ISO IEC 27018-2019 PDF

St ISO IEC 27018-2019

Name in English:
St ISO IEC 27018-2019

Name in Russian:
St ISO IEC 27018-2019

Description in English:

Original ISO IEC 27018-2019 standard, full version in PDF. Additional information and a preview are available on request.

Description in Russian:
Original ISO IEC 27018-2019 standard, full version in PDF. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25975

Choose Document Language:
€25

Full title and description

Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. A specialised code of practice that adapts ISO/IEC 27002 controls and privacy principles to the context of public cloud service providers that process PII on behalf of cloud customers.

Abstract

ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and implementation guidance to protect personally identifiable information (PII) processed by public cloud service providers acting as PII processors. It interprets and augments ISO/IEC 27002 for cloud environments, taking into account regulatory and contractual requirements, and is intended to improve transparency, accountability and trust between cloud providers and their customers.

General information

  • Status: Withdrawn / replaced (superseded by ISO/IEC 27018:2025).
  • Publication date: January 2019 (Edition 2).
  • Publisher: ISO and IEC (joint publication by ISO/IEC JTC 1/SC 27).
  • ICS / categories: 35.030 (Security of information technology).
  • Edition / version: Edition 2 (2019).
  • Number of pages: 23 pages.

Scope

Provides guidelines for public cloud service providers that act as PII processors, describing how to apply and supplement the information security controls in ISO/IEC 27002 to protect PII in cloud computing environments. The standard is applicable to all types and sizes of organisations that provide public cloud information processing services under contract to other organisations. It is focused on processor obligations and guidance; PII controllers may have additional legal and regulatory obligations outside the scope of this code of practice.

Key topics and requirements

  • Mapping and adaptation of ISO/IEC 27002 controls for cloud PII processing.
  • Control objectives and controls specific to PII protection in a multi-tenant public cloud.
  • Transparency and contractual obligations: disclosure of processing, sub‑processors and audit rights.
  • Requirements for breach notification and incident management with respect to PII.
  • Data subject rights support and assistance to controllers (where applicable).
  • Guidance on retention, disposal and secure deletion of PII held in the cloud.
  • Security measures: segregation of customer data, access control, encryption and key management.
  • Operations and monitoring controls appropriate to virtualised and shared cloud infrastructure.
  • Considerations for international transfers, jurisdictional issues and regulatory compliance.
  • Recommendations for contractual clauses, service descriptions and transparency reporting to customers.

Typical use and users

Intended for public cloud service providers (IaaS, PaaS, SaaS) and organisations that evaluate or contract cloud providers. Typical users include cloud security and privacy teams, compliance and legal departments, auditors and certification bodies, cloud customers assessing vendor risk, and consultants implementing cloud privacy controls.

Related standards

Commonly used alongside and referenced with: ISO/IEC 27001 (ISMS requirements), ISO/IEC 27002 (information security controls), ISO/IEC 27017 (cloud security guidance), ISO/IEC 27701 (privacy information management), ISO/IEC 29100 (privacy framework), ISO/IEC 17788 (cloud computing vocabulary) and ISO/IEC 27005 (information security risk management).

Keywords

PII, personal data, public cloud, cloud service provider, privacy, information security, code of practice, ISO/IEC 27002, data protection, breach notification, sub‑processor, transparency, contractual obligations.

FAQ

Q: What is this standard?

A: ISO/IEC 27018:2019 is a code of practice that specifies control objectives, controls and guidelines for protecting personally identifiable information (PII) processed by public cloud service providers acting as PII processors.

Q: What does it cover?

A: It covers how to adapt and apply ISO/IEC 27002 information security controls to the public cloud context, with additional guidance on transparency, contractual arrangements, sub‑processor disclosure, breach reporting, data retention and assistance to controllers for data subject rights.

Q: Who typically uses it?

A: Public cloud providers, their security and privacy teams, auditors and certification bodies, cloud customers performing vendor assessments, legal and compliance teams, and consultants working on cloud privacy implementations.

Q: Is it current or superseded?

A: The 2019 edition (Edition 2) was published in January 2019 and has since been superseded by a later edition published in 2025; the 2019 document is withdrawn and the 2025 edition is the current active standard.

Q: Is it part of a series?

A: Yes. ISO/IEC 27018 is part of the ISO/IEC 27000 family of information security standards and is intended to be used together with ISO/IEC 27001 and ISO/IEC 27002, and it links to other cloud and privacy standards such as ISO/IEC 27017, ISO/IEC 27701 and ISO/IEC 29100.

Q: What are the key keywords?

A: PII, personal data, public cloud, cloud provider, privacy, data protection, transparency, breach notification, sub‑processor, ISO/IEC 27002.