AUTHOR: The Drata Team
ISO/IEC 27018:2025 Now Supported
ISO/IEC 27018:2025 is the third edition of the international standard for protecting personally identifiable information (PII) in public cloud services when the cloud service provider acts as a PII processor.
ISO/IEC 27018 is designed to be used alongside ISO/IEC 27002 and is typically implemented as an extension to an ISO/IEC 27001 ISMS. In Drata, ISO 27018 is offered as an add-on framework to ISO 27001, so customers begin with ISO 27001 and then layer on ISO 27018.
Why It Matters to Customers
As cloud adoption accelerates and data‑protection requirements become more complex, ISO 27018:2025 offers a globally recognised code of practice and control framework built specifically for PII in public cloud environments — helping organisations demonstrate transparency, manage contractual obligations, enable auditability and meet regulatory expectations across jurisdictions. Companies are commonly asked to comply with ISO 27018 by their customers.
What’s New in ISO 27018:2025
Aligned with ISO/IEC 27002:2022 — the control structure and terminology have been updated to match the latest information‑security baseline.
Introduction of Annex B — provides mapping and backward‑compatibility guidance to the previous edition (2019) for easier transition.
Enhanced role clarity — stronger definitions and guidance distinguishing the responsibilities of cloud service providers (as PII processors) and cloud customers (as PII controllers).
Reinforced sub-processor controls and transparency obligations — detailed guidance on managing and documenting third-party and sub-processing relationships and breach notification.
Modernised structure and language — reflecting current cloud service models, multi‑tenant environments, and evolving regulatory demands.