ISO 27018: Data protection standards for the cloud

February 5, 2015

In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.

ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII. 

The standard requires cloud service providers to, among other things:

  • only process PII in accordance with the customer’s instructions;
  • only process PII for marketing or advertising purposes with the customer’s express consent;
  • implement tools that enable customers to comply with PII access, removal and correction requirements;
  • disclose to the customer the identity of subcontractors and any possible locations where PII may be processed;
  • ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training;
  • only disclose PII to governmental or regulatory authorities when legally obligated to do so; and
  • assist customers in complying with notification obligations in the event of a security breach.

The standard may be of particular interest to customers in highly regulated industries, such as financial services and insurance, since compliance by a customer’s service providers with the standard may provide a better quality of assurance to the customer’s regulators.
