ISO/IEC 27018

ISO/IEC 27018 provides guidelines and controls for protecting personally identifiable information (PII) in the public cloud computing environment. 

Definition and purpose

ISO/IEC 27018 specifies guidelines based on ISO/IEC 27002 and additional controls and guidance for public cloud service providers to protect personally identifiable information (PII).

ISO/IEC 27018 is designed for two specific use cases. First, it can be used as a reference by organizations that are implementing a cloud computing information security management system based on ISO/IEC 27001 and need to select PII protection controls specifically. Organizations implementing ISO/IEC 27001 will use ISO/IEC 27002 controls to protect their own information assets. However, they will also need PII protection controls to protect the information assets that their customers have entrusted to them.

Second, ISO/IEC 27018 can be used as a guidance document by public cloud PII processors to implement commonly accepted PII protection controls.

Governing body

ISO/IEC 27018 is developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Last updated

ISO/IEC 27018 was last updated in 2019. 

Applies to

ISO/IEC 27018 applies to all types and sizes of organizations that provide information processing services as PII processors via cloud computing under contract to other organizations. This includes public and private companies, government entities and not-for-profit organizations.

The guidelines in this document may also be relevant to organizations acting as PII controllers, but PII controllers will be subject to additional PII protection legislation, regulations and obligations.

Controls and requirements

ISO/IEC 27018 outlines specific controls and requirements to protect PII in public cloud environments. Some of the key requirements include:

  • Explicit data handling and processing terms in cloud service agreements.
  • Restrictions on how PII can be processed and stored.
  • Transparency in data processing activities.
  • Data portability and deletion requirements.
  • Incident reporting and communication.

Please refer to the official ISO/IEC 27018 publication for a detailed list of controls and requirements.

Audit type, frequency, and duration

Audits for ISO/IEC 27018 compliance can be performed as third-party audits or internal assessments. The frequency of audits may vary depending on the organization's risk assessment, contractual agreements, and regulatory requirements. Typically, organizations conduct annual audits.

The duration of an ISO/IEC 27018 audit can vary depending on the scope and complexity of the cloud environment. It can range from a few days to several weeks, with the auditors examining the organization's cloud practices, contractual agreements, and adherence to the standard's controls.
