ISO 27018 for cloud service providers

What is ISO/IEC 27018?

The ISO/IEC 27000 family of standards includes the security standard ISO/IEC 27018.

The industry promoted the first international standard regarding privacy in cloud computing services. It was developed in 2014 as an addition to ISO/IEC 27001, the original global standard for cloud privacy practices. It aids cloud service providers who handle personally identifiable information (PII) with risk assessment and PII protection control implementation. Under the supervision of the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27, it was issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Data security in the cloud by datatunnel

Objectives of ISO/IEC 27018?

A public cloud computing service provider operating as a PII processor can establish a standard set of security categories and controls by using this document in conjunction with the information security objectives and controls in ISO/IEC 27002.

The following are its goals:

  • As a PII processor, the public cloud service provider has legal requirements that must be met, whether those obligations are imposed directly or through a contract.
  • Allowing for transparency in pertinent areas will enable clients of cloud services to choose well-managed cloud based PII processing services.
  • Help in the contracting process between the public cloud PII processor and the user of the cloud service.

In situations where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment may be technically impractical and may increase risks to those physical and logical network security controls in place, provide cloud service customers with a mechanism for exercising audit and compliance rights and obligations.


The benefits of applying this standard are as follows:

  • Higher security is provided for consumer data and information.
  • It elevates the platform above the competitors and increases customer trust in the platform.
  • Faster global operations enablement
  • Simplified agreements.
  • It offers both users and cloud service providers legal safeguards.


ISO – ISO/IEC 27018:2019 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Similar Posts