ISO IEC 27018-2025 PDF

St ISO IEC 27018-2025

Name in English:
St ISO IEC 27018-2025

Name in Russian (translated):
St ISO IEC 27018-2025

Description in English:

Original standard ISO IEC 27018-2025 in PDF full version. Additional info + preview on request

Description in Russian (translated):
Original standard ISO IEC 27018-2025 in PDF, full version. Additional info and preview on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso34137

Price:
€25

Full title and description

Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors. This international standard provides control objectives, controls and implementation guidance tailored to cloud service providers that process PII on behalf of customers, aligning with the privacy principles of ISO/IEC 29100 and the control framework of ISO/IEC 27002.

Abstract

ISO/IEC 27018:2025 (Edition 3) is a code of practice that adapts and extends ISO/IEC 27002 guidance for the public cloud environment, specifying controls and guidelines to protect personally identifiable information (PII) when cloud providers act as PII processors. The 2025 revision aligns the standard with the updated ISO/IEC 27002:2022 structure and includes additional implementation guidance for cloud-specific privacy risks.

General information

  • Status: Published.
  • Publication date: 26 August 2025 (2025-08-26).
  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC); developed by ISO/IEC JTC 1/SC 27.
  • ICS / categories: 35.030 (Information security).
  • Edition / version: Edition 3 (2025).
  • Number of pages: 35.

Scope

This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in the public cloud computing environment where the cloud service provider acts as a PII processor. It is applicable to all types and sizes of organizations that provide information processing services as PII processors via public cloud under contract to other organizations; the guidance can also be relevant for organizations acting as PII controllers. The 2025 edition takes into account regulatory requirements and cloud-specific risks and is aligned to ISO/IEC 27002:2022.

Key topics and requirements

  • Control objectives and controls for protecting PII in public cloud services (collection, storage, processing, transmission, retention and deletion).
  • Clarification of roles and responsibilities between PII controllers (customers) and PII processors (cloud providers).
  • Alignment and mapping to ISO/IEC 27002:2022 controls and privacy principles from ISO/IEC 29100.
  • Guidance on contractual and transparency requirements, data subject rights support, breach notification and lawful access handling.
  • Controls addressing data minimization, retention, pseudonymization/anonymization and secure disposal.
  • Considerations for cross-border transfers, third‑party subprocessors and customer-specified controls.
  • Implementation guidance and examples (including new or expanded annex material in the 2025 edition to support deployment).

Typical use and users

Primary users are public cloud service providers that process PII on behalf of customers and want to implement cloud-specific privacy controls or demonstrate privacy-responsible practices. Secondary users include organizations selecting or auditing cloud providers, consultants, auditors and regulators seeking a consistent set of expectations for PII processing in public clouds.

Related standards

ISO/IEC 27018 is part of the ISO/IEC 27000 family and is commonly used alongside ISO/IEC 27001 (information security management systems), ISO/IEC 27002 (information security controls), ISO/IEC 27017 (cloud security controls) and ISO/IEC 27701 (privacy information management). It complements national and regional privacy laws and cloud guidance by providing cloud-focused implementation guidance for PII processors.

Keywords

PII, personal data, cloud privacy, cloud service provider, PII processor, information security, ISO/IEC 27002, privacy controls, data protection, cloud code of practice.

FAQ

Q: What is this standard?

A: ISO/IEC 27018:2025 is an international code of practice providing guidelines to protect personally identifiable information (PII) processed by public cloud service providers acting as PII processors.

Q: What does it cover?

A: It covers control objectives, controls and implementation guidance tailored to cloud environments for handling PII — including roles and responsibilities, transparency, data subject rights, breach handling and controls aligned to ISO/IEC 27002.

Q: Who typically uses it?

A: Primarily public cloud providers acting as PII processors; also organizations assessing cloud providers, auditors, consultants and regulators.

Q: Is it current or superseded?

A: The 2025 edition (Edition 3), published 26 August 2025, is the current version and supersedes the previous 2019 edition.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family (information security management and related codes of practice) and is designed to be used alongside ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017 and ISO/IEC 27701.

Q: What are the key keywords?

A: Key keywords include PII, personal data, cloud privacy, PII processor, information security, cloud controls and privacy-by-design.