Secure Your Business



The International Standard for Data Protection in the Cloud directly builds on the contents of
information security acc. to ISO 27001.




“An ISO Standard will always have the
biggest expressiveness on the market.
As we are a computing center certified acc. to ISO-27001,
cloud certification acc. to
ISO 27018 is the logical add-on for us.”


 Dipl.-Ing. Dietmar Schlar, Raiffeisen Informatik Center Steiermark GmbH (Raiffeisen IT Center Styria Ltd.)


The International Standard for “Data Protection in the Cloud” is aimed at guaranteeing protection for customers’ administered personally identifiable information that is as high as possible and secured contractually while minimizing the risks of contractual breaches: ISO/IEC 27018:2014 (“Information technology — Security techniques — Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors“) directly refers to the contents of the Certification Standard ISO/IEC 27001 for Information Security and the commensurate Guide for Information Security Controls ISO/IEC 27002. ISO 27018 specifies these controls by helping to integrate the special requirements relating to the protection of personally identifiable information within public cloud services in an existing information security management system. In ISO 27018, the contents of ISO 27002 are extended by adding the relevant cloud aspects. At first sight, the main clauses of ISO 27018 thus are identical to those of ISO 27002:


The 14 main clauses of ISO/IEC 27018

  • Security Policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical & environmental security
  • Operations securitymark_orange_istockphoto_nmcandre
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • IS incident management
  • IS aspects of business continuity management
  • Compliance


Thanks to its requirements, ISO 27018 fulfils large parts of the planned EU General Data Protection Directive just as much as large parts of the Austrian and German Data Protection Acts. Furthermore, organizations will, in the course of a certification project acc. to ISO 27018, define what national legal requirements are relevant to their services in a public cloud as well as to their customers and business partners. The vocabulary and contents of ISO/IEC 27018 follow ISO/IEC 17788 “Cloud computing - overview and vocabulary” as well as ISO/IEC 29100 “Privacy framework”.

Central requirements ISO 27018 places on certified cloud providers:

  • Personally identifiable information may exclusively be processed in conformity to the customer requirements and must not be used for the cloud providers’ own purposes unless the customer has given an explicit consent.
  • It is required to define processes defining the return, transmission, forwarding and destruction of personally identifiable information.
  • Before concluding a contract, all the relevant subcontracts as well as all countries where data processing takes place will have to be disclosed.
  • Any kind of infringement of data security will have to be documented - this also refers to the steps taken to solve the problems and the possible consequences.
  • Security infringements will have to be communicated to the customer immediately so that the customer can fulfil the customer’s own reporting duty.
  • Customers will have to be supported in safeguarding the rights of parties concerned: The cloud customers will have to be offered tools helping them to give the end users access to their personally identifiable information so that they can change, delete and correct this information.
  • Personally identifiable information may only be passed on to criminal prosecution authorities if there is a legal obligation. The customer concerned will have to be informed before personally identifiable information is passed on unless it is prohibited to pass on such information by law.
  • The cloud services provided will have to be reviewed by independent third parties at regular intervals and in case of major system changes.


CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com