Connect with us

Hi, what are you looking for?


ISO/IEC 27018

ISO/IEC 27018:2019 – Information technology — Security techniques — Guidelines for protecting Personally Identifiable Information (PII) in public cloud servers acting as PII processors


The purpose of this standard is to ensure that the cloud service providers (such as Google and Amazon) implement suitable information security controls as a means of protecting their customers’ information, primarily securing Personally Identifiable Information.

In addition to privacy, the standard will be followed by ISO/IEC 27017, which covers multiple aspects of information security of cloud computing.

In addition to national standards organizations, the Cloud Security Alliance endorsed the project.

Scope and objectives

The standard aims to serve as a guide for selecting PII protection controls in the context of implementing an ISO/IEC 27001-based cloud computing information security management system, or as a guide for organizations for implementing generally accepted PII protection controls.

Cloud computing services act as public-cloud computing processors under this standard. “A public cloud service provider processes personal information for and according to instructions from a cloud service customer”. It does not address PII principals (e.g. individuals who process personal information in the cloud, for instance, Google Drive) or PII controllers (i.e. enterprises which use cloud services for processing PII of clients, customers, employees, etc. ), even though they share many concerns and are interested in the cloud service provider’s privacy policies.

ISO/IEC 27002 is interpreted in the standard rather than duplicated to secure personal data held in the cloud. 27002 includes an annexe that, for example, advises cloud service providers to inform their customers if they use subcontractors.

ISO/IEC 27000, 27001, and 27002 are considered to be “normative” (i.e. necessary) standards, including ISO/IEC 17788 “Cloud computing – overview and terminology” and ISO/IEC 29100 “Privacy framework”.

The standard’s status

In 2014, the first edition was published.

The second edition was published in 2019 (a minor revision).


A few sections of ISO/IEC 27002 are expanded, as is the general advice offered by 27002, and several OECD privacy principles are referenced.

Most of the sections simply state: “The objectives and content of Clause of ISO/IEC 27002 apply.”

Expansions and additions are fairly straightforward.

Advertisement Advertisement
  • solutions-inc
  • solutions-inc
  • solutions-inc
  • solutions-inc

Latest Post

Advertisement Advertisement
  • solutions-inc
  • solutions-inc
  • solutions-inc
  • solutions-inc

You May Also Like

Information Privacy

ISO/IEC TS 27560 — Privacy technologies — Consent record information structure [Draft] Introduction For recording PII Principals’ (data subjects’) consent to data processing, this...


The task to be performed ISO 27001 Clause 10.1 Nonconformity and corrective action, Clause 10 which includes sections 10.1 and 10.2 covers the “Act”...

Cyber Security

ISO/IEC TS 27110:2021 — Information security, cybersecurity and privacy protection — Cybersecurity framework development instructions Introduction As a Technical Specification, the standard (an architecture...


The article discusses Compliance with Legal and Contractual Requirements, Identification of Applicable Legislation and Contractual Requirements and Intellectual Property Rights accordingly controls.A.18.1 Compliance with...