ISO 27018:2019 provides guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles for the public cloud computing environment, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

ISO 27018 is relevant for organizations storing privacy sensitive data in the cloud

This add-on provides implementation guidelines for 14 existing ISO 27001 Annex A controls.

Next to that, the following 25 new controls are added:

  • Authorization for taking the physical media off-site
  • Confidentiality agreements for individuals who can access personal data
  • Deletion of data in storage assigned to other customers
  • Deletion of temporary files
  • Destruction of printed media with personal data
  • Disabling the usage of expired user IDs
  • Disclosing the information about all the sub-contractors used for processing the personal data
  • Disclosing to the cloud customer in which countries will the data be stored
  • Document management for cloud policies and procedures
  • Encrypting data that is transmitted over public networks
  • Ensuring the data reaches the destination
  • Not using the data for marketing and advertising
  • Notification to the customer in case of a data breach
  • Notification to the customer in case of a request for data disclosure
  • Policy for return, transfer and disposal of personal data
  • Procedure for data restoration
  • Processing the data only for the purpose for which the customer has rovided this data
  • Recording all the disclosures of personal data
  • Records of user access to the cloud
  • Restriction of printing the personal data
  • Restriction of usage of media that does not have encryption capability
  • Rights of the customer to access and delete the data
  • Specifying the minimum security controls in contracts with customers and subcontractors
  • Usage of unique IDs for cloud customers

Add-ons are delivered as a separate Confluence space backup. They can be merged into Instant 27001 using the provided instructions.


  • ISO 27018 add-on ISMS: € 995 (for existing Instant 27001 clients)
  • Instant 27001 + ISO 27018 add-on: € 2990

Excluding applicable taxes (read more)

Start your ISO 27001
journey today!

Order now   Book a demo