ISO/IEC 27018:2025
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Standard Introduction
ISO/IEC 27018:2025 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Technology, Services, Finance & Banking, Healthcare and applies in Global.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/IEC 27018:2025.
PII Processor Focus
Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).
No Secondary Use
Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.
Data Deletion Guarantees
Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.
list_alt Key Privacy Controls
- Consent and choice for PII processing purposes
- Purpose limitation — PII processed only as instructed
- No use of PII for advertising or marketing without consent
- Transparent sub-processor disclosure requirements
- Data breach notification obligations to cloud customers
- PII return, transfer, and secure disposal procedures
- Geographic location disclosure for PII storage
- Regular compliance auditing and verification
Who Needs to Comply?
Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.
Key Requirements
Purpose Limitation
Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.
Sub-Processor Transparency
Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.
Breach Notification
Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.
Data Location and Transfer
Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.
Implementation Roadmap
Identify public-cloud PII processing
Map public cloud services where the provider acts as a PII processor, identify customer instructions, data categories, jurisdictions, subprocessors, and privacy principles relevant to ISO/IEC 29100.
Define processor privacy controls
Establish controls for customer instructions, purpose limitation, consent support, disclosure restrictions, subprocessor transparency, data-subject support, return and deletion, and law-enforcement request handling.
Implement evidence and customer commitments
Update cloud contracts, privacy notices, technical controls, encryption, access restrictions, logging, segregation, incident notification, deletion workflows, and customer audit or assurance materials.
Maintain cloud privacy assurance
Monitor service, subprocessor, region, law, and control changes. Refresh evidence for customer due diligence, ISO 27001 audits, and privacy reviews.
Compliance Checklist
checklist PII processor scope
checklist Privacy controls
checklist Security and assurance
Penalties & Enforcement
No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.
Frequently Asked Questions
What is ISO/IEC 27018 used for?
expand_more
ISO/IEC 27018 provides control objectives, controls, and guidelines for protecting personally identifiable information in public cloud environments where the cloud provider processes PII for customers.
Who is the main audience for ISO 27018?
expand_more
The standard is most relevant to public cloud service providers acting as PII processors, but customers can also use it to evaluate provider privacy commitments and assurance evidence.
How does ISO 27018 relate to ISO 27001?
expand_more
ISO 27018 builds on an information-security management system and adds cloud privacy controls. It is commonly assessed together with ISO 27001 and cloud-specific security controls.
What customer commitments matter most?
expand_more
Important commitments include processing only on customer instructions, limiting disclosure, managing subprocessors, supporting deletion and return, protecting PII, and notifying customers of relevant incidents.
Does ISO 27018 replace privacy law compliance?
expand_more
No. It provides a control framework for cloud PII protection, but organizations still need to map and satisfy applicable privacy laws, contracts, and cross-border transfer obligations.
Official Documentation
Official PDF for ISO/IEC 27018:2025
Official publication or summary for ISO/IEC 27018:2025
Official online resource
International Organization for Standardization (ISO) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for ISO/IEC 27018:2025