Understanding ISO 27018 – A Guide to PII Protection in Cloud Services

What is ISO/IEC 27018?

ISO/IEC 27018 is an international standard focused on protecting Personally Identifiable Information (PII) in public cloud services. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it is a code of practice: it offers guidelines and controls for cloud service providers that process personal data on behalf of their customers.

It is not a standalone, certifiable management-system standard. Instead, it extends the ISO/IEC 27001 information security family: it takes the controls of ISO/IEC 27002, adds implementation guidance specific to public-cloud PII processing, and supplies additional privacy controls that ISO/IEC 27002 does not cover. The standard defines the responsibilities of a public cloud provider when acting as a ‘PII processor’ for a customer who remains the PII controller.

Key Principles of ISO/IEC 27018

ISO/IEC 27018 is built on key principles designed to create a transparent and accountable framework for protecting PII. These include:

  • Customer Control: The customer remains in control of its data because the provider acts strictly as a PII processor. The provider processes PII only on the customer’s documented instructions and may not use it for marketing or advertising without the customer’s express consent, nor make such consent a condition of the service.

  • Transparency: Providers must be transparent about their data handling practices—including the use of sub-processors and the geographic locations of data storage—to enable customers to conduct thorough risk assessments.

  • Security and Communication: Providers must implement strong security controls, promptly notify customers of data breaches, and disclose legally binding requests for PII from law enforcement unless prohibited by law.

  • Accountability: Accountability is enforced through structured contractual agreements that grant customers the right to audit and verify compliance, which in turn builds greater trust.

Benefits of ISO/IEC 27018 Compliance

Compliance with ISO/IEC 27018 offers several key benefits for both cloud providers and their customers:

  • Enhanced Customer Trust: It demonstrates a verifiable commitment to protecting sensitive PII, which builds customer confidence and strengthens relationships.

  • Simplified Regulatory Compliance: The standard provides a clear framework that helps organizations meet complex legal and contractual data protection obligations across multiple jurisdictions.

  • Competitive Differentiation: As a tangible credential, it distinguishes a provider in the marketplace, potentially opening access to regulated sectors like finance and healthcare.

  • Streamlined Customer Due Diligence: It simplifies the risk assessment process for customers, offering third-party assurance that a provider’s PII controls align with international best practices.

ISO/IEC 27018 Audit Requirements

Because ISO/IEC 27018 is a code of practice rather than a certifiable standard in its own right, conformity is assessed by an accredited third-party certification body as an extension of the organization’s ISO/IEC 27001 certification audit, with the ISO/IEC 27018 controls added to the scope of that audit.

The certification audit is divided into two phases:

  • Stage 1 Audit: A readiness review where auditors examine documentation, policies, and the scope of the management system to assess the organization’s preparedness for the main audit.

  • Stage 2 Audit: A formal compliance audit where auditors verify that PII protection controls are fully implemented and operating effectively.

Once certification is granted after a successful Stage 2 audit, it must be maintained through annual surveillance audits, with a full recertification audit at the end of each three-year certification cycle. These audits verify ongoing adherence to the standard and demonstrate a continuing commitment to data privacy.

ISO/IEC 27018 and Major Cloud Providers

For major public cloud providers, a commitment to data privacy is more than a compliance checkbox—it’s a core business requirement. Adhering to standards like ISO/IEC 27018 is a primary way they build and maintain customer trust, using internationally recognized certifications to prove their controls are both strong and effective.

Microsoft exemplifies this commitment. Its services, including Microsoft Azure and Azure Germany, undergo regular third-party audits at least annually to validate compliance with both ISO/IEC 27001 for general information security and ISO/IEC 27018 for PII protection. This annual verification confirms that Microsoft’s security controls are well-designed and operating effectively to protect customer data.

While both address cloud security, ISO/IEC 27018 and ISO/IEC 27017 have different focuses:

  • ISO/IEC 27017: This standard provides a framework for general cloud security controls that applies to both cloud providers and their customers.

  • ISO/IEC 27018: This standard focuses specifically on protecting Personally Identifiable Information (PII) in public clouds, which makes it an essential add-on for meeting data protection regulations like GDPR.

For customers evaluating cloud services, these certifications offer a transparent and reliable benchmark. Leading providers like Microsoft make their compliance status readily accessible via resources like the Microsoft Trust Center, which hosts audit reports, product terms, and data protection addenda. Customers should still confirm that the specific services they use fall within the certified scope, since a provider’s certificate covers only the services and regions named in it. This transparency helps organizations use their provider’s certifications to simplify their own compliance and risk assessment processes.