What is the primary objective of ISO 27018?

ISO 27018 provides a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. It extends ISO 27001 and ISO 27002 with ~25–30 privacy-specific controls addressing multi-tenancy, subprocessor transparency, consent, purpose limitation, data minimization, breach notification, and restrictions on secondary PII use like advertising without consent.

Who is legally or professionally required to comply with ISO 27018?

ISO 27018 targets public cloud service providers (CSPs) acting as PII processors for customers. It applies to hyperscalers, regional platforms, and sector-specific clouds (e.g., healthcare, finance) processing PII via multi-tenant environments; controllers use it for vendor due diligence, but it excludes controller-specific obligations.

Does ISO 27018 require an external audit or third-party certification?

ISO 27018 requires assessment via external audits as an extension of ISO 27001 certification, not standalone. Accredited bodies under ISO/IEC 17021 and ISO/IEC 27006 evaluate controls in the Statement of Applicability during ISO 27001 Stage 1/2 audits, with certificates valid for three years.

How often should an assessment for ISO 27018 be performed?

ISO 27018 assessments occur annually via surveillance audits and every three years via full recertification within the ISO 27001 cycle. Ongoing internal reviews and gap analyses ensure continual improvement amid cloud changes like new services or subprocessors.

What are the consequences of non-compliance with ISO 27018?

Non-compliance with ISO 27018 risks lost procurement opportunities, regulatory scrutiny under laws like GDPR Article 28, and cyber insurance issues. CSPs face customer distrust, prolonged RFPs, and inability to demonstrate processor obligations, with no direct fines but heightened legal exposure for PII breaches.

Can ISO 27018 be mapped to other international frameworks?

Yes, ISO 27018 maps directly to frameworks like ISO 27017 (cloud security), ISO 27701 (PIMS), and GDPR Article 28 processor obligations. Controls align with ISO/IEC 29100 privacy principles (e.g., transparency, accountability) and OECD guidelines, enabling unified Statement of Applicability integration.

What is the first step to begin implementing ISO 27018?

Conduct a gap analysis against current ISMS practices and ISO 27018 controls. Review documentation, cloud architectures, subprocessors, and Statement of Applicability to identify deficiencies, then develop a prioritized remediation roadmap integrated with ISO 27001.

What is the primary objective of ISO 27017?

ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4). Published in 2015, it addresses shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs), covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations, customer monitoring, and network alignment in public, private, and hybrid clouds.

Who is legally or professionally required to comply with ISO 27017?

No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice. Professionally, CSPs and CSCs with significant cloud footprints adopt it to demonstrate due diligence, meet procurement demands, and integrate into ISO 27001 ISMS for cloud risks like shared responsibility and multi-tenancy.

Does ISO 27017 require an external audit or third-party certification?

*ISO 27017 does not support standalone certification or external audit. It is implemented within an ISO 27001 ISMS, with auditors assessing its 37 extended and 7 CLD controls during ISO 27001 Stage 1/2 audits; certification bodies may reference ISO 27017 conformity as an extension on the ISO 27001* certificate.

How often should an assessment for ISO 27017 be performed?

Assessments for ISO 27017 follow the ISO 27001 cycle: annual surveillance audits and triennial recertification. Controls are reviewed via ongoing risk assessments, with changes in cloud services triggering ad-hoc evaluations to maintain ISMS effectiveness.

What are the consequences of non-compliance with ISO 27017?

*ISO 27017 non-compliance carries no direct penalties, as it is not certifiable or legally binding. Indirect risks include failed ISO 27001* audits, rejected procurement RFPs, regulatory scrutiny for cloud incidents (e.g., misconfigurations causing data breaches), and loss of competitive edge in cloud markets.

Can ISO 27017 be mapped to other international frameworks?

Yes, ISO 27017 maps effectively to frameworks like NIST SP 800-53 and CSA STAR via its ISO 27002 foundation. The 7 CLD controls and 37 extended controls align with cloud security baselines, enabling unified evidence for multi-framework compliance in CSP/CSC environments.

What is the first step to begin implementing ISO 27017?

Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify threats like multi-tenancy and shared responsibilities. Define ISMS scope including cloud services, then map risks to the 37 ISO 27002-extended controls and 7 CLD controls, updating the Statement of Applicability.

Standards Comparison

ISO 27018 vs ISO 27017

ISO 27018

Voluntary

2019

Code of practice for PII protection in public clouds

ISO 27017

Voluntary

2015

International code for cloud-specific security controls

Quick Verdict

ISO 27018 provides privacy controls for PII in public clouds, while ISO 27017 offers security guidance for all cloud services. Companies adopt them to demonstrate robust cloud compliance, build trust, and accelerate procurement in regulated environments.

Cloud Privacy

ISO 27018

ISO/IEC 27018:2019 PII protection in public clouds

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Cloud-specific PII processor controls extension to ISO 27001
Mandatory subprocessor transparency and disclosure requirements
Prohibits PII use for advertising without customer consent
Requires prompt breach notification to PII controllers
Supports data subject rights in multi-tenant environments

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities for CSPs and CSCs
Adds 7 cloud-specific CLD security controls
Addresses multi-tenancy and virtual segregation
Provides VM hardening and configuration guidance
Enables customer monitoring of cloud activities

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 27018 Details

What It Is

ISO/IEC 27018:2019 is an international code of practice extending ISO 27001 and ISO 27002 for protecting personally identifiable information (PII) in public clouds where providers act as PII processors. Its primary scope targets cloud-specific privacy risks like multi-tenancy and cross-border flows, using a risk-based approach integrated into an Information Security Management System (ISMS).

Key Components

Core domains: transparency, contractual obligations, data subject rights support, breach management, data minimization.
~25-30 additional privacy controls mapped to ISO 27001 Annex A's 93 controls.
Built on principles: consent, purpose limitation, accountability.
Assessed via ISO 27001 audits; no standalone certification.

Why Organizations Use It

Enhances customer trust, accelerates procurement, aligns with GDPR Article 28, reduces cyber insurance friction. Offers risk transfer, competitive differentiation for CSPs, and evidence of processor diligence.

Implementation Overview

Layer controls into existing ISMS via gap analysis, policy updates, technical safeguards. Suited for CSPs of all sizes; involves subprocessors disclosure, training, audits. Annual surveillance post-initial certification.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice extending ISO/IEC 27002 with guidance for information security controls in cloud services. It adopts a risk-based approach within ISO 27001 ISMS, targeting public, private, hybrid clouds across IaaS, PaaS, SaaS for CSPs and CSCs.

Key Components

37 ISO 27002 controls with cloud-specific implementation guidance
7 additional CLD controls (e.g., shared responsibilities CLD.6.3.1, VM segregation CLD.9.5.1)
Covers 14 domains like access control, operations security
Integrated compliance model via ISO 27001 audits, no standalone certification

Why Organizations Use It

Addresses cloud risks like multi-tenancy, shared responsibilities
Boosts procurement trust, regulatory alignment (GDPR/CCPA)
Reduces incidents via clear roles, monitoring
Competitive differentiator for CSPs, assurance for customers

Implementation Overview

Gap analysis on existing ISMS, cloud risk assessment
Configure VMs, logging, contracts; use CSPM tools
Applies globally to all sizes, cloud-heavy orgs
Joint ISO 27001 audit in 9-12 months (184 words)

Key Differences

Aspect	ISO 27018	ISO 27017
Scope	PII protection in public clouds	Cloud security controls all data
Industry	Cloud providers handling PII	All cloud providers and customers
Nature	Privacy code of practice	Security code of practice
Testing	ISO 27001 audit extension	ISO 27001 audit extension
Penalties	No legal penalties	No legal penalties

Scope

ISO 27018

PII protection in public clouds

ISO 27017

Cloud security controls all data

Industry

ISO 27018

Cloud providers handling PII

ISO 27017

All cloud providers and customers

Nature

ISO 27018

Privacy code of practice

ISO 27017

Security code of practice

Testing

ISO 27018

ISO 27001 audit extension

ISO 27017

ISO 27001 audit extension

Penalties

ISO 27018

No legal penalties

ISO 27017

No legal penalties

Frequently Asked Questions

Common questions about ISO 27018 and ISO 27017

ISO 27018 FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

One Step at a Time - a 6 Month Plan to Live and Breath DORA

Achieve DORA compliance in 6 months with our detailed plan. Learn implementation sequence, starting steps, pitfalls to avoid, and accelerators for success. Toug

CIS Controls v8.1 Metrics That Matter: KPIs, KRIs, and Dashboards for Board-Ready Cyber Reporting

Quantify CIS Controls v8.1 success with KPIs, KRIs & dashboards. Learn what to measure, calculations, and executive presentations linking security to business r

Proving CIS Controls v8.1 Works: A KPI & Evidence Framework for Board Reporting, Audits, and Continuous Assurance

Prove CIS Controls v8.1 effectiveness with KPI catalog, evidence checklist & reporting cadence. Ideal for board reports, audits & cyber-insurance. Measure outco

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 27018 and ISO 27017 compare against other standards

Other ISO 27018 Comparisons

Other ISO 27017 Comparisons

What It Is

Key Components

Core domains: transparency, contractual obligations, data subject rights support, breach management, data minimization.

~25-30 additional privacy controls mapped to ISO 27001 Annex A's 93 controls.

Built on principles: consent, purpose limitation, accountability.

Assessed via ISO 27001 audits; no standalone certification.

What It Is

Key Components

37 ISO 27002 controls with cloud-specific implementation guidance
7 additional CLD controls (e.g., shared responsibilities CLD.6.3.1, VM segregation CLD.9.5.1)
Covers 14 domains like access control, operations security
Integrated compliance model via ISO 27001 audits, no standalone certification

Why Organizations Use It

Addresses cloud risks like multi-tenancy, shared responsibilities
Boosts procurement trust, regulatory alignment (GDPR/CCPA)
Reduces incidents via clear roles, monitoring
Competitive differentiator for CSPs, assurance for customers

Implementation Overview

Gap analysis on existing ISMS, cloud risk assessment
Configure VMs, logging, contracts; use CSPM tools
Applies globally to all sizes, cloud-heavy orgs
Joint ISO 27001 audit in 9-12 months (184 words)

Aspect

ISO 27018

ISO 27017

Scope

PII protection in public clouds

Cloud security controls all data

Industry

Cloud providers handling PII

All cloud providers and customers

Nature

Privacy code of practice

Security code of practice

Testing

ISO 27001 audit extension

Penalties

No legal penalties