ISO/IEC 27018
What is ISO/IEC 27018?
ISO/IEC 27018: A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
● Examples
- 01
A SaaS vendor's trust portal references ISO 27018 alongside ISO 27001/27017 to demonstrate baseline privacy controls for customer PII.
- 02
A privacy team uses ISO 27018 controls as a checklist when assessing a new cloud subprocessor for GDPR Article 28 compliance.
● Frequently asked questions
What is ISO/IEC 27018?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002. It belongs to the Compliance and Frameworks category of cybersecurity.
What does ISO/IEC 27018 mean?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
How does ISO/IEC 27018 work?
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
How do you defend against ISO/IEC 27018?
Defence against ISO/IEC 27018 typically combines technical controls and operational practices, as described in the definition above.
What are the other names for ISO/IEC 27018?
Common aliases: ISO 27018, Cloud PII processor code of practice.
● Related terms
- compliance: ISO/IEC 27001
An international standard that sets out the requirements for an information security management system (ISMS), against which an organisation can obtain formal certification.
- compliance: ISO/IEC 27017
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
- compliance: GDPR
The European Union's General Data Protection Regulation, which governs the processing of personal data of individuals located in the EU and the EEA.
- compliance: Data Protection Impact Assessment (DPIA)
A structured assessment required by GDPR Article 35 that identifies and mitigates risks to individuals' rights and freedoms before high-risk processing of personal data begins.
- privacy: Privacy by Design
An engineering and governance approach that embeds privacy considerations into systems, processes and default settings from the earliest stages of design.
- privacy: Personally Identifiable Information (PII)
Any data that, alone or in combination with other information, can identify a specific individual, such as names, identifiers and biometric data.