ISO/IEC 27018:2019

ISO/IEC 27018:2019 overview

ISO/IEC 27018:2019 is the first international code of practice for cloud privacy. Its guidelines are based on the ISO/IEC 27002:2013 guidelines and best practices for information security management. Based on EU data protection laws, it gives specific guidance to cloud service providers acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. ISO/IEC 27018:2019 establishes cloud-specific control objectives and guidelines for PII in accordance with the privacy principles in ISO/IEC 29100:2011.

Azure and ISO/IEC 27018

Microsoft Azure, Dynamics 365, and other Microsoft cloud services are assessed for compliance with the ISO/IEC 27018 code of practice during regular ISO/IEC 27001 audits conducted by an independent third-party auditing firm. You can review the Azure ISO/IEC 27018 certificate and audit report for more information. These documents demonstrate that Microsoft online services in scope for the audit have incorporated ISO/IEC 27018 controls for the protection of PII.


  • Azure
  • Azure Government
  • Azure China (for more information, see Trust Center documentation)

Services in scope

For a list of Microsoft cloud services in audit scope, see the Azure ISO/IEC 27018 certificate or Cloud services in audit scope:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

For Azure DevOps, see the standalone Azure DevOps ISO/IEC 27018 certificate.

Office 365 and ISO/IEC 27018

For more information about Office 365 compliance, see Office 365 ISO/IEC 27018 documentation.

Microsoft Professional Services compliance

For more information about Microsoft Professional Services compliance, see Microsoft Professional Services documentation.

Audit reports and certificates

The Azure ISO/IEC 27018 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services. You can access Azure ISO/IEC 27018 audit documents from the Service Trust Portal (STP) ISO reports section. For instructions on how to access audit reports and certificates, see Audit documentation.

The Azure DevOps ISO/IEC 27018 certificate is available separately from the Service Trust Portal ISO reports section.

Frequently asked questions

To whom does ISO/IEC 27018 apply?
The ISO/IEC 27018 code of practice applies to cloud service providers (CSPs) that process personally identifiable information (PII) under contract for other organizations. At Microsoft, it also applies to the support of those CSPs.

What is the difference between personal information controllers and personal information processors?
In the context of ISO/IEC 27018:

  • Controllers control the collection, holding, processing, or use of personal information; they include those who control it on another company's behalf.
  • Processors process information on behalf of controllers; they don't make decisions as to how the information is used or what the purpose of processing is. In providing its enterprise cloud services, Microsoft (as a vendor to you) is an information processor.

How can I get the Azure ISO/IEC 27018 audit documentation?
For links to audit documentation, see Audit reports and certificates.

Can I use the Azure ISO/IEC 27018 compliance assurances in my organization’s certification process?
Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you're responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.