Current international standard. Last updated: January 2019

ISO/IEC 27018:2019

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds

Publishing organization: International Organization for Standardization (ISO)

Standard Overview

ISO/IEC 27018:2019 is a current standard published by the International Organization for Standardization (ISO). It is commonly used in the technology, services, finance and banking, and healthcare industries, and applies to markets worldwide.

This page collects the official documents for ISO/IEC 27018:2019, its current status, and the certification and assessment bodies commonly associated with it, so that readers can quickly understand its requirements and the path to implementation.


PII Processor Focus

Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).


No Secondary Use

Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.


Data Deletion Guarantees

Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.

Key Privacy Controls

  • Consent and choice for PII processing purposes
  • Purpose limitation — PII processed only as instructed
  • No use of PII for advertising or marketing without consent
  • Transparent sub-processor disclosure requirements
  • Data breach notification obligations to cloud customers
  • PII return, transfer, and secure disposal procedures
  • Geographic location disclosure for PII storage
  • Regular compliance auditing and verification

Who Needs to Comply?


Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.

Key Requirements

1. Purpose Limitation

Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.

2. Sub-Processor Transparency

Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.

3. Breach Notification

Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.

4. Data Location and Transfer

Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.

Penalties & Enforcement


No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.


Implementation Timeline

  • 2014: ISO/IEC 27018:2014 first edition published — world's first cloud privacy code of practice
  • January 2019: ISO/IEC 27018:2019 second edition published with clarifications on controller/processor roles
  • 2020: Major cloud providers adopt ISO 27018 as standard attestation
  • 2025: ISO/IEC 27018:2025 third edition published with updated alignment
