Data protection standard for cloud services

ISO/IEC 27018 contains generally accepted control objectives and guidelines for the protection of personal data in cloud computing. In terms of content, the standard builds on existing security standards - in particular ISO/IEC 27002. However, the requirements relate specifically to the regulation of the processing of personal data in a cloud environment.

The international standard applies to all types and sizes of organizations, including public and private companies, government agencies, and not-for-profit organizations that provide information processing services as PII processors via cloud computing on behalf of other organizations. The guidelines in this document may also be relevant to organizations acting as PII controllers. However, PII controllers may be subject to additional PII protection laws, regulations, and obligations that do not apply to PII processors. This document is not intended to cover such additional obligations.

ISO/IEC 27018:2020 is applicable to all types and sizes of organizations, including private and public companies, government agencies, and not-for-profit organizations, that provide information processing services via cloud computing in the sense of a PII processor.


  • Cloud computing information security management system based on ISO 27001
  • Implementation of generally accepted PII protection controls
  • Linkage to OECD privacy principles
  • Internationally recognized compliance gives competitive advantages

Description of the standard

Information on the ISO 27018 standard

The requirements of ISO 27018 are specific to the protection of personally identifiable information (PII). They are aligned with the implementation recommendations from the ISO 27002:2013 Guide to Information Security Controls, and thus fit seamlessly into an ISO 27001:2013 information security management system. Both standards were revised in 2022, which had a particular impact on the content and structure of the Annex A controls. However, ISO/IEC 27018 continues to refer to the 2013 versions of the standards.

ISO/IEC 27018 specifies data protection requirements for cloud service providers and formulates monitoring mechanisms and guidelines for implementing controls to ensure the protection of personal data in a cloud environment. In doing so, the standard takes into account data protection requirements that already exist in other areas and adapts them specifically to information security risks in the area of cloud computing.

The current standard was published in August 2020 by the G

ISO/IEC 27018:2019, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, is available from the ISO website.

This standard follows ISO/IEC 27017 (Information security controls for cloud services), which covers information security aspects of cloud computing beyond data privacy alone.

Added value

What are the advantages of an internationally certified cloud standard?

In practice, the use of recognized security procedures is a decisive criterion for selecting a cloud provider. This applies all the more to the control rights of the client in the context of commissioned data processing in accordance with national legislation, such as Section 11 (2) No. 7 of the German BDSG. With the introduction of ISO 27018, cloud service providers have the opportunity to align their management system specifically to these data protection requirements and have it assessed.

Who may certify?

Who is allowed to certify according to ISO 27018?

In order to certify an information security management system, the respective certification body itself must be accredited according to ISO/IEC 17021 and ISO/IEC 27006. DQS is accredited by the German accreditation body DAkkS (Deutsche Akkreditierungsstelle GmbH) and therefore authorized to perform audits and certifications according to both ISO/IEC 27001 and ISO/IEC 27018.


What are the steps to an ISO 27018 certification?

Your company will be certified on the basis of the international standard ISO/IEC 27001 for an information security management system implemented according to ISO/IEC 27018:2019. Once all standard requirements have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS.

In the first step, you will discuss your company, your current information security and the goals of an ISO 27018 certification. Based on these discussions, you will receive an individual offer tailored to your company's needs.

Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor as well as to develop an individual audit program for all involved areas and locations. A pre-audit also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.

The certification audit starts with a system analysis (audit stage 1) and the evaluation of your documentation, the objectives, the results of your management assessment, the review of the scope and the internal audits. In this process, we determine whether your management system is sufficiently developed and ready for certification.

In the next step (system audit stage 2), your DQS auditor assesses the effectiveness of all management processes on site to determine whether you meet all the requirements of the standard. A legal expert is added to the audit team to assess the effectiveness of the management system with regard to the applicable data privacy laws. The results are presented at a final meeting and, if necessary, plans for concrete measures are agreed upon.

After the certification audit, the results are evaluated by the independent certification board of DQS. You will receive an audit report documenting the audit results. If all standard requirements are met, you will receive a corresponding certificate of conformity. Its validity is linked to that of the underlying ISO 27001 certificate.

To ensure that your company continues to meet all important requirements after the audit, we conduct surveillance audits on an annual basis. This provides competent support for the continuous improvement of your information security management system and your business processes.

The certificate of conformity is valid for a maximum of three years. Recertification is carried out in good time before expiry to ensure ongoing compliance with the applicable standard requirements of the IT security catalog. Upon compliance, a new certificate of conformity is issued.


What does ISO 27018 certification cost?

Since every company has different prerequisites and individual requirements for a management system, the costs for the audit and certification to ISO 27018 based on ISO 27001 cannot be given as a lump sum. Please contact us: We will be happy to make you a customized offer based on an objective assessment and your requirements.


What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Experienced auditors and experts with a high level of sector expertise and knowledge
  • Value-adding insights into your company
  • Internationally accepted certificates
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally, and internationally
  • Individual offers with flexible contract terms and no hidden costs

Request a quote

Your local contact person

We will be happy to provide you with a customized offer for your ISO 27018 certification.