What is ISO 27018 Certification?

Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO/IEC 27018 is a standard that serves as guidelines or code of conduct for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001. It also helps implement commonly accepted PII protection controls for organisations offering information processing services as PII processors and PII controllers via public cloud computing under a contract or agreement. Given the multi-fold increase in security incidents over the last few years, safeguarding of cloud-hosted sensitive data that holds PII has gained prime importance. The international standard of ISO/IEC 27018 can help mitigate the risk of data compromise for public cloud PII. The standard ensures that a cloud service provider has appropriate procedures in place for handling PII.

Benefits of ISO 27017 Certification

Provides a higher security to customer data and information

Streamlined contracts

provides legal protections for cloud providers and users

Faster enablement of global operations

Competitive Advantage

Mitigate Risks & Optimise Costs

Who can be certified ISO 27017 Certification?

ISO 27018 a code of practice, not a standard. ISO 27018 certification is generally included in the ISO 27001 audit process, if it’s included as an add-on to the ISMS. To gain certification for an ISO standard, a competent auditor will conduct an audit.

IT & IT Enabled Companies

Research and Development

Banking & Financial Institute

Design Services

Organization with Sensitive Data

Government Agencies


Document required for ISO 27017 Certification

  • System Manual
  • System Procedure
  • Policy
  • Objectives
  • Mission & Vision
  • Standard Operating Procedure (SOP)
  • Checklist
  • Forms
  • Formats
  • Records

The extent of Documented Information differs as per:

  • Organization’s size
  • Activities performed by the organization
  • Processes undertaken by the Organization
  • Products and services offered by the organization
  • The complexity of processes undertaken
  • Competence of persons involved

Role of Shamkris and Process of ISO 27018 Certification

Shamkris adopts a results-oriented approach to effective system implementation in the organization. A simple and practical method of system implementation helps organizations increase business efficiency and sustainability. Shamkris supports 100% documentation to obtain an accreditation body of success in addition to enhanced performance.

The implementation process is described below:

Day 1

GAP Analysis, Certification Body, Selection, Cost Estimates

• Finding the GAP between existing system related to ISO 27018 requirements
• Selecting the appropriate certification Body
• Based on the scope of your business & certification Body you choose

Week 1

Developing Documents

• Management System Manual, Management System Procedures, Policy, Objectives, Forms etc.
• Review of Standard Operating Procedures (SOP)

Week 4

Implementing Management System

• ISO 27018 Awareness training for the top management and staff
• Implementing a well-documented management system throughout the organization

Week 8

Internal Audit

• Internal audits identifying nonconformities related to ISO 27018 requirements
• Management Review Meetings
• Corrective and Preventive Action plan for nonconformities

Week 10

Certification Body
N-C Closing

• Shamkris acts on your behalf and assists you in the third-party audit
• Closing of any nonconformities identified by the certification body

Week 12

Certification Body

• ISO 27018 certificates issued for 1 years

Year on Year

Yearly Compliance

• Support of Yearly documentation for audit

ISO/IEC 27018:2019 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII).

ISO 27017 certification demonstrates cloud service security to users, while ISO 27018 certification ensures that personal data is processed securely.

What is ISO 27018? ISO/IEC 27018 is the international standard for protecting personal information in cloud storage. The term for the personal data it covers is Personally Identifiable Information or PII. ISO 27018 is a code of practice for public cloud service providers.

Earning the ISO 27001/27018 certification is an important part of establishing a baseline of security for any business that processes data in the cloud. Simply put, following these standards helps you reduce security risk since they are recognized as some of the comprehensive in cloud computing applications