Module 1: Cloud Privacy Foundations

ISO 27018 & ISO 27001 Relationship

ISO 27018 doesn't stand alone—it builds on the foundation of ISO 27001 and ISO 27002. Understanding their relationship is crucial for implementation.

The ISO 27000 Family

  Standard    Purpose
  ISO 27000   Vocabulary and definitions
  ISO 27001   ISMS requirements (certifiable)
  ISO 27002   Security controls catalog
  ISO 27018   PII protection in public cloud
  ISO 27017   General cloud security
  ISO 27701   Privacy Information Management

ISO 27018 = 27002 + Cloud PII Controls

ISO 27018 takes ISO 27002 controls and:

  1. Adapts them for cloud environments
  2. Adds PII-specific requirements
  3. Provides cloud service provider guidance
  4. Clarifies customer vs. provider responsibilities

How They Work Together

If You Have ISO 27001

  • You already have the ISMS framework
  • Add ISO 27018-specific controls
  • Extend scope to cover PII processing
  • Update policies for cloud privacy

If You're Starting Fresh

  • Implement ISO 27001 ISMS first
  • Add ISO 27002 controls
  • Layer on ISO 27018 requirements
  • Consider dual certification

Certification Options

Option 1: ISO 27001 + 27018

  • Full ISMS with cloud PII focus
  • Two certificates
  • Most comprehensive approach

Option 2: ISO 27001 with 27018 Controls

  • Single ISMS including cloud PII
  • One certificate mentioning both
  • More integrated approach

Option 3: ISO 27018 Only

  • Less common
  • Cloud-specific certification
  • Limited market recognition

Key Additions in ISO 27018

ISO 27018 adds these to 27002:

  • Consent management requirements
  • Data location transparency
  • PII disclosure procedures
  • Return/deletion of PII
  • Sub-processor notification
  • Cloud-specific technical controls

Practical Example

Without ISO 27018: "We encrypt customer data in transit and at rest."

With ISO 27018: "We encrypt customer PII in transit and at rest, provide customers with documented data location details, notify customers before engaging sub-processors, and ensure PII deletion within 90 days of contract termination."

Implementation Strategy

  1. Establish ISO 27001 ISMS (if not already certified)
  2. Identify PII in cloud services
  3. Perform a gap analysis against 27018 requirements
  4. Implement additional controls
  5. Update documentation
  6. Pursue certification

Next Lesson: Deep dive into PII processing principles.