AuditXYZ

ISO/IEC 27018:2019 Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds

ISO 27018 sets controls for protecting personally identifiable information in public cloud services. Learn how it helps cloud providers demonstrate PII protection compliance.

Issuing Body: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
First Published: 2014-07-29
Latest Version: 2019
Typical Cost: $15,000–$75,000
Typical Timeline: 2–6 months
Audit Required: Yes
Audit Frequency: Audited as an extension to ISO 27001 surveillance and recertification cycles
Geography: Global

ISO 27018: Protecting Personal Data in the Cloud

ISO/IEC 27018 establishes commonly accepted control objectives and guidelines for protecting personally identifiable information (PII) in public cloud computing environments. It is the first international standard focused specifically on privacy in cloud services.

What ISO 27018 Covers

The standard builds on ISO 27002 controls, adding PII-specific implementation guidance and introducing additional controls derived from privacy principles. Key areas include consent management, purpose limitation, data minimization, transparency, PII disclosure procedures, sub-processor oversight, and data portability.

ISO 27018 explicitly addresses the role of the cloud service provider as a PII processor, establishing expectations for how processors handle personal data on behalf of their customers (PII controllers).

Who Needs ISO 27018

Public cloud service providers that process PII on behalf of customers are the primary audience. This includes SaaS companies handling customer data, IaaS providers hosting applications with personal data, and any cloud service that touches PII.

The standard is particularly relevant for organizations subject to GDPR, as ISO 27018 maps well to GDPR processor requirements. Companies operating in healthcare, financial services, and education — where PII sensitivity is highest — find ISO 27018 especially valuable.

Key Privacy Controls

ISO 27018 introduces controls beyond standard ISO 27002, including:

  • Consent and choice — PII must not be used for marketing without explicit consent
  • Purpose limitation — Cloud providers must not process PII beyond the customer's instructions
  • Data minimization — Temporary files containing PII must be erased within a specified period
  • Transparency — Providers must disclose sub-processors and PII storage locations
  • Breach notification — Providers must notify customers of PII breaches promptly
  • Data return — PII must be returnable and erasable upon contract termination

Certification Path

Like ISO 27017, ISO 27018 is certified as an extension to ISO 27001. The incremental effort for organizations with existing ISO 27001 certification is manageable. Primary work involves documenting PII handling procedures, implementing privacy-specific controls, and ensuring sub-processor agreements meet the standard's requirements.

Organizations pursuing ISO 27018 alongside ISO 27017 create a comprehensive cloud security and privacy posture that resonates strongly with enterprise customers and regulators.
