ISO 27018 Certification
ISO/IEC 27018 is an international standard that establishes an internationally agreed set of controls for protecting personally identifiable information (PII) in public clouds. It adds twenty-four controls specific to cloud service providers, covering PII protection throughout the entire lifecycle, from collection to destruction; transparent allocation of responsibility between the provider, its subcontractors and the customer; technical measures (encryption, access control, logging); data breach response procedures; and data subject rights. The standard is built on the 11 privacy principles of ISO/IEC 29100, which closely align with the data protection principles of GDPR.
Imperium Certific is a NAAU-accredited certification body. We conduct certification audits according to the requirements of DSTU ISO/IEC 27018:2019 (ISO/IEC 27018:2019, IDT) as a scope extension of ISO/IEC 27001 certification.
Important to understand: ISO/IEC 27018, like ISO/IEC 27017, is by nature a code of practice, not a requirements standard. There is no standalone certification for ISO 27018. Certification is achieved through a scope extension of the ISO/IEC 27001 audit, with the twenty-four PII protection controls included in the Statement of Applicability. This is the accepted industry practice: Microsoft Azure, AWS, Google Cloud, Oracle and other leading global cloud providers hold their ISO/IEC 27018 certifications under this model.
Who Needs ISO 27018 Certification
The ISO/IEC 27018 standard was created for public cloud service providers acting as personal data processors — those who process data not for themselves but on behalf of and under the instructions of their customers. Certification is particularly relevant for:
SaaS, PaaS, and IaaS Providers
— companies whose cloud services store data of their customers' employees, buyers, patients, or users
Data Centers and Hosting Providers
— colocation, dedicated servers, virtual data centers processing customer PII
Cloud Business Platform Developers
— CRM, ERP, HRM, medical, educational, financial SaaS solutions handling personal data
IT Outsourcing and MSP Services
— managed services, IT infrastructure outsourcing, data processing, contact centers
Subcontractors of Cloud Providers
— companies acting as PII processors in the cloud services chain for another CSP
PII Controllers Using Cloud Services
— organizations that determine the purposes of data processing and need to confirm due diligence in selecting a cloud processor
Any organization
— from startup to government enterprise, working with personal data in public clouds and required to prove an adequate level of PII protection to regulators, auditors, and customers
Benefits of ISO 27018 Certification
ISO 27018 certification answers the key question of the modern digital business: how can a cloud provider prove to customers, regulators, and auditors that the personal data under its control is actually protected?
- Access to large contracts and tenders: corporate customers, banks, insurers, medical institutions, and international companies increasingly include ISO/IEC 27018 compliance requirements in tender documentation. Without a certificate, a provider risks being excluded from the shortlist, especially in government and European tenders.
- GDPR and Ukrainian data protection law readiness: the standard systematically covers the technical and organizational measures required by Article 32 GDPR. The certificate significantly simplifies proof of due diligence before European and Ukrainian regulators and reduces the risk of fines, which under GDPR can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher.
- Competitive advantage in the international market: Microsoft Azure, AWS, Google Cloud, and Oracle are certified under this standard. With the same certificate, a Ukrainian company speaks the same language as its customers and partners, which is especially important under EU integration and when entering foreign markets.
- Ready framework for Data Processing Agreements (DPAs): Annex A of the standard is essentially a checklist of conditions that belong in a data processing agreement: breach notifications, PII return or destruction, geographical server location, prohibition of commercial use of customer data, subcontractor control. This saves lawyers weeks of work and closes typical contract loopholes.
- Transparent responsibility allocation with the customer: the standard clearly regulates what the provider must do and what remains the customer's responsibility in the IaaS, PaaS, and SaaS models. This eliminates dozens of potential disputes at the contract stage and proves crucial during incidents.
- Increased customer trust and simplified external audits: the certificate is public proof that the provider does not use customer data for its own marketing purposes, controls subcontractors, maintains a log of information disclosures, and is ready to report any incident promptly. Instead of dozens of separate customer infrastructure audits (technically complex in a multi-tenant environment), the provider presents one independent certificate.
ISO 27018 Certification Process
ISO/IEC 27018 certification is conducted as an add-on assessment within the framework of an ISO/IEC 27001 certification audit and complies with ISO/IEC 17021-1 and NAAU accreditation requirements.
Stage 1 — Application and Scope Definition — The organization submits an application for ISO 27001 certification with scope extension under ISO 27018. We analyze the cloud services architecture, the volume and categories of processed PII, controller and processor roles, geography of data processing, list of subcontractors, and service delivery model to determine audit complexity.
Stage 2 — Stage 1 Audit (Documentation Review) — Verification of ISMS and PII protection controls readiness: cloud personal data protection policy, PII register and data subject categories, Statement of Applicability with included ISO 27018 controls, data processing agreements (DPAs), breach notification procedures, data subject rights implementation procedures.
Stage 3 — Stage 2 Audit (On-site) — The audit team verifies the practical functioning of 27018 controls: PII encryption at rest and in transit, customer data access control, PII operation logging, secure deletion of temporary files and previously used disk space, unique user IDs, subcontractor management, return/destruction of PII upon contract termination.
Stage 4 — Certification Decision — Based on the audit results, a report is prepared. The decision to issue the certificate is made independently of the audit team, ensuring impartiality.
Stage 5 — Certificate Issuance — An ISO/IEC 27001 certificate is issued with an explicit indication in the scope statement that the ISMS includes the ISO/IEC 27018:2019 controls. The certificate is valid for 3 years. Information about the certification is entered into our register of issued certificates.
Stage 6 — Surveillance Audits — Annual surveillance audits confirm continuous functioning of 27018 controls within the ISMS. The recertification audit is conducted before the certificate expires.
ISO 27018 Certification Cost
The cost of ISO 27018 certification is added to the base cost of ISO 27001 certification and is determined individually after the preliminary analysis performed at Stage 1: the service delivery model, the volume and categories of processed PII, the geography of data processing, and the number of subcontractors with PII access all affect the audit complexity and therefore the price.
Documents for ISO 27018 Certification
In addition to the standard document package for ISO 27001, the organization must additionally prepare:
1. Personal data protection policy for cloud services
2. Register of PII and data subject categories
3. Statement of Applicability with the included ISO/IEC 27018 controls
4. Data processing agreements (DPAs) with cloud service customers
5. List of subcontractors with PII access and the agreements with them
6. Procedure for notifying customers and regulators of PII breaches
7. Register of PII disclosures (law enforcement requests, court orders)
8. Procedures for implementing data subject rights (access, rectification, erasure)
9. Procedure for returning or destroying PII after engagement termination
10. Document on PII processing geography (location of PII processing)
11. PII encryption policy for data at rest and in transit
12. Procedure for secure deletion of temporary files and released disk space
FAQ
Is there a standalone ISO 27018 certificate?
No. ISO/IEC 27018 is a code of practice, not a certification standard. Certification is achieved through a scope extension of ISO/IEC 27001 certification with the addition of the twenty-four CSP-specific PII protection controls to the Statement of Applicability. The certificate's scope statement references ISO/IEC 27018:2019.
How does ISO 27018 relate to GDPR?
ISO/IEC 27018 is built on the 11 privacy principles of ISO/IEC 29100, which closely align with the data protection principles of GDPR. The standard systematically covers the technical and organizational measures required by Article 32 GDPR. The certificate significantly simplifies proof of due diligence before European regulators and reduces the risk of fines, which under GDPR can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher.
What is the difference between ISO 27017 and ISO 27018?
ISO/IEC 27017 establishes general information security controls for cloud services and addresses both providers and cloud service customers. ISO/IEC 27018 specializes in protecting personally identifiable information (PII) in public clouds and primarily addresses providers acting as PII processors. Both standards complement ISO/IEC 27001 and are often certified together as a unified set of cloud controls within one ISMS scope.