ISO/IEC 27018
What is ISO/IEC 27018?
ISO/IEC 27018: A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
● Examples
- A SaaS vendor's trust portal references ISO 27018 alongside ISO 27001/27017 to demonstrate baseline privacy controls for customer PII.
- A privacy team uses ISO 27018 controls as a checklist when assessing a new cloud subprocessor for GDPR Article 28 compliance.
● Frequently asked questions
What is ISO/IEC 27018?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for ISO/IEC 27018?
Common alternative names include: ISO 27018, Cloud PII processor code of practice.
● Related terms
- ISO/IEC 27001 (compliance): The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
- ISO/IEC 27017 (compliance): A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
- GDPR (compliance): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Data Protection Impact Assessment (DPIA) (compliance): A structured assessment, required by GDPR Article 35, that identifies and mitigates risks to individuals' rights and freedoms before high-risk personal data processing begins.
- Privacy by Design (privacy): An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
- Personally Identifiable Information (PII) (privacy): Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.