ISO/IEC 27018 certification: Protection of Personally Identifiable Information (PII) in Public Cloud Environments

Organizations increasingly rely on public cloud environments to process personal data, which makes demonstrable and careful protection of personally identifiable information (PII) essential. ISO/IEC 27018 is the international standard for public cloud providers acting as PII processors; it shows that privacy protection is embedded in the service structurally and transparently. With ISO/IEC 27018 certification by Kiwa, you demonstrate that your cloud services comply with internationally recognized privacy principles.


What is ISO/IEC 27018?

ISO/IEC 27018 is an international privacy and security standard that provides guidelines for the protection of personally identifiable information (PII) in public cloud environments. The standard is specifically developed for public cloud service providers acting as PII processors and supports them in meeting legal, contractual and ethical obligations related to privacy and information security. With ISO/IEC 27018 certification, cloud providers demonstrate that they process personal data transparently, carefully and in accordance with internationally recognized privacy principles.

Part of the ISO/IEC 27000 family

ISO/IEC 27018 (full title: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) is part of the ISO/IEC 27000 family of information security standards. It was one of the first international standards fully focused on privacy protection in cloud computing. The standard is based on ISO/IEC 27002 and extends it with specific privacy controls for cloud-based PII processing. In addition, ISO/IEC 27018 aligns with the privacy principles defined in ISO/IEC 29100.

ISO/IEC 27018 provides cloud providers with a framework to:

  • Identify and assess privacy risks
  • Implement appropriate organizational and technical measures
  • Provide transparency to customers regarding the use of personal data

What’s new in ISO/IEC 27018:2025?

The 2025 edition of ISO/IEC 27018 includes important updates that reflect the rapidly evolving cloud and privacy landscape. The standard is fully aligned with ISO/IEC 27002:2022 and introduces additional guidance on:

  • Multi-tenant cloud environments, with increased focus on data separation and customer data protection
  • Supplier and supply chain management, including responsibilities in outsourcing arrangements
  • Modern privacy risks, such as large-scale data processing, international data transfers and increasing transparency requirements
  • A stronger emphasis on accountability and auditability

These updates help cloud providers future-proof their privacy measures and align with current laws and regulations.

Why is ISO/IEC 27018 important?

Cloud computing has become the standard form of IT service delivery. At the same time, privacy and data protection requirements continue to increase. Organizations expect cloud providers to handle personal data responsibly and to be able to demonstrate compliance. 

ISO/IEC 27018 provides an internationally recognized framework that enables cloud providers to:

  • Demonstrate compliance with privacy obligations across multiple jurisdictions
  • Strengthen trust among customers and stakeholders
  • Clearly define responsibilities between data controllers and processors
  • Integrate privacy structurally into their services

Benefits of ISO/IEC 27018 certification

Implementing and certifying against ISO/IEC 27018 offers several benefits, including:

  • Increased customer trust through alignment with international privacy principles
  • Clearer roles and responsibilities between cloud provider and customer
  • Support for compliance with legal and contractual privacy requirements
  • Improved transparency, auditability and accountability in PII processing
  • Promotion of privacy by design in the development and delivery of cloud services
  • A stronger position in tenders and with international customers

Who is ISO/IEC 27018 for?

The standard applies to all forms of PII processing by public cloud providers, including the collection, storage, processing, transmission and deletion of personal data on behalf of customers. This makes ISO/IEC 27018 particularly relevant for:

  • Public cloud service providers acting as PII processors
  • Organizations that want to evaluate or compare cloud providers based on privacy protection
  • Companies that outsource personal data processing and want assurance of compliance by their cloud provider

The standard can be effectively combined with other standards in the ISO/IEC 27000 series, such as ISO/IEC 27001 and ISO/IEC 27017. Note that ISO/IEC 27018 is a code of practice (guidance on controls) rather than a management-system standard with its own auditable requirements; in practice it is therefore certified as an extension of an ISO/IEC 27001 information security management system, with the ISO/IEC 27018 controls included in the scope and Statement of Applicability of that ISMS.

ISO/IEC 27018 certification by Kiwa

Kiwa supports organizations throughout a careful and efficient ISO/IEC 27018 certification process. With many years of experience in sectors such as healthcare and IT, Kiwa offers deep expertise in privacy and information security. Our experienced auditors provide an independent and professional assessment and guide organizations with a pragmatic, customer-focused approach and clear communication throughout the entire process. By choosing Kiwa, you select a reliable ISO/IEC 27018 certification body that actively supports your organization and contributes to a smooth, transparent, and efficient certification process.

Want to learn more about ISO/IEC 27018 certification with Kiwa?
Contact us for a no-obligation conversation or a customized quotation.