Standard Overview
ISO/IEC 27018:2019 is a standard in force published by the International Organization for Standardization (ISO). It is commonly used in the technology, services, finance and banking, and healthcare industries, among others, and applies to global markets.
This page compiles the official documentation for ISO/IEC 27018:2019, its current status, and the certification or assessment bodies commonly associated with it, so that readers can quickly understand its requirements and the path to implementing them.
PII Processor Focus
Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).
No Secondary Use
Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.
Data Deletion Guarantees
Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.
Key Privacy Controls
- Consent and choice for PII processing purposes
- Purpose limitation — PII processed only as instructed
- No use of PII for advertising or marketing without consent
- Transparent sub-processor disclosure requirements
- Data breach notification obligations to cloud customers
- PII return, transfer, and secure disposal procedures
- Geographic location disclosure for PII storage
- Regular compliance auditing and verification
Who Needs to Comply?
Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.
Key Requirements
Purpose Limitation
Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.
Sub-Processor Transparency
Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.
Breach Notification
Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.
Data Location and Transfer
Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.
Penalties & Enforcement
No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.