An implementation playbook for public cloud PII processor privacy controls.
Built for cloud providers, SaaS teams, procurement reviewers, and privacy teams that need contract-ready evidence.
Structured answer sets in this page tree.
Cited legal and guidance references.
ISO/IEC 27018 is a code of practice for protecting personally identifiable information in public clouds acting as PII processors. In practice, strong implementation means you can show that personal data is processed only under customer instructions, that subprocessor use and storage countries are transparent, that disclosure requests are legally screened and logged, that breach notifications are prompt and evidence backed, and that deletion or return can be executed across production, backup, and business continuity environments.
The ISO standard listing now identifies ISO/IEC 27018:2025 as the current edition, and the ISO/IEC 27018:2019 page is marked withdrawn. The control themes in this playbook are grounded in the 2019 control model because that is the local source pack available for detailed implementation review.
Use this page to shape operating controls and evidence, then validate any final wording or certification claim against the current ISO listing and the edition you license internally.
ISO 27018 applies when a public cloud service provider processes PII for and according to the instructions of a cloud service customer. The distinction holds only if the provider has no processing objectives of its own beyond what is necessary to deliver the customer service.
This boundary matters because the same provider can still act as a controller for separate data sets, such as billing, account ownership, fraud management, or its own HR records.
The core ISO 27018 rule is simple: PII processed under contract should not be used for any purpose independent of the customer instruction. This is the processor control that procurement teams, privacy counsel, and auditors look for first.
The standard also states that PII processed under contract should not be used for marketing or advertising without express consent, and that consent should not be a condition of receiving the service.
ISO 27018 expects subprocessor use to be disclosed before use, with the names of relevant subprocessors, the countries where they can process data, and the means by which they are required to meet or exceed the processor's obligations.
The contract should also support general authorization, timely notice of intended changes, and a customer ability to object or terminate.
The standard requires notification of legally binding requests for disclosure of PII, unless notification is prohibited. It also requires the processor to reject requests that are not legally binding, consult the customer where legally permissible, and record disclosures.
This cannot be handled as an ad hoc legal email thread. It needs a repeatable runbook with evidence fields.
ISO 27018 says the processor should promptly notify the relevant cloud service customer when unauthorized access to PII, or to processing equipment or facilities, results in loss, disclosure, or alteration of PII.
The contract should define the maximum notification delay and the information needed so the customer can assess its own legal notification duties.
ISO 27018 requires a policy for return, transfer, or disposal of PII and says the processor should provide information necessary for the customer to ensure that PII is erased wherever stored, including backup and business continuity environments, once it is no longer needed for the customer's purpose.
Deletion is not credible if it only covers the primary environment. The contract and runbooks should specify the mechanism, timing, and verification method.
ISO 27018 recognizes that individual customer audits in a multi-tenant cloud can be impractical or can increase security risk. In those cases, the processor should make independent evidence available before contract signature and during the contract term.
A strong evidence model shortens sales cycles and reduces repeated customer questionnaires.
Assessment Autopilot can take ISO 27018 Compliance from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on ISO 27018 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
Start from ISO 27018 Compliance and turn the guidance into owned tasks, evidence requests, and review checkpoints.
Review your current process, evidence gaps, and next steps for ISO 27018 Compliance.