ISO/IEC 27018: The International Standard for PII Protection in Public Cloud Services
When organisations store and process personal data in public cloud environments, the questions multiply: Is the cloud provider using that data for their own purposes? Is it adequately protected? Are employees of the provider accessing it? ISO/IEC 27018:2019 exists to answer these questions with an internationally recognised, auditable framework for protecting personally identifiable information (PII) in public clouds.
What ISO 27018 Adds to Cloud Security
ISO 27018 is a code of practice for the protection of PII in public cloud computing, extending ISO 27001 and ISO 27002 with privacy controls specifically relevant to public cloud service providers acting as PII processors on behalf of their customers.
Key controls introduced or emphasised by ISO 27018 include:
Consent and purpose limitation: Cloud providers should not process customer PII for their own purposes (advertising, analytics, product development) without explicit consent. The provider's use of customer data must be limited to the services contracted by the customer.
Transparency: Providers must disclose sub-processors, data locations, and any third parties with whom customer data is shared. Changes to sub-processors must be communicated to customers in advance.
Data deletion and return: Customers must be able to retrieve their data and request secure deletion upon contract termination. The provider must have documented processes for secure data wiping and for issuing a certificate of deletion.
Access control and confidentiality: Provider employees must be subject to confidentiality agreements. Access to customer PII must be logged and restricted to personnel with a legitimate need. Employees must not access customer data unless required to deliver the contracted service.
Breach notification: The provider must notify customers of any confirmed or suspected personal data breach affecting their data — within timeframes that allow customers to meet their own regulatory notification obligations.
ISO 27018 and GDPR: A Natural Pairing
For cloud service providers acting as data processors under GDPR Article 28, ISO 27018 alignment provides a strong basis for meeting the "sufficient guarantees" requirement. GDPR requires controllers to use only processors that can demonstrate adequate technical and organisational measures for data protection. An ISO 27018 certificate from a reputable certification body is compelling evidence of exactly this.
Specific GDPR obligations that ISO 27018 controls address:
- Article 28(3)(b) — data processing only on documented instructions
- Article 28(3)(c) — confidentiality obligations on authorised personnel
- Article 28(3)(d) — security measures under Article 32
- Article 28(3)(e) — assistance with data subject rights
- Article 28(3)(f) — deletion or return of data
- Article 28(3)(g) — cooperation with supervisory authorities
- Article 28(3)(h) — audit rights and information provision
Practical Implementation for Cloud Providers
Implementing ISO 27018 as a cloud service provider involves:
Data mapping: Documenting all PII processed as part of cloud service delivery, the purposes for which it is processed, retention periods, and the sub-processors to whom it may be disclosed.
Employee access controls: Implementing role-based access controls restricting employee access to customer data. Enabling and centralising audit logging of all access to PII. Ensuring employees sign confidentiality agreements.
Sub-processor management: Maintaining a current register of sub-processors. Establishing a customer notification process for sub-processor changes. Ensuring sub-processors are contractually bound to equivalent privacy standards.
Customer transparency: Publishing a clear privacy notice for cloud services covering data locations, sub-processors, data uses, retention, and security measures. Making this information contractually binding in service agreements.
Data return and deletion: Implementing documented processes for secure data return and deletion, including the ability to provide customers with a certificate of deletion upon request.
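As an added example (not code from the standard or from Savadub) of the employee access-control and purpose-limitation controls described above: a Python review of a centralised PII access-log export that flags accesses outside the role policy, accesses with no ticket evidencing a legitimate need, and accesses for a purpose the customer did not contract. The role policy, contracted purposes and log lines are constructed assumptions.

```python
"""Review centralised PII access logs against an ISO 27018-style access policy."""
import json
from dataclasses import dataclass

# Constructed role policy (assumption): actions each provider role may perform on
# customer PII, and whether a support ticket is required as evidence of a
# legitimate need tied to delivering the contracted service.
ROLE_POLICY = {
    "support_engineer": {"actions": {"read"}, "ticket_required": True},
    "dba": {"actions": {"read", "export"}, "ticket_required": True},
    "billing_analyst": {"actions": set(), "ticket_required": True},
}
# Purposes the customer contracted for; anything else is the provider using
# customer PII for its own ends, which ISO 27018 forbids without consent.
CONTRACTED_PURPOSES = {"service_delivery", "incident_response", "customer_request"}


@dataclass(frozen=True)
class Finding:
    event_id: str
    reason: str


def review_pii_access(log_lines):
    """Return a Finding for each policy violation in the exported audit log."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        policy = ROLE_POLICY.get(ev["role"])
        if policy is None:
            findings.append(Finding(ev["id"], "unknown role"))
            continue
        if ev["action"] not in policy["actions"]:
            findings.append(Finding(ev["id"], f"role {ev['role']} may not {ev['action']} PII"))
        if policy["ticket_required"] and not ev.get("ticket"):
            findings.append(Finding(ev["id"], "no ticket: no evidence of legitimate need"))
        if ev["purpose"] not in CONTRACTED_PURPOSES:
            findings.append(Finding(ev["id"], f"purpose {ev['purpose']} is not a contracted service"))
    return findings


# Constructed sample export of the centralised audit log (one JSON object per line).
SAMPLE_LOG = [
    '{"id": "e1", "user": "alice", "role": "support_engineer", "tenant": "acme", "action": "read", "ticket": "T-101", "purpose": "customer_request"}',
    '{"id": "e2", "user": "bob", "role": "billing_analyst", "tenant": "acme", "action": "read", "ticket": "T-102", "purpose": "service_delivery"}',
    '{"id": "e3", "user": "carol", "role": "dba", "tenant": "globex", "action": "export", "ticket": "", "purpose": "incident_response"}',
    '{"id": "e4", "user": "dave", "role": "support_engineer", "tenant": "globex", "action": "read", "ticket": "T-103", "purpose": "product_analytics"}',
]
```

Each finding maps directly to evidence an auditor asks for under the access-control and consent controls: who accessed which tenant's PII, on what authority, and for what purpose.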
Why Organisations Choose Savadub
Deep GRC Expertise
Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.
Engineers, Not Just Consultants
We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.
Global and African Regulatory Coverage
We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.
Internal and External Audit Capability
We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.
End-to-End Engagement
From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.
Industries We Serve
Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage
Deliverables You Receive
Working with Savadub, every engagement delivers a concrete set of outputs:
- Gap Assessment Report — prioritised findings with effort estimates and risk ratings
- Compliance Roadmap — milestone-based plan from current state to certification or attestation
- Risk Register — organisational risk register with treatment plans
- Policy Pack — all required policies authored, reviewed, and approved
- Technical Control Implementation Evidence — configurations, screenshots, and audit trails
- Internal Audit Report — independent assessment of control effectiveness
- Audit Evidence Repository — organised, auditor-ready evidence collection
- Executive Summary Presentation — board and leadership-ready compliance status
- Remediation Tracker — structured tracking of open findings and closure evidence
- Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance
Get Started with Savadub
Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.
Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.
Contact us:
- Email: grc@savadub.com
- Phone: +234 816 734 2201
- WhatsApp: +234 903 234 8435
- Website: www.savadub.com