Processing personal data in the public cloud creates specific risks that generic security standards do not fully address. ISO 27018 was developed to fill this gap. It provides a code of practice for the protection of personally identifiable information (PII) in public cloud computing environments, establishing clear expectations for cloud service providers acting as PII processors.
Core principles of ISO 27018
ISO 27018 is built on several fundamental principles that align closely with established privacy frameworks. Purpose limitation requires that personal data processed in the cloud is used only for the purposes specified by the cloud customer. Transparency demands that cloud providers are clear about where data is processed and stored, including any use of sub-processors.
The standard also addresses data return and deletion. When a cloud service agreement ends, the provider must return or securely delete all personal data within a defined timeframe. This is a practical requirement that organizations frequently overlook until they actually need to migrate away from a provider.
Breach notification is another core element. ISO 27018 requires cloud providers to notify customers promptly when a data breach affecting personal data is detected. This obligation is particularly important because the cloud customer, as data controller, typically has legal notification obligations to data protection authorities and data subjects.
Relationship with GDPR
For European organizations, ISO 27018 provides a practical framework for implementing many GDPR requirements in cloud environments. The principles of purpose limitation, data minimization, transparency and breach notification map directly to GDPR obligations. While ISO 27018 certification does not guarantee GDPR compliance (the GDPR is broader in scope), it demonstrates that a cloud provider has implemented systematic controls for personal data protection.
Regulators and data protection authorities increasingly view ISO 27018 certification as a positive indicator when assessing the adequacy of data processing arrangements. For cloud service providers, this certification strengthens the position of their customers in demonstrating accountability under the GDPR.
Combined certification approach
ISO 27018 is designed to be implemented alongside ISO 27001 and ISO 27017. ISO 27001 provides the information security management system, ISO 27017 adds cloud-specific security controls, and ISO 27018 adds cloud-specific privacy controls. Together, they form a comprehensive framework for secure and privacy-respecting cloud services.
The combined certification approach is both practical and cost-effective. All three standards share the ISO management system structure, which means a single integrated management system can satisfy all requirements. Audit activities can be combined, reducing the burden on your organization while maximizing the assurance provided to customers.
Secure Audit helps cloud service providers implement and certify against the full ISO 27001, 27017 and 27018 framework. Contact us to discuss how PII protection certification can strengthen your cloud offering and support your customers' compliance needs.
About the author
Partner | IT Auditor