Build or upgrade your ISMS on our platform

Understanding ISO 27018:2020

ISO 27018 is the code of practice for the protection of personally identifiable information (PII) in public clouds. We’re going to explore what it means for both providers and customers.

What is ISO 27018?

ISO/IEC 27018 is the international standard for protecting personal information in cloud storage. The term for the personal data it covers is Personally Identifiable Information or PII. ISO 27018 is a code of practice for public cloud service providers.
ISO 27018 does two things:

  • Gives further helpful implementation guidance (adding to ISO 27002) for the controls published in ISO/IEC 27001
  • Sets out extra guidance on PII protection requirements for the public cloud

These extra controls aren’t covered in ISO 27002.

A PII processor is any public cloud service provider that processes personal data for their clients. Remember that the original client may be the PII controller, creating separate legal obligations for them. ISO/IEC 27018 doesn’t cover any of these extra requirements.

What are ISO 27018’s objectives?

ISO 27018 gives generic agreed guidance on information security categories. The standard targets public cloud services providers that act as PII processors.

Its key objectives are to:

  • Help the public cloud PII processor meet their obligations, including when they’re under contract to provide public cloud services
  • Enable transparency, so prospective cloud service customers can access secure, well managed cloud-based PII processing services
  • Help cloud services and users establish contractual agreements for processing PII
  • Give cloud service customers an audit and compliance methodology

Why is securing Personally Identifiable Information important?

According to IBM Security’s 2020 Data Breach Report, 80% of all data breaches involve PII. Securing PII covers a range of measures, some of which you’ll already be familiar with. These include:

  • Minimising data collection and retention
  • Adopting a secure data destruction schedule
  • Data encryption for both storage and transmission
  • Limiting access to data
  • Employee training
  • Compliance with relevant regulations
  • Implementing an information governance strategy

The UK’s Information Commissioner’s Office (ICO) gives full guidance on what counts as PII. You can read it here.

What is Personally Identifiable Information?

Can you identify who someone is from the data they give you? If you can, that’s Personally Identifiable Information. By definition, PII is information that could link back to identify an individual. PII can include:

  • A person’s name
  • Their date of birth
  • Where they live
  • Their IP address
  • Bank details
  • Medical records
  • And much more
See how simple it is with

Why should you process PII via the cloud?

There are many advantages to processing PII through the cloud. Using cloud storage for PII reduces operational costs compared to storing data on-site. It also makes information more accessible when you’re remote working. But cloud data storage can be risky. You need to be confident that a cloud provider has the best controls in place to keep your information secure. If you’re a cloud provider, you’ll need to show your customers you have excellent security controls in place.

ISO 27018 classes cloud service providers as processors when they process your organisation’s personal data. Your organisation stays classed as the data controller even when a cloud service provider processes your data for you. Both processors and data controllers have legal responsibilities for PII protection.

What’s the history of ISO/IEC 27018:2020?

The information security management environment is rapidly evolving. The technical Standard ISO/IEC 27001 doesn’t address PII. So ISO created a new, complimentary standard in 2014, ISO 27018. The new standard addresses concerns about companies processing personal data in cloud service providers.  ISO/IEC 27018:2020 is the third version of the 2014 document.

What changed from ISO/IEC 27018:2019 to 27018:2020?

ISO/IEC 27018:2020 is the latest version of ISO 27018. The differences between ISO 27018:2019 and ISO 27018:2020 are essentially technical. For all practical purposes, you can treat the 2019 and 2020 versions of ISO 27018 as being identical.

What changed from ISO/IEC 27018:2014 to 27018:2019?

The 2019 version of ISO 27018 contained only minor revisions from the 2014 version. The new version of ISO 27018:

  • Added a general background section
  • Defined it as a document not an international standard

Defining ISO 27018 as a document not a standard is more technically accurate, because the agreed standard for an Information Security Management System (ISMS) is ISO 27001.

ISO has withdrawn ISO/IEC 27018:2014.

What’s ISO 27018’s relationship with other standards?

ISO 27018 is one of the ISO 27000 family of information security management standards. The ISO 27000 standards provide an internationally recognised infosec framework.


How does ISO 27018 relate to ISO 27001?

ISO 27001 sets out the technical requirements for establishing an ISMS. Compliance with ISO 27001 is the foundation standard for data security. ISO 27018 adds guidance on cloud service data protection to ISO 27001.

Rather than choosing between ISO 27001 or 27018, think about implementing them together. ISO 27001 is the best framework for creating an ISMS that focuses on risk management. ISO 27018 adds guidance for achieving robust security in the cloud.


How does ISO 27018 relate to ISO 27701?

ISO 27701 covers privacy information management, setting out requirements and guidance for implementing a privacy information management system (PIMS). The standard also gives guidance for PII controllers and processors, including implementation advice depending on:

  • Your location
  • Any national legislation or regulations

ISO 27701 maps to ISO 27018 and the EU GDPR legislation. It’s an extension of ISO 27001, the foundation standard for data security.

How does ISO 27018 relate to GDPR?

If your organisation works in the European Union, you must comply with and so should be aware of GDPR (General Data Protection Regulation). It’s an EU law (and UK, post-Brexit) that governs the processing of personal data. GDPR doesn’t only apply to EU countries. The law also applies to any organisation that provides goods or services into the EU.

GDPR and ISO 27018 serve slightly different functions. GDPR sets out data privacy and protection regulations. ISO 27018 gives you a practical framework to manage data protection and information security risks. Implementing ISO 27001, in conjunction with 27018, gives you a solid foundation for GDPR compliance.

Which other guidelines complement ISO 27018?

ISO 27018 links to ISO/IEC 29100. ISO 29100 provides:

  • Privacy principles for the public cloud environment
  • A general framework for protecting PII within an ICT system

ISO 29100 links to ISO 27018 by:

  • Helping you to define PII privacy requirements
  • Explaining the different roles in processing PII

ISO 29100 also establishes key privacy principles and terminology.

Read our free guide to achieving ISO 27001 first time

What are the benefits of ISO 27018?

Cybersecurity is a massive issue for business confidence. In today’s global marketplace, protecting customer data has never been more critical. ISO 27018 creates a robust global compliance framework.

ISO 27018 is particularly helpful for cloud service clients. It supports auditing for compliance against internal responsibilities. This is especially helpful when the data processor is a third-party cloud provider.

Other benefits of ISO 27018 are that it:

  • Reduces the risks of data breaches in the cloud and related regulatory fines
  • Inspires trust in your organisation
    • Clients and customers will know that you’re ser protecting their personal data.
  • Protects your brand reputation

Who can implement ISO 27018?

This standard is relevant for many types of organisation. Whether you’re:

  • private, public or not-for-profit sector
  • a large, medium or small company

if you process PII data via cloud computing, ISO 27018 is for you.

If you contract out PII to another company, due diligence will show if they work with ISO/IEC 27018. Any service provider that uses the cloud or PII should consider ISO 27018.

Most well-known cloud service providers are developing or have developed security measures to protect PII. Major industry players that already have ISO/IEC 27018-compliant policies include:

  • Amazon Web Services
  • Dropbox
  • Google Apps for Work
  • IBM Softlayer
  • Microsoft Azure

How do I get started with ISO 27018?

There are three areas you should look at when thinking about implementing ISO 27018:

  • Find out what existing regulations apply legally to your organisation
  • Don’t forget to include requirements that apply to your specific industry
  • See if implementing ISO 27018 could give rise to any additional organisational risks
  • Understand how adopting ISO 27018 could change your company culture / policies

Note that these areas are also covered by ISO 27001. ISO 27018 focuses more deeply on PII and cloud computing services.

What’s good ISO 27018 practice?

When adopting ISO 27018, it’s good practice to start by understanding your starting point. It’s important to build on what’s already in place. You’ll also need to identify any gaps that may increase the risk of a data breach in the cloud. A rigorous self-assessment process will achieve these aims.

Once you’ve established your starting point, invest in internal communications. Give your colleagues notice of any planned changes and involve them in discussions about why they’re needed. That will help you:

  • Create workforce ownership
  • Drive adoption of data protection controls and ISO 27018 measures

Can you get certification for ISO 27018?

ISO 27018 a code of practice, not a standard. ISO 27018 certification is generally included in the ISO 27001 audit process, if it’s included as an add-on to the ISMS.

To gain certification for an ISO standard, a competent auditor will conduct an audit. The auditor will check if the organisation meets the ISO criteria or if there are any gaps. This is known as a stage 1 audit.

After the audit, the organisation will have time to address any gaps in:

  • Processes
  • Procedures
  • Implementation

After a few weeks, the auditor will return for the stage 2 audit. This is a much longer and more in depth audit than stage 1. Your stage 2 audit will ensure that the ISMS is actually working as designed and implemented.

The awarding of ISO certification follows this visit providing the ISMS meets all criteria. The auditor will visit the organisation periodically (usually annually) to confirm your continued compliance. To maintain your ISO certified status you’ll need to pass your annual maintenance audits.

What are the requirements of ISO/IEC 27018:2020?

ISO/IEC 27018 extends the guidance for implementing security controls in ISO/IEC 27002. These controls divide the responsibilities for data protection into:

  • Your responsibilities as the cloud service customer and data controller, even if you outsource data storage.
  • Your cloud service provider’s responsibilities as the data processor

The extended security controls include:

PII encryption requirements during storage and transmission
A secure deletion schedule for any no-longer-required PII
A cloud service agreement that defines why PII processing takes place
Robust cloud service provider assurances for information governance

You’ll also need an extra set of security controls. These align with the privacy principles set out in the ISO/IEC 29100 privacy framework. ISO/IEC 27018 allows cloud providers to prove that they know how to protect their customers PII.

If your organisation processes PII, consider implementing ISO 27018 alongside an ISO 27001 ISMS. If you’re still curious about the specifics of what is included in the report, here’s the full list of ISO 27018’s clauses:

What are ISO/IEC 27018:2020’s Annex A clauses?

Note that the list below is additional to controls defined in ISO 27001.

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Overview

4.1: Structure of this document
4.2: Control categories

Clause 5: Information security policies

5.1: Management direction for information security

Clause 6: Organization of information security

6.1: Internal organisation
6.2: Mobile devices and teleworking

Clause 7: Human resource security

7.1: Prior to employment
7.2: During employment
7.3: Termination and change of employment

Clause 8: Asset management

Clause 9: Access control

9.1: Business requirements of access control
9.2: User access management
9.3: User responsibilities
9.4: System and application access control

Clause 10: Cryptography
10.1: Cryptographic controls

Clause 11: Physical and environmental security

11.1: Secure areas
11.2: Equipment

Clause 12: Operations security

12.1: Operational procedures and responsibilities
12.2: Protection from malware
12.3: Backup
12.4: Logging and monitoring
12.5: Control of operational software
12.6: Technical vulnerability management
12.7: Information systems audit considerations

Clause 13: Communications security

13.1: Network security management
13.2: Information transfer

Clause 14: System acquisition, development and maintenance
Clause 15: Supplier relationships
Clause 16: Information security incident management

16.1: Management of information security incidents and improvements

Clause 17: Information security aspects of business continuity management

Clause 18: Compliance

18.1: Compliance with legal and contractual requirements
18.2: Information security reviews

What are ISO/IEC 27018:2020’s Annex A clauses?

Note that the list below is additional to controls defined in ISO 27001.  Annex A Public cloud PII processor extended control set for PII protection.

1: General

2: Consent and choice

3: Purpose legitimacy and specification

4: Collection limitation

5: Data minimisation

6: Use, retention and disclosure limitation

7: Accuracy and quality

8: Openness, transparency and notice

9: Individual participation and access

10: Accountability

11: Information security

12: Privacy compliance

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27010

  • 8

    ISO 27014

  • 9

    ISO 27013

  • 10

    ISO 27016

  • 11

    ISO 27017

  • 12

    ISO 27018

  • 13

    ISO 27019

  • 14

    ISO 27038

  • 15

    ISO 27039

  • 16

    ISO 27040

  • 17

    ISO 27050

  • 18

    ISO 27102