Data protection standard for cloud services
The international standard applies to all types and sizes of organizations, including public and private companies, government agencies, and not-for-profit organizations that provide information processing services as PII processors via cloud computing on behalf of other organizations. The guidelines in this document may also be relevant to organizations acting as PII controllers. However, PII controllers may be subject to additional PII protection laws, regulations, and obligations that do not apply to PII processors. This document is not intended to cover such additional obligations.
ISO/IEC 27018:2020 is applicable to all types and sizes of organizations, including private and public companies, government agencies, and not-for-profit organizations, that provide information processing services via cloud computing in the sense of a PII processor.
Cloud computing information security management system based on ISO 27001
Implementation of generally accepted PII protection controls
Linkage to OECD privacy principles
Internationally recognized compliance gives competitive advantages
Information on the ISO 27018 standard
ISO/IEC 27018 specifies data protection requirements for cloud service providers and formulates monitoring mechanisms and guidelines for implementing controls to ensure the protection of personal data in a cloud environment. In doing so, the standard takes into account data protection requirements that already exist in other areas and adapts them specifically to information security risks in the area of cloud computing.
The current standard was published in August 2020 by the G
Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is available from the ISO website
This standard follows ISO/IEC 27017 (Information security controls for cloud services), which covers other information security aspects of cloud computing than just data privacy.
What are the advantages of an internationally certified cloud standard?
Who is allowed to certify according to ISO 27018?
What are the steps to an ISO 27018 certification?
Your company will be certified on the basis of the international standard ISO/IEC 27001 for an information security management system implemented according to SO/IEC 27018:2019. Once all standard requirements have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS.
In the first step, you will discuss your company, your current information security and the goals of an ISO 27018 certification. Based on these discussions, you will receive an individual offer tailored to your company's needs.
Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor as well as to develop an individual audit program for all involved areas and locations. A pre-audit also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.
The certification audit starts with a system analysis (audit stage 1) and the evaluation of your documentation, the objectives, the results of your management assessment, the review of the scope and the internal audits. In this process, we determine whether your management system is sufficiently developed and ready for certification.
In the next step (system audit stage 2), your DQS auditor assesses the effectiveness of all management processes on site to identify if you meet all the requirements of the standard. A legal expert is added to the audit team to assess the effectiveness of the management system with regard to the applicable data privacy laws. The results are presented at a final meeting and, if necessary, plans for concrete measures are agreed upon.
After the certification audit, the results are evaluated by the independent certification board of DQS. You will receive an audit report documenting the audit results. If all standard requirements are met, you will receive a corresponding certificate of conformity. Its validity is linked to that of the underlying ISO 27001 certificate.
To ensure that your company continues to meet all important requirements after the audit, we conduct surveillance audits on an annual basis. This provides competent support for the continuous improvement of your information security management system and your business processes.
The certificate of conformity is valid for a maximum of three years. Recertification is carried out in good time before expiry to ensure ongoing compliance with the applicable standard requirements of the IT security catalog. Upon compliance, a new certificate of conformity is issued.
What does ISO 27018 certification cost?
What you can expect from us
- Expertise and accreditations for all relevant standards
- Personal, smooth support from our specialists - regionally, nationally, and internationally
- Individual offers with flexible contract terms and no hidden costs