ISO/IEC 27018:2019

International

1 domains

32 controls

ISO/IEC 27018:2019 Code of practice for PII protection in public clouds acting as PII processors.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (1)

PII Processor

32 controls

Controls in the PII Processor domain of ISO/IEC 27018:2019 — 32 controls
Code	Title	Description
A.1.1	Consent and choice	Public cloud PII processor shall process PII only as instructed by the cloud service customer who is the PII controller...
A.10.1	Information security	PII shall be protected with appropriate technical and organizational measures consistent with risk.
A.10.10	User ID management	De-activated or expired user IDs shall not be granted to other individuals.
A.10.11	Contract measures	Contracts between the public cloud PII processor and its customers shall specify the allocation of responsibilities for...
A.10.12	Sub-contracted PII processing	Contracts between the public cloud PII processor and any subcontractors involved in PII processing shall specify equival...
A.10.13	Access to data on pre-used data-storage space	The cloud PII processor shall ensure that whenever data storage space is assigned to a customer, any previous PII residi...
A.10.2	Confidentiality obligations of personnel	Personnel processing PII shall be under confidentiality obligations recorded in writing.
A.10.3	Restriction of creation of hardcopy material	Creation of hardcopy materials containing PII shall be restricted and controlled.
A.10.4	Control and logging of data restoration	Restoration of PII from backups shall be controlled and logged.
A.10.5	Protection of data on storage media leaving premises	PII on media leaving premises shall be subject to authorization and protective measures including encryption.
A.10.6	PII transmission	PII transmitted over networks shall be encrypted and integrity-protected.
A.10.7	Disclosure of PII	Disclosures of PII to third parties including law enforcement shall be logged and where lawful notified to the customer.
A.10.8	Unique use of user IDs	If more than one individual has access to stored PII, then they shall each have a distinct user ID for identification, a...
A.10.9	Records of authorized users	An up-to-date record of users or profiles of users who have authorized access to information systems handling PII shall...
A.11.1	Geographical location of PII	Customer shall be informed of countries in which PII is or may be stored or processed.
A.11.2	Intended destination of PII	PII shall be transmitted only to destinations agreed with the customer.
A.11.3	Disposal of PII	The processor shall have a policy on the disposal of PII when it is no longer required, including for backup copies.
A.11.4	Temporary files	Temporary files containing PII shall be identified and securely deleted within a documented period.
A.11.5	PII transmission	The cloud PII processor shall ensure that information transmissions are routed and protected in a manner appropriate to...
A.12.1	Notification of a data breach	The processor shall promptly notify the customer of any incident leading to loss, disclosure or alteration of PII.
A.12.2	Return, transfer and disposal of PII	On termination the processor shall return or securely dispose of PII as instructed by the customer.
A.12.3	Periodic audits and reviews	The public cloud PII processor shall be subject to periodic audits and reviews of its PII protection controls by an inde...
A.2.1	Purpose legitimacy and specification	PII shall be processed only for the purposes specified by the customer and not used for the processor's own purposes.
A.2.2	AI policy	The organization shall document a policy for the development, deployment, or use of AI systems that aligns with the orga...
A.3.1	Collection limitation	The processor shall not collect PII beyond what is required for the agreed purpose.
A.4.1	Data minimization	Temporary files and copies of PII shall be erased or destroyed in a defined period.
A.5.1	Use, retention and disclosure limitation	PII shall not be retained beyond the timeframe required to fulfil the agreed purpose unless required by law.
A.5.2	AI system impact assessment process	The organization shall establish a process to assess the potential consequences of the AI system for individuals or grou...
A.6.1	Accuracy and quality	PII processed shall be accurate and up to date to the extent necessary for the purpose.
A.7.1	Openness, transparency and notice	The processor shall provide the customer with information about the processing of PII including subcontractors and locat...
A.8.1	Individual participation and access	The processor shall provide means for the customer to fulfil PII principal rights including access, correction and delet...
A.9.1	Accountability	The processor shall assign roles to manage PII protection and demonstrate compliance.

Frequently Asked Questions

What is ISO/IEC 27018:2019?

ISO/IEC 27018:2019 is a compliance framework from International with 1 domains and 32 controls. ISO/IEC 27018:2019 Code of practice for PII protection in public clouds acting as PII processors. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ISO/IEC 27018:2019 have?

ISO/IEC 27018:2019 has 32 controls organised across 1 domains. The largest domains are PII Processor (32 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ISO/IEC 27018:2019 map to?

ISO/IEC 27018:2019 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with ISO/IEC 27018:2019 compliance?

Start your ISO/IEC 27018:2019 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO/IEC 27018:2019 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required