ISO/IEC 27018 - Protection of Personally Identifiable Information (PII) in Public Cloud

Code of protection of Personally Identifiable Information (PII) in Public Cloud

A security breach involving Personally Identifiable Information (PII) held in a public cloud can affect very large volumes of data and may result in identity theft, financial and personal losses, or the exposure of sensitive information for a great many people. A PII security incident attracts regulatory fines and reputational damage for the cloud service providers (CSPs) as well as their customers. To avoid such breaches, an effective information security management system is needed, specifically tailored to the security and privacy scrutiny that PII protection in public clouds requires.

What is ISO/IEC 27018 and why is it important?

ISO/IEC 27018 is a standard that serves as a guideline, or code of conduct, for selecting PII protection controls when implementing a cloud computing information security management system based on ISO/IEC 27001. It also helps organisations that offer information processing services as PII processors and PII controllers via public cloud computing, under a contract or agreement, to implement commonly accepted PII protection controls.

Given the manifold increase in security incidents over the last few years, safeguarding cloud-hosted sensitive data that contains PII has become a top priority. The international standard ISO/IEC 27018 helps mitigate the risk of data compromise for PII in public clouds. Conformance with the standard demonstrates that a cloud service provider has appropriate procedures in place for handling PII.


TÜV SÜD has the expertise and experience to assess your organisation's cloud security against the requirements of ISO/IEC 27018. Through a detailed assessment, we can identify the minimum set of PII protection controls that you need to implement to reduce the risk of cyber-attacks.


  • Instil confidence – ISO/IEC 27018 enables data owners and CSPs to win their customers' trust by demonstrating that preventive measures have been implemented to avoid the compromise of PII or other critical data. By mitigating the risk of a data breach, you avoid reputational damage and continue to strengthen your market position.
  • Competitive advantage – ISO/IEC 27018 implements many security safeguards and also provides for confidentiality agreements with, and training of, the CSP staff who process PII. CSPs that adopt ISO/IEC 27018 therefore gain a distinct competitive advantage over others.
  • Avoid penalties – Meet regulatory compliance requirements to avoid the fines and penalties levied nationally and globally for data breaches and other cyber-attacks.
  • Mitigate risks and optimise costs – The ISO/IEC 27018 standard not only safeguards the access, storage, transmission and processing of data, it also defines the data recovery and restoration strategy for the CSP. By avoiding data compromise, you not only protect your reputation but also save the cost of expensive PII restoration efforts for your customers.

