Key Takeaways
  • ISO 27018 is not a standalone certification. It is audited as an extension to ISO 27001 by including its controls in the Statement of Applicability (SoA).
  • The certification audit covers ISO 27018 PII controls alongside the standard ISO 27001 assessment, adding 0.5-2 days to the total audit duration.
  • Combined ISO 27001 + ISO 27017 + ISO 27018 audits are the most efficient approach for cloud providers seeking comprehensive coverage.
  • Auditors focus on evidence of operational effectiveness: documented PII handling procedures, contractual arrangements, sub-processor management, and incident response capabilities.
  • The certificate references ISO 27018 in the scope statement alongside ISO 27001, providing recognised assurance to customers and stakeholders.

How ISO 27018 Certification Works

Unlike ISO 27001, which is a management system standard with its own certification scheme, ISO 27018 is classified as a code of practice. This means it cannot be independently certified. Instead, ISO 27018 is implemented and audited as an extension to an existing ISO 27001 Information Security Management System (ISMS).

The mechanism for this extension is the Statement of Applicability (SoA) — the document within ISO 27001 that lists all controls the organisation has implemented. When pursuing ISO 27018, the organisation extends its SoA to include the additional PII-specific controls from ISO 27018, and the certification body audits these controls as part of the ISO 27001 assessment.

This approach has several practical implications:

  • Prerequisite: You must have an ISO 27001 ISMS in place (or be pursuing it simultaneously)
  • Single management system: ISO 27018 controls are integrated into the existing ISMS, not managed as a separate system
  • One audit process: The certification body assesses ISO 27018 controls during the ISO 27001 audit (initial certification, surveillance, or recertification)
  • One certificate: The resulting certificate references both ISO 27001 and ISO 27018

Important Distinction

ISO 27018 certification is more accurately described as "ISO 27001 certification with ISO 27018 controls included in the SoA." The audit and certificate are fundamentally ISO 27001, with ISO 27018 providing additional control requirements that the auditor verifies.

Extending the Statement of Applicability

The Statement of Applicability (SoA) is the central document that connects ISO 27001 to ISO 27018. Here's how to extend it:

Step 1: Identify Applicable ISO 27018 Controls

Review all ISO 27018 controls and determine which apply to your cloud services. Since ISO 27018 is specifically for PII processors in the cloud, all controls are likely applicable if your service processes PII, but some may require different implementation approaches depending on your service model (SaaS, PaaS, IaaS).

Step 2: Map Controls to Existing ISO 27002 Controls

For ISO 27018 controls that enhance existing ISO 27002 controls, document the additional PII-specific requirements alongside the existing control entry in your SoA. For new controls unique to ISO 27018, add new entries to the SoA.

Step 3: Document Implementation Status

For each ISO 27018 control in the SoA, document:

  • Whether the control is applicable (with justification if excluded)
  • How the control is implemented (policies, procedures, technical measures)
  • Where evidence of implementation can be found
  • The risk treatment rationale for each control selection

Step 4: Update Risk Assessment

Extend your information security risk assessment to include PII-specific risks. ISO 27018 controls should trace back to identified PII risks, ensuring that the control selection is risk-driven rather than merely compliance-driven.

| SoA Element | ISO 27001 Only | With ISO 27018 |
|---|---|---|
| Control sources | ISO 27001 Annex A (93 controls) | ISO 27001 Annex A + ISO 27018 additional controls |
| Risk context | Information security risks | Information security + PII-specific privacy risks |
| Implementation guidance | ISO 27002 | ISO 27002 + ISO 27018 PII-specific guidance |
| Exclusion justification | Standard risk-based justification | Must justify exclusion of any PII controls with privacy rationale |

The Audit Process

The ISO 27018 audit follows the same structure as ISO 27001 but with additional focus areas. Whether you're adding ISO 27018 to an existing certification or pursuing both together, the audit follows a two-stage process.

Adding ISO 27018 to an Existing ISO 27001 Certification

If you already hold ISO 27001, ISO 27018 can be added during:

  • Surveillance audit: The most common approach. The certification body extends the next surveillance audit to cover ISO 27018 controls.
  • Recertification audit: Added as part of the three-year recertification cycle.
  • Special audit: A dedicated audit outside the normal cycle, though this is less common and more costly.

Pursuing ISO 27001 and ISO 27018 Together

For new implementations, the most efficient approach is to implement both standards simultaneously and undergo a single integrated initial certification audit. This avoids the need for separate assessments and ensures the SoA includes ISO 27018 controls from the start.

Stage 1: Documentation Review

During Stage 1, the auditor reviews your management system documentation to assess readiness for the Stage 2 audit. For ISO 27018, the Stage 1 review covers:

Documentation the Auditor Reviews

  • Extended Statement of Applicability: ISO 27018 controls included with applicability justifications and implementation references
  • PII processing policies: Policies addressing PII handling, purpose limitation, consent, and disclosure
  • Risk assessment: Evidence that PII-specific risks have been identified and treated
  • Contractual framework: Sample Data Processing Agreements (DPAs) and controller-processor contracts
  • Sub-processor register: List of sub-processors with their roles, locations, and contractual arrangements
  • PII processing inventory: Register of PII processing activities including data types, purposes, and data flows
  • Incident response procedures: PII-specific breach response and notification procedures

Stage 1 Outcomes

The auditor will assess whether your documentation is sufficient for Stage 2. Common Stage 1 findings for ISO 27018 include:

  • SoA does not adequately reference ISO 27018 controls
  • PII risk assessment is insufficient or missing
  • DPA templates do not address all ISO 27018 contractual requirements
  • Sub-processor register is incomplete
  • PII-specific incident response procedures are not documented

Stage 2: Implementation Audit

Stage 2 verifies that ISO 27018 controls are not just documented but operationally effective. Auditors will sample evidence across all PII control categories.

Evidence the Auditor Examines

  • Contractual evidence: Signed DPAs, service agreements with PII clauses, sub-processor contracts
  • Operational records: PII disclosure logs, data subject request handling records, sub-processor assessment reports
  • Technical controls: Access control configurations for PII systems, encryption settings, log sanitisation
  • Training records: PII-specific training attendance and comprehension assessments
  • Incident records: PII breach response records, notification timelines, post-incident reviews
  • Audit reports: Internal audits covering ISO 27018 controls, corrective actions taken

Audit Techniques

Auditors use several techniques to verify ISO 27018 control effectiveness:

  • Interview: Discuss PII handling procedures with staff who process personal data
  • Observation: Watch how PII is accessed, transferred, and deleted in live systems
  • Document review: Examine records, logs, and reports for evidence of control operation
  • Technical verification: Review system configurations, access logs, and encryption settings
  • Sampling: Select specific PII processing activities and trace evidence end-to-end

Combined ISO 27001 + ISO 27017 + ISO 27018 Audits

Many cloud service providers pursue ISO 27001, ISO 27017 (cloud security), and ISO 27018 (cloud PII) together. This "cloud certification stack" provides comprehensive assurance and is the most efficient audit approach.

Benefits of Combined Audits

  • Efficiency: Overlapping controls are assessed once rather than separately. Many ISO 27002 controls are referenced by both ISO 27017 and ISO 27018, so combined assessment reduces duplication.
  • Cost savings: Combined audit fees are typically 15-25% less than separate audits for each extension
  • Consistency: One audit team assesses all controls, ensuring consistent interpretation and evaluation
  • Simplified scheduling: One audit visit instead of multiple separate assessments

Additional Audit Days

| Certification Scope | Typical Additional Days (over ISO 27001 base) |
|---|---|
| ISO 27001 only | Base audit days (varies by organisation size) |
| ISO 27001 + ISO 27018 | +0.5 to 2 days |
| ISO 27001 + ISO 27017 | +0.5 to 2 days |
| ISO 27001 + ISO 27017 + ISO 27018 | +1 to 3 days (less than the sum of the individual additions) |

The combined "cloud stack" audit (27001 + 27017 + 27018) is the industry standard for cloud service providers seeking to demonstrate comprehensive security and privacy. Major cloud providers including AWS, Azure, and Google Cloud all hold this combination.

What Auditors Look For

Understanding the auditor's perspective helps you prepare effectively. ISO 27018 auditors focus on several key areas:

Contractual Framework

Auditors will verify that your contracts with cloud customers include all ISO 27018-required elements: defined processing purposes, processor obligations, sub-processor transparency, breach notification commitments, and PII return/disposal provisions.

Purpose Limitation in Practice

Beyond having policies, auditors want to see technical and organisational measures that enforce purpose limitation. This means verifying that customer PII cannot be accessed for analytics, marketing, or other non-contracted purposes.

Sub-Processor Governance

Auditors examine your sub-processor management closely: Is the register complete and current? Are contracts in place with equivalent PII obligations? Have you assessed sub-processor compliance? Were controllers notified of changes?

Incident Response for PII

The auditor will verify that your incident response procedures have PII-specific components: breach classification criteria, accelerated timelines, controller notification procedures, and evidence of testing through exercises or actual incidents.

Staff Awareness and Competence

Personnel handling PII must demonstrate awareness of their obligations. Auditors will interview staff to verify they understand purpose limitations, confidentiality requirements, and procedures for handling data subject requests.

Common Nonconformities

  • DPAs do not address all ISO 27018 requirements
  • Sub-processor register is outdated or incomplete
  • PII in logs and temporary files is not managed per policy
  • No evidence of PII-specific incident response testing
  • Staff cannot articulate purpose limitations for customer PII
  • Data location documentation is incomplete or inaccurate
  • PII disposal processes have not been verified for effectiveness

Certificate Representation

When ISO 27018 is successfully audited, the certificate reflects this in several ways:

Certificate Statement

The certificate typically states that the organisation's ISMS has been assessed and found to conform to ISO/IEC 27001, with the Statement of Applicability referencing controls from ISO/IEC 27018. The exact wording varies by certification body but clearly indicates the inclusion of cloud PII controls.

Scope Statement

The certificate scope statement describes the services and activities covered, including the PII processing scope. For example: "Provision of cloud-based HR management services including processing of personally identifiable information in accordance with ISO/IEC 27018."

Statement of Applicability Reference

The SoA version referenced on the certificate will include ISO 27018 controls, providing auditable evidence that the PII controls have been assessed and found effective.

Certificate Cycle

The ISO 27018 reference follows the same three-year certification cycle as ISO 27001. Surveillance audits (typically annual) include assessment of ISO 27018 controls, and recertification every three years reassesses all controls comprehensively.

Timeline and Planning

Adding ISO 27018 to Existing ISO 27001

| Phase | Duration | Activities |
|---|---|---|
| Gap Assessment | 2-4 weeks | Evaluate current PII controls against ISO 27018 requirements |
| Control Implementation | 2-4 months | Implement additional controls, update SoA, revise policies |
| Internal Audit | 1-2 weeks | Audit ISO 27018 controls within the ISMS internal audit |
| Management Review | 1 week | Review readiness and approve SoA extension |
| Certification Audit | Aligned with next surveillance or recertification | Stage 1 + Stage 2 (or extended surveillance) |

Pursuing ISO 27001 + ISO 27018 Together

For new implementations, allow 8-14 months total depending on organisation size and complexity. The ISO 27018 controls are implemented alongside the ISO 27001 ISMS, adding approximately 15-25% to the overall implementation effort.

Key Planning Considerations

  • Certification body selection: Ensure your chosen certification body is competent to audit ISO 27018. Not all certification bodies have auditors qualified for cloud PII standards.
  • Scope alignment: The ISO 27018 scope must align with your ISO 27001 scope. All cloud services processing PII should be included.
  • Auditor availability: Combined audits require auditors qualified in ISO 27001, ISO 27017, and ISO 27018. Book early to secure appropriate auditor resources.
  • Evidence maturity: Auditors expect evidence of control operation over time, not just recently created documentation. Plan implementation early enough to accumulate operational evidence.

Frequently Asked Questions

Can ISO 27018 be certified as a standalone standard?

No. ISO 27018 is a code of practice, not a management system standard. It cannot be certified independently. Instead, its controls are included in the ISO 27001 Statement of Applicability and audited as an extension to ISO 27001 certification.

How does ISO 27018 appear on the certificate?

The certificate typically states ISO/IEC 27001 certification with reference to ISO/IEC 27018 controls in the Statement of Applicability. The exact wording varies by certification body but confirms the ISMS includes PII protection controls per ISO 27018.

How much additional audit time does ISO 27018 add?

ISO 27018 typically adds 0.5 to 2 days to an ISO 27001 audit, depending on the scope of PII processing, number of services, and complexity of sub-processor arrangements. Combined ISO 27017+27018 audits are more efficient than auditing each extension separately.

Do I need ISO 27017 before ISO 27018?

No. ISO 27017 (cloud security) and ISO 27018 (cloud PII) are independent extensions to ISO 27001. You can implement either or both. However, many cloud providers implement both together as part of a comprehensive cloud security and privacy certification stack.

What happens during the Stage 2 audit for ISO 27018?

During Stage 2, auditors verify the operational implementation of ISO 27018 controls. They review evidence including signed DPA agreements, sub-processor registers, PII disclosure logs, data location documentation, access controls for PII systems, incident response procedures for PII breaches, and staff training records.