ISO recently published a new edition of ISO/IEC 27018 – Guidelines for the protection of personally identifiable information (PII) in public clouds acting as PII processors.
ISO/IEC 27018 provides guidelines for the protection of personal data in public cloud services, specifically for the case where the cloud service provider acts as a processor of personal data on behalf of its customers (the controllers). The standard builds on ISO/IEC 27002: it adds implementation guidance and additional controls adapted to cloud environments, so that cloud service providers can demonstrate that they handle personal data responsibly, transparently and securely.
Why is ISO/IEC 27018 important?
As cloud computing becomes the standard way of delivering services, organisations must ensure that personal data stored and processed in the cloud is properly protected. ISO/IEC 27018 helps cloud service providers meet their legal, contractual and ethical obligations regarding the processing of personal data. It supports compliance across jurisdictions, increases customer confidence and provides a clear, auditable structure for data protection in the cloud.
Benefits
- Strengthens trust through alignment with the privacy principles of ISO/IEC 29100, on which ISO/IEC 27018 is based
- Clarifies roles and responsibilities between cloud service providers and customers
- Helps cloud service providers meet regulatory and contractual obligations
- Promotes transparency, auditability and accountability in the processing of personal data
- Facilitates privacy by design when developing cloud services
Who should use ISO/IEC 27018?
Public cloud service providers that act as PII processors, as well as organisations that evaluate cloud service providers or want to ensure their own compliance when outsourcing personal data processing.
How does ISO/IEC 27018 relate to ISO/IEC 27001 and ISO/IEC 27002?
ISO/IEC 27018 extends ISO/IEC 27002 with controls specifically tailored to the processing of personal data in the cloud and complements an Information Security Management System (ISMS) based on ISO/IEC 27001. Note that ISO/IEC 27018 is a set of guidelines rather than a certifiable management system standard on its own; in practice, conformance is demonstrated by including its controls in the scope of an ISO/IEC 27001 certification.
What’s new in the 2025 version
The 2025 edition has been aligned with the updated ISO/IEC 27002:2022, ensuring consistency between the two standards. It also includes a new Annex B, which offers expanded implementation guidance.
What types of data are protected
All personal data (PII) processed by public cloud service providers on behalf of their customers, across the whole data lifecycle: collection, storage, processing, transfer and deletion.