标准简介
ISO/IEC 27018:2025 是由 国际标准化组织 (ISO) 发布的有效标准,常用于科技、服务业、金融银行、医疗健康等行业,并适用于全球等市场。
本页汇总了 ISO/IEC 27018:2025 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。
PII Processor Focus
Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).
No Secondary Use
Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.
Data Deletion Guarantees
Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.
list_alt Key Privacy Controls
- Consent and choice for PII processing purposes
- Purpose limitation — PII processed only as instructed
- No use of PII for advertising or marketing without consent
- Transparent sub-processor disclosure requirements
- Data breach notification obligations to cloud customers
- PII return, transfer, and secure disposal procedures
- Geographic location disclosure for PII storage
- Regular compliance auditing and verification
谁需要合规?
Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.
关键要求
Purpose Limitation
Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.
Sub-Processor Transparency
Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.
Breach Notification
Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.
Data Location and Transfer
Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.
实施路线图
识别公共云 PII 处理
映射提供商作为 PII 处理者的公共云服务,识别客户指示、数据类别、司法辖区、分处理者,以及与 ISO/IEC 29100 相关的隐私原则。
定义处理者隐私控制
建立客户指示、目的限制、同意支持、披露限制、分处理者透明度、数据主体支持、返还和删除,以及执法请求处理的控制。
实施证据和客户承诺
更新云合同、隐私通知、技术控制、加密、访问限制、日志、隔离、事件通知、删除流程和客户审核或保证材料。
维护云隐私保证
监控服务、分处理者、区域、法律和控制变化。为客户尽职调查、ISO 27001 审核和隐私评审刷新证据。
合规检查清单
checklist PII 处理者范围
checklist 隐私控制
checklist 安全和保证
处罚与执行
No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.
常见问题解答
ISO/IEC 27018 用于什么?
expand_more
ISO/IEC 27018 为公共云环境中由云提供商代表客户处理个人身份信息提供控制目标、控制和指南。
ISO 27018 的主要受众是谁?
expand_more
该标准最适用于作为 PII 处理者的公共云服务提供商,客户也可用它评估提供商隐私承诺和保证证据。
ISO 27018 与 ISO 27001 有何关系?
expand_more
ISO 27018 建立在信息安全管理体系之上,并增加云隐私控制。它通常与 ISO 27001 和云安全控制一起评估。
哪些客户承诺最重要?
expand_more
重要承诺包括仅按客户指示处理、限制披露、管理分处理者、支持删除和返还、保护 PII,以及通知客户相关事件。
ISO 27018 是否取代隐私法律合规?
expand_more
不会。它提供云 PII 保护控制框架,但组织仍需映射并满足适用隐私法律、合同和跨境传输义务。