ISO 27018
Protection of personally identifiable information (PII) in public clouds.
Overview
ISO/IEC 27018 is an international standard that establishes commonly accepted control objectives, controls, and guidelines for protecting personally identifiable information (PII) in public cloud computing environments.
It builds on ISO/IEC 27002, providing additional guidance for cloud service providers acting as PII processors, and helps organizations demonstrate their commitment to privacy and data protection.
The standard addresses cloud-specific privacy risks, including data subject rights, consent, data transfer, and breach notification, and is widely recognized as a best practice for cloud privacy compliance.
Key Requirements
- Implement policies for the protection of PII in cloud environments
- Obtain and document consent for PII processing
- Ensure transparency regarding PII processing activities
- Enable data subjects to access, correct, and delete their PII
- Establish procedures for data breach notification and response
- Control and monitor subcontractor access to PII
- Ensure secure data transfer and deletion in the cloud
Standard at a Glance
- Governing Body: International Organization for Standardization (ISO)
- Current Version: ISO/IEC 27018:2019
- Type: Guidance Standard
- Scope: Cloud service providers processing PII
- Relation to Other Standards: Supplement to ISO/IEC 27002 and ISO/IEC 27001
Who Should Comply
- Cloud service providers (IaaS, PaaS, SaaS) processing PII
- Organizations using public cloud services for PII storage or processing
- IT, legal, and compliance teams managing cloud privacy
- Enterprises subject to privacy regulations (GDPR, CCPA, etc.)
- Any business seeking to demonstrate cloud privacy best practices
ISO 27018 Readiness Assessment
Comprehensive evaluation of your cloud privacy posture against ISO 27018 requirements to identify gaps and develop a remediation plan.
Privacy Policy and Procedure Development
Creation of tailored privacy policies and procedures for cloud PII processing.
Data Subject Rights Management
Implementation of processes and tools to manage data subject requests in the cloud.
Subcontractor Risk Assessment
Evaluation and management of privacy risks associated with cloud subcontractors.
Incident Response Planning
Development of breach notification and response processes for cloud environments.