
ISO 27018 Certification & Audits

Meet regulatory requirements for PII controls via cloud computing

Enhance Cloud Security for PII

As a growing number of organizations move to the cloud, the data entrusted to public cloud service providers (CSPs) often includes personally identifiable information (PII), such as bank records, credit card details and passport information. Consequently, a security breach can severely impact large data volumes, with the hacking of sensitive information resulting in identity theft and financial loss. A PII security incident also attracts regulatory fines and reputational damage for both data owners and CSPs. It is therefore vital that CSPs’ customers can be assured that all the necessary cybersecurity checks and safeguards have been implemented. An effective information security management system (ISMS) that is specifically customized for the security and privacy of PII in public clouds reduces the risk of data breaches.

Any business which stores its customers’ private details on your cloud will seek assurances that you take private data protection seriously. Introduced in 2014, ISO/IEC 27018 (Information technology – Security techniques – Code of practice for protection of PII in public clouds acting as PII processors) gives a framework for assessing how well cloud service providers protect personally identifiable information (PII) in public clouds. ISO/IEC 27018 guidelines help to protect the highly sensitive or critical PII of your organization and your customers. They also include provisions for confidentiality agreements with CSP/CSC staff for PII processing and training. While ISO/IEC 27018 is not mandatory, it is increasingly recognized as the industry standard.

ISO/IEC 27018 serves as a guideline or code of practice for selecting PII protection controls within the process of implementing an ISO/IEC 27001-based ISMS in a cloud environment. While ISO/IEC 27001 safeguards an organization’s information assets, ISO/IEC 27018 helps CSPs to protect the highly sensitive or critical PII entrusted to them by their customers. It also includes provisions for confidentiality agreements with CSP staff for PII processing and training.

Becoming certified provides several key benefits:

  • Avoid penalties - Meet regulatory compliance to avoid fines and penalties levied globally and nationally for data breaches and other cyber-attacks
  • Follow best practices - ISO/IEC 27018 audits help you to follow best practices around the protection of PII in the cloud, so you can be confident that your environments are safe
  • Mitigate risk and reputational damage - Safeguard the access, storage, transmission and processing of PII data in the cloud by following ISO/IEC 27018 guidelines and avoid damaging data breaches
  • Gain a competitive edge - As more organizations attain ISO/IEC 27018 certification, those which do not may struggle to win new contracts
  • Clearly define responsibilities - ISO/IEC 27018 helps to define which areas of PII you are responsible for, and which your customers must take care of. This improves clarity and avoids misunderstandings.
  • Win customer trust - A third-party certification by TÜV SÜD demonstrates your commitment to information security. Many new cloud customers will now demand evidence that you are able to protect PII in the cloud and may require you to fill out extensive checklists to prove it. Showing you have ISO/IEC 27018 certification could save you time and effort providing this information

ISO 27018 Certification Process

  • Receive a customized quote from TÜV SÜD – including detailed costs and timescales
  • TÜV SÜD conducts an in-depth assessment
  • Our assessment report is released to you
  • Prepare your prioritized action plan, based on our assessment report
  • TÜV SÜD issues your ISO/IEC 27018 certificate

TÜV SÜD is a globally recognized ISO/IEC 27018 auditor

We provide complete ISMS and cloud PII security assessments, based on ISO/IEC 27001 and ISO/IEC 27018 guidelines. As TÜV SÜD is vendor agnostic, our assessments are both impartial and independent. We work with major household-name CSPs as well as a wide variety of smaller cloud service providers and can adapt our processes to your needs and requirements.

