ISO 27018 Cloud Privacy & PII Protection Resources

Everything you need to understand and implement ISO/IEC 27018 for PII protection in cloud environments. Comprehensive guides on privacy-specific cloud controls, certification as an ISO 27001 extension, readiness checklists, and comparisons with GDPR and ISO 27701.

What is ISO/IEC 27018?

ISO/IEC 27018 is an international code of practice that establishes commonly accepted control objectives, controls, and guidelines for protecting personally identifiable information (PII) in public cloud computing environments. It specifically addresses the requirements of cloud service providers acting as PII processors on behalf of their customers (PII controllers).

Built on ISO/IEC 27002 (with additional controls drawn from the ISO/IEC 29100 privacy framework), ISO 27018 adds privacy-specific controls for cloud environments covering consent management, purpose limitation, data minimisation, transparency, sub-processor oversight, and cross-border data transfer safeguards. Organisations implement it as an extension to their ISO 27001 ISMS rather than as a standalone management system.

  • Extends ISO 27002 with PII-specific controls for cloud service providers acting as PII processors
  • Addresses consent, purpose limitation, data minimisation, and transparency in cloud processing
  • Audited as an extension to an ISO 27001 certification scope: it is a code of practice, not a standalone certification
  • Supports GDPR Article 28 processor obligations with auditable controls (it does not by itself satisfy the Article 28 contract requirements)
  • Covers sub-processor management, notification of the customer on breach, and support for data subject rights in cloud environments
  • Increasingly requested by data controllers when selecting cloud processors for PII handling
Key facts: 6 resources in this hub; 25 PII-specific controls; current edition ISO/IEC 27018:2019; 3-year certification cycle (following the ISO 27001 certificate it extends).
