FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage
32of32items
Across 8 modules • Updated May 9, 2026
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Back to sub-FAQs
ISO/IEC 27018 PII Return And Deletion

How should cloud providers prove PII Return And Deletion under ISO/IEC 27018?

Start with the operational decision: define what PII Return And Deletion means in your ISO/IEC 27018 scope, who owns it, and what record proves the decision is current.

In practical terms, the answer is that a processor should return or delete the personal data when the controller instructs it to do so, especially after the service ends, and it should not keep copies unless a law requires retention or another legal exception applies.

  • Name the accountable owner and reviewer for PII Return And Deletion.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when PII Return And Deletion changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
Jump to answerOpen module
ISO/IEC 27018 PII Return And Deletion

What evidence should prove PII Return And Deletion is current under ISO/IEC 27018?

The evidence should show the process operating. For this artifact, the strongest record usually includes customer instructions, DPA clauses, subprocessor notices, deletion and return records, disclosure records, access logs, and incident support evidence.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27018 PII Return And Deletion

Who should approve PII Return And Deletion decisions under ISO/IEC 27018?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
Jump to answerOpen module
ISO/IEC 27018 PII Return And Deletion

When should PII Return And Deletion be reviewed under ISO/IEC 27018?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
Jump to answerOpen module
ISO/IEC 27018 Processor Duties

How should teams handle Processor Duties under ISO/IEC 27018?

Start with the actual duty: a public cloud provider acting as a PII processor should protect personally identifiable information (PII) for the customer under contract, using the control objectives, controls, and guidelines in ISO/IEC 27018.

For cloud privacy work, connect each control to customer instructions, processor role, subprocessor change, disclosure handling, deletion or return, and breach-support evidence. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review.

  • Name the accountable owner and reviewer for Processor Duties.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when Processor Duties changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
Jump to answerOpen module
ISO/IEC 27018 Processor Duties

What evidence should prove Processor Duties is current under ISO/IEC 27018?

The evidence should show the process operating. For this artifact, the strongest record usually includes customer instructions, DPA clauses, subprocessor notices, deletion and return records, disclosure records, access logs, and incident support evidence.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27018 Processor Duties

Who should approve Processor Duties decisions under ISO/IEC 27018?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
Jump to answerOpen module
ISO/IEC 27018 Processor Duties

When should Processor Duties be reviewed under ISO/IEC 27018?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
Jump to answerOpen module
ISO/IEC 27018 Subprocessor Notice

How should teams handle Subprocessor Notice under ISO/IEC 27018?

Start with the operational decision: define what Subprocessor Notice means in your ISO/IEC 27018 scope, who owns it, and what record proves the decision is current.

For cloud privacy work, connect each control to customer instructions, processor role, subprocessor change, disclosure handling, deletion or return, and breach-support evidence. This keeps the answer useful in audits, customer reviews, incidents, supplier reviews, and management review.

  • Name the accountable owner and reviewer for Subprocessor Notice.
  • Record the scope, assumptions, decision, approval date, evidence location, exception status, and next review trigger.
  • Escalate when Subprocessor Notice changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.
Citations
ISO/IEC 27018:2025 standard page

ISO listing for the 2025 ISO/IEC 27018 public-cloud PII processor guidance that supports subprocessor notice evidence and customer disclosure controls.

Jump to answerOpen module
ISO/IEC 27018 Subprocessor Notice

What evidence should prove Subprocessor Notice is current under ISO/IEC 27018?

The evidence should show the process operating. For this artifact, the strongest record usually includes customer instructions, DPA clauses, subprocessor notices, deletion and return records, disclosure records, access logs, and incident support evidence.

Avoid evidence that only repeats a requirement. A reviewer should be able to see the actual owner, date, system, supplier, AI system, service, incident, risk, or control sample behind the answer.

  • Use source records from the system of work, not screenshots created only for audit day.
  • Keep exceptions visible as risk acceptance, corrective action, or management-review input.
  • Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.
Citations
Jump to answerOpen module
ISO/IEC 27018 Subprocessor Notice

Who should approve Subprocessor Notice decisions under ISO/IEC 27018?

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

For high-impact changes, approval should include the teams affected by the evidence: security, privacy, resilience, supplier management, AI governance, legal, risk, or business service owners as relevant.

  • Use a named owner, named backup, and named escalation forum.
  • Separate preparation work from risk acceptance and final approval.
  • Keep approval records with the evidence rather than in disconnected email threads.
Citations
ISO/IEC 27018:2025 standard page

ISO listing for the 2025 ISO/IEC 27018 public-cloud PII processor guidance that supports subprocessor notice evidence and customer disclosure controls.

Jump to answerOpen module
ISO/IEC 27018 Subprocessor Notice

When should Subprocessor Notice be reviewed under ISO/IEC 27018?

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, AI system, personal data flow, incident process, or customer commitment changes.

A stale record is worse than a short record. If the facts change, update the evidence and mark what changed so the next reviewer can trust the page.

  • Set a planned review date and a change-trigger rule.
  • Use findings to update controls, procedures, contracts, risk registers, or training.
  • Carry unresolved items into management review or risk acceptance.
Citations
ISO/IEC 27018:2025 standard page

ISO listing for the 2025 ISO/IEC 27018 public-cloud PII processor guidance that supports subprocessor notice evidence and customer disclosure controls.

Jump to answerOpen module
Page 2 of 2
Previous12Next