor management | Establish assessment and monitoring program |
| Documentation | Create required policies and procedures |
Step 4: Certification
ISO 27018 certification is typically obtained in one of the following ways:
| Approach | Description |
|---|---|
| Combined audit | With ISO 27001 certification/surveillance |
| Extension audit | Additional audit scope for existing ISO 27001 |
| Same certification body | Usually the same auditor team |
GDPR Alignment
Supporting Processor Obligations
ISO 27018 aligns with GDPR Article 28 processor requirements:
| GDPR Article 28 Requirement | ISO 27018 Support |
|---|---|
| Process only on documented instructions | Purpose limitation controls |
| Ensure authorized personnel confidentiality | Access control, confidentiality agreements |
| Take appropriate security measures | ISO 27001/27018 security controls |
| Respect sub-processor conditions | Sub-processor management requirements |
| Assist controller with data subject rights | Technical capabilities for requests |
| Delete or return PII after service | PII return and disposal controls |
| Demonstrate compliance | Audit rights, certification evidence |
Data Processing Agreements
ISO 27018 certification strengthens DPAs:
| DPA Element | How ISO 27018 Helps |
|---|---|
| Security measures | Certified security controls |
| Sub-processor disclosure | Required transparency |
| Data location | Geographic disclosure requirements |
| Audit rights | Independent certification evidence |
| Deletion | Verified disposal procedures |
Common Questions
Does ISO 27018 apply to private clouds?
ISO 27018 specifically addresses public cloud environments. However, its principles can inform private cloud privacy practices. For private cloud, ISO 27001 and ISO 27701 may be more applicable.
Can cloud customers get ISO 27018 certified?
ISO 27018 is designed for PII processors (cloud providers). Cloud customers using cloud services would pursue ISO 27001, potentially with ISO 27701 for comprehensive privacy management.
How does ISO 27018 differ from ISO 27701?
| Aspect | ISO 27018 | ISO 27701 |
|---|---|---|
| Scope | Public cloud PII processors | All privacy roles |
| Role | PII processor focus | Controllers and processors |
| Environment | Cloud-specific | Any environment |
| Foundation | Builds on ISO 27001 | Extends ISO 27001 to PIMS |
Do major cloud providers have ISO 27018?
Yes, all major providers hold ISO 27018:
| Provider | ISO 27018 Status |
|---|---|
| AWS | Certified |
| Microsoft Azure | Certified |
| Google Cloud | Certified |
| Salesforce | Certified |
This means customers can leverage provider certifications for their own compliance.
Is ISO 27018 mandatory for GDPR?
ISO 27018 is not mandatory, but it demonstrates good practices that support GDPR compliance. GDPR Article 28 requires appropriate security measures, and ISO 27018 certification is strong evidence of this.
Practical Considerations
Cost and Timeline
| Factor | Consideration |
|---|---|
| Initial investment | Moderate (building on ISO 27001) |
| Additional audit days | 1-2 days beyond ISO 27001 audit |
| Ongoing maintenance | Included in surveillance audits |
| Efficiency | Combined audit most cost-effective |
Maintaining Certification
Like ISO 27001, ISO 27018 follows a three-year certification cycle:
| Year | Activity |
|---|---|
| Year 1 | Initial certification (with ISO 27001) |
| Year 2 | Surveillance audit |
| Year 3 | Surveillance audit |
| Year 4 | Recertification audit |
Business Value
| Stakeholder | Value Delivered |
|---|---|
| Customers | Assurance their data is protected |
| Sales teams | Competitive differentiator |
| Legal/compliance | Due diligence evidence |
| Regulators | Demonstration of good practices |
| Partners | Trust in data handling |
The Bastion Approach
Cloud Privacy Simplified
Bastion helps organizations navigate ISO 27018:
| Challenge | Bastion Solution |
|---|---|
| Understanding requirements | Expert guidance on applicability |
| Gap assessment | Evaluation against ISO 27018 controls |
| Control implementation | Practical implementation support |
| Sub-processor management | Vendor assessment frameworks |
| Certification preparation | Audit readiness review |
Combined Certification Strategy
For organizations pursuing ISO 27018:
| Approach | Recommendation |
|---|---|
| Starting fresh | Include ISO 27018 in initial ISO 27001 project |
| Already ISO 27001 certified | Add ISO 27018 at next surveillance |
| Privacy-focused | Consider ISO 27018 + ISO 27701 combination |