ISO/IEC 27018
Was ist ISO/IEC 27018?
ISO/IEC 27018A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
● Beispiele
- 01
A SaaS vendor's trust portal references ISO 27018 alongside ISO 27001/27017 to demonstrate baseline privacy controls for customer PII.
- 02
A privacy team uses ISO 27018 controls as a checklist when assessing a new cloud subprocessor for GDPR Article 28 compliance.
● Häufige Fragen
Was ist ISO/IEC 27018?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002. Es gehört zur Kategorie Compliance und Frameworks der Cybersicherheit.
Was bedeutet ISO/IEC 27018?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
Wie funktioniert ISO/IEC 27018?
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
Wie schützt man sich gegen ISO/IEC 27018?
Schutzmaßnahmen gegen ISO/IEC 27018 kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für ISO/IEC 27018?
Übliche alternative Bezeichnungen: ISO 27018, Cloud PII processor code of practice.
● Verwandte Begriffe
- compliance№ 620
ISO/IEC 27001
Internationaler Standard mit Anforderungen an ein Information Security Management System (ISMS), nach dem Organisationen formal zertifiziert werden können.
- compliance№ 622
ISO/IEC 27017
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
- compliance№ 488
DSGVO
Datenschutz-Grundverordnung der Europäischen Union, die die Verarbeitung personenbezogener Daten von Personen in der EU und im EWR regelt.
- compliance№ 312
Datenschutz-Folgenabschätzung (DPIA)
Strukturierte Bewertung gemäß Artikel 35 der DSGVO, die vor einer voraussichtlich risikoreichen Datenverarbeitung Risiken für Rechte und Freiheiten betroffener Personen identifiziert und mindert.
- privacy№ 957
Privacy by Design
Engineering- und Governance-Ansatz, der Datenschutz von Anfang an in Systeme, Prozesse und Standardeinstellungen integriert, statt ihn nachträglich hinzuzufügen.
- privacy№ 914
Personenbezogene Daten (PII)
Daten, die allein oder in Kombination mit anderen Informationen eine bestimmte Person identifizieren können, z. B. Namen, Identifikatoren oder biometrische Merkmale.