
Built on the controls of ISO/IEC 27002, ISO/IEC 27018 adds cloud-specific controls and principles so that a cloud service provider acting as a PII processor handles personally identifiable information (PII) responsibly, transparently, and securely.
The standard matters because cloud computing has become the default service delivery model, so organizations must ensure that personal data stored and processed in the cloud is adequately protected.
ISO/IEC 27018 helps cloud service providers meet their legal, contractual, and ethical obligations regarding PII.
It supports compliance across jurisdictions, builds customer trust, and provides a clear framework for protecting personal data in the cloud.
What's new in version 2025?
- Alignment with other standards: The standard is aligned with the latest versions of related standards, such as ISO/IEC 27002:2022, for greater consistency and integration between security controls.
- Greater clarity on roles: The distinction between the PII processor (typically the cloud service provider) and the PII controller (typically the cloud service customer) is drawn more precisely, with an emphasis on monitoring of processing activities and on accountability.
- Subprocessor management: The new version gives more explicit guidance on how responsibilities and security requirements are managed when PII is processed by subprocessors.
- Transparency and accountability: Greater emphasis is placed on transparency, including timely notification of breaches and auditability of data management practices.