TheArtOfService
Back to Frameworks

ISO 27018:2019

Self-Assess
International
v2019
12 domains
84 controls
Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (12)

Access control – ISO 27018:2019

16 controls
Controls in the Access control – ISO 27018:2019 domain of ISO 27018:201916 controls
CodeTitle
iso-27018-2019::9.1Business requirements of access control
iso-27018-2019::9.2User access management
iso-27018-2019::9.2.1User registration and de-registration
iso-27018-2019::9.2.2User access provisioning
iso-27018-2019::9.2.3Management of privileged access rights
iso-27018-2019::9.2.4Management of secret authentication information of users
iso-27018-2019::9.2.5Review of user access rights
iso-27018-2019::9.2.6Removal or adjustment of access rights
iso-27018-2019::9.3User responsibilities
iso-27018-2019::9.3.1Use of secret authentication information
iso-27018-2019::9.4System and application access control
iso-27018-2019::9.4.1Information access restriction
iso-27018-2019::9.4.2Secure log-on procedures
iso-27018-2019::9.4.3Password management system
iso-27018-2019::9.4.4Use of privileged utility programs
iso-27018-2019::9.4.5Access control to program source code

Clause 0 – ISO 27018:2019

4 controls
Controls in the Clause 0 – ISO 27018:2019 domain of ISO 27018:20194 controls
CodeTitle
iso-27018-2019::0.1Background and context
iso-27018-2019::0.2PII protection controls for public cloud computing services
iso-27018-2019::0.3PII protection requirements
iso-27018-2019::0.4Selecting and implementing controls in a cloud computing environment

Clause 13 – ISO 27018:2019

6 controls
Controls in the Clause 13 – ISO 27018:2019 domain of ISO 27018:20196 controls
CodeTitle
iso-27018-2019::13.1Network security management
iso-27018-2019::13.2Information transfer
iso-27018-2019::13.2.1Information transfer policies and procedures
iso-27018-2019::13.2.2Agreements on information transfer
iso-27018-2019::13.2.3Electronic messaging
iso-27018-2019::13.2.4Confidentiality or non-disclosure agreements

Clause 7 – ISO 27018:2019

5 controls
Controls in the Clause 7 – ISO 27018:2019 domain of ISO 27018:20195 controls
CodeTitle
iso-27018-2019::7.1Prior to employment
iso-27018-2019::7.2.1Management responsibilities
iso-27018-2019::7.2.2Informationa8096b2fa1f5/iso-iec-27018-2019
iso-27018-2019::7.2.3Disciplinary process
iso-27018-2019::7.3Termination and change of employment

Compliance – ISO 27018:2019

5 controls
Controls in the Compliance – ISO 27018:2019 domain of ISO 27018:20195 controls
CodeTitle
iso-27018-2019::18.1Compliance with legal and contractual requirements
iso-27018-2019::18.2Information security reviews
iso-27018-2019::18.2.1Independent review of information security
iso-27018-2019::18.2.2Compliance with security policies and standards
iso-27018-2019::18.2.3Technical compliance review

Cryptography – ISO 27018:2019

3 controls
Controls in the Cryptography – ISO 27018:2019 domain of ISO 27018:20193 controls
CodeTitle
iso-27018-2019::10.1Cryptographic controls
iso-27018-2019::10.1.1Policy on the use of cryptographic controls
iso-27018-2019::10.1.2Key management

Information security incident management – ISO 27018:2019

8 controls
Controls in the Information security incident management – ISO 27018:2019 domain of ISO 27018:20198 controls
CodeTitle
iso-27018-2019::16.1Management of information security incidents and improvements
iso-27018-2019::16.1.1Responsibilities and procedures
iso-27018-2019::16.1.2Reporting information security events
iso-27018-2019::16.1.3Reporting information security weaknesses
iso-27018-2019::16.1.4Assessment of and decision on information security events
iso-27018-2019::16.1.5Response to information security incidents
iso-27018-2019::16.1.6Learning from information security incidents
iso-27018-2019::16.1.7Collection of evidence

Information security policies – ISO 27018:2019

3 controls
Controls in the Information security policies – ISO 27018:2019 domain of ISO 27018:20193 controls
CodeTitle
iso-27018-2019::5.1Management direction for information security
iso-27018-2019::5.1.1Policies for information security
iso-27018-2019::5.1.2Review of the policies for information security

Operations security – ISO 27018:2019

16 controls
Controls in the Operations security – ISO 27018:2019 domain of ISO 27018:201916 controls
CodeTitle
iso-27018-2019::12.1Operational procedures and responsibilities
iso-27018-2019::12.1.1Documented operating procedures
iso-27018-2019::12.1.2Change management
iso-27018-2019::12.1.3Capacity management
iso-27018-2019::12.1.4Separation of development, testing and operational environments
iso-27018-2019::12.2Protection from malware
iso-27018-2019::12.3Backup
iso-27018-2019::12.3.1Information backup
iso-27018-2019::12.4Logging and monitoring
iso-27018-2019::12.4.1Event logging
iso-27018-2019::12.4.2Protection of log information
iso-27018-2019::12.4.3Administrator and operator logs
iso-27018-2019::12.4.4Clock synchronization
iso-27018-2019::12.5Control of operational software
iso-27018-2019::12.6Technical vulnerability management
iso-27018-2019::12.7Information systems audit considerations ISO/IEC 27018:2019

Organization of information security – ISO 27018:2019

5 controls
Controls in the Organization of information security – ISO 27018:2019 domain of ISO 27018:20195 controls
CodeTitle
iso-27018-2019::6.1Internal organization
iso-27018-2019::6.1.1Information security roles and responsibilities
iso-27018-2019::6.1.2Segregation of duties
iso-27018-2019::6.1.3Contact with authorities
iso-27018-2019::6.1.4Contact with special interest groups

Overview – ISO 27018:2019

2 controls
Controls in the Overview – ISO 27018:2019 domain of ISO 27018:20192 controls
CodeTitle
iso-27018-2019::4.1Structure of this document
iso-27018-2019::4.2Control categories

Physical and environmental security – ISO 27018:2019

11 controls
Controls in the Physical and environmental security – ISO 27018:2019 domain of ISO 27018:201911 controls
CodeTitle
iso-27018-2019::11.1Secure areas
iso-27018-2019::11.2Equipment
iso-27018-2019::11.2.1Equipment siting and protection
iso-27018-2019::11.2.2Supporting utilities
iso-27018-2019::11.2.3Cabling security
iso-27018-2019::11.2.4Equipment maintenance
iso-27018-2019::11.2.5Removal of assets
iso-27018-2019::11.2.6Security of equipment and assets off-premises
iso-27018-2019::11.2.7Secure disposal or re-use of equipment
iso-27018-2019::11.2.8Unattended user equipment
iso-27018-2019::11.2.9Clear desk and clear screen policy

Your Compliance Coverage

If you comply with ISO 27018:2019, you already cover:

ISO 27002:2022

38%

32 controls mapped

Compare →

ISO 27701:2019

33%

28 controls mapped

Compare →

ISO 27017:2015

27%

23 controls mapped

Compare →

+ 78 more: ISO 19011:2018 (15%), ISO/SAE 21434 (14%)

See all 81 mapped frameworks ↓

Maps to 81 other frameworks

84 total controls
ISO 27002:2022
32 source controls mapped|29 target controls covered
38%
ISO 27701:2019
28 source controls mapped|25 target controls covered
33%
ISO 27017:2015
23 source controls mapped|21 target controls covered
27%
ISO 19011:2018
13 source controls mapped|17 target controls covered
15%
ISO/SAE 21434
12 source controls mapped|9 target controls covered
14%
ISO 27043
12 source controls mapped|9 target controls covered
14%
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1
10 source controls mapped|12 target controls covered
12%
PCI DSS 4.0
8 source controls mapped|8 target controls covered
10%
ISO/IEC 27010:2015
6 source controls mapped|5 target controls covered
7%
ISO 27001:2022
6 source controls mapped|6 target controls covered
7%
ISO/IEC 27011:2024
5 source controls mapped|5 target controls covered
6%
C5 (Germany)
4 source controls mapped|12 target controls covered
5%
API 1164
4 source controls mapped|4 target controls covered
5%
ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence
4 source controls mapped|6 target controls covered
5%
SOC 1 (SSAE 18 / ISAE 3402)
3 source controls mapped|4 target controls covered
4%
Australian Energy Sector Cyber Security Framework (AESCSF)
3 source controls mapped|3 target controls covered
4%
ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories
3 source controls mapped|6 target controls covered
4%
ISO/IEC 27006:2024
3 source controls mapped|3 target controls covered
4%
ISO/IEC 17025:2017 - General Requirements for Testing and Calibration
3 source controls mapped|2 target controls covered
4%
ISO 27019
3 source controls mapped|4 target controls covered
4%
ISO/IEC 27400:2022
2 source controls mapped|2 target controls covered
2%
EASA Part-IS - Information Security in Aviation
2 source controls mapped|2 target controls covered
2%
ISO/IEC 29100:2024
2 source controls mapped|2 target controls covered
2%
FFIEC IT Examination Handbook
2 source controls mapped|2 target controls covered
2%
ISO 27018
2 source controls mapped|1 target controls covered
2%
ISO/IEC 27018:2019
2 source controls mapped|1 target controls covered
2%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
2 source controls mapped|1 target controls covered
2%
AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)
2 source controls mapped|3 target controls covered
2%
NIST SP 800-171 Rev 3
2 source controls mapped|2 target controls covered
2%
CCSDS 350.0-G-3 - Space Communications Security (Consultative Committee for Space Data Systems)
2 source controls mapped|2 target controls covered
2%
Cambodia Sub-Decree on Personal Data Protection (Sub-Decree No. 134)
2 source controls mapped|2 target controls covered
2%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)
2 source controls mapped|2 target controls covered
2%
APRA CPS 230 Operational Risk Management
2 source controls mapped|2 target controls covered
2%
ISO 45001:2018
2 source controls mapped|3 target controls covered
2%
ISO 19011
2 source controls mapped|3 target controls covered
2%
AICPA SOC 3
2 source controls mapped|2 target controls covered
2%
ISO/IEC 27701:2019
2 source controls mapped|2 target controls covered
2%
FedRAMP High
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Revision 5.1 HIGH
2 source controls mapped|2 target controls covered
2%
FedRAMP Moderate
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Rev 5 MODERATE
2 source controls mapped|2 target controls covered
2%
NIST SP 800-53 Rev 5 LOW
2 source controls mapped|2 target controls covered
2%
ISO 20000-1
2 source controls mapped|2 target controls covered
2%
ITIL 4
2 source controls mapped|2 target controls covered
2%
NSA Guidance for Transition to Quantum-Resistant Cryptography
1 source controls mapped|1 target controls covered
1%
CMMC 2.0
1 source controls mapped|1 target controls covered
1%
ISO/IEC 42001:2023
1 source controls mapped|1 target controls covered
1%
DoD Zero Trust Reference Architecture
1 source controls mapped|1 target controls covered
1%
FBI CJIS Security Policy
1 source controls mapped|1 target controls covered
1%
BCBS 239
1 source controls mapped|1 target controls covered
1%
ISO/IEC 38500:2024
1 source controls mapped|1 target controls covered
1%
ISO 10005:2005
1 source controls mapped|1 target controls covered
1%
AICPA Privacy Management Framework (PMF)
1 source controls mapped|1 target controls covered
1%
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)
1 source controls mapped|1 target controls covered
1%
AML/CTF Act 2006 (Australia)
1 source controls mapped|1 target controls covered
1%
Equator Principles (EP4, 2020)
1 source controls mapped|1 target controls covered
1%
ISO/IEC TR 24028:2020
1 source controls mapped|1 target controls covered
1%
ISO 14001:2015
1 source controls mapped|1 target controls covered
1%
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct
1 source controls mapped|1 target controls covered
1%
ISO 31000:2018
1 source controls mapped|2 target controls covered
1%
ISO/IEC 25012:2008 - Data Quality Model
1 source controls mapped|2 target controls covered
1%
NY DFS 23 NYCRR 500
1 source controls mapped|1 target controls covered
1%
NIST SP 800-171
1 source controls mapped|1 target controls covered
1%
NIST SP 800-53 Rev 5
1 source controls mapped|1 target controls covered
1%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework
1 source controls mapped|1 target controls covered
1%
ISO 13485
1 source controls mapped|1 target controls covered
1%
ANSSI Cybersecurity Framework
1 source controls mapped|1 target controls covered
1%
BSI IT-Grundschutz
1 source controls mapped|1 target controls covered
1%
ISO 55001:2014
1 source controls mapped|1 target controls covered
1%
ISO 45001
1 source controls mapped|1 target controls covered
1%
ISO 55001
1 source controls mapped|1 target controls covered
1%
PCI SSF
1 source controls mapped|1 target controls covered
1%
ISO 26262:2018 - Functional Safety for Road Vehicles
1 source controls mapped|1 target controls covered
1%
SOC 2
1 source controls mapped|1 target controls covered
1%
NIST SP 1800-32
1 source controls mapped|1 target controls covered
1%
IEC 62443
1 source controls mapped|1 target controls covered
1%
ISO 27017
1 source controls mapped|1 target controls covered
1%
ISO 37301
1 source controls mapped|1 target controls covered
1%
SANS Incident Handler's Handbook and PICERL Methodology
1 source controls mapped|1 target controls covered
1%
UK Gambling Commission - Cyber Resilience Requirements
1 source controls mapped|1 target controls covered
1%
ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)
1 source controls mapped|1 target controls covered
1%
Compare ISO 27018:2019 with ISO 27002:2022

Frequently Asked Questions

What is ISO 27018:2019?

ISO 27018:2019 is a compliance framework from International with 12 domains and 84 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ISO 27018:2019 have?

ISO 27018:2019 has 84 controls organised across 12 domains. The largest domains are Access control – ISO 27018:2019 (16 controls), Operations security – ISO 27018:2019 (16 controls), Physical and environmental security – ISO 27018:2019 (11 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ISO 27018:2019 map to?

ISO 27018:2019 maps to 81 other compliance frameworks. The top mapping partners are ISO 27002:2022 (38% coverage), ISO 27701:2019 (33% coverage), ISO 27017:2015 (27% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ISO 27018:2019 compliance?

Start your ISO 27018:2019 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO 27018:2019 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 84 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required