ISO 27018: Privacy in the cloud


The use of cloud services has become an indispensable driver of efficiency for many public and private organisations.

Given how widespread this model has become, data protection supervisory authorities have for some years warned data controllers about the risks of a lack of transparency regarding how, and by whom, their data is processed, as well as the loss of control over personal data sent to the "cloud".


The specific risks associated with the adoption of cloud solutions therefore concern three things: the security of company data and business processes; the security of data protected by data protection law (in this document limited to personal data processed by the company as Data Controller); and the correct application of that law as a whole, not only its security requirements.

With reference to the Privacy Code, the proper context in which to analyse these new risks and identify adequate countermeasures is the process of identifying the suitable and preventive security measures required by art. 31 of Legislative Decree 196/03, which also reduces the risk of civil disputes.

All of these aspects need to be addressed when defining the contract that regulates the provision of cloud computing services. That contract is one of the cornerstones of the risk management strategy specific to cloud computing, both for regulatory compliance and, more generally, for corporate data security: the customer remains the Data Controller, so the obligations the provider takes on must be written down and verifiable.

ISO/IEC 27018

ISO/IEC 27018 is the first international standard to define control objectives, controls and implementation guidance for the protection of personally identifiable information (PII) in public clouds. It is built on the ISO/IEC 27002 controls, is intended to be applied within an ISO/IEC 27001 information security management system, and follows the privacy principles of ISO/IEC 29100. It is addressed to public cloud providers that process PII on behalf of their customers, i.e. that act as PII processors.

The objective of the standard is to provide a structured, privacy-by-design approach to the main legal and contractual issues raised by managing personal data in the distributed IT infrastructures of the public cloud model.

The specific countermeasures introduced by ISO/IEC 27018 are based on established international privacy principles. These principles should guide the design, development, implementation, monitoring and measurement of privacy policies and privacy controls in cloud computing services.


CSQA offers an extended assessment covering the ISO/IEC 27018 personal data protection controls to organisations that already hold ISO/IEC 27001 certification, leading to the issue of an ISO/IEC 27018 certificate.
</grreplace>
<gr_replace lines="32-40" cat="remove_boilerplate" orig="Would you like">

The activity has the following objectives:
  • Help cloud service providers address applicable legal obligations as well as customer expectations
  • Facilitate the definition of contracts for cloud services
  • Improve the transparency and credibility of cloud services
  • Increase customer trust

Would you like to have more informations?

Contact us

Download - Documents and pdf

Fill out the form below in order to access the resource you requested

Fields marked with an asterisk (*) are required