ISO/IEC 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors


ISO/IEC 27018 is an international standard written specifically for cloud services, in response to the large number of public and private organizations moving their information services into the cloud in order to become more efficient and to lower their costs.

Because ISO/IEC 27018 is written for the cloud, it provides a critical level of transparency for clients of cloud services who want to understand and compare different public cloud service providers and the way each of them ensures the security and protection of personal data, or personally identifiable information (PII).

ISO/IEC 27018 can be applied in organizations of various types and sizes, such as public and private companies and governmental and non-governmental organizations that provide services as administrators of personally identifiable information and contract the use of cloud services to other organizations. The standard also contains useful guidance for organizations acting as controlling bodies over those that process personally identifiable information. It should be noted, however, that the standard does not cover the additional obligations of controlling bodies that stem from legal and regulatory requirements.

The standard aims to provide a common set of security controls that can be implemented by a cloud service provider acting as an administrator of personally identifiable information.

Objectives of ISO/IEC 27018:

  • To assist public cloud service providers in meeting the applicable requirements for PII processing, whether these requirements apply directly or stem from a contract for PII processing;
  • To ensure that the services supplied by a public cloud service provider are transparent and accessible, so that clients are able to select quality services for PII processing in the cloud;
  • To assist the client of cloud services and the administrator of PII in the cloud when signing a contract or an agreement;
  • To give clients of cloud services mechanisms of control over the PII they keep in the cloud.


Structure:
ISO/IEC 27018 follows the structure used by the other ISO standards for information security management in the 27000 series. The standard is closely integrated with ISO/IEC 27002 "Information technology – Security techniques – Code of practice for information security controls", and its requirements for information security management have been expanded to cover the management of PII in a cloud environment.

Implementation of ISO/IEC 27018 by a public cloud service provider guarantees to its users that:

  • Providers process PII only in accordance with clients' instructions;
  • Providers agree not to process PII for marketing purposes without the client's express consent;
  • Providers implement appropriate security measures;
  • Providers do not share information except when required by law;
  • Providers ensure transparency regarding their data processing practices.
