Topic-specific policies
ISO/IEC 27018

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27018:2019 < Click to purchase via Amazon — Information technology — Security techniques — Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors



“ISO/IEC 27018 establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018 specifies guidelines based on ISO/IEC 27002, considering the regulatory requirements for the protection of PII, which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The guidelines in ISO/IEC 27018 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. ISO/IEC 27018 is not intended to cover such additional obligations.”
[Source: SC27 Standing Document 11 (2021)]


This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them.

The standard will be followed by ISO/IEC 27017 covering the wider information security angles of cloud computing, other than privacy.

The project had widespread support from national standards bodies plus the Cloud Security Alliance.


Scope and purpose

The standard intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls” [quoted from the DIS version].

The standard is primarily concerned with public-cloud computing service providers acting as PII processors . “A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [from the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors.

ISO/IEC 27000, 27001 and 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788 “Cloud computing - overview and vocabulary” and ISO/IEC 29100 “Privacy framework” (a free download!).


Status of the standard

The first edition was published in 2014.

The second edition (a minor revision) was published in 2019.


Personal comments

The standard builds on ISO/IEC 27002, expanding on 27002’s generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations.

In most sections, it simply says:

“The objectives specified in, and the contents of,
[whatever] of ISO/IEC 27002 apply.”


The expansions or additions are pretty straightforward.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2021 IsecT Ltd.