
ISO 27018

Personal data optimally protected in the cloud

ISO 27018 provides cloud service providers that process personal data (PII) on behalf of their customers with guidelines for handling that data securely within the cloud environment. The standard should be seen as a supplement to ISO 27001, ISO 27002 and ISO 27017 and can therefore be integrated into an existing information security management system (ISMS) without setting up a separate management system.

What is ISO 27018?

ISO 27018 is an international standard that focuses on the protection of personal data in the cloud. It provides guidance to cloud service providers on how to securely manage personal data and ensure privacy. The standard builds on the existing ISO/IEC 27002 control framework for information security management and specifically addresses the privacy and security challenges that are particular to cloud computing. It includes controls and best practices for handling personal data, for transparency towards cloud customers about where and how their data is processed, and for protecting that data from unauthorised access.

Special features of ISO 27018

  • Provides a framework to successfully ensure the protection of personal data in a cloud environment
  • Helps to fulfil legal and regulatory requirements for data protection and privacy
  • Addresses privacy-related cloud-specific security issues and provides additional controls
  • Helps to identify, assess and manage existing information security risks

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication, Berlin

Goal achieved? We check that: TÜV Informationstechnik, Essen

Frequently Asked Questions (FAQ)

What you need to know about ISO 27018

As every company has different requirements, and the requirements placed on a management system vary accordingly, the cost of ISO 27018 certification cannot be stated in general terms.

The decisive factor is the number of audit days required for the two-stage certification audit. Smaller and medium-sized companies generally require fewer audit days, whereas larger companies and groups should plan for more time and budget accordingly.

We would be happy to provide you with a customised quote.

An existing ISO 27001 and ISO 27017 certification is a necessary prerequisite for ISO 27018 certification.

ISO 27018 certification is particularly suitable for

Cloud Service Providers (CSPs)

Cloud service providers can use the certification to demonstrate that they comply with the highest standards for the protection of personal data in the cloud. This is particularly important for providers who work with sensitive or personal data.

Organisations that use cloud services

Organisations that use cloud services and want to ensure that their data is handled in accordance with the best data protection practices can benefit from the certification.

Overall, ISO 27018 certification is suitable for any organisation that processes personal data in the cloud and wants to ensure that it adheres to the highest data protection standards.

Do you already have an ISO 27001 and ISO 27017 certificate?

In this case, your ISMS is audited separately against ISO 27018. The resulting certificate runs to the same expiry date as your existing ISO 27001 certificate.

Is your ISO 27001 certificate expiring?

In this case, it makes sense to synchronise the audits for ISO 27001, ISO 27017 and ISO 27018 so that all three certificates share the same cycle.

Are you aiming for joint certification to ISO 27001 & ISO 27017 & ISO 27018?

If you start with ISO 27001, ISO 27017 and ISO 27018 at the same time, the audits for the three standards are synchronised and carried out in one combined audit cycle.

The ISO 27018 certificate is valid for a maximum of 3 years.

A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit checks whether the requirements for renewing the certificate are still met.