ISO 27018 ensures that personal data is processed securely within the cloud
Jessica Doering

November 25, 2022


Protection of Personally Identifiable Information (ISO 27018) under ISO 27001!

Meet the laid-back member of the ISO 27k family - ISO 27018! 

ISO/IEC 27018 is an international standard that provides guidelines for protecting personally identifiable information (PII) when it is processed in a public cloud computing environment, aimed at cloud service providers acting as PII processors.

And since we wanted more detail, and since TISAX seems to be the go-to solution for protecting customer and prototype data, ISO 27018 was up for an interview! He had something to say too!

And not to brag, but our guest is the first international standard developed specifically for protecting personal data in cloud computing.

Purpose of ISO 27018

Q: So what is your purpose? 

A: My controls help cloud service providers mitigate security risks to personal data. 

Q: So it's getting personal? 

A: Kinda.

Q: You’re also part of the ISO 27k clan, and that alone makes you interesting…

A: Yes, it's a nice burden to be part of my family. 

Q: So your job is to protect personal information? 

A: Yes, I like it face to face. 

Q: Do you like the official description of yourself?

Official wording of ISO (International Organization for Standardization): This document establishes generally accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

A: I mean, I'm fine with that. The key words like controls, policies, and protection of personal data are included, so it's already clear what role I play.

Q: And your mother, aka ISO 27002, is also mentioned. Doesn't she also deal with vulnerability management on a daily basis? And how is your sister ISO 27017 doing? 

A: Sorry, you can find their resumes on other blogs. Today it's all about me! 

Q: Okay, we respect that but maybe we need to talk about your granny.

A: Yeah, I know. ISO 27001. Without her, I would be nothing, so that's okay.

Q: So what is your scope?

Scope of ISO 27018

A: I ensure the secure processing of personal data in the cloud. I've always loved going deeper into the subject matter, you know. So, my scope is to establish common policies for the handling of personal data by public clouds acting as processors on behalf of their clients.

Q: What exactly are you providing? 

A: I provide guidance for cloud service providers on selecting and implementing security controls based on my granny ISO 27001 and my mom ISO 27002.

These guidelines are then relied on by data controllers who have their personal data processed in the cloud. The controllers, in turn, are still subject to additional obligations, which I do not cover further.

Difference between ISO 27017 & ISO 27018 & TISAX

Q: Isn't that the same thing your sister (ISO 27017) does?

A: No, she is more concerned with specific guidelines for securing cloud environments. I, on the other hand, address the legal requirements for protecting personal data. I often have conversations with data controllers. They are usually looking for adequate security for the cloud services they use. And that's where I can help with my guidelines, of course!

Q: So you know TISAX? I mean, you got some similarities or not?

A: Well, we know each other, but my grandmother (ISO 27001) and my mother (ISO 27002) actually cover everything concerning TISAX well. When it comes to explicit protection of personal data, I'm just on board. But the prototype-protection story is already a TISAX thing. And that's fine as far as it goes. But actually we are a very large, highly and widely developed ISO 27k matriarchy and therefore have the power to cover everything that concerns an ISMS.

Benefits of ISO 27018

Q: Well, and what are your benefits?

A: Again, my main benefit is that I provide a guide to protecting personal data in the cloud. In doing so, I help companies demonstrate compliance with data protection regulations... And I also contribute to ISO 27001 certification! A family goal, you know.

Q: Anything you wanna brag about?

A: I myself am even certifiable, although I need both my grandmother's certification (ISO 27001) and my sister's permission (ISO 27017) to do so. Well, as I said: matriarchy. However, this is not a certificate as for ISO 27001; it is more an independently verified certification, and the same is true for my sister. Still, it is something to brag about. I do that less than she does. Well.

Q: Seems you have some beef with your sister?

A: Absolutely not! If my sister makes it through the audit successfully, I can be audited in the same audit right away. That's why it's always a nice reunion, since we live quite far apart. I am a bit dependent on her, but she has never disappointed me.

Controls of ISO 27018

Q: Do you have some stats?

A: You want me to list them?

Q: Yes!

A: Alright, I provide a guide with 16 controls for my mother's business (ISO 27002) and 25 new privacy and security controls that are just mine :)

In some cases I'm supplementing my sister (ISO 27017)... and my controls deal with this:

  • The obligation to cooperate with personal data controllers.
  • Safeguarding the rights of PII principals.
  • Adherence to basic data protection requirements, such as data minimization and accuracy.
  • The principles of transparency and accountability.
  • Additional security controls.
  • Requirements for processing by subcontractors.

Q: In summary, you cover important data protection requirements for cloud computing and regulate the processing of personal data?

A: Yes!

Q: Quite Confident! 

A: Why not? After all, in the 27k family we work with each other, and I have to admit that I don't go to every family party either. However, my independently verified certification is also a strong badge, as I am, after all, confirming the highest possible information security of your cloud services! Of course, this creates trust between companies, their suppliers and their customers.

Q: Any last words?

A: Yeah, book a consultation with Secfix!
