
ISO/IEC 27018:2025 – Code Of Practice For Protecting Personally Identifiable Information (PII) In Public Clouds


The Internet has advanced the global economy immensely, and the emergence of various web-connected devices or “things” accelerates the delivery of technology’s many benefits for organizations of all sizes. However, this is a double-edged sword; while enormous potential has been made possible by the Internet, its proliferation has introduced more openings for cybercrime. In fact, it is estimated that worldwide cybercrime is going to cost $10.5 trillion in 2025, representing the greatest transfer of economic wealth in history.

IT security is an anxiety-inducing issue in the digital age, as its threats can be unseen, disastrous, and ever-looming. The ISO/IEC 27000 family of international standards has been tasked with combating this issue by letting organizations filter through the chaos. A document in this series, ISO/IEC 27018:2025 – Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors has been released.

What Is ISO/IEC 27018:2025?

ISO/IEC 27018:2025 sets “commonly accepted control objectives, controls and guidelines for implementing measures” to protect personally identifiable information (PII)—“any information that can be used to establish a link between the information and the natural person to whom such information relates, or is or can be directly or indirectly linked to a natural person”—in line with the privacy principles found in ISO/IEC 29100:2011.

Compared to other information technology security standards, ISO/IEC 27018:2025 takes a somewhat different perspective. While many standards are oriented around protecting an organization from cybercrime, ISO/IEC 27018:2025 works to protect the information that an organization’s customers and other stakeholders have entrusted to the organization.

This standard is intended to be used in conjunction with the information security objectives and controls found in ISO/IEC 27002 to create a common set of security categories and controls for implementation by a public cloud computing service provider. It follows the structure of ISO/IEC 27002 in describing the controls, and where a control requires the additional context of public cloud PII protection, additional guidance is provided.

The public cloud service provider acts as the PII processor, or the “privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller.” In fulfilling this intention, ISO/IEC 27018:2025 is meant to help the public cloud service provider comply with applicable obligations when acting as a PII processor, enable the public cloud PII processor to be transparent in relevant matters for the benefit of the customer, assist the cloud service customer and public cloud PII processor in entering into a contractual agreement, and provide cloud service customers with the ability to exercise audit and compliance rights and responsibilities.

To fulfill this last purpose, it is crucial that an organization adhering to ISO/IEC 27018:2025 identifies its various needs for the protection of PII. The three main sources of these needs are risks, corporate policies, and legal, statutory, regulatory, and contractual requirements. These, of course, can vary between organizations and locations. For example, the notable General Data Protection Regulation (GDPR) places greater requirements on organizations that process PII from data subjects residing in the European Union.

There is also Annex A in ISO/IEC 27018:2025, which covers “Public cloud PII processor extended control set for PII protection.” This section features additional controls meant to address public cloud PII protection, such as the secure erasure of temporary files and PII disclosure notification.

How Does ISO/IEC 27018:2025 Relate to Other Standards?

Since the ISO/IEC 27000 series is positioned around providing a harmonized approach towards handling an organization’s IT security risks, ISO/IEC 27018:2025 is intertwined with several other related standards.

When it comes to this series and the management of cybersecurity risks at the organization level, the seminal document is ISO/IEC 27001:2022 – Information Technology – Security Techniques – Information Security Management Systems – Requirements. This standard specifies the framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Under the standard’s guidance, an organization can position itself towards progress and respond to the ever-evolving risk environment of cyberspace.

ISO/IEC 29100:2011 – Information Technology – Security Techniques – Privacy Framework gives a policy framework that specifies common terminology, defines the actors and associated roles in processing PII, describes privacy safeguarding considerations, and provides references to known IT privacy principles.

ISO/IEC 27018:2025 refers to ISO/IEC 27002 in its scope: it follows the ISO/IEC 27002 controls and provides additional information where necessary. ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls helps organizations select security controls while implementing an ISMS in accordance with ISO/IEC 27001:2022.

Changes to ISO/IEC 27018:2025

ISO/IEC 27018:2025 is the third edition of the international standard for protecting PII in public clouds. In revising the previous edition from 2019, this standard saw the following changes:

  • The text was aligned with ISO/IEC 27002:2022
  • New Annex B was added to provide backwards compatibility with the 2019 edition of the document

ISO/IEC 27018:2025 – Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors is available on the ANSI Webstore. It is also part of the following standards packages:

  • ISO/IEC 27018 / ISO/IEC 29100 / ISO/IEC 27001 – Public Clouds Privacy Framework Package
  • ISO/IEC 27002 / ISO/IEC 27017 / ISO/IEC 27018 – IT Security Controls for Cloud Services Package
  • ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 – General Data Protection Regulation Package
