Home » ISO Certification » ISO 27018

ISO 27018 (PII)

Protection of Personally Identifiable Information (PII)

ISO 27018 is the global standard which organisations use to implement and manage systems that protect Personally Identifiable Information (PII), such as sensitive customer data. It is part of the broader ISO 27001 and ISO 27002 standards, but ISO 27018 focuses on safeguarding PII data on cloud services. Having effective systems for your organisation to become ISO certified increases customer trust and helps meet data protection regulations.

Request a Quote

Enter your details below to get started on
your journey to certification.

What Is ISO 27018?

In the ISO 27000 series, ISO 27018 holds a pivotal role, operating as a global standard dedicated to strengthening the safeguarding of Personally Identifiable Information (PII) within cloud environments.

Organisations seeking this ISO certification aim to:

• Enhance protection of PII: implement robust measures aligned with ISO/IEC 29100 privacy principles to improve the protection of Personally Identifiable Information.
• Demonstrate compliance and expertise: obtain ISO 27018 certification from an accredited certification body, demonstrating proficiency in cloud data protection and compliance with its standards.
• Address specific cloud security concerns: showcase readiness in addressing cloud-specific security concerns, thereby instilling confidence in stakeholders.
• Foster trust and accountability: build trust among customers and stakeholders by showcasing a commitment to responsible data handling and cloud security practices.

What Are the Benefits of ISO 27018?

Competitive
advantage

Brand
protection

Risk
reduction

Compliance
assurance

Global business
opportunities

Increased
client trust

Cost
savings

More
flexibility

Mobile
accessibility

Data
safeguarding

Misuse risk
mitigation

Regulatory
compliance

Key Requirements of ISO 27018

The ISO 27018 standard outlines a number of requirements that organisations must meet to demonstrate their commitment to protecting personally identifiable information (PII). These include:

Usage consent

Cloud service providers should not use any of their clients' personally identifiable information for advertising and marketing unless explicitly instructed by the data controller.

Data transparency

In case of sub-contracting, cloud providers must inform customers about the data processing details, including subprocessing, implementing function, location and any change related to this.

Data disclosure

Service providers must disclose the geographic location of data, meaning the cloud provider must give the data controllers the ability to restrict the storage and processing of their data.

Robust security
measures

Cloud providers need to implement and maintain appropriate technical and organisational measures to protect PII from accidental or unlawful loss, edits, unauthorised disclosure or access.

Data breach
notifications

In the event of a data breach, the service provider must promptly notify the data controller and have policies and procedures in place to respond to and report about such incidents.

Secure data
handling

When the contractual agreement ends, the cloud service provider must return, transfer, or dispose of personal data in its possession as per the instruction of data controller.

Why You Should Choose Amtivo

• Ireland-based team that understands your needs
• Five-star ratings, independently reviewed via Feefo
• A wide range of training courses to build your expertise
• Access to a global team with global resources

Request a Quote

Becoming ISO 27018 Certified

STEP 1

STEP 2

STEP 3

STEP 4

STEP 5

Stage One The initial assessment determines if the mandatory requirements of the standard are being met and if the management system is capable of proceeding to
Stage Two.

Stage Two The second assessment determines the effectiveness of the system, and seeks to confirm that the management system is implemented and operational.

Recommendation for Certification At this point in the process we review any corrective actions taken to address findings raised at Stage 1 & 2. Certification may be recommended.

Certification Review & Decision The organisations files are reviewed by an independent and impartial panel and the certification decision is made.

Certification Achieved Successful certification is communicated to the client. Certificates are issued.

STEP 1

Stage One The initial assessment determines if the mandatory requirements of the standard are being met and if the management system is capable of proceeding to
Stage Two.

STEP 2

Stage Two The second assessment determines the effectiveness of the system, and seeks to confirm that the management system is implemented and operational.

STEP 3

Recommendation for Certification At this point in the process we review any corrective actions taken to address findings raised at Stage 1 & 2. Certification may be recommended.

STEP 4

Certification Review & Decision The organisations files are reviewed by an independent and impartial panel and the certification decision is made.

STEP 5

Certification Achieved Successful certification is communicated to the client. Certificates are issued.

Implementing ISO 27018

Elevating your Personally Identifiable Information (PII) Management System to meet ISO 27018 standards is a collective effort involving a variety of departments. Training courses are essential to prepare your teams and support them in understanding this certification. Amtivo offers a variety of ISO 27018 training courses, both online and face-to-face, to meet your needs. 

Our trainer-led courses are delivered by PII management experts, these courses cover implementation strategies, auditing techniques and continuous improvement practices. 

ISO 27018 Training Courses

• Introduction Training

Related Resources

ISO Buyer’s Guide

Download our ISO Buyer's Guide to read our expert tips and learn how you can simplify the certification process.

Learn More

Steps to ISO Certification

Our ISO Certification Guide provides a comprehensive introduction to the assessment process covering everything from pre-assessment to recertification audits.

Learn More

Certification Process

Download our free guide to learn the simple steps required to achieve certification and discover how the process works.

Learn More

See All Resources

Related ISO 27018 Insights

What Are the Security Issues in Cloud Computing?

Check out our tips for addressing security issues in cloud computing and protecting your organisation with cloud services.

Learn More

What Is Big Data? Challenges and Solutions

Understand Big Data and discover the solutions to issues that organisations can face. Learn how ISO 27001 can help your business.

Learn More

Keeping Customer Data Secure – a Data Security Guide

Learn the importance of data security, GDPR compliance, and how Cyber Essentials can boost your cyber protection.

Learn More

IT Security and Cyber Safety Tips for Employees

Read our IT safety advice and discover ISO 27001 and Cyber Essentials certifications – a robust framework for your business.

Learn More

See More Insights

ISO 27018 FAQs

What is ISO 27018:2019?

ISO 27018:2019 is the latest standard in the ISO 27018 collection. Amtivo assessors only provide accreditation to organisations to the latest standard.

What industries implement ISO 27018?

ISO 27018 certification is suitable for any organisation, large or small, in any sector.

The standard is especially suitable for protecting personal data such as payroll, HR or client’s payment details stored in a cloud environment. All organisations that collect, process and store personal data must demonstrate compliance with GDPR and show how they protect data.

If your organisation is already implementing an ISO 27001 ISMS, then you are covered for 70% of the regulations within ISO 27018. However, if you are operating using cloud base technologies then this standard has been seen as an effective bolt-on standard as companies wish to demonstrate GDPR compliance specifically with data that is stored on the cloud.

How long does the ISO 27018 certification last?

ISO 27018 certification lasts for approximately three years. During this period, assessors are required to complete routine surveillance assessments every six months to ensure compliance with ISO 27018 standards.

Sign Up to Our Newsletter

Enter your details below to stay up to date with all the latest certification news and expert insights.

Related ISO Certifications

ISO 9001

Certification to ISO 9001 is one way to demonstrate to stakeholders and customers that you are committed and able to consistently deliver high quality products.

Learn More

ISO 14001

Want to better manage your environmental impact and lower costs? Amtivo offers comprehensive ISO 14001 certification, auditing and training.

Learn More

ISO 45001

Comply with occupational health and safety regulations and reduce insurance premiums with an ISO 45001 certification.

Learn More

ISO 50001

Reduce energy usage, lower operation costs and reduce your business's impact on the environment with an ISO 50001 Certification for energy management.

Learn More

ISO 13485

Ensure your medical device business is complying with industry regulation and effectively manage risk with Amtivo's globally recognised ISO 13485 certification.

Learn More

ISO 27001

Protect customer data, avoid security risks, demonstrate compliance and stay competitive with an ISO 27001 certification for your ISMS. Contact us for a free quote.

Learn More

ISO 27017

Boost cloud data security and comply with strict data regulations with an ISO 27017 certification.

Learn More

ISO 27701

Better protect sensitive data and reduce the risk of security breaches and legal costs with an ISO 27001 certified Privacy Information Management System.

Learn More

ISO 20000-1

With an Amtivo ISO 20000-1 certification, your business can showcase its commitment to delivering satisfying and high-quality, yet cost-efficient, IT services.

Learn More

ISO 22301

Protect your business from disruption and disaster with an ISO 22301 certification from Amtivo.

Learn More

ISO 20121

An ISO 20121 certification for event sustainability management can help you reduce waste and energy usage, boosting your company reputation and delivering a competitive edge.

Learn More