ISO/IEC 27018
Demonstrate strong cloud personal-data handling with ISO/IEC 27018.
PII Controls Gap: Against 27018's cloud PII-processor controls
Within Your Audit: Assessed inside the ISO 27001 audit
Privacy Assurance: Proof of strong cloud personal-data handling
Cloud Privacy Team: Cloud personal-data specialists

What it is
ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) processed in public clouds by organisations acting as PII processors. It extends ISO/IEC 27002 with privacy controls covering consent, transparency, data return and deletion, and breach notification, and directly supports the processor obligations in GDPR Article 28.
Who must comply
Public cloud providers and SaaS vendors that process customer or end-user personal data on behalf of clients, especially where those clients are themselves bound by GDPR.
How IntelligenceX helps
Frequently Asked Questions
No. 27018 demonstrates good cloud-PII handling and strongly supports GDPR processor obligations, but GDPR compliance is a legal determination. We map 27018 controls to GDPR Article 28.
If you process personal data in the cloud, yes. 27017 secures the cloud; 27018 governs the personal data inside it. We commonly run both extensions in parallel.
Yes. Both are extensions assessed within your ISO 27001 audit scope, so when you process personal data in the cloud we usually run them together, sharing evidence and a single audit: 27017 secures the cloud environment and 27018 governs the personal data inside it.