ISO 27018 Protection of Personally Identifiable Information

What is 27018?

ISO/IEC 27018:2019 is an information security code of practice for cloud service providers who process personally identifiable information (PII) on behalf of their customers. It extends ISO/IEC 27001:2013 and ISO/IEC 27002 with additional security controls, and details the privacy requirements and privacy-related security control enhancements that cloud service providers are expected to implement.

It is complementary to ISO 27017:2015, Security Control for Cloud Services, and to ISO 27701:2019, Privacy Information Management, both of which also extend ISO 27001:2013.

As an extension to ISO 27001, ISO 27018 provides guidance on 16 existing ISO 27002 controls and adds 25 new privacy and security controls covering:

  • The requirement to cooperate with PII controllers
  • The maintenance of PII principals’ rights
  • Compliance with fundamental privacy requirements, such as data minimisation and accuracy
  • The principles of transparency and accountability
  • Additional security controls
  • Requirements for sub-contracted processing