In This Guide
- ISO 27018 audit evidence spans five categories: foundation documents, contractual agreements, operational records, technical configurations, and people-related evidence.
- Auditors want to see controls operating over time, not documentation created for the audit. Start preparing 3-6 months before the audit date.
- The evidence pack should be indexed against your Statement of Applicability so auditors can quickly locate evidence for each control.
- Common gaps include incomplete sub-processor registers, missing PII-specific incident response testing, and DPAs that don't address all ISO 27018 requirements.
- Reusing ISO 27001 evidence is encouraged, but it must be supplemented with PII-specific elements for each applicable control.
Evidence Pack Overview
Preparing for an ISO 27018 audit requires assembling a comprehensive evidence pack that demonstrates your cloud service's PII protection controls are documented, implemented, and operating effectively. This guide provides a structured checklist organised by evidence category, with specific items for each control area.
Your evidence pack should include:
- Foundation documents: Policies, SoA, risk assessments, and PII inventories
- Contractual evidence: DPAs, service agreements, sub-processor contracts
- Operational evidence: Logs, registers, records, and reports demonstrating controls in action
- Technical evidence: Configurations, architecture documentation, and security tool outputs
- People evidence: Training records, confidentiality agreements, competence assessments
Create an evidence index that maps each ISO 27018 control to specific evidence items. Share this index with your auditor before the audit to streamline the process. Use a consistent naming convention and folder structure so evidence is easy to locate.
Foundation Documents Checklist
These documents form the basis of your ISO 27018 implementation and should be available from the start of the audit.
Extended Statement of Applicability
- SoA includes all applicable ISO 27018 controls
- Each control has applicability justification
- Implementation status is documented for each control
- Cross-references to policies, procedures, and evidence are included
- Exclusions have documented privacy-specific justification
PII Processing Policy
- Defines the organisation's approach to PII protection in cloud services
- Addresses the ISO/IEC 29100 privacy principles that ISO 27018 builds on (consent and choice, purpose legitimacy and specification, collection limitation, data minimisation, use/retention/disclosure limitation, and the rest)
- Is approved by senior management and communicated to relevant staff
- Includes review schedule and version history
PII Risk Assessment
- Extends the ISO 27001 risk assessment with PII-specific risks
- Identifies threats and vulnerabilities specific to cloud PII processing
- Risk treatment plan links to ISO 27018 controls
- Has been reviewed within the last 12 months or after significant changes
PII Processing Inventory
- Lists all PII processing activities by service
- Documents PII categories, data subjects, processing purposes
- Maps data flows from ingestion through processing, storage, and deletion
- Identifies PII controllers and the processor's role for each activity
- Includes data storage locations and any cross-border transfers
Internal Audit Report
- Internal audit covers ISO 27018 controls within scope
- Findings and nonconformities are documented
- Corrective actions are tracked to closure
- Audit was conducted by competent, independent auditors
Contractual Evidence Checklist
ISO 27018 places significant emphasis on the contractual relationship between PII processors and controllers. Auditors will examine your contractual framework closely.
Data Processing Agreements (DPAs)
- DPA template addresses all ISO 27018 requirements
- Defines processing purposes and scope with specificity
- Specifies processor obligations: confidentiality, security, sub-processors, breach notification
- Includes provisions for PII return and secure disposal on contract termination
- Addresses data subject rights assistance obligations
- Specifies data processing locations and notification of changes
- Includes audit support commitments
- Signed DPAs are in place for all active customers whose PII is processed
Sub-Processor Agreements
- Contracts with sub-processors include equivalent PII protection obligations
- Agreements cover all ISO 27018-relevant requirements (confidentiality, security, disposal)
- Sub-processor contracts are reviewed and renewed on schedule
Confidentiality Agreements
- All employees with PII access have signed confidentiality agreements
- Agreements include PII-specific clauses and survive termination
- Contractors and temporary staff have equivalent confidentiality obligations
- Register of signed agreements is maintained and current
Operational Evidence Checklist
Operational evidence demonstrates that your ISO 27018 controls are functioning in practice, not just documented on paper.
Sub-Processor Register and Management
- Complete register of all sub-processors: name, location, services provided, PII processed
- Register is current (updated within the last review cycle)
- Evidence of controller notification for sub-processor changes
- Sub-processor compliance assessments conducted periodically
- Process for onboarding and offboarding sub-processors is documented
PII Disclosure Records
- Register of all PII disclosures to third parties
- Each disclosure record includes: date, third party, legal basis, PII disclosed, controller notification
- Records of any government or law enforcement disclosure requests
- Evidence of controller notification (or legal justification for withholding)
Data Subject Request Handling
- Process documented for assisting controllers with data subject requests
- Records of requests received and actions taken
- Response timelines documented and met
- Technical capability to retrieve, export, correct, and delete PII demonstrated
PII Incident Response Records
- PII breach classification criteria documented
- Incident response procedures include PII-specific steps and timelines
- Controller notification procedures and templates in place
- Evidence of PII incident response testing or exercises (at least annual)
- Records of any actual PII incidents: detection, response, notification, lessons learned
PII Retention and Disposal
- Retention schedules for PII aligned with controller requirements
- Evidence of automated retention enforcement (configuration screenshots, job logs)
- Records of PII disposal on contract termination
- Secure deletion verification records (including backups and temporary files)
- Process for PII return to controllers documented and tested
Data Location Documentation
- Documentation of all countries where PII is stored or processed
- Documentation of countries from which PII can be accessed (support locations)
- Data residency configuration evidence (for customers with location requirements)
- Records of controller notification for data location changes
Technical Evidence Checklist
Technical evidence demonstrates that your systems enforce PII protection controls at the infrastructure and application level.
Access Control for PII Systems
- RBAC configuration showing PII-specific access roles
- MFA enabled for all access to PII-containing systems
- Privileged access management (PAM) for administrative PII access
- PII access logs with sufficient detail for audit (who accessed which record, when, from where, and under which role), recording references to PII rather than copying the PII values themselves into the log
- Recent access review records specifically for PII systems
- Deprovisioning records showing timely access removal
Encryption and Key Management
- TLS 1.2 or higher enforced for PII in transit, with legacy protocol versions and weak cipher suites disabled (certificate evidence, scan results)
- Encryption-at-rest configuration for PII storage (AES-256 or equivalent)
- Key management procedures documented
- Key rotation records
- Customer-managed key options documented (if applicable)
Log Management and PII Sanitisation
- Log sanitisation configuration showing PII masking or removal
- Sample sanitised logs demonstrating PII is not exposed
- Log retention periods for PII-containing logs defined and enforced
- Monitoring tool configurations showing PII is not captured in dashboards or alerts
Network and Infrastructure Security
- Network segmentation isolating PII-processing systems
- Firewall rules and security group configurations
- Intrusion detection/prevention system evidence
- Vulnerability scan results for PII-processing systems
- Penetration test results relevant to PII systems
People and Training Checklist
ISO 27018 requires that personnel handling PII are competent, aware, and bound by appropriate obligations.
PII Training Programme
- PII-specific training materials covering ISO 27018 requirements
- Training attendance records for all staff with PII access
- Comprehension assessment results
- New hire onboarding includes PII handling module
- Annual refresher training schedule and completion records
- Role-specific training for staff with elevated PII access
Background Screening
- Background check procedures for staff with PII access
- Records of completed background checks
- Process for re-screening at defined intervals
Awareness and Communication
- Evidence of ongoing PII awareness communications (newsletters, reminders, posters)
- Staff can articulate purpose limitation obligations when interviewed
- Staff know the procedure for reporting PII incidents
- Staff understand confidentiality obligations and consequences of breach
Evidence Matrix by Control Area
The following matrix provides a quick reference mapping each ISO 27018 control area to the key evidence types required.
| Control Area | Policy/Procedure | Contractual | Operational Records | Technical Config | Training |
|---|---|---|---|---|---|
| Consent & Purpose | PII processing policy | DPA with purpose clauses | Purpose register | Processing boundary enforcement | Purpose limitation training |
| Data Minimisation | Data minimisation policy | DPA data scope | Minimisation review records | Log sanitisation, pseudonymisation | Privacy-by-design training |
| Retention & Disposal | Retention schedule | DPA disposal clauses | Disposal records, return records | Auto-deletion configs | Disposal procedure training |
| Disclosure Management | Disclosure procedure | DPA notification clauses | Disclosure register | N/A | Disclosure handling training |
| Transparency | Transparency policy | DPA location and sub-processor clauses | Sub-processor register, location docs | Data residency configs | N/A |
| Data Subject Rights | DSR assistance procedure | DPA DSR clauses | DSR handling records | Export/delete APIs | DSR procedure training |
| Accountability | Confidentiality policy | Confidentiality agreements | PIA records, audit reports | N/A | PII handling training |
| Security Enhancements | Security policy (PII sections) | DPA security clauses | Access reviews, incident records | RBAC, MFA, encryption, logging | Security awareness (PII focus) |
| Incident Response | PII breach procedure | DPA breach notification clauses | Incident logs, exercise records | Detection and alerting configs | Breach response training |
| Compliance Monitoring | Internal audit programme | N/A | Audit reports, corrective actions | Compliance monitoring tools | Auditor competence records |
Common Gaps and How to Close Them
Based on our audit experience, the following gaps are frequently encountered during ISO 27018 readiness assessments. Address these proactively to avoid nonconformities during the certification audit.
Gap 1: Incomplete Sub-Processor Register
The problem: Organisations often have an incomplete list of sub-processors, missing cloud infrastructure providers, CDN services, monitoring tools, or support platforms that may access PII.
How to close it: Conduct a thorough review of all third-party services used in your cloud infrastructure. For each service, determine whether it processes, stores, or can access customer PII. Include infrastructure providers (AWS, Azure, GCP), monitoring and error-tracking services (Datadog, New Relic), support tools (Zendesk, Intercom), and any other service with potential PII access. Monitoring and error-tracking tools are the ones most often missed: they count whenever request payloads, stack traces, or unsanitised logs containing PII are shipped to them.
Gap 2: DPAs Missing ISO 27018-Specific Clauses
The problem: DPA templates may address GDPR requirements but miss ISO 27018-specific obligations such as notification of government access requests, prohibition of commercial use, and specific data location transparency commitments.
How to close it: Review your DPA template against each ISO 27018 control that has a contractual dimension. Add clauses for purpose limitation, sub-processor notification, data location disclosure, PII return/disposal procedures, and audit support.
Gap 3: PII in Logs Not Managed
The problem: Application logs, error reports, and monitoring data contain unmasked PII. Log retention periods are not defined or not enforced for PII-containing logs.
How to close it: Implement log sanitisation at the application layer, at the point where the log record is created, rather than relying only on redaction in the log platform: once an unmasked record has been written it is already in shipper buffers, crash dumps, and any third-party tool that received a copy. Configure log management tools to mask or redact PII fields as a second layer. Define and enforce retention periods for all logs that may contain PII. Test sanitisation effectiveness regularly, for example with an automated test that logs known PII values through the real logging configuration and asserts that none of them appear in the output.
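The sanitise-at-source approach described above (and the log sanitisation evidence items in the Technical Evidence Checklist), as an added Python example that is not code from the original page: a `logging.Filter` that pseudonymises structured PII fields and scrubs free-text email, IPv4 and phone patterns before any handler writes the record, followed by the effectiveness check a test suite would run over the captured output. The field names, regexes, salt and sample log events are assumptions constructed for the example; the patterns are a starting point to tune for your own data, not a complete PII detector.

```python
"""Application-layer PII log sanitisation (added example; not the page's own code).

A logging.Filter pseudonymises structured PII fields and scrubs free-text PII
patterns before any handler writes the record. Field names, patterns, the salt
and the sample events are constructed for the example.
"""
import base64
import hashlib
import logging
import re
from io import StringIO

# Assumed names of structured fields (passed via extra={...}) that always hold PII.
# 'name' is deliberately absent: it is a reserved LogRecord attribute.
PII_FIELDS = ("email", "full_name", "national_id", "phone", "postal_address")

# Free-text patterns, caught even when a developer interpolated PII into the message.
# Order matters: IPv4 runs before phone so a dotted address is not partially eaten by the phone rule.
PII_PATTERNS = (
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"(?<!\w)\+?\d{1,3}[\s.-]?\(?\d{2,4}\)?[\s.-]?\d{3,4}[\s.-]?\d{3,4}(?!\w)")),
)

# Assumed per-environment secret. A keyed hash keeps lines about one subject correlatable
# during incident response without the log ever holding the raw value.
DEFAULT_SALT = b"example-only-rotate-per-environment"


def pseudonymise(label: str, value: str, salt: bytes = DEFAULT_SALT) -> str:
    """Deterministic keyed token for one PII value, e.g. <email:abcd...> (16 base32 chars)."""
    digest = hashlib.blake2b(value.encode("utf-8"), key=salt, digest_size=10).digest()
    return f"<{label}:{base64.b32encode(digest).decode('ascii').lower()}>"


def sanitise_text(text: str) -> str:
    """Replace every free-text PII match with its pseudonym token."""
    for label, pattern in PII_PATTERNS:
        text = pattern.sub(lambda m, label=label: pseudonymise(label, m.group(0)), text)
    return text


class PIISanitisingFilter(logging.Filter):
    """Rewrites the record in place so every handler (file, syslog, SaaS shipper) sees sanitised data.

    Attach it to each handler, not to the logger: logger-level filters are not applied to
    records propagated up from child loggers, handler-level filters are.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        fields = []
        for field in PII_FIELDS:
            if hasattr(record, field):
                token = pseudonymise(field, str(getattr(record, field)))
                setattr(record, field, token)
                fields.append(f"{field}={token}")
        # Render the %-args once, scrub the result, then drop args so nothing re-renders raw values.
        record.msg = " ".join([sanitise_text(record.getMessage()), *fields])
        record.args = ()
        return True


def render_logs(events) -> str:
    """Log the constructed events through a sanitising handler and return the captured text."""
    buffer = StringIO()
    handler = logging.StreamHandler(buffer)
    handler.addFilter(PIISanitisingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("pii-sanitisation-demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.INFO)
    for msg, args, extra in events:
        logger.info(msg, *args, extra=extra)
    handler.flush()
    return buffer.getvalue()


def leaked_pii(text: str, known_values) -> list[str]:
    """The effectiveness check: known values still present verbatim, plus any pattern that still hits."""
    leaks = [v for v in known_values if v in text]
    leaks += [label for label, pattern in PII_PATTERNS if pattern.search(text)]
    return leaks


# Constructed sample events: (message, %-args, structured extra fields).
SAMPLE_EVENTS = [
    ("login ok for %s from %s", ("alice@example.com", "203.0.113.7"), {}),
    ("password reset requested", (), {"email": "bob@example.org", "phone": "+44 20 7946 0958"}),
    ("export job finished for %s", ("carol@example.net",), {"full_name": "Carol Example"}),
]
KNOWN_PII = ["alice@example.com", "203.0.113.7", "bob@example.org",
             "+44 20 7946 0958", "carol@example.net", "Carol Example"]

if __name__ == "__main__":
    output = render_logs(SAMPLE_EVENTS)
    print(output, end="")
    print("leaked:", leaked_pii(output, KNOWN_PII))
```

Running the module prints the three sanitised lines and an empty `leaked` list. The `leaked_pii` check, run over a fixed corpus of realistic log events in CI, is the "test sanitisation effectiveness regularly" evidence item in executable form; keep the corpus updated whenever a new PII field or message format is introduced, because a regex-only scrubber silently stops working when the data changes shape.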
Gap 4: No PII-Specific Incident Response Testing
The problem: Incident response exercises cover general security scenarios but never specifically address PII breach scenarios including controller notification, regulatory reporting, and data subject communication support.
How to close it: Conduct at least one PII breach-specific tabletop exercise annually. Include scenarios that test controller notification procedures, regulatory reporting timelines, communication templates, and cross-functional coordination between security, legal, and operations teams.
Gap 5: Lack of Evidence Maturity
The problem: Evidence was created shortly before the audit and doesn't demonstrate controls operating over time. For example, a sub-processor register created last week doesn't prove ongoing sub-processor management.
How to close it: Start implementing controls early. Maintain dated records with version history. Show evidence of periodic reviews, updates, and improvements. A sub-processor register with quarterly review dates over 6-12 months is far more convincing than one created last month.
Gap 6: Staff Cannot Articulate PII Obligations
The problem: During interviews, staff who handle PII cannot explain purpose limitation, their confidentiality obligations, or the procedure for reporting a PII incident.
How to close it: Conduct role-specific training that goes beyond general awareness. Use practical scenarios relevant to each role. Test comprehension through assessments. Follow up with refresher communications before the audit.
Gap 7: PII Disposal Not Verified
The problem: PII disposal procedures exist but there is no evidence that disposal actually occurs correctly, particularly for backups, temporary files, and contract termination scenarios.
How to close it: Test disposal processes end-to-end, including backup purging. Have the verification step re-query the primary store and every backup for the disposed records rather than trusting the deletion job's own exit status, and document test results with timestamps and verification steps. For contract terminations, maintain a disposal checklist with sign-off at each step.
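The dispose-then-verify cycle described above (and the automated retention enforcement and deletion verification items in the Operational Evidence Checklist), as an added Python example that is not code from the original page: a retention job deletes expired records per controller, emits a dated, hash-sealed disposal record, and a separate verification step re-queries the primary store and every backup snapshot for residual copies, failing until the backups are purged too. The in-memory store, the per-controller retention periods, the record data and the snapshot name are assumptions constructed for the example; a real system would replace `PIIStore` with its database and backup catalogue.

```python
"""Retention enforcement with disposal verification (added example; not the page's own code).

Expired PII is deleted per controller-specific retention, a dated disposal record is
produced, and an independent verification step re-queries the primary store and every
backup snapshot for residual copies. The store, policy and records are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    record_id: str
    controller: str
    created: datetime


class PIIStore:
    """Stand-in for a primary database plus named backup snapshots (constructed, not a real datastore)."""

    def __init__(self) -> None:
        self.primary: dict[str, Record] = {}
        self.backups: dict[str, dict[str, Record]] = {}

    def insert(self, record: Record) -> None:
        self.primary[record.record_id] = record

    def snapshot(self, name: str) -> None:
        self.backups[name] = dict(self.primary)

    def delete(self, record_id: str) -> None:
        self.primary.pop(record_id, None)


# Assumed retention in days per controller, as agreed in each DPA.
RETENTION_DAYS = {"controller-a": 30, "controller-b": 365}
# Fixed clock for the demo so the evidence records are reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def evidence_digest(evidence: dict) -> str:
    """SHA-256 over canonical JSON, excluding the digest field itself, so the record is tamper-evident."""
    body = {k: v for k, v in evidence.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def expired_records(store: PIIStore, policy: dict, now: datetime) -> list[Record]:
    return [r for r in store.primary.values()
            if now - r.created > timedelta(days=policy[r.controller])]


def enforce_retention(store: PIIStore, policy: dict, now: datetime) -> dict:
    """Delete expired primary records and return the dated disposal record (the job-log evidence)."""
    doomed = expired_records(store, policy, now)
    for record in doomed:
        store.delete(record.record_id)
    evidence = {
        "event": "retention_disposal",
        "executed_at": now.isoformat(),
        "policy_days": policy,
        "record_ids": sorted(r.record_id for r in doomed),
    }
    evidence["digest"] = evidence_digest(evidence)
    return evidence


def verify_disposal(store: PIIStore, evidence: dict, now: datetime) -> dict:
    """Independent check: re-query primary and all backups for every disposed id."""
    residual = {}
    for record_id in evidence["record_ids"]:
        locations = ["primary"] if record_id in store.primary else []
        locations += [f"backup:{name}" for name, snap in store.backups.items() if record_id in snap]
        if locations:
            residual[record_id] = locations
    return {
        "event": "disposal_verification",
        "verified_at": now.isoformat(),
        "disposal_digest": evidence["digest"],
        "digest_matches": evidence_digest(evidence) == evidence["digest"],
        "residual_copies": residual,
        "result": "PASS" if not residual else "FAIL",
    }


def purge_backups(store: PIIStore, record_ids) -> int:
    """Remove disposed ids from every snapshot; returns the number of copies removed."""
    removed = 0
    for snap in store.backups.values():
        for record_id in record_ids:
            if snap.pop(record_id, None) is not None:
                removed += 1
    return removed


def build_demo_store(now: datetime) -> PIIStore:
    """Constructed data: two controllers, one nightly backup taken before the retention job runs."""
    store = PIIStore()
    for record_id, controller, age_days in [("a-1", "controller-a", 45), ("a-2", "controller-a", 5),
                                            ("b-1", "controller-b", 100), ("b-2", "controller-b", 400)]:
        store.insert(Record(record_id, controller, now - timedelta(days=age_days)))
    store.snapshot("nightly")
    return store


def run_demo():
    """Full cycle: dispose, verify (fails because of the backup), purge backups, verify again."""
    store = build_demo_store(DEMO_NOW)
    disposal = enforce_retention(store, RETENTION_DAYS, DEMO_NOW)
    before = verify_disposal(store, disposal, DEMO_NOW)
    removed = purge_backups(store, disposal["record_ids"])
    after = verify_disposal(store, disposal, DEMO_NOW)
    return disposal, before, removed, after, store


if __name__ == "__main__":
    disposal, before, removed, after, _ = run_demo()
    print(json.dumps(disposal, indent=2))
    print(json.dumps(before, indent=2))   # FAIL: both records still in backup:nightly
    print(json.dumps(after, indent=2))    # PASS after purge_backups removed 2 copies
```

The first verification fails on purpose: the job deleted the rows, but the nightly snapshot still holds them, which is exactly the gap described above. In production the backup step is usually snapshot expiry or crypto-shredding of the snapshot key rather than row removal, and the verification should be run by someone other than the job owner; the sealed `digest` lets a reviewer confirm later that the disposal record they are shown is the one the verification was run against.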
Audit Preparation Tips
1. Start Early and Accumulate Evidence
Begin preparing at least 3-6 months before the audit. This allows time to implement missing controls, accumulate operational evidence, and demonstrate that controls have been functioning over time rather than just recently created.
2. Create an Evidence Index
Build a spreadsheet or document mapping each ISO 27018 control in your SoA to specific evidence items, their location, and responsible owners. Share this with the auditor before Stage 1 to streamline the process.
3. Conduct a Pre-Audit Readiness Check
Before the certification audit, conduct an internal readiness check using this checklist. Identify any remaining gaps and remediate them. If time allows, have an independent internal auditor verify the remediation.
4. Prepare Key Personnel for Interviews
Auditors will interview staff who handle PII. Prepare them by reviewing their specific PII responsibilities, the policies they follow, and the procedures for common scenarios (data subject requests, incidents, sub-processor changes).
5. Keep Evidence Accessible
Organise evidence in a shared repository with clear naming conventions and folder structures. Avoid having evidence scattered across email inboxes, personal drives, and multiple tools. Centralised, indexed evidence dramatically improves audit efficiency.
6. Document the Journey, Not Just the Destination
Auditors appreciate seeing evidence of improvement and maturity. Include records of gap assessments, corrective actions, management reviews, and changes made over time. This demonstrates active management rather than a point-in-time snapshot.
7. Leverage ISO 27001 Evidence
Many ISO 27001 controls overlap with ISO 27018 requirements. Reference existing ISO 27001 evidence where applicable and supplement it with PII-specific elements. This avoids duplication and shows integration.
Frequently Asked Questions
What evidence do I need for an ISO 27018 audit?
Key evidence includes signed DPAs, sub-processor registers, PII processing inventories, data location documentation, PII disclosure logs, incident response records, confidentiality agreements, training records, access control configurations, encryption documentation, and internal audit reports covering ISO 27018 controls.
How long should I prepare before an ISO 27018 audit?
Allow at least 3-6 months of preparation if adding ISO 27018 to an existing ISO 27001 certification. This provides time for gap remediation, control implementation, evidence accumulation, and internal audit. Auditors expect to see evidence of controls operating over time, not just recently created documentation.
What are the most common gaps in ISO 27018 readiness?
Common gaps include incomplete sub-processor registers, DPAs missing ISO 27018-specific clauses, PII in logs not being managed, no evidence of PII-specific incident response testing, incomplete data location documentation, staff unable to articulate purpose limitation obligations, and unverified PII disposal processes.
Can I reuse ISO 27001 evidence for ISO 27018?
Yes, partially. Many ISO 27001 controls have PII-enhanced versions in ISO 27018. Your existing evidence for those controls provides the foundation, but you need to supplement it with PII-specific elements such as PII access logs, PII-specific training, privacy-focused risk assessments, and PII breach response procedures.
How should I organise the evidence pack for the audit?
Organise evidence by ISO 27018 control area, with each control having a folder containing the relevant policies, procedures, records, and technical evidence. Create an evidence index that cross-references each SoA control with its corresponding evidence items and locations, so auditors can quickly find what they need.