# ISO/IEC 27018:2019

Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| CSP | Cloud Service Provider |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |
| PII | Personally Identifiable Information |

# Overview

ISO/IEC 27018 addresses the privacy aspects of cloud computing for consumers. It is the first international set of privacy controls in the cloud.

# Components

ISO/IEC 27018 focuses on five key principles:

1. CSPs must not use the personal data they receive for advertising or marketing unless expressly instructed to do so by the customer. In addition, a customer should be able to use the service without having to consent to the use of their personal data for advertising or marketing.

2. Customers have explicit control over how CSPs may use their information.

3. CSPs must inform customers about items such as where their data resides. CSPs must also disclose to customers any subcontractors that will be used to process PII.

4. CSPs should keep clear records of any incident and of their response to it, and they should notify the affected customers.

5. To remain compliant, the CSP must subject itself to yearly third-party reviews. This allows customers to rely on the findings to support their own regulatory obligations.