Key Takeaways
  • ISO 27018 is focused on cloud PII processors; ISO 27701 covers organisation-wide privacy management for both controllers and processors.
  • ISO 27018 provides deeper, cloud-specific controls while ISO 27701 provides a broader privacy management framework.
  • ISO 27018 is an ISO 27001 extension only; ISO 27701 (since 2025) can be standalone or an ISO 27001 extension.
  • They are complementary, not competing standards. Many organisations implement both for comprehensive coverage.
  • The choice depends on your processing role (controller vs processor), delivery model (cloud vs on-premise), and regulatory drivers.

Quick Overview

ISO 27018 and ISO 27701 both address personal data protection within the ISO 27000 family, but they serve different purposes and audiences. Understanding their distinct roles helps you make the right certification decision.

The Core Distinction

ISO 27018: A code of practice for protecting PII in public cloud computing. It focuses specifically on cloud service providers acting as PII processors and provides detailed, cloud-specific controls.

ISO 27701: A comprehensive Privacy Information Management System (PIMS) standard. It provides the framework for managing privacy across the entire organisation, covering both PII controller and PII processor roles in any context, not just cloud.

Side-by-Side Comparison

| Aspect | ISO 27018 | ISO 27701 |
|---|---|---|
| Full Title | Code of practice for protection of PII in public clouds acting as PII processors | Privacy Information Management System (PIMS) |
| Standard Type | Code of practice (guidelines) | Management system standard (certifiable) |
| Scope | Cloud PII processing only | All PII processing across the organisation |
| Roles Covered | PII processor only | PII controller and PII processor |
| Delivery Model | Public cloud services (SaaS, PaaS, IaaS) | Any (cloud, on-premise, hybrid, outsourced) |
| Certification | Via ISO 27001 SoA extension | Standalone or via ISO 27001 extension |
| Control Structure | Enhanced ISO 27002 + additional cloud PII controls | Clauses 5-8 + Annex A (controllers) + Annex B (processors) |
| Regulatory Mapping | Strong GDPR Art. 28 alignment | Annex D: GDPR mapping; broader regulatory support |
| First Published | 2014 (revised 2019) | 2019 (revised 2025) |
| Relationship | References ISO 27002, extends it for cloud PII | References ISO 27018 in Annex E as complementary |

Scope Differences

The most fundamental difference between the two standards is their scope. This determines which standard is relevant for your situation.

ISO 27018: Cloud-Specific, Processor-Focused

ISO 27018's scope is intentionally narrow and deep:

  • Applies only to public cloud computing environments
  • Addresses only the PII processor role (the cloud provider)
  • Provides controls specific to cloud computing challenges: multi-tenancy, data location, sub-processing chains, self-service provisioning
  • Does not cover on-premise processing, private clouds (in most interpretations), or controller responsibilities

ISO 27701: Organisation-Wide, All Roles

ISO 27701's scope is broad and comprehensive:

  • Applies to all PII processing regardless of technology or delivery model
  • Covers both PII controller and PII processor roles
  • Addresses privacy management system requirements: governance, risk assessment, policies, procedures, and continuous improvement
  • Applicable to cloud, on-premise, hybrid, and outsourced processing contexts

Think of it this way: ISO 27018 is a specialist standard for a specific scenario (cloud processing), while ISO 27701 is a generalist standard for the broader challenge of privacy management.

Controller vs Processor Coverage

A critical distinction between the two standards is how they address the PII controller and PII processor roles defined in data protection regulations.

ISO 27018: Processor Only

ISO 27018 is exclusively designed for organisations in the PII processor role. It assumes the cloud customer (controller) determines the purposes of processing, and the cloud provider (processor) implements controls to protect PII while processing it on the controller's behalf.

If your organisation is a PII controller (you decide why and how to process personal data), ISO 27018 does not directly address your controller obligations.

ISO 27701: Both Roles

ISO 27701 provides separate requirements for controllers and processors:

  • Clause 7 + Annex A: Controls for PII controllers (collection limitation, consent, data subject rights, purpose specification, privacy by design)
  • Clause 8 + Annex B: Controls for PII processors (processing under instructions, sub-processor management, assisting controllers)

Organisations can certify in one or both roles depending on their activities. Many organisations act as both controller (for employee data) and processor (for customer data).

| Your Organisation's Role | ISO 27018 | ISO 27701 |
|---|---|---|
| Cloud PII Processor only | Directly applicable | Applicable (Clause 8 + Annex B) |
| PII Controller only | Not applicable | Applicable (Clause 7 + Annex A) |
| Both Controller and Processor | Covers processor role only | Covers both roles |
| Non-cloud Processor | Not applicable (cloud-specific) | Applicable |

Certification Approach

The certification mechanisms differ significantly between the two standards.

ISO 27018 Certification Path

  • Requires existing ISO 27001 certification (no standalone option)
  • Controls added to the ISO 27001 Statement of Applicability
  • Audited as part of the ISO 27001 audit cycle
  • Certificate references ISO 27018 alongside ISO 27001
  • Typically adds 0.5-2 audit days to the ISO 27001 assessment

ISO 27701 Certification Path

  • Since 2025, can be certified independently (standalone PIMS)
  • Can also be certified as an extension to ISO 27001 (original model)
  • Has its own certification scheme under ISO 27706:2025
  • Certificate specifies controller and/or processor role
  • More comprehensive audit covering the full privacy management system

Certification Flexibility

ISO 27701's 2025 revision made it standalone, providing more flexibility. However, the most common approach for cloud providers remains an integrated certification: ISO 27001 + ISO 27017 + ISO 27018 for cloud security and PII, with ISO 27701 added when broader privacy management is needed.

When to Choose ISO 27018

ISO 27018 is the better choice when:

You Are Primarily a Cloud PII Processor

If your core business is providing cloud services that process personal data on behalf of customers (SaaS, PaaS, IaaS), ISO 27018 directly addresses your role with deep, cloud-specific controls.

You Already Hold ISO 27001

Adding ISO 27018 to an existing ISO 27001 certification is straightforward and cost-effective. The incremental effort is modest compared to implementing a full PIMS under ISO 27701.

Your Customers Ask About Cloud PII Controls

If vendor questionnaires focus on cloud-specific privacy controls such as data location, sub-processor management, and PII isolation, ISO 27018 directly answers these questions with audited evidence.

GDPR Article 28 Is Your Primary Driver

ISO 27018 maps particularly well to GDPR processor obligations under Article 28. If demonstrating Article 28 compliance is your primary goal, ISO 27018 is the most targeted path.

You Want the Cloud Stack

If you're building the cloud certification stack (ISO 27001 + ISO 27017 + ISO 27018), ISO 27018 integrates seamlessly into this combination for comprehensive cloud security and privacy.

When to Choose ISO 27701

ISO 27701 is the better choice when:

You Need Privacy Management Across the Organisation

If privacy is an organisation-wide concern covering employee data, customer data, marketing data, and vendor data across multiple contexts and systems, ISO 27701's comprehensive PIMS framework is more appropriate.

You Act as Both Controller and Processor

ISO 27701 covers both roles in a single framework. If you're a controller for some data (e.g., employee records, website visitors) and a processor for other data (e.g., customer-hosted data), ISO 27701 addresses both.

You Process PII Outside the Cloud

If your PII processing includes on-premise systems, hybrid environments, manual processes, or non-cloud outsourcing, ISO 27018 (cloud-specific) won't cover these contexts, but ISO 27701 will.

You Want a Standalone Privacy Certification

If you don't have ISO 27001 and want a privacy-focused certification, ISO 27701:2025 can be certified independently. ISO 27018 requires ISO 27001 as a prerequisite.

Multi-Regulation Compliance Is the Goal

ISO 27701 includes an Annex D mapping to GDPR and is designed to support multiple privacy regulations simultaneously. If you need to demonstrate compliance across GDPR, CCPA, LGPD, DPDP Act, and other privacy laws, ISO 27701's broader framework is more suitable.

When to Pursue Both Standards

Many organisations find that both standards add value. Consider pursuing both when:

Comprehensive Cloud Privacy Is Required

ISO 27701 provides the privacy management system and governance framework, while ISO 27018 provides the deep cloud-specific PII processor controls. Together, they demonstrate both strategic privacy management and tactical cloud PII protection.

Enterprise Customer Expectations

Large enterprise customers increasingly expect both a privacy management system (ISO 27701) and cloud-specific PII controls (ISO 27018). Having both addresses the full spectrum of vendor assessment requirements.

Dual Role with Cloud Delivery

If you act as a PII controller for some activities and a cloud PII processor for others, ISO 27701 covers both roles while ISO 27018 provides additional depth for the cloud processor role.

Progressive Implementation Strategy

A common approach is to start with ISO 27018 (smaller scope, faster implementation) and add ISO 27701 later as privacy maturity grows. Alternatively, start with ISO 27701 for the management framework and add ISO 27018 for cloud-specific depth.

| Scenario | Recommended Path |
|---|---|
| SaaS provider, ISO 27001 certified, EU customers | Start with ISO 27018, add ISO 27701 later |
| Enterprise with cloud and on-premise, GDPR scope | Start with ISO 27701, add ISO 27018 for cloud services |
| IaaS/PaaS provider, global customer base | ISO 27001 + 27017 + 27018 stack, consider ISO 27701 for completeness |
| Healthcare SaaS, HIPAA + GDPR scope | Both: ISO 27701 for privacy governance, ISO 27018 for cloud PII depth |
| Data analytics company, controller role primary | ISO 27701 (ISO 27018 not applicable for controller role) |
| MSP managing customer cloud environments | ISO 27018 first (cloud processor focus), then ISO 27701 |

Decision Framework

Use this framework to determine the right standard for your organisation:

Question 1: Are you primarily a cloud service provider processing PII for customers?

  • Yes: ISO 27018 is directly relevant. Continue to Question 2.
  • No: ISO 27018 is likely not applicable. Consider ISO 27701.

Question 2: Do you also act as a PII controller?

  • Yes (significant controller activities): You need ISO 27701 for controller coverage. Consider both standards.
  • No (processor role only): ISO 27018 may be sufficient.

Question 3: Do you already hold ISO 27001?

  • Yes: Adding ISO 27018 is straightforward. It's the natural next step for cloud providers.
  • No: If you want privacy without ISO 27001, ISO 27701 (standalone since 2025) is an option.

Question 4: What do your customers and regulators expect?

  • Cloud-specific PII controls: ISO 27018
  • Comprehensive privacy management: ISO 27701
  • Both: Implement both progressively

Our Recommendation

For cloud service providers processing PII, start with the cloud certification stack (ISO 27001 + ISO 27017 + ISO 27018) as it provides the most recognised and targeted assurance. Add ISO 27701 when your privacy programme matures or when customers specifically require organisation-wide privacy management certification. The standards integrate efficiently because they share the ISO 27001 foundation.

Frequently Asked Questions

What is the main difference between ISO 27018 and ISO 27701?

ISO 27018 is a code of practice specifically for cloud PII processors, providing controls for protecting personal data in public cloud environments. ISO 27701 is a comprehensive Privacy Information Management System (PIMS) standard covering both controllers and processors across all processing contexts, not just cloud.

Can I get both ISO 27018 and ISO 27701?

Yes. Many organisations implement both standards. ISO 27018 provides deep cloud PII processor controls while ISO 27701 provides the broader privacy management framework. They are complementary and share the ISO 27001 foundation, making combined implementation efficient.

Which should I pursue first: ISO 27018 or ISO 27701?

If you are primarily a cloud processor, start with ISO 27018 as it directly addresses your processor role with cloud-specific controls. If you need comprehensive privacy management covering both controller and processor roles across all contexts, start with ISO 27701. If your primary driver is GDPR compliance for cloud services, ISO 27018 provides the most targeted coverage.

Does ISO 27701 replace ISO 27018?

No. ISO 27701 and ISO 27018 serve different purposes and complement each other. ISO 27701 provides organisation-wide privacy management while ISO 27018 provides deep, cloud-specific PII processor controls. ISO 27701 even references ISO 27018 in its Annex E, recognising them as complementary rather than competing standards.

How do the certification approaches differ?

ISO 27018 is certified as an extension to ISO 27001 by including its controls in the Statement of Applicability. ISO 27701 (since 2025) can be certified either as a standalone PIMS under ISO 27706 or as an extension to ISO 27001. Both require audits by accredited certification bodies.