BM TRADA Logo Library
Get a quote

Protection of Personally Identifiable Information

ISO 27018

ISO 27018: 2019 is the Code of Practice for protecting personal information in public clouds.

ISO 27018: Protection of Personally Identifiable Information

What is 27018?

ISO/IEC 27018:2019 is an information security code of practise for cloud service providers who process personally identifiable information for their customers. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls. It details privacy requirements and security control enhancements for privacy to be implemented by cloud service providers.
 
It is complementary to ISO 27017:2015, Security Control for Cloud Services, and to ISO 27701:2019, Privacy Information Management, both of which also extend ISO 27001:2013.
 
As an extension to ISO 27001, ISO 27018 provides guidance on 16 ISO 27002 controls, as well as providing 25 new privacy and security controls:
  • The requirement to cooperate with PII controllers
  • The maintenance of PII principals’ rights
  • Compliance with fundamental privacy requirements, such as data minimisation and accuracy
  • The principles of transparency and accountability
  • Additional security controls
  • Requirements for sub-contracted processing

Benefits of ISO 27018 Certification

Reduce risk icon

Reduce risk

It helps reduce the risk of a privacy breach and fines from the ICO.

Customer assurance icon

Customer assurance

Provides external assurance to customers that personal information processed in the cloud by the cloud service provider is managed in a compliant manner.

Alternative to ISO 27701 icon

Alternative to ISO 27701

It may be considered an appropriate alternative to ISO 27701 in the cloud services processor context.

Extends and enhances certification icon

Extends and enhances certification

It extends and enhances a clients ISO 27001 certification.

Privacy framework icon

Privacy framework

Provides a comprehensive privacy framework for cloud service providers who want increased assurance on the privacy compliance of their cloud services.

Steps to Certification

  1. Step 1

    Complete a Quote Request Form so we can understand you and your business. We will then use this to personally prepare a proposal for your certification and define what is known as your 'scope of assessment'.

  2. Step 2

    We will then contact you to book your assessment with an NQA assessor. It consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been operational for a minimum of three months and has been subject to a management review and a full cycle of internal audits.

  3. Step 3

    Following a successful stage two audit, a decision is made. If positive, your certification will be issued by NQA, with both a hard and soft copy of the certificate awarded. Certification is valid for three years and maintained through surveillance audits (years one and two) and a recertification audit in year three.

See more details

Information Security Toolkit 2013

ISO 27001 FAQs

ISO 27701 Implementation Guide

ISO 27001 Information Security Checklist

ISO 27001 27017 27018 27701 Mapping

Risk Assurance Brochure

Integrated Quote Request Form

Information Security Management Training

Measuring Operational Resilience Method

Annex SL Comparison Tool

Gap Analysis

CityFibre Case Study

Is Your Management System Integrated?

Need a Consultant?

Download Certification Logos

Combining ISO 27001 with ISO 9001 Gap Guide