ISO 27018 (PII)
Protection of Personally Identifiable Information (PII)
ISO 27018 is the global standard organisations use to implement and manage systems that protect Personally Identifiable Information (PII), such as sensitive customer data. It is part of the broader ISO 27001 and ISO 27002 standards, but ISO 27018 focuses on safeguarding PII data on cloud services. Having effective systems for your organisation to become ISO certified increases customer trust and helps meet data protection regulations.

ISO 27018 accreditation
- Achieve ISO 27018 accreditation with an internationally accredited certification body.
- Gain a competitive advantage through robust data protection systems and management.
- Provide stakeholders and investors reassurance about cloud-based PII protection.
- Demonstrate compliance with data protection regulations such as GDPR.
- Bid for contracts and tenders that require ISO 27018:2019 certification.
- Suitable for organisations of all sizes – from SMEs and corporates to charities.
What is ISO 27018?
ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO 27018 was developed by the International Organization for Standardization. ISO 27018:2019 is the current version of the international standard. With ISO 27018 accreditation, you will be able to demonstrate to customers, investors, and stakeholders that you have systems and processes in place designed to safeguard data on the cloud and comply with aspects of data protection regulations such as GDPR.
ISO/IEC 27018 has been published to allow cloud service providers whose infrastructure is certified to the standard to reassure existing and potential customers that their data is safeguarded and won’t be used for purposes the data subject hasn’t consented to.
The standard provides a framework that helps organisations:
- Implement PII protection controls into your organisation’s information security systems.
- Develop a strong understanding of cloud service providers and practices.
- Work towards satisfying other international standard requirements linked to ISO 27018.
- Reduce the risk of data breaches or data misuse arising from cloud-based storage and processing.
- Provide operational efficiency and accountability throughout an organisation.
What are the benefits of ISO 27018?
ISO 27018 is a code of practice, published as ISO/IEC 27018:2019, that sets out information technology security techniques for protecting PII on public cloud services. It inspires trust in your business, reassuring customers and stakeholders that personal data and information is protected. The cloud provides numerous benefits, including cost savings, flexibility, and mobile access to information. However, sensitive personally identifiable information (PII), such as medical records, financial information, and digital fingerprints, can be stored and processed on cloud-based services, making it crucial to follow best practices for its protection.
ISO 27018 helps organisations develop robust controls to mitigate data misuse risks and protect sensitive data. ISO 27018 certification allows organisations to:
- Gain a competitive advantage – stand out from your competitors by protecting personal information.
- Protect your brand or organisational reputation – reduces the risk of adverse publicity due to data breaches.
- Reduce risks – ensures that risks are identified and that controls are in place to manage or reduce them, following the code of practice set out in ISO/IEC 27018:2019.
- Protect yourself against fines – ensures that local regulations are complied with, reducing the risk of penalties for data breaches.
- Help grow your business – provides common guidelines across different countries, making it easier to do business globally.
“Certification Europe were very knowledgeable in the area of energy management and had a personable approach during the certification process.”
Evelyn Conlon, Risk Manager, Diageo Bailey’s Global Supply
How to become ISO 27018 certified
Implementing ISO 27018 means embedding PII protection measures into your information and data security systems so that personal data is safeguarded.
Certification Europe has granted certification to hundreds of organisations and helped them reach ISO standards, including Liverpool Victoria, Greenstar, and Thornton’s Recycling.
Our qualified ISO assessors conduct a pre-assessment to review whether your organisation meets the standard requirements for ISO 27018 with existing systems and processes. Certification Europe conducts assessments using a multi-stage process to ensure a comprehensive evaluation.
If your organisation meets ISO 27018:2019 requirements, we will issue you with an official certificate and other materials you can use for marketing and promotion schemes.
Start your ISO 27018 certification journey
Contact our team for a free, no-obligation quotation from our dedicated ISO support team to start your ISO certification journey. We tailor our quotes to meet your requirements, and we support a range of ISO standards, including ISO 27001, ISO 27017 and Cyber Essentials.
Learn more about Certification Europe’s accreditations, discover our client testimonials and find out more about working with us.
The Certification Journey
Stage One
The initial assessment determines if the mandatory requirements of the standard are being met and if the management system is capable of proceeding to Stage 2.
Stage Two
The second assessment determines the effectiveness of the system, and seeks to confirm that the management system is implemented and operational.
Recommendation for Certification
At this point in the process we review any corrective actions taken to address findings raised at Stage 1 & 2. Certification may be recommended.
Certification Review & Decision
The organisation’s files are reviewed by an independent and impartial panel and the certification decision is made.
Certification Achieved
Successful certification is communicated to the client. Certificates are issued.
ISO 27018 FAQS
ISO 27018 certification is suitable for any organisation, large or small, in any sector.
The standard is especially suitable for protecting personal data such as payroll, HR or client payment details that are stored in a cloud environment. All organisations that collect, process and store personal data must demonstrate compliance with GDPR and show how they protect data.
If your organisation is already implementing an ISO 27001 ISMS, then you are covered for 70% of the regulations within ISO 27001. However, if you are operating using cloud-based technologies, then ISO 27018 has been seen as an effective bolt-on standard for companies that wish to demonstrate GDPR compliance specifically for data stored on the cloud.
ISO 27018:2019 is the latest standard in the ISO 27018 collection. Certification Europe assessors only certify organisations to the latest version of the standard.
ISO 27018 certification lasts for approximately three years. During this period, assessors are required to complete routine surveillance assessments every six months to ensure continued compliance with the standard.
We’re INAB accredited and always strive to meet rigorous international certification standards.
Accreditation is the process by which a certification body is recognised to offer certification services to other organisations.
To become accredited, Certification Europe is required to implement a Quality Management System which is assessed by an Independent Authorised Body (Irish National Accreditation Body) to determine that it meets International Standards.
We’re audited annually to ensure our services meet the exact requirements of the relevant accreditation standards.
Get in touch
To help us prepare the best quotation for you, please complete the form below. We will get back to you as soon as possible, but if you need immediate assistance, please call +353 1 642 9300.