ISO/IEC 27018 Certification - Protection of Personally Identifiable Information (PII) in Public Cloud
With benefits like scalability, cost-effectiveness, balancing of load across multiple servers, convenience of easy accessibility, fast data delivery speeds and assured business continuity, more and more organisations today are opting to ‘move to the cloud’. As most of the data entrusted by organisations to public cloud service providers (CSPs) includes Personally Identifiable Information (PII) like bank records, credit and debit card numbers, personal and family details, health reports, insurance details, passport information, driver’s licences, Aadhar card numbers, biometric scans and others, it becomes critical to protect it from security threats.
A security breach in public-cloud-based PII can severely impact large volumes of data and may even result in identity theft, financial and personal losses or the hacking of sensitive information for a large number of people. Hence, customers of cloud-based service providers who host sensitive PII would like to ensure that all the necessary cyber security checks and safeguards have been implemented. A PII security incident attracts regulatory fines and reputational damage for the cloud service providers (CSPs) as well as their customers. To avoid such breaches, there is a need for an efficient information security management system, specifically customised for the security and privacy scrutiny of PII protection in public clouds.
What is ISO/IEC 27018?
ISO/IEC 27018 is a standard that serves as a set of guidelines, or a code of conduct, for selecting PII protection controls when implementing a cloud computing information security management system based on ISO/IEC 27001. It also helps implement commonly accepted PII protection controls for organisations that offer information processing services as PII processors and PII controllers via public cloud computing under a contract or agreement.
While ISO/IEC 27001 safeguards an organisation’s own assets, ISO/IEC 27018 helps CSPs protect the information assets entrusted to them by their customers or data owners. This is especially critical when customers ask CSPs to process highly sensitive or critical PII, such as financial or defence-related information. The ISO/IEC 27018 standard is also based on the guidelines of ISO/IEC 27002 and the privacy principles of ISO/IEC 29100, and focuses on the regulatory mandates for PII protection in the information security risk environments of public clouds.
Why is ISO/IEC 27018 Important?
Given the manifold increase in security incidents over the last few years, safeguarding cloud-hosted sensitive data that holds PII has gained prime importance. The international standard ISO/IEC 27018 can help mitigate the risk of data compromise for public cloud PII. The standard ensures that a cloud service provider has appropriate procedures in place for handling PII.
The ISO/IEC 27018 standard is often treated by data owners as an independent measure for evaluating and comparing privacy controls when selecting a public cloud CSP; hence, it can give you a competitive advantage. Data owners and customers of CSPs expect them to offer enhanced IT security in the presence of an ever-changing threat landscape and dynamic attack vectors.
The ISO/IEC 27018 standard aims to provide transparency for cloud service customers and data owners so that they have a clear understanding of what cloud service providers are doing with respect to the security and protection of personal data. Thus, adhering to the guidelines of the ISO/IEC 27018 standard can help you mitigate the risk of a data breach in public cloud PII and win customer confidence.
HOW CAN WE HELP YOU?
TÜV SÜD has the expertise and experience to assess your organisation's cloud security as per the requirements of ISO/IEC 27018. Through a detailed assessment, we can identify the minimum amount of PII protection that you need to implement to avoid cyber-attacks.
While conducting this assessment, we consider your legal requirements to retain each type of PII and the practical requirements to ensure your business runs smoothly. During and after the assessment, we maintain complete transparency towards customers and data owners about the acquisition, maintenance and recovery mechanisms for PII data.
FOUR STEPS TO CERTIFICATION
Step 1: Get in touch with us to receive a customised quote, including detailed costs, planning and the time required
Step 2: We conduct an in-depth assessment
Step 3: The report is released to you
Step 4: Issuance of the ISO/IEC 27018 certification
Your benefits at a glance
- Instil confidence – ISO/IEC 27018 enables data owners and CSPs to win their customers’ trust by ensuring that preventive measures have been implemented to avoid the compromise of PII or critical data.
- Gain a competitive edge – Customers and data owners prefer CSPs who implement security measures against data breaches over those who do not have the right PII protection safeguards in place.
- Enhance reputation – By mitigating the risk of a data breach, you avoid reputational damage and continue to strengthen your market position.
- Avoid penalties – Meet regulatory compliance requirements to avoid the fines and penalties levied globally and nationally for data breaches and other cyber-attacks.
- Marketing advantage – ISO/IEC 27018 implements many security safeguards and also has provisions for confidentiality agreements with CSP staff involved in PII processing, and for their training. Thus, CSPs who opt for ISO/IEC 27018 gain a unique marketing advantage over others.
- Faster adaptation – As compliance with ISO/IEC 27018 can be easily incorporated into the Master Service Agreement, contracts can be streamlined without loss of time.
- Mitigate risk – The ISO/IEC 27018 standard not only safeguards the access, storage, transmission and processing of data, it also defines the data recovery and restoration strategy for the CSP.
- Optimise cost – By avoiding data compromise, you not only enhance your reputation but also save the cost of expensive PII restoration efforts for your customers.