Protection & privacy
29 August 2025

ISO/IEC 27018:2025: New version for cloud processors


I’ve already written about this standard in a March 2022 article:

https://medium.com/@btk667/iso27018-concernant-la-protection-des-renseignements-personnels-des-processeurs-infonuagique-261378d7ddef

On August 25, 2025, ISO announced the updated ISO/IEC 27018 standard.

Having read it, I’d like to share what’s new and what has changed.


Quick reminder

ISO/IEC 27018 is an add-on to ISO/IEC 27001 for protecting personal information processed on cloud services.

ISO/IEC 27001 is the basis for the security measures of an ISMS program. ISO/IEC 27018 adds cloud-specific controls to protect personal information (PI).

The standard is primarily aimed at software-as-a-service (SaaS) providers that process PI on behalf of their customers.

Even if you are not a provider yourself, you should still use it as a basis for evaluating your SaaS suppliers.

To learn more about the Data Controller and Processor roles, please read my article: https://medium.com/@btk667/personal-information-know-your-role-11b1973cc9d6


History

  • 2014 (1st edition): first publication of the “code of practice” for public cloud PI processors.
  • 2019 (2nd edition): minor revision to correct and clarify the 1st edition.
  • 2025 (3rd edition): revision to align with ISO/IEC 27002:2022, with its new control themes, attributes, and so on.

What’s new in 2025

The new standard is aligned with ISO/IEC 27002:2022: controls are reorganized by theme (organizational, people, physical, technological). Some of the controls introduced in that edition:

  • Threat intelligence (5.7) and ICT readiness for business continuity (5.30);
  • Configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12);
  • Monitoring activities (8.16), web filtering (8.23), secure coding (8.28).

New “public cloud and PI” controls: ISO/IEC 27018 adds implementation guidance specific to public cloud services for several controls, and adds information to Annex A where PI-specific expectations apply. For example:

  • Identity management (5.16): give customers the means to create and remove user access;
  • Logging (8.15): define who can see what, restrict access to logs containing PI, and set retention periods and automatic deletion;
  • Cryptography (8.24): describe the key management service (KMS), hardware security module (HSM) and bring-your-own-key (BYOK) options available, as well as the key management choices made;
  • Backups (8.13): clarify who (you or your customer) is responsible for copies, restoration and testing, and where replicas are located.

A new Annex B provides a 2019 to 2025 correspondence table mapping the old controls to the new ones.

Integrate PI requirements from the start, and clearly define responsibilities in contracts (customer, supplier, subcontractors).

Updated content and references (including ISO/IEC 29100:2024) to better reflect current cloud usage and privacy expectations. The standard is not a law, but it aligns more closely with the GDPR and Quebec’s Law 25.

More measures to support the customer in collecting, modifying and withdrawing consent, with proof retained and immediate operational effect (e.g. e-mail sending stops as soon as consent is withdrawn).

Greater emphasis on logging access to, deletion of and modification of PI, both to justify actions and to keep electronic traces available for audits and for requests from individuals.

Controls consistent with a “Zero Trust” approach: least privilege, separation of environments, visibility over transfers and control of subcontractors, including for cross-border transfers.

Clearer distinction between controller (customer) and processor (supplier), better documented and contractualized throughout the subcontracting chain, with audit trails to demonstrate who is responsible for what.

Revised vocabulary, structure and clauses to harmonize with privacy standards and laws worldwide and to ease assessment and recognition of compliance against them.


Examples of specific “27018” controls

Here are a few examples of ISO/IEC 27018 requirements.

1) A.2.1 – Consent and choice
The processor must support the customer in obtaining valid consent, allowing it to be modified or withdrawn, and keeping proof of these decisions.
In practice this means a granular consent screen (per purpose), a preferences page accessible at all times, a record of decisions with timestamp and user identity, and automatic updating of processing (e.g. marketing e-mails stop as soon as consent is withdrawn).
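To make the A.2.1 mechanics concrete, here is an added example (my own illustration, not code from the standard or from any product): an in-memory, per-purpose consent ledger where every grant or withdrawal is timestamped, attributed to the person who recorded it, and hash-chained so the record is tamper-evident, and where the processing guard consults the live ledger before every send so withdrawal takes effect immediately. Subject IDs, purpose names and the agent name are hypothetical.

```python
# Added example, not from the article or the standard. Subject identifiers,
# purposes and actor names are hypothetical; the ledger is in-memory only.
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str    # pseudonymous identifier of the individual
    purpose: str       # one purpose per event, e.g. "marketing_email"
    granted: bool      # True = consent given, False = consent withdrawn
    recorded_at: str   # UTC timestamp, ISO 8601
    actor: str         # who recorded the decision (the individual or an agent)
    prev_hash: str     # digest of the previous event (tamper-evident chain)
    digest: str        # SHA-256 over this event's fields, including prev_hash

    def recompute_digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, per-purpose consent record with immediate operational effect."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._state: Dict[Tuple[str, str], bool] = {}  # (subject, purpose) -> granted

    def _record(self, subject_id: str, purpose: str, granted: bool,
                actor: str, at: Optional[datetime] = None) -> ConsentEvent:
        at = at or datetime.now(timezone.utc)
        prev = self._events[-1].digest if self._events else GENESIS
        draft = ConsentEvent(subject_id, purpose, granted, at.isoformat(), actor, prev, "")
        event = replace(draft, digest=draft.recompute_digest())
        self._events.append(event)
        self._state[(subject_id, purpose)] = granted  # effect is immediate
        return event

    def grant(self, subject_id: str, purpose: str, actor: str, at=None) -> ConsentEvent:
        return self._record(subject_id, purpose, True, actor, at)

    def withdraw(self, subject_id: str, purpose: str, actor: str, at=None) -> ConsentEvent:
        return self._record(subject_id, purpose, False, actor, at)

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        # No record means no consent: processing is opt-in, per purpose.
        return self._state.get((subject_id, purpose), False)

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        # Proof of decisions for audits and for access requests by the individual.
        return [e for e in self._events if e.subject_id == subject_id]

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self._events:
            if e.prev_hash != prev or e.recompute_digest() != e.digest:
                return False
            prev = e.digest
        return True


def send_marketing_batch(ledger: ConsentLedger, subject_ids: List[str],
                         purpose: str = "marketing_email") -> Tuple[List[str], List[str]]:
    """Processing guard: ask the ledger before every send, never a cached list."""
    sent, skipped = [], []
    for sid in subject_ids:
        (sent if ledger.is_permitted(sid, purpose) else skipped).append(sid)
    return sent, skipped


def demo() -> dict:
    """Grant, grant via a support agent, withdraw, then run a batch (constructed data)."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 9, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("subj-001", "marketing_email", actor="subj-001", at=t0)
    ledger.grant("subj-002", "marketing_email", actor="support-agent-7", at=t0)
    ledger.withdraw("subj-001", "marketing_email", actor="subj-001", at=t0.replace(hour=10))
    sent, skipped = send_marketing_batch(ledger, ["subj-001", "subj-002", "subj-003"])
    return {"sent": sent, "skipped": skipped, "chain_ok": ledger.verify_chain(),
            "subj001_history": [(e.granted, e.recorded_at) for e in ledger.evidence("subj-001")]}


def tamper_check() -> bool:
    """Rewrite a stored withdrawal as a grant; the chain must stop verifying."""
    ledger = ConsentLedger()
    ledger.grant("subj-009", "analytics", actor="subj-009")
    ledger.withdraw("subj-009", "analytics", actor="subj-009")
    ledger._events[1] = replace(ledger._events[1], granted=True)  # forged after the fact
    return ledger.verify_chain()


if __name__ == "__main__":
    print(demo())            # subj-001 withdrew, subj-003 never consented
    print(tamper_check())    # False: the forged event breaks the hash chain
```

Two design points worth noting: absence of a record is treated as no consent (opt-in by purpose), and the send loop queries the ledger per recipient rather than exporting a mailing list, which is what makes “stop as soon as consent is withdrawn” true in practice. In a real deployment the ledger would be persisted and its digests anchored somewhere the application cannot rewrite.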

2) A.10.1 – Notification of PI breaches
Every incident must be assessed to determine whether a PI breach has occurred; the customer must be notified promptly with the information it needs to meet its own legal obligations.
Concretely, the organization needs an incident procedure with qualification criteria (severity, types of PI affected), customer notification within a defined timeframe (e.g. 24 to 72 h), an incident log, and a message template covering cause, scope, measures taken and actions recommended to the customer.

3) A.11.8 – Unique user IDs
Access must be assigned individually; shared accounts are to be avoided so that actions remain traceable to a person.

4) A.12.1 – Location of PI
The processor documents where PI is processed and stored (production, backups, replicas) and keeps this information up to date.

5) A.5.1 – Deleting temporary files
Temporary files containing PI should be securely deleted as soon as they are no longer required.


Quick checklist

Answer Yes or No to each question.

  1. Does your SoA reflect the 2025 structure (clauses 5 to 8) and the relevant PI controls?
  2. Do you offer your customers the means to exercise their rights (portal and API, clearly defined deadlines)?
  3. Do you keep an up-to-date register of subcontractors, including locations and guarantees?
  4. Do your contracts include standardized PI clauses (purpose, prohibited uses, audit, notification, retention/erasure, location)?
  5. Does identity management provide for delegation to the customer, a complete lifecycle (creation, modification, termination) and periodic validation?
  6. Does logging restrict access by organization and include periodic reviews and automatic retention and purging rules?
  7. Are your deletion procedures tested (production and backups), with published deadlines and proof of deletion retained?
  8. Do you have an inventory of Key Management Service (KMS), Hardware Security Module (HSM) and Bring Your Own Key (BYOK) options, and is the key management policy communicated to customers?
  9. Do your backups and restores have defined and tested RTOs/RPOs, with documented locations?
  10. Does your incident process qualify a PI breach against clear criteria, with response playbooks for notification and up-to-date records?
  11. Do test environments prohibit PI, or use pseudonymized/masked data with rapid erasure?
  12. Do you offer role-appropriate PI awareness training (consequences, prohibited actions)?
  13. Do you carry out privacy impact assessments (PIAs) for transfers outside Quebec/Canada/EU, and do you have contractual safeguards in place?
  14. Do you keep an up-to-date file of evidence (reports, screenshots, logs) and schedule an independent review?

In short, ISO/IEC 27018:2025 doesn’t reinvent the PI protection program; it updates practice to ISO/IEC 27002:2022 and makes contractual commitments clearer.


I invite you to click on “Follow” to continue learning more about information security and privacy topics.

Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity