# ISO/IEC 27018:2019: Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
| --- | --- |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |
| PII | Personally Identifiable Information |

# Overview

ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

# Annex A

Annex A provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.

  • A.1 General
  • A.2 Consent and choice
  • A.3 Purpose legitimacy and specification
  • A.4 Collection limitation
  • A.5 Data minimization
  • A.6 Use, retention and disclosure limitation
  • A.7 Accuracy and quality
  • A.8 Openness, transparency and notice
  • A.9 Individual participation and access
  • A.10 Accountability
  • A.11 Information security
  • A.12 Privacy compliance

# Noteworthy

  • ISO/IEC 27018 addresses the privacy aspects of cloud computing.
  • ISO/IEC 27018 is focused on PII, and specifically on public cloud service providers acting as PII processors (processing PII on behalf of a customer), as stated in its title.
  • ISO/IEC 27018 is a code of practice, not a management-system specification: it extends the ISO/IEC 27002 controls with the privacy-specific controls of Annex A rather than replacing them.
  • ISO/IEC 27018 is the first international set of privacy controls for the public cloud.
