
ISO 27018: Cloud Privacy Controls for PII

6 min read · 27kay

ISO 27018 gives cloud service providers and their customers a concrete set of controls for protecting personally identifiable information (PII) in public cloud environments. If your organization processes personal data in the cloud - whether as a provider or a customer - this standard fills the gaps that ISO 27002 alone does not address.

Published by ISO/IEC as a code of practice, ISO 27018:2019 extends the controls in ISO 27002 with 25 additional requirements specific to cloud PII processing. It is not a standalone certification - you implement it within your existing ISO 27001 ISMS and reference the controls in your Statement of Applicability.

How ISO 27018 fits into the ISO 27001 framework

The relationship between ISO 27018 and the broader ISMS standards is straightforward:

  • ISO 27001 defines the management system requirements - your risk assessment, leadership commitment, internal audits, and continuous improvement cycle
  • ISO 27002 provides the general information security controls (93 controls in the 2022 version)
  • ISO 27018 adds cloud PII-specific implementation guidance for relevant ISO 27002 controls, plus 25 additional controls in its Annex A

In practice, this means you take your existing ISO 27001 ISMS, identify which ISO 27002 controls apply to cloud PII processing, and then layer on the ISO 27018 guidance and Annex A controls. Your Statement of Applicability grows to include the additional controls, but the management system stays the same.

This approach works because ISO 27018 follows the same control structure as ISO 27002. If you already have controls for access management, encryption, or incident response, ISO 27018 tells you how to apply those controls specifically to PII in cloud environments.

Key Annex A controls

ISO 27018’s Annex A contains 25 controls organized around the privacy principles from ISO 29100. These go beyond general security and address the specific obligations of a cloud PII processor:

Consent and choice. The cloud provider must support the customer’s ability to manage data subject consent. This includes mechanisms for users to access, correct, and erase their PII - directly supporting GDPR Article 17 (right to erasure) and similar rights under other privacy regulations.

Purpose limitation. PII processed on behalf of a customer must only be used for the purposes specified in the service agreement. The provider cannot repurpose customer data for marketing, analytics, or any secondary use without explicit authorization. This control matters because cloud platforms often have the technical ability to analyze data across tenants.

Data minimization. Providers must limit PII collection to what is strictly necessary for service delivery. Temporary files, logs, and metadata containing PII must follow defined retention periods and deletion procedures.

Disclosure and transparency. Before engaging subprocessors, the provider must disclose their identity and role to the customer. Any government or law enforcement requests for PII must be communicated to the customer unless legally prohibited - a control that gained significance after the Schrems II ruling and its implications for cross-border data transfers.

Breach notification. The provider must notify the customer promptly about any unauthorized PII access, loss, or disclosure. The notification must include enough detail for the customer to meet their own regulatory reporting obligations - typically within 72 hours under GDPR.

Data location. The provider must disclose the countries and regions where PII is stored, processed, or backed up. Customers must have the ability to specify geographic restrictions. This control directly supports data residency requirements under GDPR, local data protection laws, and contractual commitments.

Return and disposal. When a contract ends, the provider must return all PII to the customer in a usable format and securely delete all copies - including backups and disaster recovery replicas.

ISO 27018 vs ISO 27701

Both standards address personal data protection, but they serve different purposes and scopes:

Aspect | ISO 27018 | ISO 27701
--- | --- | ---
Scope | PII in public cloud environments only | PII across all processing activities
Role | Cloud provider as PII processor | Both PII controllers and processors
Structure | Extends ISO 27002 controls + 25 Annex A controls | Extends ISO 27001 + ISO 27002 as a Privacy Information Management System (PIMS)
Certification | Not separately certifiable - referenced within ISO 27001 SoA | Certifiable as an extension to ISO 27001
GDPR alignment | Partial - focuses on processor obligations | Comprehensive - maps to both controller and processor requirements

If your organization is a cloud service provider processing PII on behalf of customers, ISO 27018 gives you targeted controls for that specific relationship. If you need a broader privacy management system covering all personal data processing - whether in the cloud or on-premises - ISO 27701 is the more comprehensive choice. Many organizations implement both, using ISO 27018 for their cloud-specific obligations and ISO 27701 for the overall privacy management framework.

Implementing ISO 27018 in your ISMS

Adding ISO 27018 to an existing ISO 27001 ISMS typically takes 4-6 weeks for organizations that already have mature cloud security controls. Here is a practical approach:

1. Scope definition. Identify which cloud services process PII and which provider relationships fall under ISO 27018. Not every cloud service handles personal data - focus on the ones that do.

2. Gap analysis. Map your existing ISO 27002 controls against the ISO 27018 implementation guidance. Many controls - encryption, access management, logging - likely already meet the requirements. The gaps usually appear in the Annex A controls around purpose limitation, subprocessor disclosure, and data location transparency.

3. SoA extension. Add the applicable ISO 27018 Annex A controls to your Statement of Applicability. Document the justification for including or excluding each control, just as you would for ISO 27002 controls.

4. Policy and procedure updates. Update your information security policy, data processing agreements, and incident response procedures to reflect the ISO 27018 requirements. Pay particular attention to breach notification timelines and subprocessor disclosure obligations.

5. Supplier assessment. If you are a cloud customer, assess your providers against ISO 27018 controls. Request their SOC 2 reports, ISO 27001 certificates, and any ISO 27018 compliance documentation. Major providers like AWS, Microsoft Azure, and Google Cloud publish ISO 27018 compliance statements.

6. Internal audit. Include the ISO 27018 controls in your next internal audit cycle. Auditors should verify that cloud PII controls are implemented, effective, and documented - not just present on paper.

When ISO 27018 matters most

ISO 27018 carries particular weight in situations where cloud PII processing is central to your business:

  • Cloud SaaS providers processing customer data - enterprise clients increasingly ask for ISO 27018 compliance alongside ISO 27017 and SOC 2
  • Healthcare and fintech organizations storing sensitive PII in cloud infrastructure, where regulatory scrutiny on data handling is highest
  • Cross-border data processing where demonstrating adequate privacy controls supports data transfer mechanisms under GDPR or equivalent frameworks
  • Government and public sector contracts that require explicit PII protection assurances from cloud providers, particularly in the EU market alongside C5 attestation

How 27kay can help

We help organizations implement ISO 27018 controls within their existing ISO 27001 ISMS - from gap analysis through audit preparation. Whether you are a cloud provider building trust with enterprise customers or a cloud customer assessing your providers’ PII protections, we can help you get the controls right without overcomplicating the process.

Need to strengthen your cloud privacy controls? Let’s talk - we will assess where you stand and build a practical plan to close the gaps.