Key Takeaways
  • ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public cloud environments, built on top of ISO 27002 controls.
  • It is designed specifically for cloud service providers (CSPs) acting as PII processors on behalf of their customers.
  • ISO 27018 is not independently certifiable; it extends ISO 27001 by adding PII-specific controls to the Statement of Applicability.
  • The standard addresses key privacy principles including consent, purpose limitation, data minimisation, transparency, and accountability.
  • Adoption of ISO 27018 directly supports GDPR Article 28 obligations for data processors operating in the cloud.

What is ISO 27018?

ISO/IEC 27018:2019 is an international standard that establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It was first published in 2014 and revised in 2019.

In practical terms, ISO 27018 is a code of practice that tells cloud service providers how to handle the personal data their customers entrust to them. While ISO 27001 establishes the management system and ISO 27002 provides general security controls, ISO 27018 focuses specifically on what cloud providers must do to protect the privacy of personal data they process on behalf of others.

The standard recognises a fundamental reality of modern business: organisations increasingly entrust their customers' personal data to cloud service providers. When a company moves its HR system, CRM, or customer database to the cloud, the cloud provider becomes a PII processor. ISO 27018 provides the specific controls needed to ensure that processor handles personal data responsibly, transparently, and securely.

ISO 27018 in a Nutshell

What: Code of practice for PII protection in public clouds
Full Name: Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
First Published: July 2014
Current Edition: ISO/IEC 27018:2019
Certification: Via ISO 27001 Statement of Applicability (not standalone)
Intended For: Cloud service providers processing PII

History and Background

The development of ISO 27018 was driven by the rapid growth of cloud computing and the corresponding need for standardised privacy protections in cloud environments.

Timeline of Development

  • 2010-2012: ISO/IEC JTC 1/SC 27 recognised the gap between general information security controls and the specific privacy needs of cloud computing. Work began on a cloud-specific privacy standard.
  • July 2014: ISO/IEC 27018:2014 was published as the first international standard specifically addressing PII protection in the public cloud. It was groundbreaking because no other standard addressed this specific intersection of cloud computing and personal data protection.
  • January 2019: The standard was revised as ISO/IEC 27018:2019, aligning it with the updated ISO/IEC 27002:2013 control set, clarifying implementation guidance, and reflecting the evolving regulatory landscape including GDPR.

Why ISO 27018 Was Needed

Before ISO 27018, cloud providers relied on general security standards (ISO 27001/27002) to address privacy. However, these standards were not designed for the unique characteristics of cloud computing:

  • Multi-tenancy: Multiple customers' data co-existing on shared infrastructure creates unique PII isolation challenges
  • Data location uncertainty: Cloud customers often don't know exactly where their data is stored or processed geographically
  • Sub-processing chains: Cloud providers frequently use other cloud services, creating complex processing chains
  • Self-service provisioning: Automated provisioning means PII can be replicated, moved, or deleted at scale without manual intervention
  • Shared responsibility: The division of security and privacy responsibilities between cloud provider and customer needs explicit definition

ISO 27018 filled this gap by providing controls specifically designed for these cloud-specific scenarios, giving both cloud providers and their customers a common framework for privacy expectations.

Relationship to ISO 27001 and ISO 27002

Understanding how ISO 27018 relates to the broader ISO 27000 family is essential for proper implementation. The standard does not exist in isolation; it is built as an extension layer on top of established information security foundations.

The ISO 27000 Family Hierarchy for Cloud Privacy

Standard  | Role                     | What It Provides
ISO 27001 | Management System        | ISMS framework (Plan-Do-Check-Act), risk assessment, audit, management review
ISO 27002 | Control Guidance         | Implementation guidance for 93 security controls referenced by ISO 27001 Annex A
ISO 27017 | Cloud Security Extension | Additional cloud-specific security controls for both providers and customers
ISO 27018 | Cloud PII Extension      | PII-specific controls for cloud providers acting as processors

How ISO 27018 Extends ISO 27002

ISO 27018 takes two approaches to extending ISO 27002:

  1. Enhanced guidance for existing controls: For many ISO 27002 controls, ISO 27018 adds PII-specific implementation guidance. For example, the ISO 27002 control for access management is enhanced with guidance on ensuring PII is only accessible to authorised personnel for authorised purposes.
  2. New controls unique to cloud PII: ISO 27018 introduces entirely new controls not found in ISO 27002, addressing scenarios unique to cloud PII processing such as notification of PII disclosure requests, PII return and disposal, and transparency about sub-processors.

Relationship to ISO 27017

ISO 27017 (cloud security) and ISO 27018 (cloud PII) are complementary standards. Many cloud providers implement both alongside ISO 27001 to provide comprehensive cloud security and privacy coverage. While ISO 27017 addresses the security of cloud services generally, ISO 27018 focuses exclusively on the privacy dimension of personal data in the cloud.

The most common cloud certification combination is ISO 27001 + ISO 27017 + ISO 27018, which together provide a comprehensive framework for cloud security (27017) and cloud privacy (27018) within a certified management system (27001).

PII Processor vs PII Controller

ISO 27018 is specifically written for organisations acting as PII processors in the cloud. Understanding the distinction between processor and controller roles is fundamental to understanding the standard's scope.

PII Controller

The PII controller is the organisation that determines why and how personal data is processed. In a cloud context, this is typically the cloud customer — the company whose end users' or employees' data is being processed.

  • Determines the purpose and means of PII processing
  • Responsible for lawful basis, consent, and data subject rights
  • Decides what data to collect and how long to retain it
  • Selects and instructs the cloud provider (processor)

PII Processor

The PII processor is the organisation that processes personal data on behalf of the controller. In the ISO 27018 context, this is the cloud service provider.

  • Processes PII only as instructed by the controller
  • Must not use PII for its own purposes (e.g., marketing, analytics, profiling)
  • Implements appropriate technical and organisational security measures
  • Supports the controller in fulfilling data subject rights and obligations

Aspect                        | PII Controller (Cloud Customer)              | PII Processor (Cloud Provider)
Determines processing purpose | Yes                                          | No — follows controller instructions
ISO 27018 applies to          | Not directly (see ISO 27701 for controllers) | Yes — primary audience
Example                       | Company using a cloud HR platform            | The cloud HR platform provider
Key obligation                | Ensure processor is adequate                 | Protect PII per controller instructions

Important Distinction

ISO 27018 focuses on the processor role. If your organisation determines the purposes of personal data processing (controller), ISO 27701 is the more appropriate standard. Many cloud providers, however, act as processors for customer data while also being controllers for their own employee and business data — in these cases, ISO 27018 covers the processor role while ISO 27701 (or organisational policies) covers the controller role.

Who Needs ISO 27018?

ISO 27018 is relevant for any cloud service provider that processes personally identifiable information on behalf of its customers. The standard uses the term "public cloud PII processor", but in practice it applies broadly across cloud service models.

SaaS Providers

Software-as-a-Service providers are the most common adopters of ISO 27018. If your application stores or processes customer personal data — whether employee records, customer contact information, health data, or financial information — ISO 27018 provides the framework for demonstrating responsible processing.

  • HR and payroll SaaS platforms
  • CRM and marketing automation tools
  • Healthcare management systems
  • E-commerce platforms handling customer data
  • Educational technology platforms

Cloud Hosting and Infrastructure Providers

IaaS and PaaS providers may host databases, applications, and workloads containing PII. Even when the provider doesn't directly access the data, ISO 27018 provides controls for ensuring the infrastructure protects PII appropriately.

  • Virtual machine and container hosting
  • Database-as-a-service platforms
  • Storage and backup services
  • Content delivery networks

Managed Service Providers

Managed service providers (MSPs) that administer cloud environments on behalf of customers often have access to PII within those environments. ISO 27018 gives these providers a set of controls for handling that access responsibly.

  • Managed cloud security providers
  • Cloud migration and management services
  • DevOps and site reliability services
  • Managed database administration

Data Processing and Analytics Services

Organisations providing cloud-based data processing, analytics, or AI/ML services that operate on datasets containing personal data benefit from ISO 27018's controls around purpose limitation and data use restrictions.

Key Principles of ISO 27018

ISO 27018 is built on the privacy principles defined in ISO/IEC 29100 (Privacy Framework). These principles form the foundation for all controls in the standard and align closely with the data protection principles found in GDPR and other global privacy regulations.

1. Consent and Choice

The cloud PII processor must ensure that PII processing occurs only based on the documented instructions of the cloud customer (controller). The processor must not use PII for marketing, advertising, or any other purpose without the explicit consent of the relevant PII principal or controller.

  • PII must not be processed for any purpose beyond the contracted service
  • The processor must not use PII for targeted advertising or profiling
  • Any additional processing requires explicit, documented consent from the controller
  • Mechanisms must exist for controllers to communicate and withdraw consent

2. Purpose Legitimacy and Specification

PII must only be processed for the specific, documented purposes agreed between the processor and controller. The cloud provider must clearly communicate what processing it performs and ensure it does not exceed the agreed scope.

  • Processing purposes must be documented in the service agreement
  • Temporary files and metadata containing PII must be managed with the same purpose restrictions
  • PII used for service improvement must be anonymised or pseudonymised

3. Data Minimisation

The cloud processor must limit PII processing to what is necessary and proportionate for the contracted purpose. This includes managing temporary data, logs, and backup copies that may incidentally contain PII.

  • Only collect and process PII necessary for the service
  • Temporary files containing PII must have defined retention periods
  • PII in logs and diagnostics must be minimised or pseudonymised
  • Backup and recovery processes must respect PII minimisation
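The bullet about PII in logs and diagnostics is the one minimisation requirement that is usually met with code rather than policy. The following is an added example (not from the standard or from any vendor's implementation) of a log scrubber that replaces e-mail addresses with keyed HMAC pseudonyms and truncates IPv4 addresses to their /24 network. The sample log lines, the field names and the key are all constructed for the illustration. Using a keyed HMAC rather than a plain hash means the same user still maps to the same token within the key's lifetime, so the processor can correlate events (for example to answer a controller's access request), while nobody without the key can recompute the token from a guessed address; rotating the key bounds how long such correlation is possible.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z INFO login ok user=alice@example.com ip=203.0.113.45",
    "2024-03-01T10:00:05Z WARN login failed user=bob@example.org ip=198.51.100.7",
    "2024-03-01T10:01:00Z INFO export started user=alice@example.com rows=120",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise_email(email: str, key: bytes) -> str:
    """Return a stable, keyed pseudonym for an e-mail address.

    The address is lower-cased first so that case variants of the same
    mailbox map to one token. The token is the first 16 hex chars of an
    HMAC-SHA256 over the address; without `key` it cannot be recomputed.
    """
    digest = hmac.new(key, email.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return f"user:{digest[:16]}"


def truncate_ip(ip: str) -> str:
    """Drop the host octet of an IPv4 address, keeping only the /24 network.

    The network part is usually enough for abuse analysis and capacity
    planning; the full address is what identifies an individual. Strings
    that look like an address but are not valid (e.g. 999.1.1.1) are
    redacted outright rather than passed through.
    """
    try:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
    except ValueError:
        return "[ip-redacted]"
    return f"{net.network_address}/24"


def scrub_line(line: str, key: bytes) -> str:
    """Apply both minimisation rules to a single log line."""
    line = EMAIL_RE.sub(lambda m: pseudonymise_email(m.group(0), key), line)
    line = IPV4_RE.sub(lambda m: truncate_ip(m.group(0)), line)
    return line


def scrub_lines(lines: list[str], key: bytes) -> list[str]:
    """Scrub a batch of log lines; intended to sit in the log shipper, before storage."""
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    # Constructed key; in production it would come from a secret store and be rotated.
    demo_key = b"constructed-demo-key-rotate-me"
    for scrubbed in scrub_lines(SAMPLE_LOGS, demo_key):
        print(scrubbed)
```

Place the scrubbing step as close to the log source as possible (the shipper or the application's logging handler), so that raw PII never reaches long-term storage, backups, or third-party log analytics, which is exactly the set of copies the retention bullets above are concerned with.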

4. Use, Retention, and Disclosure Limitation

PII must not be used beyond the agreed purposes, retained longer than necessary, or disclosed to third parties without appropriate authorisation from the controller.

  • Clear retention periods aligned with controller requirements
  • Secure deletion when retention period expires or contract ends
  • Third-party disclosures only with controller authorisation or legal obligation
  • Government access requests must be handled transparently

5. Openness, Transparency, and Notice

The cloud processor must be transparent about its PII processing practices, including the use of sub-processors, data locations, and any government access requests received.

  • Disclose all sub-processors before engagement
  • Inform controllers about the countries where PII may be stored or processed
  • Notify controllers promptly of any legally binding disclosure requests
  • Maintain clear documentation of processing activities

6. Individual Participation and Access

The cloud processor must support the controller in fulfilling data subject access requests and other individual rights. This includes providing mechanisms to retrieve, correct, or delete PII when requested by the controller on behalf of PII principals.

7. Accountability

The cloud processor must demonstrate accountability through documented policies, procedures, audits, and incident management processes. This includes maintaining records that demonstrate compliance with the standard's requirements.

8. Information Security

All ISO 27002 security controls applicable to PII must be implemented with enhanced measures for protecting personal data. This includes encryption, access controls, monitoring, and incident response procedures specifically designed for PII breach scenarios.

9. Privacy Compliance

The cloud processor must monitor and ensure ongoing compliance with the contractual privacy obligations and applicable privacy regulations. Regular audits, reviews, and assessments must validate continued effectiveness of PII protection measures.

Additional PII Controls in ISO 27018

Beyond enhancing existing ISO 27002 controls with PII-specific guidance, ISO 27018 introduces several controls unique to cloud PII processing. These additional controls address scenarios that general security standards do not cover.

Notification of PII Disclosure

The cloud provider must have a process for notifying the cloud customer of any legally binding requests for disclosure of PII (e.g., law enforcement subpoenas). Unless legally prohibited, the provider must inform the controller before disclosing PII and provide details about the request.

Recording of PII Disclosures

All disclosures of PII to third parties must be recorded, including the nature of the disclosure, the identity of the third party, the legal basis, and the PII disclosed. These records must be available to the cloud customer upon request.

PII Return, Transfer, and Disposal

When the service contract ends, the cloud provider must have a defined process for returning PII to the controller, transferring it to another provider if requested, or securely disposing of it. This must include all copies, backups, and temporary files.

Obligation of Confidentiality

All personnel with access to PII must be subject to confidentiality obligations. These obligations must survive termination of employment or contract, ensuring continued protection even after access is revoked.

Sub-Processor Management

The cloud provider must disclose the use of any sub-processors and obtain the controller's consent before engaging them. Contracts with sub-processors must include equivalent PII protection obligations, and the primary processor remains accountable for sub-processor compliance.

PII Processing Under Contract

The cloud provider must ensure that PII is processed only in accordance with the customer's documented instructions. Any processing that occurs as part of the service (such as indexing for search functionality) must be transparent and within the scope of the agreement.

Data Location Transparency

The cloud provider must disclose the countries in which PII may be stored or from which it may be accessed. Changes to data processing locations must be communicated to the controller in advance.

How ISO 27018 Supports GDPR Compliance

ISO 27018 was developed before GDPR took effect, but its principles and controls align remarkably well with GDPR's requirements for data processors. For cloud service providers subject to GDPR, ISO 27018 provides a structured framework for meeting key processor obligations.

GDPR Article 28 Alignment

GDPR Article 28 sets out specific requirements for data processors. ISO 27018 addresses many of these directly:

GDPR Art. 28 Requirement                    | ISO 27018 Coverage
Process only on documented instructions     | PII processing under contract controls; purpose limitation
Ensure confidentiality obligations for staff | Obligation of confidentiality controls
Implement appropriate security measures     | Full ISO 27002 control set with PII enhancements
Sub-processor requirements                  | Sub-processor management and transparency controls
Assist controller with data subject rights  | Individual participation and access controls
Delete or return PII on contract end        | PII return, transfer, and disposal controls
Support controller audits                   | Accountability and audit support controls

Supporting Data Protection by Design

GDPR Article 25 requires data protection by design and by default. ISO 27018's controls for data minimisation, purpose limitation, and privacy-aware security implementations support this requirement in cloud environments.

Cross-Border Transfer Safeguards

ISO 27018's requirements for data location transparency and controller notification of processing locations support GDPR's requirements for international data transfers. Cloud providers implementing ISO 27018 can demonstrate that they maintain transparency about where PII is processed, a key element in cross-border transfer assessments.

Breach Notification Support

ISO 27018's incident management controls, combined with the PII disclosure notification requirements, provide a framework for the timely detection and reporting of personal data breaches required by GDPR Articles 33 and 34. Cloud providers with ISO 27018 controls in place can more efficiently support controllers in meeting the 72-hour notification requirement.

While ISO 27018 significantly supports GDPR compliance for cloud processors, it does not guarantee full GDPR compliance. Legal requirements such as valid Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs) for international transfers, and Data Protection Impact Assessments (DPIAs) require additional measures beyond what the standard covers.

Benefits of Adopting ISO 27018

1. Build Customer Trust and Confidence

ISO 27018 provides an independently audited assurance that your cloud service handles personal data responsibly. In procurement processes, this certification is increasingly requested alongside ISO 27001, particularly by European and privacy-conscious customers.

2. Competitive Differentiation

While many cloud providers hold ISO 27001, adding ISO 27018 demonstrates a specific commitment to privacy that differentiates your service. It signals to enterprise customers that you understand and have addressed the unique privacy challenges of cloud computing.

3. Simplified Compliance Demonstrations

Instead of responding to custom privacy questionnaires from each customer individually, ISO 27018 certification provides a standardised, audited evidence base. This reduces the burden on sales and compliance teams during procurement.

4. Regulatory Preparedness

As privacy regulations tighten globally, cloud providers with ISO 27018 controls in place are better positioned to adapt. The standard's principles align with GDPR, CCPA, LGPD, DPDP Act, and other regulations, providing a regulatory-resilient framework.

5. Reduced Breach Risk

The PII-specific controls in ISO 27018 address privacy risks that general security controls may overlook, such as purpose limitation, sub-processor management, and data disposal. Implementing these controls reduces the likelihood and impact of PII-related incidents.

6. Efficient Integration with Existing ISO 27001

For organisations already ISO 27001 certified, adding ISO 27018 requires extending the existing Statement of Applicability rather than building a separate system. The incremental effort is modest compared to the value delivered.

Getting Started with ISO 27018

Prerequisites

  1. ISO 27001 Certification: ISO 27018 requires an existing ISO 27001 ISMS as the management system foundation. You cannot pursue ISO 27018 without ISO 27001.
  2. PII Processing Inventory: Document all PII processing activities within your cloud services, including data types, processing purposes, and data flows.
  3. Processor Role Clarity: Confirm which services position you as a PII processor and identify the corresponding PII controllers (your customers).

Implementation Roadmap

  1. Gap Assessment: Compare current PII handling practices against ISO 27018 controls. Identify where existing ISO 27001 controls need PII-specific enhancements and which new controls need to be implemented.
  2. PII Flow Mapping: Document how PII flows through your cloud services from ingestion to deletion, including all intermediate processing, storage, and transfer points.
  3. Control Implementation: Implement the enhanced and additional controls identified in the gap assessment. This includes updating policies, technical controls, procedures, and contractual templates.
  4. SoA Extension: Extend your ISO 27001 Statement of Applicability to include ISO 27018 controls, documenting the applicability and implementation status of each.
  5. Training and Awareness: Train relevant staff on PII-specific handling requirements, including developers, operations teams, and customer support.
  6. Internal Audit: Audit the extended controls against ISO 27018 requirements before the certification audit.
  7. Certification Audit: Engage your existing ISO 27001 certification body to include ISO 27018 in the next audit cycle.

Timeline Expectations

  • Already ISO 27001 certified with strong privacy practices: 2-4 months
  • ISO 27001 certified but limited PII-specific controls: 4-6 months
  • Pursuing ISO 27001 + ISO 27018 together: 8-14 months

Frequently Asked Questions

What is ISO 27018?

ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public cloud computing environments. It builds on ISO 27002 controls and adds cloud-specific PII protection requirements for cloud service providers acting as PII processors.

Who needs ISO 27018?

ISO 27018 is primarily intended for cloud service providers that process PII on behalf of their customers, including SaaS providers, IaaS/PaaS platforms, cloud hosting companies, and managed service providers handling personal data in cloud environments.

Is ISO 27018 a standalone certification?

No. ISO 27018 is not independently certifiable. It is implemented as an extension to ISO 27001 by incorporating its PII-specific controls into the ISO 27001 Statement of Applicability (SoA). The certificate references ISO 27018 alongside ISO 27001.

How does ISO 27018 relate to ISO 27001?

ISO 27018 provides additional implementation guidance for ISO 27002 controls and introduces new controls specific to cloud PII protection. It is implemented within an ISO 27001 ISMS by extending the Statement of Applicability to include ISO 27018 controls.

Does ISO 27018 help with GDPR compliance?

Yes. ISO 27018 supports GDPR compliance for cloud processors by addressing key processor obligations including consent management, purpose limitation, data minimisation, transparency, sub-processor controls, and cross-border transfer safeguards required under GDPR Article 28. However, full GDPR compliance requires additional legal and organisational measures.