What ISO 27018 covers
ISO 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds. It extends ISO 27001 and ISO 27002 with controls aimed at public cloud service providers that process PII on behalf of their customers — setting expectations around how that personal data is handled, disclosed and protected.
It is most relevant to public cloud providers, and to the customers who entrust them with personal data and want assurance it is properly protected.
What certification involves
Because ISO 27018 builds on ISO 27001, certification assesses the PII-protection controls on top of an information security management system, typically including:
- Consent and choice over how PII is processed
- Purpose limitation and restrictions on use of PII
- Transparency about sub-processors and data locations
- Controls over disclosure, return and deletion of PII
It sits within the IT-security part of the ISO Certifications portfolio and is frequently pursued alongside ISO 27017 for general cloud security.
Timeline & process
For an organisation that already holds ISO 27001, adding ISO 27018 typically takes around 10–14 weeks; implementing both together takes longer. Each engagement begins with a fixed-price scoping call and a proposal within 24 hours.
Common questions
Do we need ISO 27001 before ISO 27018?
Yes. ISO 27018 extends an ISO 27001 information security management system with controls specific to protecting PII in public clouds. ISO 27001 is the foundation; ISO 27018 adds the cloud-PII controls, and the two are often certified together.
How does ISO 27018 relate to ISO 27701?
ISO 27018 focuses specifically on PII handled by public cloud providers. ISO 27701 is the broader Privacy Information Management System extending ISO 27001 to privacy across an organisation. A cloud provider may hold both.
