verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/IEC 27018:2025
ActiveInternational Standardupdate Standard Updated: August 2025fact_check Fact checked: Jun 28, 2026

ISO/IEC 27018:2025

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/IEC 27018:2025 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Technology, Services, Finance & Banking, Healthcare and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/IEC 27018:2025.

privacy_tip

PII Processor Focus

Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).

do_not_disturb_on

No Secondary Use

Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.

delete_forever

Data Deletion Guarantees

Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.

list_alt Key Privacy Controls

  • Consent and choice for PII processing purposes
  • Purpose limitation — PII processed only as instructed
  • No use of PII for advertising or marketing without consent
  • Transparent sub-processor disclosure requirements
  • Data breach notification obligations to cloud customers
  • PII return, transfer, and secure disposal procedures
  • Geographic location disclosure for PII storage
  • Regular compliance auditing and verification

Who Needs to Comply?

groups

Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.

Key Requirements

1

Purpose Limitation

Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.

2

Sub-Processor Transparency

Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.

3

Breach Notification

Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.

4

Data Location and Transfer

Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Identify public-cloud PII processing

Map public cloud services where the provider acts as a PII processor, identify customer instructions, data categories, jurisdictions, subprocessors, and privacy principles relevant to ISO/IEC 29100.

2
Phase 2schedule Duration: 4-8 weeks

Define processor privacy controls

Establish controls for customer instructions, purpose limitation, consent support, disclosure restrictions, subprocessor transparency, data-subject support, return and deletion, and law-enforcement request handling.

3
Phase 3schedule Duration: 8-16 weeks

Implement evidence and customer commitments

Update cloud contracts, privacy notices, technical controls, encryption, access restrictions, logging, segregation, incident notification, deletion workflows, and customer audit or assurance materials.

4
Phase 4schedule Duration: Ongoing

Maintain cloud privacy assurance

Monitor service, subprocessor, region, law, and control changes. Refresh evidence for customer due diligence, ISO 27001 audits, and privacy reviews.

Compliance Checklist

0 / 12

checklist PII processor scope

checklist Privacy controls

checklist Security and assurance

Penalties & Enforcement

warning

No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.

Frequently Asked Questions

What is ISO/IEC 27018 used for?

expand_more

ISO/IEC 27018 provides control objectives, controls, and guidelines for protecting personally identifiable information in public cloud environments where the cloud provider processes PII for customers.

Who is the main audience for ISO 27018?

expand_more

The standard is most relevant to public cloud service providers acting as PII processors, but customers can also use it to evaluate provider privacy commitments and assurance evidence.

How does ISO 27018 relate to ISO 27001?

expand_more

ISO 27018 builds on an information-security management system and adds cloud privacy controls. It is commonly assessed together with ISO 27001 and cloud-specific security controls.

What customer commitments matter most?

expand_more

Important commitments include processing only on customer instructions, limiting disclosure, managing subprocessors, supporting deletion and return, protecting PII, and notifying customers of relevant incidents.

Does ISO 27018 replace privacy law compliance?

expand_more

No. It provides a control framework for cloud PII protection, but organizations still need to map and satisfy applicable privacy laws, contracts, and cross-border transfer obligations.

Official Documentation

View All

Implementation Timeline

rocket_launch
2014
ISO/IEC 27018:2014 first edition published — world's first cloud privacy code of practice
update
Jan 2019
ISO/IEC 27018:2019 second edition published with clarifications on controller/processor roles
cloud
2020
Major cloud providers adopt ISO 27018 as standard attestation
check_circle
Aug 2025
ISO/IEC 27018:2025 third edition published with updated alignment

Related Categories