Diligio Compliance

ISO/IEC 27018, automated

Show how you protect personal data as a cloud processor under ISO 27018, with an agent to do the legwork and a human to certify.

  • Live today
  • Cross-mapped with ISO 27001
  • Agent-assisted, human-certified
  • EU data residency

ISO/IEC 27018 is the code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. Diligio Compliance runs its ISO 27018 controls on the same knowledge base as your ISO 27001 and GDPR work, so the privacy controls reuse evidence you already maintain.

What ISO 27018 is

ISO/IEC 27018:2019 extends ISO 27002 with privacy controls for public-cloud providers acting as PII processors. It covers processing only on customer instruction, transparency about sub-processors and locations, support for data-subject rights, and the return, transfer and deletion of PII.

Its obligations align closely with the processor duties in GDPR Articles 28 and 32, which is why a public-cloud vendor often pursues ISO 27018 to evidence its privacy posture to customers.

How Diligio Compliance helps

PII controls for a processor

A control register covering the ISO 27018 PII controls, each with status, owner, proof, and last-reviewed date, kept alongside your ISO 27001 and GDPR records.

Aligned with GDPR Article 28

The controls are cross-mapped to GDPR processor obligations, so the work you do for one evidences the other instead of being duplicated.

An agent that proposes, a human that certifies

Connect your own AI agent to propose evidence and control statuses across the privacy controls. A person certifies before anything becomes your attested posture, with a kill switch and an audit trail.

One knowledge base with your questionnaires

The same approved answers that respond to privacy questions in security questionnaires drive your ISO 27018 posture and Trust Center. EU data residency throughout.

New to the process? Read ISO 27017 and ISO 27018, explained.

Frequently asked questions

How does ISO 27018 relate to GDPR?

ISO 27018 is a standard and GDPR is a law, but they overlap heavily for a cloud processor. ISO 27018 gives you an auditable way to evidence many of the processor obligations in GDPR Articles 28 and 32. Diligio Compliance cross-maps the two.

Who needs ISO 27018?

Public-cloud providers and SaaS vendors that process personal data on behalf of their customers. It lets you demonstrate a privacy posture to buyers without re-explaining it for every questionnaire.

Is ISO 27018 support available now?

Yes. ISO 27018 is live in Diligio Compliance. Talk to us and we will enable it and align it with your ISO 27001 and GDPR work.

Get started

Tell us you are working towards ISO 27018 and we will enable Diligio Compliance for your team and help you get set up. A flat $1,999 per company per year, or $499 for your first year as a startup.
