verified_user
Standardful
首页chevron_right标准chevron_rightISO/IEC 27018:2025
有效国际标准update 标准更新:2025年8月fact_check 事实核查:2026年6月28日

ISO/IEC 27018:2025

信息技术 安全技术 公有云中个人身份信息保护实践指南

apartment发布组织:国际标准化组织 (ISO)

标准简介

ISO/IEC 27018:2025 是由 国际标准化组织 (ISO) 发布的有效标准,常用于科技、服务业、金融银行、医疗健康等行业,并适用于全球等市场。

本页汇总了 ISO/IEC 27018:2025 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。

privacy_tip

PII Processor Focus

Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).

do_not_disturb_on

No Secondary Use

Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.

delete_forever

Data Deletion Guarantees

Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.

list_alt Key Privacy Controls

  • Consent and choice for PII processing purposes
  • Purpose limitation — PII processed only as instructed
  • No use of PII for advertising or marketing without consent
  • Transparent sub-processor disclosure requirements
  • Data breach notification obligations to cloud customers
  • PII return, transfer, and secure disposal procedures
  • Geographic location disclosure for PII storage
  • Regular compliance auditing and verification

谁需要合规?

groups

Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.

关键要求

1

Purpose Limitation

Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.

2

Sub-Processor Transparency

Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.

3

Breach Notification

Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.

4

Data Location and Transfer

Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.

实施路线图

1
阶段 1schedule 预计周期: 3-6 周

识别公共云 PII 处理

映射提供商作为 PII 处理者的公共云服务,识别客户指示、数据类别、司法辖区、分处理者,以及与 ISO/IEC 29100 相关的隐私原则。

2
阶段 2schedule 预计周期: 4-8 周

定义处理者隐私控制

建立客户指示、目的限制、同意支持、披露限制、分处理者透明度、数据主体支持、返还和删除,以及执法请求处理的控制。

3
阶段 3schedule 预计周期: 8-16 周

实施证据和客户承诺

更新云合同、隐私通知、技术控制、加密、访问限制、日志、隔离、事件通知、删除流程和客户审核或保证材料。

4
阶段 4schedule 预计周期: 持续进行

维护云隐私保证

监控服务、分处理者、区域、法律和控制变化。为客户尽职调查、ISO 27001 审核和隐私评审刷新证据。

合规检查清单

0 / 12

checklist PII 处理者范围

checklist 隐私控制

checklist 安全和保证

处罚与执行

warning

No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.

常见问题解答

ISO/IEC 27018 用于什么?

expand_more

ISO/IEC 27018 为公共云环境中由云提供商代表客户处理个人身份信息提供控制目标、控制和指南。

ISO 27018 的主要受众是谁?

expand_more

该标准最适用于作为 PII 处理者的公共云服务提供商,客户也可用它评估提供商隐私承诺和保证证据。

ISO 27018 与 ISO 27001 有何关系?

expand_more

ISO 27018 建立在信息安全管理体系之上,并增加云隐私控制。它通常与 ISO 27001 和云安全控制一起评估。

哪些客户承诺最重要?

expand_more

重要承诺包括仅按客户指示处理、限制披露、管理分处理者、支持删除和返还、保护 PII,以及通知客户相关事件。

ISO 27018 是否取代隐私法律合规?

expand_more

不会。它提供云 PII 保护控制框架,但组织仍需映射并满足适用隐私法律、合同和跨境传输义务。

官方文档

查看全部

实施时间线

rocket_launch
2014年
ISO/IEC 27018:2014 first edition published — world's first cloud privacy code of practice
update
2019年1月
ISO/IEC 27018:2019 second edition published with clarifications on controller/processor roles
cloud
2020年
Major cloud providers adopt ISO 27018 as standard attestation
check_circle
2025年8月
ISO/IEC 27018:2025 third edition published with updated alignment

相关分类