ISO 27018
Protection of PII in Public Cloud Services
Demonstrate responsible handling of personal data in your cloud environment — building trust with customers and regulators while aligning with Indonesia's UU PDP and global privacy standards.
Overview
ISO/IEC 27018 is a code of practice focused on the protection of Personally Identifiable Information (PII) in public cloud computing environments. It provides specific controls for cloud service providers acting as PII processors — organizations that handle personal data on behalf of their clients.
With Indonesia's Personal Data Protection Law (UU PDP No. 27/2022) now in force, cloud service providers and SaaS companies processing customer personal data face new accountability obligations. ISO 27018 directly addresses these concerns, providing a recognized framework for cloud privacy controls that regulators, enterprise clients, and data subjects can trust. Tobias helps cloud-based businesses implement ISO 27018 as part of a broader privacy and security program.
Key Benefits
UU PDP & GDPR Alignment
ISO 27018 controls directly support compliance with Indonesia's UU PDP and, where applicable, GDPR obligations for cloud data processors.
Build Trust with Enterprise Clients
Enterprise clients increasingly require cloud vendors to demonstrate certified privacy controls before entrusting personal data — ISO 27018 is a recognized proof point.
Reduce Data Breach Exposure
Implement controls specifically designed to prevent unauthorized access, disclosure, and misuse of personal data stored in cloud environments.
Transparent Data Processing
ISO 27018 requires clear documentation of what personal data is processed, for what purpose, and under what retention and deletion policies — reducing regulatory risk.
Key Requirements
1. Consent & Purpose Limitation
PII must only be processed for the purposes agreed with the cloud service customer. Use for marketing or secondary purposes without explicit consent is prohibited.
2. Transparency of Sub-processors
Cloud providers must disclose the use of sub-processors that may handle PII and obtain customer consent before engaging them.
3. Data Return & Deletion
Customers must be able to retrieve their PII and have it securely deleted — including from backup systems — upon contract termination.
4. Access Controls & Encryption
Implement strong access controls and encryption for PII at rest and in transit, with documented key management procedures.
5. Breach Notification
Establish procedures to promptly notify cloud customers of any PII breaches, enabling them to fulfill their own notification obligations to regulators and data subjects.
Frequently Asked Questions
Is ISO 27018 certifiable?
Like ISO 27017, ISO 27018 is a code of practice rather than a standalone certifiable standard. Certification bodies typically include ISO 27018 controls within an ISO 27001 certification scope — so you can achieve audited assurance against ISO 27018 controls as part of your ISO 27001 ISMS certification.
How does ISO 27018 relate to UU PDP?
UU PDP requires data processors to implement appropriate security measures and maintain accountability for personal data. ISO 27018 provides the specific technical and organizational controls to meet these obligations in cloud environments. Implementing ISO 27018 significantly strengthens your UU PDP compliance posture as a cloud-based data processor.
Do I need ISO 27001 first?
ISO 27018 is built on top of ISO 27001 and ISO 27002. While you can implement ISO 27018 controls independently, you get the most value — and the strongest audit position — when ISO 27018 is layered onto an existing ISO 27001 ISMS. Tobias can help you implement both together efficiently.
How does ISO 27018 differ from ISO 27701?
ISO 27018 focuses specifically on PII protection in public cloud services, targeting cloud providers acting as data processors. ISO 27701 is broader — it extends ISO 27001 to cover privacy information management for any organization, whether controller or processor, cloud or on-premise. Many cloud businesses implement both.