PII protection for public clouds

Add ISO 27018 privacy controls to your ISMS

ISO/IEC 27018:2019 is the code of practice for protecting personally identifiable information in public clouds, written for organizations acting as PII processors — assessed alongside ISO 27001 and mapped to GDPR.

What is ISO 27018?

ISO/IEC 27018:2019 is the international code of practice for protecting personally identifiable information (PII) in public clouds. It supplements ISO/IEC 27002 with privacy-specific controls and guidance aimed at organizations that act as PII processors in a public-cloud setting. First published in 2014 and revised in 2019, it was the first international standard dedicated to cloud privacy.

What it adds

ISO 27018 augments the ISMS with controls that address how a cloud provider handles its customers' PII: obtaining consent and respecting purpose limitation, being transparent about subprocessors and the geographic location of data, restricting the use of PII for marketing or advertising without consent, supporting the customer in meeting data-subject requests, and ensuring PII is returned, transferred, or securely disposed of at the end of the relationship.

How it's assessed

Like ISO 27017, ISO 27018 is not a standalone certification — it is assessed as an extension to an ISO 27001 ISMS. Many cloud providers add both 27017 (cloud security) and 27018 (cloud privacy) to the same audit scope.

How episki helps

episki layers ISO 27018 onto your ISMS with a cloud PII inventory, a subprocessor register, and consent and disposal controls — all cross-mapped to ISO 27701 and GDPR so your cloud-privacy evidence does double duty across your privacy program.

ISO 27018 outcomes with episki

Quantify the impact that security and compliance bring to your business.
PII processor
Privacy controls for public-cloud providers acting as PII processors.
27001 add-on
Assessed as an extension of your ISO 27001 ISMS.
GDPR mapped
Controls cross-walked to GDPR and ISO 27701 for evidence reuse.

Why teams choose episki for ISO 27018

Framework-specific automation, collaboration, and reporting in one workspace.
Cloud PII controls
ISO 27018 supplements ISO 27002 with controls for protecting PII in public clouds.
  • Consent, choice, and purpose limitation
  • Transparency on subprocessors and data location
  • Return, transfer, and disposal of PII
Built for processors
Designed for public-cloud providers handling customer PII on their behalf.
  • Customer-controller / provider-processor split
  • No use of PII for advertising without consent
  • Breach notification support to the customer
Reuse privacy evidence
27018 dovetails with ISO 27701 and GDPR work you already do.
  • Crosswalk to ISO 27701 (PIMS)
  • Crosswalk to GDPR articles
  • One audit alongside ISO 27001 / 27017

ISO 27018 readiness inside episki

What a public-cloud PII processor needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • ISO 27001 ISMS in place or in progress
  • PII processing inventory for cloud services
  • Consent, choice, and purpose-limitation controls
  • Subprocessor disclosure and data-location transparency
  • PII return, transfer, and secure disposal procedures
  • Breach notification support to the customer-controller

ISO 27018 accelerators

Cloud privacy accelerators

Demonstrate responsible PII handling without a separate privacy project.
Cloud PII inventory
Track the PII you process per cloud service and its location.
Subprocessor register
Disclose and manage subprocessors handling customer PII.
ISO 27701 / GDPR crosswalk
Reuse your PIMS and GDPR evidence to satisfy 27018.

Add ISO 27018 to your ISMS in episki

Extend your ISO 27001 program with cloud privacy controls and reuse the evidence across GDPR and ISO 27701.