標準簡介
ISO/IEC 27018:2025 是由 國際標準化組織 (ISO) 發布的現行有效標準,常用於科技、服務業、金融銀行、醫療健康等產業,並適用於全球等市場。
本頁整理了 ISO/IEC 27018:2025 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。
PII Processor Focus
Specifically designed for public cloud providers acting as PII processors — establishing controls for handling personal data on behalf of cloud customers (PII controllers).
No Secondary Use
Cloud providers must not process PII for advertising or marketing purposes unless expressly instructed by the cloud customer — a key protection against data monetization.
Data Deletion Guarantees
Requires cloud providers to have policies and procedures for the timely return, transfer, and secure disposal of PII when the service agreement ends.
list_alt Key Privacy Controls
- Consent and choice for PII processing purposes
- Purpose limitation — PII processed only as instructed
- No use of PII for advertising or marketing without consent
- Transparent sub-processor disclosure requirements
- Data breach notification obligations to cloud customers
- PII return, transfer, and secure disposal procedures
- Geographic location disclosure for PII storage
- Regular compliance auditing and verification
誰需要合規?
Public cloud service providers that process personally identifiable information on behalf of their customers. Also relevant for organizations evaluating cloud providers for PII processing compliance, particularly in regulated industries.
關鍵要求
Purpose Limitation
Process PII only for the purposes specified by the cloud service customer. Do not use PII for advertising, marketing, or any secondary purpose without explicit customer authorization.
Sub-Processor Transparency
Disclose all sub-processors involved in PII processing before engagement. Provide cloud customers with the ability to approve or object to sub-processor changes.
Breach Notification
Implement processes to notify cloud service customers without undue delay in the event of a data breach involving their PII. Provide sufficient information for customers to meet their own notification obligations.
Data Location and Transfer
Disclose the countries and geographic regions where PII may be stored or processed. Ensure international transfers comply with applicable legal frameworks and customer requirements.
實施路線圖
識別公共雲 PII 處理
映射提供商作爲 PII 處理者的公共雲服務,識別客戶指示、數據類別、司法轄區、分處理者,以及與 ISO/IEC 29100 相關的隱私原則。
定義處理者隱私控制
建立客戶指示、目的限制、同意支持、披露限制、分處理者透明度、數據主體支持、返還和刪除,以及執法請求處理的控制。
實施證據和客戶承諾
更新雲合同、隱私通知、技術控制、加密、訪問限制、日誌、隔離、事件通知、刪除流程和客戶審覈或保證材料。
維護雲隱私保證
監控服務、分處理者、區域、法律和控制變化。爲客戶盡職調查、ISO 27001 審覈和隱私評審刷新證據。
合規檢查清單
checklist PII 處理者範圍
checklist 隱私控制
checklist 安全和保證
處罰與執行
No direct legal penalties — ISO/IEC 27018 is a voluntary code of practice. However, adherence demonstrates due diligence for GDPR, CCPA, and other privacy regulations. Cloud providers without ISO 27018 attestation may lose contracts with privacy-conscious customers.
常見問題解答
ISO/IEC 27018 用於什麼?
expand_more
ISO/IEC 27018 爲公共雲環境中由雲提供商代表客戶處理個人身份信息提供控制目標、控制和指南。
ISO 27018 的主要受衆是誰?
expand_more
該標準最適用於作爲 PII 處理者的公共雲服務提供商,客戶也可用它評估提供商隱私承諾和保證證據。
ISO 27018 與 ISO 27001 有何關係?
expand_more
ISO 27018 建立在信息安全管理體系之上,並增加雲隱私控制。它通常與 ISO 27001 和雲安全控制一起評估。
哪些客戶承諾最重要?
expand_more
重要承諾包括僅按客戶指示處理、限制披露、管理分處理者、支持刪除和返還、保護 PII,以及通知客戶相關事件。
ISO 27018 是否取代隱私法律合規?
expand_more
不會。它提供雲 PII 保護控制框架,但組織仍需映射並滿足適用隱私法律、合同和跨境傳輸義務。