ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The ISO/IEC 27000 family of standards helps organizations of every type and size keep information assets secure.
In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.
At least once a year, Microsoft Azure and Azure Germany are audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively. As part of this compliance verification process, the auditors validate in their statement of applicability that Microsoft in-scope cloud services and commercial technical support services have incorporated ISO/IEC 27018 controls for the protection of PII in Azure. To remain compliant, Microsoft cloud services must be subject to annual third-party reviews.
By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, Microsoft—the first major cloud provider to incorporate this code of practice—demonstrates that its privacy policies and procedures are robust and in line with its high standards.
- Customers of Microsoft cloud services know where their data is stored. Because ISO/IEC 27018 requires certified CSPs to inform customers of the countries in which their data may be stored, Microsoft cloud service customers have the visibility they need to comply with any applicable information security rules.
- Customer data won’t be used for marketing or advertising without explicit consent. Some CSPs use customer data for their own commercial ends, including for targeted advertising. Because Microsoft has adopted ISO/IEC 27018 for its in-scope enterprise cloud services, customers can rest assured that their data will never be used for such purposes without explicit consent, and that consent cannot be a condition for use of the cloud service.
- Microsoft customers know what’s happening with their PII. ISO/IEC 27018 requires a policy that allows for the return, transfer, and secure disposal of personal information within a reasonable period of time. If Microsoft works with other companies that need access to your customer data, Microsoft proactively discloses the identities of those sub-processors.
- Microsoft will comply only with legally binding requests for disclosure of customer data. If Microsoft must comply with such a request—as in the case of a criminal investigation—it will always notify the customer unless it is prohibited by law from doing so.
Frequently asked questions
In the context of ISO/IEC 27018:
- “Controllers” control the collection, holding, processing, or use of personal information; they include those who control it on another company’s behalf.
- “Processors” process information on behalf of controllers; they do not make decisions as to how to use the information or the purposes of the processing. In providing its enterprise cloud services, Microsoft—as a vendor to you—is an information processor.
- You can review the ISO/IEC 27018 certificates from BSI for Azure, Azure Germany, Commercial Support, and Power BI.
- You can also review ISO/IEC 27001 certificates from BSI upon which ISO/IEC 27018 certification is based for Dynamics 365, Office 365, and Visual Studio Team Services.
- To review the reports from BSI, the independent auditor that validated Microsoft compliance with ISO/IEC 27018, visit the Service Trust Portal.
Yes. If compliance with ISO/IEC 27018 is important for your business and for implementations deployed on any of Microsoft's in-scope enterprise cloud services, you can use Microsoft's attestation of compliance with ISO/IEC 27018, in conjunction with Microsoft's certification for ISO/IEC 27001, in your compliance assessment.
However, you are responsible for engaging an assessor to evaluate your implementation for compliance, as well as for the controls and processes within your own organization.
Audit reports and certificates
Microsoft cloud and commercial technical support services are audited once a year for the ISO/IEC 27018 code of practice as part of the certification process for ISO/IEC 27001.
Audits and reports
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenter - ISO 27001 and 27018 Certificate
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenter - ISO 27001 and 27018 Audit Assessment Report
- Azure, Intune, Power BI, Cloud App Security, Microsoft PowerApps, Microsoft Flow, Microsoft Graph, Microsoft Genomics, and Microsoft Datacenter - ISO 27001 and 27018 Statement of Applicability (SOA) 2017
- Azure Germany - ISO 27018 Code of Practice for Protecting Personal Data in the Cloud - Certificate
- Office 365 - ISO 27001, ISO 27018, and ISO 27017 Audit Assessment Report
- Yammer ISO 27018 Audit Assessment Report
- Dynamics 365 ISO 27018 Audit Assessment Report
- Dynamics 365 for Marketing ISO 27018 Audit Assessment Report
- Dynamics 365 Parature ISO 27018 Audit Assessment Report
- Visual Studio Team Services
Microsoft in-scope services
Covered services include:
- Azure, Azure Government, and Azure Germany detailed list
- Cloud App Security
- Commercial Support: Premier and on-premises support for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Office 365
- Dynamics 365 and Dynamics 365 U.S. Government detailed list
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense detailed list
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- Visual Studio Team Services