Contact us Client area Consultant area Careers Newsletter sign up
Global Certification Body
menu Created with Sketch. close Created with Sketch.
Infosec
ISO 27018

Protection of Personally Identifiable Information

ISO 27018

ISO 27018: 2019 is the Code of Practice for protecting personal information in public clouds.

Book training

ISO 27018: Protection of Personally Identifiable Information

What is 27018?

ISO/IEC 27018:2019 is an information security code of practise for cloud service providers who process personally identifiable information for their customers. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls. It details privacy requirements and security control enhancements for privacy to be implemented by cloud service providers.
 
It is complementary to ISO 27017:2015, Security Control for Cloud Services, and to ISO 27701:2019, Privacy Information Management, both of which also extend ISO 27001:2013.
 
As an extension to ISO 27001, ISO 27018 provides guidance on 16 ISO 27002 controls, as well as providing 25 new privacy and security controls:
  • The requirement to cooperate with PII controllers
  • The maintenance of PII principals’ rights
  • Compliance with fundamental privacy requirements, such as data minimisation and accuracy
  • The principles of transparency and accountability
  • Additional security controls
  • Requirements for sub-contracted processing

Get in touch

Helps you with

  • Customer trust
  • Brand reputation
  • Competitive advantage
  • Data breaches
  • Continued confidentiality
  • Meet compliance
  • Risk management
  • Improved security
  • Procurement

Other risk management standards:

ISO 27001 training

Steps to Certification

  1. Step 1

    Complete a Quote Request Form so that we can understand your company and requirements. You can do this by completing either the online quick quote or the online formal quote request form. We will use this information to accurately define your scope of assessment and provide you with a proposal for certification.

  2. Step 2

    Once you’ve agreed to your proposal, we will contact you to book your assessment with an NQA Auditor. This assessment consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and full cycle of internal audits.

  3. Step 3

    Following a successful two stage audit, a certification decision is made and if positive, then certification to the required standard is issued by NQA. You will receive both a hard and soft copy of the certificate. Certification is valid for three years and is maintained through a program of annual surveillance audits and a three yearly recertification audit.

See more details

Information Security Toolkit

ISO 27001 FAQs

ISO 27001 Implementation Guide

ISO 27701 Implementation Guide

ISO 27001 Information Security Checklist

ISO 27001 27017 27018 27701 Mapping

Integrated Quote Request Form

ISO 27001 in relation to GDPR video

Download Certification Logos

ISO 9001 to ISO 27001 Gap Guide

Annex SL Comparison Tool

Gap Analysis

Related ISO 27001 Content

Implementing ISO Security and Privacy Frameworks to Meet the New York SHIELD Act summary image

10 March 2021

Implementing ISO Security and Privacy Frameworks to Meet the New York SHIELD Act
ISO 27001 - Non-Conformities in Clause 7 summary image

24 February 2021

ISO 27001 - Non-Conformities in Clause 7
The Birth of ISO 27701:2019 summary image

02 February 2021

The Birth of ISO 27701:2019

What's next

Get in touch today to begin your journey to a greener, more sustainable business and a member of our team will be in touch to discuss your requirements: