ISO/IEC 27018 Certification (Protection of PII in Public Clouds)
A practical guide to privacy controls for cloud service providers processing personal data — often implemented with ISO/IEC 27001 and ISO/IEC 27701.
What ISO/IEC 27018 is (in operational terms)
ISO/IEC 27018 is a privacy code of practice for public cloud service providers (CSPs) that process personally identifiable information (PII) as processors. It helps customers understand and trust a provider’s privacy commitments and operational controls.
Common audit focus areas
- Clear PII processing roles (processor obligations) and customer transparency.
- PII use limitations (no processing beyond customer instructions) and control enforcement.
- Subprocessor management, customer notification, and contract commitments.
- Access controls and personnel confidentiality for PII handling.
- Secure deletion/return processes and retention alignment.
- Incident notification and evidence of response workflows.
Typical evidence pack (examples)
- PII data flow mapping + processor obligations mapping.
- Subprocessor register + due diligence records.
- Deletion/return procedures + sampling evidence.
- Access review evidence for PII admin roles.
- Privacy incident response playbooks + case records.
Related certificates
ISO/IEC 27018 is often paired with ISO/IEC 27001 and ISO/IEC 27701.
Next step
Want a clear path to certification?
Send your scope and target date and we’ll reply with an implementation path and quotation.