- ISO 27018 controls are organised around the nine privacy principles from ISO/IEC 29100, providing a structured approach to cloud PII protection.
- The standard enhances existing ISO 27002 controls with PII-specific guidance and introduces approximately 25 additional controls unique to cloud PII processing.
- Each control requires specific evidence: documented policies, technical implementations, contractual clauses, and operational records.
- Controls address the entire PII lifecycle from collection through processing, storage, transfer, and secure disposal.
- Practical implementation requires collaboration between security, legal, operations, and development teams.
Control Structure Overview
ISO 27018 organises its controls using the privacy principles defined in ISO/IEC 29100 (Privacy Framework). This principle-based structure ensures comprehensive coverage of all aspects of PII protection in cloud environments.
The standard takes a two-pronged approach to controls:
- Enhanced ISO 27002 controls: For each applicable ISO 27002 control, ISO 27018 adds cloud PII-specific implementation guidance. This ensures that general security controls are applied with a privacy lens.
- Additional controls (Annex A): New controls that address cloud PII scenarios not covered by ISO 27002, such as notification of government access requests, PII return and disposal, and sub-processor transparency.
Understanding both types is essential for implementation. The enhanced controls modify how you implement existing security measures, while the additional controls introduce entirely new capabilities.
Consent and Choice Controls
These controls ensure that PII processing in the cloud occurs only with proper authorisation from the cloud customer (PII controller) and, where applicable, the PII principal (data subject).
Control: PII Processing Under Contract
What it requires: The cloud service provider must process PII only in accordance with the documented instructions of the cloud customer. Processing must be governed by a legally binding agreement that specifies the scope, nature, and purpose of processing.
Practical implementation:
- Establish Data Processing Agreements (DPAs) with all cloud customers whose PII you process
- Define processing instructions in service agreements with specific, bounded scope
- Implement technical controls that enforce processing boundaries (e.g., role-based access, API scope limitations)
- Document procedures for handling processing instruction changes from controllers
Evidence examples: Signed DPA templates, service agreements with processing scope clauses, change management records for processing instruction updates, technical architecture documents showing processing boundaries.
Control: Prohibition of Commercial Use of PII
What it requires: The cloud provider must not use PII processed on behalf of customers for any commercial purpose, including advertising, marketing, profiling, or analytics, unless explicitly authorised by the controller.
Practical implementation:
- Establish clear internal policies prohibiting commercial use of customer PII
- Implement technical isolation between customer PII and any analytics or marketing systems
- Conduct regular audits to verify no unauthorised PII usage
- Train all staff on the prohibition and consequences of violations
Evidence examples: Internal policies on PII usage, technical architecture showing data isolation, audit reports, training records, code reviews showing no PII leakage to analytics.
Purpose Legitimacy and Specification Controls
These controls ensure that PII is processed only for legitimate, specified, and documented purposes.
Control: Purpose Specification
What it requires: The cloud provider must document and communicate the purposes for which PII is processed. Purposes must be limited to what is necessary for the contracted service.
Practical implementation:
- Maintain a register of processing purposes for each service or customer category
- Include purpose statements in DPAs, privacy notices, and internal documentation
- Implement purpose limitation checks in data processing workflows
- Review processing purposes periodically to ensure continued relevance
Evidence examples: Processing purpose register, DPAs with purpose clauses, privacy impact assessments, processing workflow documentation.
Control: Temporary File Management
What it requires: Temporary files that incidentally contain PII (logs, caches, buffers, debug outputs) must be managed with the same purpose restrictions as the primary PII. They must be deleted within defined timeframes.
Practical implementation:
- Identify all locations where temporary PII may exist (logs, caches, temp storage, queues)
- Define maximum retention periods for each type of temporary file
- Implement automated purging mechanisms for temporary files
- Include temporary files in PII inventory and data flow documentation
Evidence examples: Temporary file inventory, retention schedules, automated purging configurations, monitoring dashboards, data flow diagrams including temp storage.
Data Minimisation Controls
These controls ensure that PII processing is limited to what is adequate, relevant, and necessary for the stated purpose.
Control: Collection Limitation
What it requires: The cloud provider must not collect or process more PII than is necessary for the specific service being provided. This extends to metadata, telemetry, and any incidental data collection.
Practical implementation:
- Conduct data minimisation reviews for all services and features that touch PII
- Implement privacy-by-design principles in development processes
- Review API endpoints and data collection points for excessive PII collection
- Pseudonymise or anonymise PII where full identifiability is not required
Evidence examples: Data minimisation review records, privacy-by-design checklists, API documentation showing minimal data collection, pseudonymisation implementation records.
Control: PII in Diagnostic and Log Data
What it requires: PII appearing in system logs, diagnostics, error reports, and monitoring data must be minimised. Where PII must appear in logs, it should be masked, truncated, or pseudonymised.
Practical implementation:
- Implement log sanitisation to mask or remove PII from operational logs
- Configure monitoring tools to avoid capturing full PII in alerts and dashboards
- Use pseudonymisation for PII in analytics and performance monitoring
- Define retention periods for logs containing residual PII
Evidence examples: Log sanitisation configurations, sample sanitised logs, monitoring tool configurations, retention policies for log data.
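The masking, truncation and pseudonymisation steps listed above, as an added Python example that is not from the original guide: it rewrites constructed sample log lines in a hypothetical `user_id=... email=... ip=...` format and includes a residual-PII check of the kind an auditor would want to see run over sanitised output. The HMAC key and the field names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed per-deployment secret for pseudonymisation. In production it
# comes from a secret store and is rotated; it is never committed to source.
PSEUDONYM_KEY = b"example-key-not-for-production"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# Hypothetical application field "user_id=<value>"; adjust to your log schema.
USER_ID_RE = re.compile(r"\buser_id=([A-Za-z0-9-]+)")


def pseudonymise(value: str) -> str:
    """Keyed HMAC: the same user yields the same token across lines (so an
    incident can still be correlated) but the token cannot be reversed
    without the key. Truncated to 16 hex characters for readability."""
    mac = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "uid:" + mac[:16]


def _mask_email(m):
    local, domain = m.group(0).split("@", 1)
    return local[0] + "***@" + domain


def _truncate_ip(m):
    # Keep the first two octets for coarse network diagnostics, drop the host part.
    return f"{m.group(1)}.{m.group(2)}.x.x"


def sanitise_line(line: str) -> str:
    """Apply masking, truncation and pseudonymisation to one log line."""
    line = EMAIL_RE.sub(_mask_email, line)
    line = IPV4_RE.sub(_truncate_ip, line)
    line = USER_ID_RE.sub(lambda m: "user_id=" + pseudonymise(m.group(1)), line)
    return line


def contains_raw_pii(line: str) -> bool:
    """Detection check for the evidence pack: does a line still carry a
    full e-mail address or a full IPv4 address after sanitisation?"""
    return bool(EMAIL_RE.search(line) or IPV4_RE.search(line))


# Constructed sample lines in the hypothetical application format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO login ok user_id=4711 "
    "email=alice.smith@example.org ip=203.0.113.42",
    "2024-05-01T10:00:05Z WARN export failed user_id=4711 "
    "ip=203.0.113.42 reason=timeout",
]


def sanitise_all(lines):
    return [sanitise_line(line) for line in lines]


if __name__ == "__main__":
    for clean in sanitise_all(SAMPLE_LOGS):
        print(clean, "| raw PII left:", contains_raw_pii(clean))
```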
Use, Retention, and Disclosure Limitation Controls
These controls prevent PII from being used beyond its intended purpose, retained longer than necessary, or disclosed without proper authorisation.
Control: Retention and Disposal
What it requires: PII must be retained only for as long as necessary for the contracted purpose. When retention is no longer justified, PII must be securely deleted or anonymised. Upon contract termination, PII must be returned or securely disposed of.
Practical implementation:
- Define retention schedules aligned with controller requirements and legal obligations
- Implement automated retention enforcement with secure deletion capabilities
- Establish contract termination procedures for PII return or disposal
- Verify secure deletion across all storage media including backups
Evidence examples: Retention schedules, automated deletion configurations, contract termination PII disposal records, secure deletion certificates, backup purge records.
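An added Python example (not part of the original guide) that serves both the automated purging under Temporary File Management and the automated retention enforcement listed above: a schedule-driven sweep that classifies files by category, deletes the expired ones and returns disposal records usable as audit evidence. The directory layout, categories and retention periods are constructed assumptions.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import timedelta

# Constructed retention schedule: category (a subdirectory name) -> max age.
# Real values come from controller instructions and legal obligations.
RETENTION_SCHEDULE = {
    "cache": timedelta(hours=24),
    "debug": timedelta(days=7),
    "exports": timedelta(days=30),
}

@dataclass
class DisposalRecord:
    path: str
    category: str
    age_hours: float
    action: str  # "expired" (scan only), "deleted" or "retained"

def scan(root, schedule, now=None):
    """Classify every file under root/<category> against the schedule."""
    now = time.time() if now is None else now
    records = []
    for category, max_age in schedule.items():
        cat_dir = os.path.join(root, category)
        if not os.path.isdir(cat_dir):
            continue
        for name in sorted(os.listdir(cat_dir)):
            path = os.path.join(cat_dir, name)
            if not os.path.isfile(path):
                continue
            age = now - os.path.getmtime(path)
            action = "expired" if age > max_age.total_seconds() else "retained"
            records.append(DisposalRecord(path, category, age / 3600, action))
    return records

def purge(root, schedule, now=None, dry_run=False):
    """Delete expired files and return the records as disposal evidence.
    os.remove is a logical delete: on cloud storage, secure disposal usually
    relies on crypto-shredding (destroying the data key) and must also cover
    backups, neither of which this example performs."""
    records = scan(root, schedule, now)
    for rec in records:
        if rec.action == "expired" and not dry_run:
            os.remove(rec.path)
            rec.action = "deleted"
    return records

def verify(records):
    """True if every deleted path is gone and every retained path still exists."""
    return all(os.path.exists(r.path) == (r.action == "retained") for r in records)

def build_sample_tree():
    """Constructed layout: one stale and one fresh file per category, with
    mtimes set via os.utime so the example runs without waiting."""
    root = tempfile.mkdtemp(prefix="pii-temp-")
    now = time.time()
    for category, max_age in RETENTION_SCHEDULE.items():
        os.makedirs(os.path.join(root, category))
        for label, age in (("stale", 2 * max_age.total_seconds()), ("fresh", 60)):
            path = os.path.join(root, category, f"{label}.log")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("user_id=4711 cached profile fragment\n")  # constructed content
            os.utime(path, (now - age, now - age))
    return root
```

Running `purge(build_sample_tree(), RETENTION_SCHEDULE)` deletes the three stale files and leaves the three fresh ones; `dry_run=True` produces the same records without deleting, which is useful for reviewing a schedule before enforcing it.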
Control: Notification of PII Disclosure Requests
What it requires: When the cloud provider receives a legally binding request to disclose PII (e.g., from law enforcement or a regulatory authority), it must notify the cloud customer before disclosure unless legally prohibited from doing so.
Practical implementation:
- Establish a process for receiving, evaluating, and responding to legal disclosure requests
- Define notification procedures and timelines for informing controllers
- Maintain a legal team or designated contact for evaluating disclosure obligations
- Document all disclosure requests and actions taken
Evidence examples: Disclosure request handling procedure, notification templates, legal review process documentation, disclosure request register (with redactions as needed).
Control: Recording of PII Disclosures
What it requires: All disclosures of PII to third parties must be recorded, including the identity of the third party, the legal basis for disclosure, the PII disclosed, and the date. Records must be available to the controller upon request.
Practical implementation:
- Maintain a PII disclosure register accessible to authorised personnel
- Record the details of each disclosure event immediately
- Provide controllers with access to disclosure records upon request
- Review disclosure records periodically for patterns or anomalies
Evidence examples: PII disclosure register, disclosure record templates, controller access procedures, periodic review records.
Openness, Transparency, and Notice Controls
These controls ensure that cloud customers and PII principals have adequate visibility into how PII is handled.
Control: Sub-Processor Disclosure and Management
What it requires: The cloud provider must disclose the identity and location of all sub-processors before engagement. Changes to sub-processors must be communicated to controllers with sufficient notice. Contracts with sub-processors must include equivalent PII protection obligations.
Practical implementation:
- Maintain a current register of all sub-processors with their roles, locations, and processing activities
- Implement a sub-processor change notification process with defined lead times
- Include PII protection clauses in all sub-processor contracts
- Conduct regular assessments of sub-processor compliance
Evidence examples: Sub-processor register, notification procedures and records, sub-processor contracts with PII clauses, compliance assessment reports, change notification records.
Control: Data Location Transparency
What it requires: The cloud provider must disclose the countries in which PII may be stored, processed, or accessed. Controllers must be informed in advance of any changes to data processing locations.
Practical implementation:
- Document all data centre locations and processing jurisdictions
- Implement data residency controls where contractually required
- Maintain transparency about remote access locations (e.g., support teams in different countries)
- Notify controllers of planned infrastructure changes affecting data locations
Evidence examples: Data location documentation, infrastructure maps, data residency policy, change notification records, contractual data location clauses.
Control: Processing Activity Transparency
What it requires: The cloud provider must clearly communicate what processing activities it performs on PII, including any automated processing, indexing, or analysis performed as part of the service.
Practical implementation:
- Document all processing activities in service descriptions and DPAs
- Disclose automated processing such as search indexing, caching, and content analysis
- Provide controllers with clear descriptions of data handling processes
- Update processing descriptions when services evolve
Evidence examples: Service processing descriptions, DPA processing annexes, technical documentation of automated processing, version-controlled processing descriptions.
Individual Participation and Access Controls
These controls ensure the cloud provider can support controllers in fulfilling data subject rights.
Control: Data Subject Rights Assistance
What it requires: The cloud provider must provide mechanisms to assist controllers in responding to data subject access, correction, deletion, and portability requests.
Practical implementation:
- Provide APIs or administrative tools for controllers to retrieve, export, correct, and delete PII
- Document the process for controllers to submit data subject rights requests
- Define response timelines that enable controllers to meet regulatory deadlines
- Ensure PII can be exported in a structured, machine-readable format
Evidence examples: API documentation, admin tool user guides, data subject request procedures, response timeline commitments, data export format specifications.
Control: PII Retrieval and Export
What it requires: The cloud provider must enable controllers to retrieve and export PII in a usable format, both during the service period and upon contract termination.
Practical implementation:
- Implement data export functionality in standard, interoperable formats (CSV, JSON, XML)
- Ensure export tools capture all PII including metadata and associated records
- Define export procedures and timelines for contract termination
- Test export processes regularly to ensure completeness and accuracy
Evidence examples: Export tool documentation, format specifications, termination export procedures, export testing records.
Accountability Controls
These controls ensure the cloud provider demonstrates and documents its PII protection responsibilities.
Control: Confidentiality Obligations
What it requires: All personnel with access to PII must be subject to binding confidentiality obligations. These obligations must survive termination of the employment or contractual relationship.
Practical implementation:
- Include PII confidentiality clauses in all employment contracts and contractor agreements
- Ensure confidentiality obligations are legally enforceable and survive termination
- Brief all new staff on their confidentiality obligations during onboarding
- Maintain records of confidentiality acknowledgements
Evidence examples: Employment contract templates with confidentiality clauses, contractor agreement templates, signed confidentiality acknowledgements, onboarding checklists.
Control: PII Privacy Impact Assessment
What it requires: The cloud provider must conduct privacy impact assessments for new services, features, or processing activities that involve PII. Assessments must evaluate risks to PII principals and identify mitigating controls.
Practical implementation:
- Integrate privacy impact assessments into the service development lifecycle
- Define triggers for when assessments are required (new services, significant changes, new data types)
- Involve privacy, security, legal, and technical stakeholders in assessments
- Document findings and track mitigation actions to completion
Evidence examples: PIA procedure document, completed PIA reports, risk registers, mitigation action tracking, change management records showing PIA integration.
Control: Audit and Compliance Support
What it requires: The cloud provider must support controller audits of PII processing practices. This may include providing audit reports, responding to audit questionnaires, or facilitating on-site or remote audits.
Practical implementation:
- Define audit support procedures and communication channels
- Provide ISO 27001/27018 certification reports as standard audit evidence
- Respond to customer audit questionnaires within defined timelines
- Facilitate remote or on-site audits when contractually required
Evidence examples: Audit support procedures, standard audit report packages, questionnaire response templates, audit facilitation records.
Information Security Controls
ISO 27018 enhances multiple ISO 27002 security controls with PII-specific guidance. Key areas include:
Access Control Enhancements
What it requires: Access to PII must follow the principle of least privilege, with access granted only to personnel who require it for their specific job function. Access to customer PII must be logged and auditable.
Practical implementation:
- Implement role-based access control (RBAC) with PII-specific access roles
- Require multi-factor authentication for access to systems containing PII
- Implement privileged access management (PAM) for administrative access to PII
- Log all access to PII with sufficient detail for audit purposes
- Conduct regular access reviews specifically for PII-containing systems
Evidence examples: RBAC configuration, MFA policies, PAM tool records, access logs, access review records.
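An added Python example (not from the original guide) of the PII-specific RBAC and access logging described above, which also enforces the per-customer processing boundary called for under the PII Processing Under Contract control: access is granted only if the role holds the PII permission, the actor is assigned to that customer, and the request traces to a documented instruction. Roles, tenants and ticket references are constructed assumptions.

```python
import time

# Constructed role model: PII-specific roles kept separate from platform roles.
# Administrative access to PII would be brokered through PAM (not shown here).
ROLE_PERMISSIONS = {
    "support-agent": {"pii:read"},
    "dsar-operator": {"pii:read", "pii:export", "pii:delete"},
    "platform-admin": set(),
}

# Constructed mapping of each actor to the cloud customers (tenants) they may act for.
ACTOR_TENANTS = {
    "u.bloggs": {"tenant-a"},
    "s.lee": {"tenant-a", "tenant-b"},
}

AUDIT_LOG = []  # stand-in for an append-only store forwarded to the SIEM


class PiiAccessDenied(PermissionError):
    pass


def _audit(actor, role, permission, tenant, record_ref, ticket, outcome):
    # Log the reference to the record, never the PII value itself, so the
    # audit trail does not become one more store of PII (see log minimisation).
    AUDIT_LOG.append({
        "ts": time.time(), "actor": actor, "role": role,
        "permission": permission, "tenant": tenant,
        "record_ref": record_ref, "ticket": ticket, "outcome": outcome,
    })


def authorise_pii_access(actor, role, permission, tenant, record_ref, ticket):
    """Least-privilege decision for one PII operation. Allowed and denied
    decisions are both logged with enough context to reconstruct who touched
    which record, for which customer, under which documented instruction."""
    allowed = (
        permission in ROLE_PERMISSIONS.get(role, set())
        and tenant in ACTOR_TENANTS.get(actor, set())
        and bool(ticket)  # every access must trace to a controller instruction
    )
    _audit(actor, role, permission, tenant, record_ref, ticket,
           "allowed" if allowed else "denied")
    return allowed


def export_subject_record(actor, role, tenant, record_ref, ticket):
    """Example PII operation: export one data subject's record for a DSAR."""
    if not authorise_pii_access(actor, role, "pii:export", tenant, record_ref, ticket):
        raise PiiAccessDenied(f"{actor} ({role}) may not export in {tenant}")
    # Fetching and packaging the record is omitted; return the export envelope.
    return {"tenant": tenant, "record_ref": record_ref, "format": "json"}


def denied_count():
    """Number of denied decisions in the audit log (useful for access reviews)."""
    return sum(e["outcome"] == "denied" for e in AUDIT_LOG)
```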
Encryption and Data Protection
What it requires: PII must be protected using appropriate encryption both in transit and at rest. Key management must ensure that encryption keys are protected and that key access is controlled.
Practical implementation:
- Implement TLS 1.2+ for all PII in transit
- Apply AES-256 (or equivalent) encryption for PII at rest
- Implement key management procedures with separation of duties
- Consider customer-managed encryption keys for sensitive PII
Evidence examples: Encryption standards document, TLS configuration, encryption-at-rest configurations, key management procedures, key rotation records.
Incident Response for PII Breaches
What it requires: Incident response procedures must specifically address PII breaches with accelerated detection, assessment, and notification timelines. Controllers must be notified without undue delay.
Practical implementation:
- Define PII breach classification criteria and severity levels
- Establish accelerated response timelines for PII incidents (e.g., 24-48 hours for controller notification)
- Maintain breach notification templates and communication channels
- Conduct PII breach response exercises and tabletop simulations
Evidence examples: PII breach response procedure, notification templates, incident logs, exercise records, post-incident review reports.
Privacy Compliance Controls
These controls ensure ongoing compliance monitoring and continuous improvement of PII protection measures.
Control: Compliance Monitoring
What it requires: The cloud provider must regularly assess compliance with ISO 27018 requirements, contractual PII obligations, and applicable privacy regulations. Non-conformities must be identified, documented, and remediated.
Practical implementation:
- Include ISO 27018 controls in the internal audit programme
- Conduct periodic compliance assessments against contractual PII obligations
- Monitor privacy regulatory changes and assess impact on existing controls
- Track and remediate non-conformities through the corrective action process
Evidence examples: Internal audit plans and reports, compliance assessment records, regulatory change tracking, corrective action records.
Control: PII Protection Training
What it requires: Personnel handling PII must receive appropriate training on PII protection requirements, the organisation's PII handling policies, and their specific responsibilities.
Practical implementation:
- Develop PII-specific training modules covering ISO 27018 requirements
- Include PII handling in new employee onboarding
- Provide role-specific training for personnel with elevated PII access
- Conduct annual refresher training and assess comprehension
Evidence examples: Training materials, attendance records, assessment results, onboarding checklists, training programme schedule.
Control Comparison: ISO 27002 vs ISO 27018
The following table illustrates how ISO 27018 extends and supplements ISO 27002 controls:
| Control Area | ISO 27002 Coverage | ISO 27018 Enhancement |
|---|---|---|
| Access Control | Role-based access, least privilege | PII-specific access roles, PII access logging, PII-focused access reviews |
| Encryption | Data protection in transit/at rest | PII-specific encryption requirements, customer-managed keys option |
| Incident Response | General incident management | PII breach classification, accelerated notification, controller notification |
| Third-Party Management | Supplier security requirements | Sub-processor PII obligations, disclosure to controllers, consent requirements |
| Data Disposal | Secure media disposal | PII return/disposal on contract end, backup purging, temporary file management |
| Human Resources | General confidentiality, screening | PII-specific confidentiality obligations, PII handling training |
| Compliance Monitoring | Legal and regulatory compliance | PII-specific compliance audits, privacy regulation tracking |
| Purpose Limitation | Not directly covered | New: Processing purpose specification, prohibition of commercial use |
| Disclosure Notification | Not covered | New: Notification of legal disclosure requests to controllers |
| Data Location | Not covered | New: Disclosure of processing countries, advance notice of changes |
| Data Subject Rights | Not covered | New: Mechanisms to support controller in fulfilling data subject requests |
Frequently Asked Questions
How many controls does ISO 27018 have?
ISO 27018 includes enhanced implementation guidance for applicable ISO 27002 controls plus approximately 25 additional controls unique to cloud PII processing. The additional controls are organised across privacy principle categories covering consent, purpose limitation, transparency, and accountability.
What is the difference between ISO 27002 controls and ISO 27018 controls?
ISO 27002 provides general information security controls. ISO 27018 takes applicable ISO 27002 controls and adds PII-specific implementation guidance for cloud environments, plus introduces entirely new controls that address cloud PII scenarios not covered by ISO 27002, such as purpose limitation, disclosure notification, and sub-processor management.
What evidence do auditors expect for ISO 27018 controls?
Auditors expect documented policies and procedures for PII handling, evidence of contractual agreements with controllers (DPAs), sub-processor registers, PII disclosure logs, data location documentation, signed confidentiality agreements, PII return/disposal records, and training records for staff handling PII.
Can I implement ISO 27018 controls without ISO 27001?
You can adopt ISO 27018 controls as best practices without formal certification, but formal ISO 27018 recognition on a certificate requires an ISO 27001 ISMS. The controls are designed to be incorporated into the ISO 27001 Statement of Applicability and managed within the ISMS framework.
How do ISO 27018 controls map to GDPR requirements?
ISO 27018 controls map directly to several GDPR processor obligations under Article 28, including processing under documented instructions, confidentiality of processing personnel, appropriate security measures, sub-processor management, data subject rights assistance, PII deletion/return, and audit support for controllers.