What do ISO 27018 and ISO 29151 cover?
ISO/IEC 27018 provides guidelines for the protection of personally identifiable information in public cloud computing environments, specifically for organisations acting as PII processors. It is widely used by cloud service providers to demonstrate their commitment to privacy protection.
ISO/IEC 29151 provides a code of practice for PII protection, offering additional controls and guidance beyond what is covered in ISO 27002. It is primarily aimed at PII controllers and provides practical implementation advice.
Annex E of ISO 27701:2025 provides an indicative (not authoritative) mapping showing how the ISO 27701:2025 controls relate to ISO 27018 and ISO 29151. This is particularly valuable for organisations that already implement ISO 27018 or ISO 29151 and want to understand how much of their existing work carries over to ISO 27701:2025, and where gaps remain.
For the full control structure, see the Annex A overview. For GDPR alignment, see the Annex D GDPR mapping. For ISO 29100 privacy principles, see Annex C. For 2019 equivalences, see the Annex F correspondence table. For an overview of all changes, see what’s new in ISO 27701:2025.
How do the management system clauses map?
The management system requirements in Clauses 4 through 10 of ISO 27701:2025 do not have direct equivalents in either ISO 27018 or ISO 29151, as neither of those standards defines a management system. This means:
- Organisations already complying with ISO 27018 or ISO 29151 will still need to implement the PIMS management system requirements (Clauses 4-10) to achieve ISO 27701:2025 certification
- The mapping value lies primarily in the control-level overlap, not at the management system level
How do shared security controls map?
The shared security controls (Table A.3) have the strongest overlap with both ISO 27018 and ISO 29151. These controls cover information security fundamentals that all three standards address. Each B.3 reference below provides implementation guidance for the corresponding A.3 control.
| Annex B Guidance | Annex A Controls | ISO 27018 | ISO 29151 | Topic |
|---|---|---|---|---|
| B.3.3-B.3.16 | A.3.3 through A.3.16 | 5.1, 5.2, 5.12-5.36, A.10-A.11 | 5.1, 5.2, 5.12-5.36 | Security policies, roles, classification, access, incidents, compliance |
| B.3.17-B.3.18 | A.3.17, A.3.18 | 6.3, 6.6, A.11.1 | 6.3, 6.6 | Awareness, training, confidentiality agreements |
| B.3.19-B.3.21 | A.3.19, A.3.20, A.3.21 | 7.7, 7.10, 7.14, A.11.2-A.11.13 | 7.1-7.14 | Physical security, media, disposal |
| B.3.22-B.3.31 | A.3.22 through A.3.31 | 8.1, 8.5, 8.13-8.33, A.11.6 | 8.1, 8.13-8.33 | Endpoint devices, authentication, backup, logging, crypto, development |
How do PII controller controls map?
PII controller controls from ISO 27701:2025 map primarily to ISO 29151, which provides a PII controller-focused code of practice. ISO 27018 has limited coverage here since it focuses on processors. Each B.1 reference provides implementation guidance for the corresponding A.1 control.
| Annex B Guidance | Annex A Controls | ISO 27018 | ISO 29151 | Topic |
|---|---|---|---|---|
| B.1.2.2-B.1.2.3 | A.1.2.2, A.1.2.3 | N/A | A.4, A.4.1 | Purpose specification, lawful basis |
| B.1.2.4-B.1.2.5 | A.1.2.4, A.1.2.5 | N/A | A.3.1 | Consent and choice |
| B.1.2.6 | A.1.2.6 Privacy impact assessment | N/A | A.11.2 | PIA requirements |
| B.1.3.2-B.1.3.10 | A.1.3.2 through A.1.3.10 | N/A | A.9, A.9.2, A.10 | Individual participation, access, transparency |
| B.1.4.2-B.1.4.10 | A.1.4.2 through A.1.4.10 | N/A | A.5-A.8 | Collection limitation, data minimisation, accuracy, use limitation |
| B.1.5.2-B.1.5.5 | A.1.5.2 through A.1.5.5 | N/A | A.7.4, A.13.2 | Transfer safeguards, disclosure records |
How do PII processor controls map?
PII processor controls from ISO 27701:2025 have strong overlap with ISO 27018, which is specifically designed for cloud-based PII processors. Each B.2 reference provides implementation guidance for the corresponding A.2 control.
| Annex B Guidance | Annex A Control | ISO 27018 | ISO 29151 | Topic |
|---|---|---|---|---|
| B.2.2.3 | A.2.2.3 Organisation’s purposes | A.3.1 | N/A | Processing under authority |
| B.2.2.4 | A.2.2.4 Marketing and advertising | A.3.2 | N/A | Marketing restrictions |
| B.2.3.2 | A.2.3.2 Obligations to PII principals | A.2.1 | N/A | Compliance assistance |
| B.2.4.2-B.2.4.4 | A.2.4.2, A.2.4.3, A.2.4.4 | A.5.1, A.10.3, A.12.2 | A.7.2, A.11.3 | Temporary files, return of PII, transmission |
| B.2.5.2-B.2.5.9 | A.2.5.2 through A.2.5.9 | A.6.1-A.6.2, A.8.1, A.12.1 | A.4.1, A.7.3-A.7.5, A.13.2 | Disclosure, subcontractors, international transfers |
Who benefits most from this mapping?
- Cloud service providers already assessed against ISO 27018 (typically as an extension of their ISO 27001 certification) can use this mapping to accelerate their ISO 27701:2025 implementation, as many processor controls overlap
- Organisations that have implemented ISO 29151 can map their existing PII controller controls to the new ISO 27701:2025 structure (see the transition guide)
- Multi-standard environments can use the mapping to identify shared evidence and avoid duplicating compliance effort across standards
Why choose ISMS.online for multi-standard compliance?
ISMS.online supports organisations running multiple privacy and security standards in parallel:
- Cross-framework views — See how one control implementation satisfies requirements across ISO 27701, ISO 27018, ISO 29151 and more
- Shared evidence — Link policies, procedures and records to multiple framework requirements without duplication
- Unified audit preparation — Generate evidence packs that cover multiple standards in a single export
- Gap identification — Spot where existing certifications already cover ISO 27701:2025 requirements and where new work is needed
- Integrated management system — Manage ISO 27001, ISO 27701 and related standards in one platform
FAQs
If I am certified to ISO 27018, do I still need ISO 27701?
ISO 27018 and ISO 27701 serve different purposes. ISO 27018 is a code of practice that adds cloud-specific PII processor guidance on top of the ISO 27002 controls; it is not a certifiable management system standard on its own and is normally assessed as part of an ISO 27001 certification. ISO 27701:2025, by contrast, is a complete, standalone privacy information management system standard. The two complement each other, and the Annex E mapping shows where they overlap. See also the GDPR compliance guide for the GDPR-specific mapping.
Does ISO 27701:2025 replace ISO 27018 or ISO 29151?
No. ISO 27018 and ISO 29151 remain separate, active standards. ISO 27701:2025 can be implemented alongside them. The Annex E mapping simply shows where the standards overlap, helping organisations that implement multiple standards to reduce duplication.
What is the relationship between Annex A and Annex B?
Annex A defines the privacy controls (what you must do) and Annex B provides the corresponding implementation guidance (how to do it). They share the same numbering: A.1.2.2 is the control and B.1.2.2 is its guidance. Annex A is normative in the 2025 edition; Annex B is the guidance that accompanies it. The tables on this page reference the B numbering because Annex E maps the implementation guidance to ISO 27018 and ISO 29151, but each B clause has a direct A counterpart shown in the second column.
Why do some controls show N/A in the mapping?
N/A indicates that the ISO 27701:2025 control has no direct equivalent in that particular standard. For example, PII controller controls show N/A for ISO 27018 because ISO 27018 only covers PII processors. Similarly, some processor controls show N/A for ISO 29151 because that standard focuses on PII controllers.