
ISO/IEC 27018:2019 - Protection of Personally Identifiable Information

BUSINESS CHALLENGE

The volume of information managed in the cloud continues to grow, and as breaches become public, customers are increasingly concerned about the risk of their sensitive information being misused. It is therefore important for businesses operating in the cloud services sector to be able to ensure that their customers' data is appropriately protected.

In addition, more and more countries have introduced new statutory requirements to control the activities of cloud services.

WHAT IS ISO/IEC 27018?

ISO/IEC 27018:2019 is a code of practice focused on protecting personal data in the cloud. The standard is based on the information security standard ISO/IEC 27002 and provides guidance for implementing the ISO/IEC 27002 controls that apply to Personally Identifiable Information (PII) in the public cloud. It also provides an additional set of controls and associated guidance intended to meet PII protection requirements in the public cloud that are not met by the existing ISO/IEC 27002 controls.

KEY BENEFITS

  • Increase customer trust and give customers the confidence to continue using cloud services
  • Strengthen brand reputation and enhance competitive advantage
  • Improve security and reduce the risk of data breaches
  • Be clear about the roles and responsibilities of cloud service users and cloud service providers

BUREAU VERITAS CERTIFICATION'S SOLUTION

Cloud service providers that handle large volumes of Personally Identifiable Information (PII) can seek ISO 27001, ISO 27017 and ISO 27018 certification, or they can combine these standards to provide transparency to their customers regarding the responsible management of their sensitive personal data.

Bureau Veritas Certification is a certification body with competence and experience in conducting audits in the information technology sector. Our auditors, who have extensive cloud experience, will help your business ensure the highest level of protection by reviewing specific requirements to identify potential vulnerabilities and risks of cloud services.