What Is ISO 27018 and How Does it Apply to Cloud Providers?

ISO 27018 featured

ISO/IEC 27018 establishes commonly accepted control objectives to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for cloud providers offering public infrastructure and services. It is a critical document for these providers seeking to instill the trustworthiness of their systems in their customers and clients. Learn more about ISO 27018 and what it takes to get your cloud infrastructure up to speed.


Cloud Providers and Personal Identifiable Information (PII)

One of the primary challenges that cloud providers face is handling user data. Because cloud systems are predicated on storing information for hundreds or even thousands of customers, often private data that must be protected. 

Once a particular and common form of private data is Personal Identifiable Information or PII. PII is information that, as the name suggests, could potentially lead to the identification of a user–a use case that, in almost all cases, is prohibited. Therefore, most regulations and security frameworks include requirements applying to users’ privacy through the protection of PII. 

PII can include a user’s name, address, phone number, social security number, unique ID number, or any other information that, either on its own or in combination with other pieces of information, can lead to someone determining that user’s identity.

Cloud providers are often charged with handling these types of information–which means that they will also be in charge of the security infrastructure around this information (and, subsequently, the privacy of their customers and employees.

Following that, there are two general approaches that these providers can or must take to protect PII:

  • Compliance with Regulations: In regulated industries, a cloud provider must, without question, adhere to laws and regulations in that industry. For example, the healthcare industry has strict laws protecting Protected Health Information (PHI) which may contain PII. Adhering to these laws is non-negotiable for regulated businesses, including cloud providers supporting healthcare providers with services that store or process PHI or PII.
  • Optional Certifications: Some businesses do not follow specific regulations but may, either of their own volition or as part of a private agreement with another organization, pursue industry-specific certifications. These include SOC 2 or various certifications under the ISO/IEC designation.

In the latter case (and, specifically, ISO), these providers will obtain certification based on their specific offerings. For cloud providers, this is the ISO 27018 standard


What Are the Objectives of ISO 27018?

ISO 27018

The core reasoning behind ISO 27018 is to provide clear guidance for implementing security and privacy controls in cloud infrastructure. Specifically, these standards apply to CSPs that store or process PII for clients, such that this information remains private and secure. 

Following that, the standard lays out a set of objectives that CSPs must meet so that the organization may display the certification seal from ISO, verified through accurate audits and reporting. 

Note that these standards are primarily derived from ISO/IEC 27002, “Information security, cybersecurity, and privacy protection,” and are organized to benefit cloud service providers specifically.

Information Security Policies

Any cloud provider processing PII must have security policies demonstrating the practices and processes the CSP uses to support compliance and contractual obligations. This means that the responsibilities of the CSP must be clearly defined in client/partner agreements such that the use of services and infrastructure are delineated between those that process PII and those that do not. 



CSPs must deploy specific organizational policies and roles to support their cloud security efforts. These specific responsibilities include:

  • Roles and Responsibilities: Cloud providers must define and fill positions that align with security and privacy requirements as they fit organizational needs. These roles will be commensurate with company policies (defined above). They must include positions responsible for protecting information and assets, carrying out specific security processes, managing risk, and managing personnel working with PII. 
  • Contact with Stakeholders: Policies and procedures must be in place to manage contact with relevant stakeholders in case of changes, updates, or upgrades. These stakeholders will include external authorities, special interest groups, etc.
  • Security in Project Management: The organization must include security and privacy considerations in organization-wide project management efforts. 
  • Security for Mobile Computing: Policies must be in place to define how remote access and telework function within required security settings.


Human Resources

Often, insider threats are some of the most dangerous vulnerabilities an IT company can face. Cloud providers, therefore, must approach personnel security with an eye toward ensuring that employees are well-known and that they only have access to specific systems.

  • Background Checks: Organizations should perform background screenings for full- and part-time employees, including the gathering of references, confirmation of claims on CVs or resumes, verification of identity through official documents, and (potentially) background criminal or credit checks.
  • Training: Employees must receive regular information and training on security-related practices and topics, including those related to the employee’s role and any relevant disciplinary consequences.
  • Disciplinary Processes: The CSP must also have appropriate disciplinary processes that may apply to employees based on intentional or unintentional misconduct. These processes must be clearly documented and defined for all employees.
  • Termination: The CSP must have policies in place to address employee termination, including removing system access and reviewing logs in cases of suspected misconduct.


Asset Management

A cloud provider must implement processes to inventory all assets, including PII, processing infrastructure, and devices. This includes maintaining a record of ownership for those assets, how those assets may or may not be used, and how those assets are checked out/assigned, returned, and disposed of. 


Access Control

Simply put, the CSP must maintain appropriate controls to ensure that only authorized users access the resources they need to perform their tasks. This can include public-facing access for users and owners of PII and work-related tasks.

  • User Access Controls: Users must be properly authorized for any resources they access. This includes paying attention to user privileges such that no user may access anything beyond their immediate needs. Organizations must also regularly review user privileges and accounts to avoid lingering security holes. 
  • Review and Removal: Upon review, if a user or account is deemed unnecessary, it must be removed such that the user or their credentials cannot be used to launch attacks against the system. 


System and Application Access Control

The cornerstone of any good form of security is front-end interface control, including strong authentication and identity verification.

  • Secure Logon: The CSP must require a secure login for any user inside or outside the organization. Depending on the organization’s industry and business model, this can mean multi-factor authentication (MFA), biometrics or other advanced authentication factors, or additional identity assurance measures.
  • Password Management: Password systems must allow users to alter or change their passwords, enforce strong passwords, prevent the re-use of passwords, and require regular password changes based on a schedule. All passwords must also be stored and transmitted securely (encrypted). 
  • Source Code: Providers must maintain security around all application source code, including protecting libraries or limiting code access to development tools.



The CSP must have policies in place to use cryptography to obfuscate data at rest and during transmission. This requirement also includes having secure key management practices in place, including management of issuing and revoking keys, secure storing keys, and destroying keys.


Environmental Security

Environmental security refers to the security and protection measures to lock down physical spaces where computing and data resources are located.

  • Equipment Security: All workstations, mobile devices, cabling, utilities, and data center locations must be protected against unauthorized access. This includes using locks, biometric or OTP devices, and security cameras.
  • Removal and Disposal: All devices and media must be disposed of properly so as not to disclose any remnant PII. This includes destroying or sanitizing storage media and workstation devices.



Larger security issues must be addressed at the organizational level–that is, at the level of operations. This includes implementing large-scale policies based on the needs of the organization.

  • Change Management: Operations should be able to adjust and document required changes to technology, personnel, or business requirements.
  • Capacity Management: IT systems must be able to adjust to and meet changing capacity requirements (in terms of users, data capacity, or other monitoring requirements). 
  • Environment Separation: Testing, development, and operational instances of cloud instances must remain separated to prevent security issues. 
  • Backups: The CSP must have automated systems to manage data backups to prevent data loss or corruption.


Communications Security

Cloud service providers have technology and security measures to protect network communications, specifically sending PII or other sensitive messages across internal or public networks. This security requirement also includes specifics on non-disclosure agreements or receiving permission to share data via specific technologies (like email). 


Incident Management

The CSP must have policies and plans to identify, respond to, and remediate incidents as they occur. This includes training and professional development for any employees tasked with incident response.


Get Ready for ISO 27018 Certification with Lazarus Alliance

Cloud providers who want to guarantee their PII processing security will, sooner or later, rub up against certification with ISO 27018. This massive document draws from other requirements in the ISO 27000 series–that means having a deep knowledge of the expectations of the standard both now and as it changes in the future. 

If you’re ready to jump into ISO 27018, work with experts who have managed clients through the certification process for years. Work with Lazarus Alliance.

Lazarus Alliance