ISO/IEC 27018:2019 — Public cloud PII
Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors. Foundational for cloud service providers that process customer PII; also relevant to cloud customers that need to verify a CSP's suitability for PII handling. Maps directly to GDPR and DPDPA processor obligations.
Composition
28 controls currently indexed; participates in 11 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
- Cloud Security Posture Management — continuous configuration assessment
- Cryptographic controls, key management, and post-quantum readiness
- Data localisation — DPDPA SDF traffic data + sectoral requirements
- Data subject / Data Principal rights — operational rights mechanism
- Data-at-rest protection — encryption, access, processor controls
- Data-in-transit protection and physical media handling
- Privacy governance — legal, regulatory, contractual, and algorithmic obligations
- Processor (PII Processor) obligations — ISO 27701 controller relationship
- Secure disposal of equipment, media, and personal information
- Security reporting governance — CISO, DPO, incident reporting, compliance reporting