
    ISO/IEC 27018:2019 — Public cloud privacy (PII) controls

    • What it is: A code of practice establishing commonly accepted control objectives, controls, and guidelines to protect Personally Identifiable Information (PII) in the public cloud.
    • Core context: Designed for organisations acting as public cloud PII processors, aligned to the privacy principles in ISO/IEC 29100.
    • What it adds to ISO/IEC 27001: (1) PII-specific implementation guidance and (2) an additional control set addressing public-cloud PII processing requirements.
    • Key control themes (examples from the standard):
      • Support PII principal rights (access/correction/erasure) via capabilities the customer can use.
      • Purpose limitation: PII must not be processed for purposes independent of customer instructions.
      • No marketing/advertising use without express consent (and consent must not be a condition of service).
      • Disclosure handling: Notify customers of legally binding disclosure requests (subject to lawful constraints) and record disclosures (what, to whom, when).
      • Sub-processor transparency: Disclose the use of subcontractors processing PII before use (with contractual transparency/consent concepts).
      • PII breach notification: Promptly notify the customer of unauthorised access/loss/disclosure/alteration affecting PII and define notification terms contractually.
      • Return/transfer/disposal: Maintain and provide a policy for return/transfer/disposal and enable erasure (including backups/BC copies) once no longer needed for the customer’s purposes.

    The prerequisites required by the Cyber Security Centre include a current (within 3 months) ISO 27001 certification or surveillance audit. This forms the foundation for successful attestation.


    ISO/IEC 27018 Attestation

    A code of practice for protecting personally identifiable information (PII) in public cloud services based on ISO/IEC 27018:2025.

    ISO/IEC 27018 provides privacy-specific guidance for public cloud service providers (CSPs) when they act as PII processors—that is, when they process personal data on behalf of their customers. Built on ISO/IEC 27001, it helps translate privacy principles into practical, auditable controls tailored to cloud delivery, and it complements an ISO/IEC 27001:2022 Information Security Management System (ISMS).

    The standard supports responsible, transparent, and secure handling of PII throughout the cloud data lifecycle—collection, storage, processing, transmission, and deletion—and helps organizations address common cloud privacy expectations, including:

    • Clear roles and responsibilities between the cloud provider (processor) and the customer (typically the controller)
    • Limits on processing to documented customer instructions and agreed purposes
    • Controls for disclosure, lawful access requests, and transparency to customers
    • Sub-processor (third-party) governance and contractual privacy requirements
    • Secure deletion, return, and disposal of PII at end of service or on request
    • Auditability, accountability, and privacy-by-design practices for cloud services (including updated guidance aligned to ISO/IEC 27001:2022)

    If you operate a cloud service or you rely on public cloud providers to process PII, Cyber Security Centre’s ISO/IEC 27018 overview and readiness support can help you understand the standard’s requirements, map responsibilities, and identify the practical control and evidence expectations needed to demonstrate conformance.

    What is ISO/IEC 27017?

    ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public cloud environments where the cloud service provider acts as a PII processor. It extends ISO/IEC 27001 by adding privacy-specific control guidance to help organizations manage personal data in the cloud and demonstrate stronger accountability for how that data is handled. It provides cloud privacy guidance across key areas such as:

    • Clear rules for processing PII only in line with the customer’s instructions
    • Restrictions on using PII for advertising or marketing without consent
    • Greater transparency over data handling, subcontracting, and cross-border transfers
    • Support for data subject rights, including access, correction, and deletion
    • Protection of PII through secure deletion, return, and disposal processes
    • Appropriate technical and organizational measures for safeguarding personal data
    • Breach and incident management processes relevant to PII in the cloud

    Cyber Security Centre’s ISO/IEC 27018 attestation helps organizations understand the standard’s requirements, implement the relevant privacy controls, and demonstrate independent assurance over the protection of personal information in cloud services.

    How will a cloud service provider benefit from ISO 27018 Attestation?

    • Inspires trust – demonstrates disciplined, transparent handling of PII in public cloud environments and increases customer confidence.
    • Competitive advantage – supports procurement, tender, and assurance requirements where privacy controls are explicitly assessed.
    • Protects your brand reputation – reduces the likelihood and impact of privacy incidents, complaints, and adverse publicity.
    • Supports regulatory and contractual compliance – helps meet applicable privacy obligations and strengthens processor commitments in customer contracts.
    • Enables growth – provides a globally recognized reference point for consistent privacy controls across regions, customers, and cloud offerings.

    How will cloud service customers benefit from ISO 27018?

    ISO/IEC 27018 is purpose-built for public cloud service providers acting as PII processors, and it is also highly relevant for organizations evaluating cloud providers or outsourcing personal data processing. It extends ISO/IEC 27001 with cloud-specific implementation guidance for PII protection and complements an ISO/IEC 27001:2022 ISMS—helping both technical and risk stakeholders make clearer decisions about provider selection, contract terms, oversight, and ongoing assurance.

    Research Analysis

    As a cyber security research organization, Cyber Security Centre provides evidence-based insight across a broad range of cyber security and privacy topics. Our professional staff hold postgraduate qualifications (Master’s level and above), with several undertaking PhD research, enabling us to deliver practical guidance grounded in current research and industry practice.