New ISO Code of Practice for Public Cloud Service Providers Processing Personal Data

 In August this year (to not a great deal of fanfare), ISO published a new security standard for cloud services: ISO/IEC 27018Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (“ISO 27018”).  Datonomy reported in May this year, that this new standard was on its way. This publication is a welcome step towards ensuring compliance with the principles of privacy laws and further boosting customer confidence in in cloud computing technologies.

 Here are Datonomy’s questions and answers on this new security standard.  

 What’s the aim of ISO 27018?

 The standard’s aim is to create a common set of security controls that can be implemented by a public cloud computing service provider that is processing personal data on behalf of another party.   

 How is ISO 27018 structured?

 The standard is based on (and follows a similar structure to) ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security controls (“ISO 27002”).  In short, ISO 27018 tailors ISO 27002 for use by a public cloud computing service provider.  The structure breaks down into three key parts:

  1. ISO 27018 provides a reference to ISO 27002 where the controls in ISO 27002 are applicable to cloud computing service providers processing personal data. 
  2. ISO 27018 sets out additional guidance and/or information for these controls, where necessary for cloud computing service providers processing personal data. 
  3. There are additional controls (and associated guidance) in the Annex to the standard which are not covered in ISO 27002.

 What’s in ISO 27018?

 The main section of ISO 27018 covers the same  areas as ISO 27002: Information security policies; Organization of information; Human resource security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity management; and Compliance.

 The Annex to ISO 27018 covers additional areas: Consent and choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance.

 From a legal perspective, ISO 27018 can been seen as having elements of a controller to processor agreement and elements of technical and organizational security measures.

 Who can use ISO 27018?

 ISO states that “ISO 27018 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

 How can ISO 27018 be used?

 The organizations listed above can use the standard to select applicable controls when implementing a cloud computing information security management system and/or as a guidance document for implementing these controls. Like ISO 27002, ISO 27018 does not specify what controls are applicable to what organization.  This is not surprising as it would be near impossible to do so. However, to circumvent this issue, ISO/IEC 27001 requires a risk assessment to be performed to identify what controls are required and to what extent it should be applied. A new ISO 27017  that is still in the pipeline might fill this gap.

 Providers that comply with ISO 27018 will definitely have a better selling argument as they confirm compliance with important data protection standards. There are also good arguments that a self-audit by a provider under ISO 27018 is accepted as proof of compliance with technical and organizational measures (as required, for example, under EU law for data processing agreements).

 What are the limitations of ISO 27018?

 Most of the controls in the standard will also apply to a controller of personal data.  However, the controller will, in most cases, be subject to additional obligations, not included in this standard.

  1. Cloud beyond personal data.  ISO 27017, which has not been published yet, will deal with the application of ISO 27002 to the use of cloud services and to the provision of cloud services generally.  ISO 27018 is focused on cloud services that process personal data.
  2. Legal nuances.  We will have to see if this ISO standard is widely adopted. It is being  heavily promoted by cloud giants.  The standard addresses, broadly, the key obligations in privacy laws around the world (and there are of course large similarities).  However,  there are nuances in privacy laws around the world.  The standard does not address all of these.  Therefore customers and providers alike will still have to consider those nuances. 
  3. Additional sector rules.  There are often additional rules to privacy laws that ISO 27018 doesn’t deal with.  Many readers will be familiar with additional relevant rules imposed in particular industry sectors e.g. the financial services industry, the public sector, the health sector and the education sector.  Customers and providers in these sectors will still have to consider these additional rules.


 This is a helpful standard for the cloud industry.  ISO 27018 is not a management standard (c.f. ISO 27001) and therefore is unlikely to be certified against.  The same is true for ISO 27017.  However, it provides a useful reference guide for customers and suppliers alike – it is the first global standard of its kind and is a suitable means for globally operating providers to demonstrate their data protection/privacy compliance – instead of having to cope with different national standard in various jurisdictions.  If this standard is adopted and accepted widely, then customers and providers can use this standard to evaluate what protections are in place and, more importantly, what’s missing!

One thought on “New ISO Code of Practice for Public Cloud Service Providers Processing Personal Data”

Leave a Reply

Your email address will not be published. Required fields are marked *