ISO 27018

What’s ISO 27018?

ISO 27018 is a code of practice for protecting personally identifiable information (PII) in public cloud computing environments. It helps cloud service providers to comply with privacy laws and regulations, and to ensure the security and confidentiality of PII. It is based on ISO 27002, the standard for information security management, and adds specific controls and guidelines for PII protection in the cloud. It covers topics such as consent, purpose limitation, transparency, disclosure, security measures, data retention, and audit rights. ISO 27018 is not a certification standard, but a best practice framework that can be used to demonstrate compliance and to build trust among cloud customers and cloud service providers.

Process offered


The first step of the engagement, after signing the agreement. This helps Securis360 and the Client to understand the scope, objectives, timeline, methods, and roles for the testing.

A good plan is essential for a successful project. Securis360 follows standard procedures to ensure all the important aspects of the engagement are covered.

Understanding and kick off

The kick off marks the beginning of the engagement. Securis360 will set up a call before or at the start of the kick off to sort out any remaining issues. Securis360 will be ready to answer any questions from the client.

Securis360 makes sure to communicate before the testing and on-site visit begin, so that the project and team are stable and the client knows the plan.

Testing and Gathering

The main part of the compliance engagement is testing and gathering. This phase will involve collecting the evidence required for the goals agreed upon during the planning and understanding processes.

Securis360 has a policy of no surprises and keeps in touch with the stakeholders throughout the testing and gathering activities. Moreover, Securis360 will start preparing the draft deliverable to deliver it to the Client quickly after this phase.


The final step of Securis360’s testing method is reporting, but the whole assessment aims to produce a deliverable that is clear, concise, and accurate.

Securis360’s report considers the whole process and tailors a report for each client. The draft report will be delivered at the end of the testing and gathering phase, and the final report will be delivered after the completion of the complete process.