ISO/IEC 27018.

A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002. Cette notion relève de la catégorie Conformité et référentiels en cybersécurité.

A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.

ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.

Les défenses contre ISO/IEC 27018 combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : ISO 27018, Cloud PII processor code of practice.