ISO/IEC 27018 Certification

ISO/IEC 27018 Certification

Meet regulatory requirements for PII controls via cloud computing

Meet regulatory requirements for PII controls via cloud computing


With a rise in privacy data breaches and new regulations like the GDPR, any business which stores its customers’ private details on your cloud will seek assurances that you take private data protection seriously. Introduced in 2014, ISO/IEC 27108 gives a framework for assessing how well they protect personally identifiable information (PII) in public clouds.

ISO/IEC 27018 guidelines helps to protect the highly sensitive or critical PII of your organization and your customers. It also includes provisions for confidentiality agreements with CSP/CSC staff for PII processing and training. While ISO/IEC 27018 certification is not mandatory, it is increasingly recognised as the industry standard.


If you store any kind of PII in cloud environment, ISO/IEC 27018 compliance audits can be invaluable. An assessment helps you to identify any vulnerabilities in your architecture and resolve them fast.

Becoming certified provides several key benefits:

  • Follow best practices ISO/IEC 27018 audits help you to follow best practices around protection PII in cloud, so you can be confident that your environments are safe
  • Mitigate risk and reputational damage - Safeguard the access, storage, transmission and processing of PII data in cloud by following ISO/IEC 27018 guidelines and avoid damaging data breaches
  • Gain a competitive edge - As more organisations attain ISO/IEC 27018 certification, those which do not may struggle to win new contracts
  • Clearly define responsibilities - ISO/IEC 27018 helps to define which areas of PII you are responsible for, and which your customers must take care of. This improves clarity and avoids misunderstandings.
  • Win customer trust - A third-party certification by TÜV SÜD demonstrates your commitment to information security. Many new cloud customers will now demand evidence that you are able to protect PII in cloud and may require you to fill out extensive checklists to prove it – showing you have ISO/IEC 27018 certification could save you time and effort providing this information


TÜV SÜD is trusted around the world for our cloud assessment expertise. We employ leading professionals across our global network who have the proven knowledge required to provide complete cloud PII security assessments as per the ISO/IEC 27018 guidelines. As TÜV SÜD is vendor agnostic, our assessments are both impartial and independent, meaning you and your end customers can trust us for reliable assessments.

We work with both major household-name CSPs as well as a wide variety of smaller cloud service providers and can adapt our processes to your needs and requirements.


Frequently Asked Questions


  • What is the ISO 27018 certification process?

    The ISO 27018 certification process is as follows:

    1. Informational Meeting:
    This meeting involves asking and answering relevant questions, jointly planning the next steps, discussing the project, and an optional pre-audit.
    2. Review of documents and on-site audit:
    This step includes reviewing the management system’s description, evaluating readiness, verifying the ability to provide required customer assistance, and implementing documented statements into the daily practice.
    3. Assessment and audit report:
    Evaluation of the management system and report of the site visit.
    4. Documentation process:
    After meeting the certification requirements, the organisation receives a document of certification.
    5. Annual Audit:
    An annual audit monitors the progress, performance, and continued implementation of the standard.
    6. Recertification process:
    Repeating steps 2 through 6 is necessary for recertification three years after initial certification.


  • What are the requirements for ISO 27018?

    ISO/IEC 27018 expands on the implementation guidance for security controls in ISO/IEC 27002. It controls the division of duties for data protection. For ISO 27018 compliance, the additional security measures cover:

    ● PII encryption requirements for transmitting and storing needs
    ● A secure termination plan for any PII that is unnecessary
    ● A cloud service agreement explaining the purpose of PII processing
    ● Information governance assurance from a stable cloud service provider
    Additional security measures are also required because ISO 27018 certification requires cloud providers to demonstrate their expertise in safeguarding their clients’ personally identifiable information (PII).


  • What is the difference between ISO 27001 and 27018?

    The standards ISO/IEC 27018 and ISO/IEC 27001 support cloud service providers and help them follow the best practices for managing data. While the ISO 27018 standard is a revised framework primarily focusing on Personally Identifiable Information (PII), ISO 27001 is an information security management system (ISMS) Standard.


  • Who needs ISO 27018 certification?

    Many companies utilise cloud-based services for different purposes, such as storage, processing power, and even application software. The ISO 27018 standard applies to all businesses and other organisations that provide cloud-based personal data processing services.

    The development of supplementary implementation regulations for security controls is based on the ISO 27001, ISO 27002, and ISO 27017 standards to ensure sufficient data protection. As a result, ISO 27018 certification is advantageous for all businesses. It assures the clients of the cloud service provider that their personal information is handled and managed in a secure and compliant way.



ISO/IEC 27018

ISO/IEC 27018

Enhance cloud security for personally identifiable information

Download now

ISO/IEC 27017

ISO/IEC 27017

Implement robust information security controls to safeguard cloud services

Download now

iso/iec 27001 Information security management system

ISO/IEC 27001 Information security management system

Secure your knowledge and information with a systematic approach


ISO/IEC 20000 IT service management

ISO/IEC 20000 IT service management

Adopt a systematic approach to IT service improvement



Next Steps

Site Selector