ISO/IEC 27018
ISO/IEC 27018 是什么?
ISO/IEC 27018A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
● 示例
- 01
A SaaS vendor's trust portal references ISO 27018 alongside ISO 27001/27017 to demonstrate baseline privacy controls for customer PII.
- 02
A privacy team uses ISO 27018 controls as a checklist when assessing a new cloud subprocessor for GDPR Article 28 compliance.
● 常见问题
ISO/IEC 27018 是什么?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002. 它属于网络安全的 合规与框架 分类。
ISO/IEC 27018 是什么意思?
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
ISO/IEC 27018 是如何工作的?
ISO/IEC 27018:2019 specifies commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in line with privacy principles for the public cloud computing environment, focusing on public-cloud service providers acting as PII processors. It complements ISO 27001/27002 and ISO 27017 with controls addressing consent, choice, purpose limitation, transparency, accountability, subcontractor disclosure, retention and deletion, and information-security incident response for PII. Many cloud providers and SaaS vendors hold ISO 27018 certification together with ISO 27001 and ISO 27017, and customers use it as an indicator that the provider has implemented baseline privacy controls — especially in jurisdictions where GDPR or local privacy law requires processors to demonstrate adequate technical and organisational measures. ISO 27018 is purely a code of practice; it does not on its own satisfy GDPR but is widely treated as supporting evidence in DPIAs and processor due diligence.
如何防御 ISO/IEC 27018?
针对 ISO/IEC 27018 的防御通常结合技术控制与运营实践,详见上方完整定义。
ISO/IEC 27018 还有哪些其他名称?
常见的别称包括: ISO 27018, Cloud PII processor code of practice。
● 相关术语
- compliance№ 620
ISO/IEC 27001
信息安全管理体系(ISMS)要求的国际标准,组织可据此通过正式认证。
- compliance№ 622
ISO/IEC 27017
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
- compliance№ 488
GDPR(欧盟通用数据保护条例)
欧盟通用数据保护条例,规范对位于欧盟和欧洲经济区个人的个人数据处理活动。
- compliance№ 312
数据保护影响评估(DPIA)
在开展高风险个人数据处理前,按 GDPR 第 35 条要求进行的结构化评估,用于识别并缓解对个人权利与自由的风险。
- privacy№ 957
隐私设计
一种工程与治理方法,在系统、流程及默认配置的最早设计阶段就内建隐私考量,而非事后补救。
- privacy№ 914
个人可识别信息 (PII)
可单独或与其他信息结合用于识别特定个人的任何数据,例如姓名、标识符或生物特征记录。