Updated: 09 Mar 2026
ISO/IEC 27018:2019 Cloud PII Protection DPDPA 2023 Aligned GDPR Article 28 Compliant 30 Years | PrecisionTech

India's Most Trusted ISO/IEC 27018:2019 Cloud Privacy Certification Consultants — Protecting PII in Public Cloud with DPDPA 2023 & GDPR Alignment

ISO/IEC 27018:2019 is the international Code of Practice for Protection of Personally Identifiable Information (PII) in Public Cloud Computing. PrecisionTech — with 30 years of technology and consulting expertise — delivers end-to-end ISO 27018:2019 certification: PII data mapping, consent management, data subject rights, sub-processor governance, data deletion verification, transparency controls, DPDPA 2023 integration, and GDPR Article 28 compliance. Trusted by SaaS companies, cloud hosting providers, BPOs, healthcare tech, and fintech across India.

★★★★★
4.9/5 from 67 certified cloud clients — SaaS, BPO, healthcare tech, fintech
[Figure: ISO/IEC 27018:2019 · 8 Core Principles, shown around a public cloud PII processing environment. Panels: Consent (purpose limitation); Transparency (privacy notice); Data minimisation (collect only what is needed); Data subject rights (access/erase); Sub-processor management (third-party risk); Deletion & return (verified erasure); Security controls (encrypt/log/mask); Cross-border (transfer rules).]

What is ISO/IEC 27018:2019 — the Cloud PII Privacy Standard?

☁️

Code of Practice for PII in Public Cloud

ISO/IEC 27018:2019 is the international standard providing a code of practice for protecting Personally Identifiable Information (PII) in public cloud computing environments — specifically targeting cloud service providers acting as PII processors for their customers' personal data.

🔗

Extension to ISO 27001 ISMS

ISO 27018 is not a standalone standard — it is an extension to ISO 27001, adding cloud-specific PII protection controls (Annex A) to the ISMS framework. Certified through a combined ISO 27001 + ISO 27018 audit by a NABCB-accredited certification body — one audit, two certifications.

🇮🇳

DPDPA 2023 & GDPR Enabler

For Indian cloud companies, ISO 27018:2019 simultaneously provides DPDPA 2023 compliance evidence (Section 8(5) security safeguards, Section 12 right to erasure, data processor obligations) and GDPR Article 28 "sufficient guarantees" for EU/UK clients — one certification, multiple compliance outcomes.

Parameter | ISO/IEC 27018:2019 Facts
Full title | ISO/IEC 27018:2019 — Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Published by | ISO/IEC — Joint Technical Committee JTC 1, Subcommittee SC 27
First edition | ISO/IEC 27018:2014 — updated to ISO/IEC 27018:2019
Scope | Public cloud computing environments — cloud service providers acting as PII processors
Primary applicability | SaaS companies, cloud hosting providers, BPOs, managed service providers processing customer PII in public cloud
Relationship to ISO 27001 | Extension to ISO 27001 ISMS — adds Annex A cloud PII-specific controls. Not a standalone certification.
Annex A controls | ~25 additional controls covering consent, purpose limitation, transparency, data subject rights, sub-processors, deletion, security, and cross-border transfers
Key privacy principles | Consent, Purpose Limitation, Data Minimisation, Accuracy, Transparency, Data Subject Rights, Retention & Deletion, Sub-processor Management, Cross-border Transfer Controls
Certification validity | 3 years — annual surveillance audits (combined with ISO 27001 surveillance)
Indian regulatory alignment | DPDPA 2023 (Sections 7, 8, 12, 16), IT Act Section 43A, CERT-In cloud security requirements, RBI/IRDAI data localisation
International alignment | GDPR Article 28 (data processor requirements), GDPR Article 32 (security), APEC CBPR, OECD Privacy Principles
Related standards | ISO 27001:2022 (ISMS), ISO 27701:2019 (PIMS extension), ISO 27017:2015 (cloud security controls), ISO 27002:2022 (implementation guidance)

PII Controller vs. PII Processor — Understanding Your Role

The most fundamental step in ISO 27018:2019 implementation is determining your organisation's role for each PII processing activity. Different obligations apply to controllers vs. processors — and many organisations operate in both roles simultaneously.

[Figure: PII roles and data flow. The data subject (PII principal, an individual) provides consent and PII to the PII controller (DPDPA: Data Fiduciary; GDPR: Data Controller), who determines WHY and HOW PII is processed and issues processing instructions to the PII processor (the cloud service provider; DPDPA: Data Processor; GDPR: Data Processor; ISO 27018 primary focus), who processes PII on behalf of the controller only and may sub-process to sub-processors such as AWS/GCP and SaaS tools. Controller obligations: consent, notice, DSR, breach notification. Processor obligations are the ISO 27018 focus.]

You are a PII Controller when…

  • You collect PII from individuals for your own business purposes (your customer database, your employee records)
  • You decide WHAT PII to collect and WHY it is collected
  • You define the retention period and deletion policy for the PII
  • You obtain consent from data subjects directly
  • You respond to data subject rights requests directly
  • Examples: your own CRM, your own HRMS, your own marketing database

You are a PII Processor when… (ISO 27018 Primary Focus)

  • You process PII on behalf of another organisation (your customer) who instructs you
  • Your customer decides WHAT PII is processed and WHY — you only execute those instructions
  • You must NOT use the PII for your own purposes (no advertising, no product analytics without authorisation)
  • You must support your customer in responding to data subject rights requests
  • Examples: SaaS platforms, managed cloud hosting, BPO/KPO data processing, cloud analytics services

ISO/IEC 27018:2019 — 8 Core PII Protection Principles Deep Dive

ISO 27018:2019 Annex A organises additional cloud PII controls around 8 internationally recognised privacy principles — derived from OECD Privacy Guidelines, APEC Privacy Framework, and major data protection laws.

1. Consent & Purpose Limitation

PII must be processed only for purposes agreed with the PII controller. The cloud provider must never use customer PII for advertising, product analytics, or AI training without explicit controller authorisation. Consent must be freely given, specific, informed, and unambiguous — with granular mechanisms and withdrawal capability.

Indian context: DPDPA 2023 Section 7 (consent requirements) + Section 8(1) (processing only as per consent). ISO 27018 A.1.1 directly satisfies these requirements.

2. Transparency & Privacy Notice

Cloud providers must publish clear, plain-language privacy notices disclosing: PII categories processed, purposes, legal basis, retention periods, data locations, sub-processors, data subject rights, and cross-border transfers. Government access request transparency — publishing policy for handling law enforcement/government PII requests (and aggregate statistics annually).

Indian context: DPDPA 2023 Section 5 (notice requirements). ISO 27018 A.5.1–A.5.5 transparency controls directly satisfy DPDPA notice obligations.

3. Data Minimisation

Only the minimum PII necessary for each stated purpose must be collected and processed. Cloud service design must incorporate data minimisation by default — disabling optional data collection fields that are not strictly necessary. PII minimisation by design: no PII in logs unless strictly necessary, no PII in analytics beyond anonymised identifiers.

Common gap: Log files (application error logs, access logs) often contain full PII (email addresses, user IDs, query parameters) that could be replaced with opaque identifiers.
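The log gap above is usually closed by pseudonymising PII at the point where log lines are written, so correlation across lines still works but no raw identifier reaches the log store. The following is an added example, not code from the original page or from PrecisionTech: it replaces email addresses and PII query-string parameters with keyed-hash pseudonyms. The pepper value, the list of PII query keys and the sample log lines are constructed for the demonstration.

```python
"""Pseudonymise PII in application log lines before they are stored or shipped.

Added example for the logging gap described above; not code from the original
page or from PrecisionTech. The keyed-hash pseudonym scheme, the query-string
key list and the sample log lines are constructed for the demonstration.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Pepper kept outside the logging pipeline (e.g. a KMS-backed secret). A keyed
# hash keeps pseudonyms stable for correlation across lines but makes them
# unrecoverable from the log alone. Constructed value for the demo.
PEPPER = b"demo-only-pepper-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Query-string keys that carry PII in this hypothetical application.
PII_QUERY_KEYS = {"email", "phone", "user_id", "name"}

# Constructed sample lines: one with a bare email, one with the same email
# URL-encoded in a query string, one with no PII at all.
SAMPLE_LOGS = [
    "2026-03-09T10:15:02Z INFO login ok user=priya.sharma@example.com ip=203.0.113.7",
    "2026-03-09T10:15:09Z ERROR export failed GET /api/users?email=priya.sharma%40example.com&page=2",
    "2026-03-09T10:16:00Z INFO health check ok",
]


def pseudonym(value: str) -> str:
    """Stable opaque identifier for a PII value (truncated HMAC-SHA256)."""
    digest = hmac.new(PEPPER, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "pii_" + digest[:16]


def _scrub_text(text: str) -> str:
    return EMAIL_RE.sub(lambda m: pseudonym(m.group(0)), text)


def scrub_url(url: str) -> str:
    """Replace PII query parameters while keeping non-PII ones (paging, sort).

    Values are decoded by parse_qsl, so a URL-encoded address (%40) is caught.
    Non-PII keys still get an email scan, because urlencode would otherwise
    re-encode an address into a form the line-level regex cannot see.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, pseudonym(v) if k in PII_QUERY_KEYS else _scrub_text(v))
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_line(line: str) -> str:
    """Scrub query strings token by token first, then any remaining addresses."""
    tokens = [scrub_url(t) if "?" in t and "=" in t else t for t in line.split(" ")]
    return _scrub_text(" ".join(tokens))


def scrub_logs(lines: list) -> list:
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for out in scrub_logs(SAMPLE_LOGS):
        print(out)
```

Because the same pepper produces the same pseudonym for the same address whether it appears bare or inside a query string, an incident responder can still trace one user's activity through the log; resolving a pseudonym back to a person requires the pepper and the live PII store, which is exactly the separation the data minimisation principle asks for.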

4. Data Subject Rights

Mechanisms for data subjects to exercise: Right of Access (SAR — data export within SLA), Right to Correction (PII accuracy mechanisms), Right to Erasure (verified deletion from all systems including backups), Right to Portability (machine-readable export), Right to Restrict Processing, Right to Object. All must be documented, tested, and SLA-tracked.

Indian context: DPDPA 2023 Sections 11–14 (data principal rights). ISO 27018 A.6.1 implements the technical mechanisms for satisfying DPDPA Sections 11–14 in cloud environments.

5. Retention & Deletion (Verified)

PII retention periods defined and enforced per category and purpose. Automated deletion at retention period expiry. Secure deletion procedures (cryptographic erasure or verified wiping — NIST 800-88 compliant). Deletion from backups (A.8.3) and temporary files (A.8.1). Deletion certificates provided to customers at contract termination (A.8.2). Backup retention aligned with PII retention schedule.

Indian context: DPDPA 2023 Section 12 (right to erasure). Verified deletion is the most practically complex requirement — PrecisionTech implements cryptographic erasure + automated retention policies for cloud-native environments.

6. Sub-processor Management

Complete sub-processor register (name, purpose, PII categories, data location, security certifications). Customer notification before sub-processor changes with right to object. Sub-processor DPAs with equivalent PII protection obligations. Annual sub-processor security due diligence. Government access request handling policy for sub-processors.

Common gap: Error tracking tools (Sentry), support platforms (Zendesk), and analytics tools (Mixpanel) accessing PII often not included in sub-processor register.

7. Technical Security Controls for PII

Encryption at rest (AES-256) and in transit (TLS 1.3). Customer-managed keys (BYOK) for enterprise customers. Access logging for all PII access (immutable audit trail). Data masking in non-production environments — no production PII in dev/test/staging. Unique user IDs (no shared accounts for PII systems). MFA for PII system access. SIEM monitoring for anomalous PII access.

CERT-In alignment: SIEM/log monitoring (ISO 27018 security controls) directly supports CERT-In 6-hour incident reporting for PII breaches in cloud.

8. Cross-border PII Transfer Controls

Identify applicable data localisation requirements: RBI (payment data — India only), IRDAI (insurance data — India only), DPDPA 2023 whitelist mechanism (pending notification). For EU/UK data: Standard Contractual Clauses (SCCs 2021) or UK International Data Transfer Agreements (IDTAs). Data location disclosed to customers. Sub-processor data locations documented.

Indian cloud providers serving EU: No India-EU adequacy decision — EU SCCs (Module 2) required in all DPAs with EU controller clients. ISO 27018 satisfies the Annex II technical measures in SCCs.

ISO 27018:2019 — One Certification, Multiple Compliance Outcomes

PrecisionTech integrates DPDPA 2023 and GDPR compliance mapping directly into the ISO 27018 ISMS — delivering regulatory compliance simultaneously with international certification.

[Figure: ISO/IEC 27018:2019 cloud privacy sits at the intersection of DPDPA 2023 (Sec 5 notice, Sec 7 consent, Sec 12 erasure) and GDPR (Art 28 processor, Art 32 security, SCCs), satisfying both frameworks simultaneously. IT Act S.43A, CERT-In cloud requirements and RBI/IRDAI data localisation are also addressed.]

Regulatory Requirement | ISO 27018:2019 Control | How PrecisionTech Implements
DPDPA 2023 — Section 5 (Notice) | ISO 27018 A.5.1–A.5.3 (Transparency) | Plain-language privacy notice with all required DPDPA elements; version-controlled; linked at point of collection
DPDPA 2023 — Section 7 (Consent) | ISO 27018 A.1.1–A.1.2 (Consent) | Granular consent mechanism; consent records database; withdrawal mechanism; consent audit trail
DPDPA 2023 — Section 8(5) (Security safeguards) | ISO 27001 + ISO 27018 combined certification | Combined certification = internationally recognised evidence of appropriate security safeguards for DPB
DPDPA 2023 — Section 12 (Right to erasure) | ISO 27018 A.8.2 (Deletion/return) | Cryptographic erasure + verified deletion records + backup purge schedule + deletion certificates
DPDPA 2023 — Section 8(3) (Data processor contracts) | ISO 27018 sub-processor controls | DPDPA-compliant DPA templates; sub-processor obligations; right-to-audit provisions
DPDPA 2023 — Section 16 (Cross-border transfers) | ISO 27018 A.9.1 (Compliance) | Cross-border transfer register; data residency configuration; whitelist monitoring; SCCs for interim transfers
GDPR — Article 28 (Processor requirements) | ISO 27018 entire standard | ISO 27018 certification = credible GDPR Art 28 "sufficient guarantees" evidence accepted by EU DPAs
GDPR — Article 32 (Security) | ISO 27001 + ISO 27018 combined | Combined certification satisfies GDPR Art 32 technical and organisational measures requirement
GDPR — SCCs (cross-border transfers) | ISO 27018 + SCC Annex II | ISO 27018 certificate serves as Annex II technical measures in EU SCCs 2021
IT Act Section 43A (Reasonable security) | ISO 27001 + ISO 27018 | IT (Reasonable Security Practices) Rules 2011 explicitly accept ISO 27001-based frameworks
CERT-In Directions 2022 (Cloud log retention) | ISO 27018 security controls + ISO 27001 A.8.15 | 180-day log retention implementation; immutable log storage; incident reporting procedure (6-hour)
RBI Data Localisation (Payment data) | ISO 27018 A.9.1 + data residency controls | India-region-only data storage configuration for payment data; cross-border replication disabled

ISO/IEC 27018:2019 Implementation — PrecisionTech's 11-Step Certification Journey

Our structured implementation roadmap delivers ISO 27018:2019 certification — standalone or combined with ISO 27001 — in 8–24 weeks depending on your existing ISMS status and cloud environment complexity.

1. ISMS Foundation & Scope

Confirm ISO 27001 ISMS status. Define ISO 27018 scope — which cloud services, PII categories, and processing activities. If no ISO 27001: parallel ISMS implementation.

2. PII Inventory & Data Flow Mapping

Identify all PII processed in cloud — categories, data subjects, purposes, legal basis, systems, data locations, third-party access, and cross-border flows. Foundation of the entire implementation.

3. Controller vs. Processor Role Analysis

For each processing activity: determine controller/processor role. Document role matrix. Identify where the organisation operates in both roles. Apply appropriate ISO 27018 obligations per role.

4. Gap Assessment — ISO 27018 Annex A

Assess current cloud PII controls against all applicable ISO 27018 Annex A controls. Technical review: encryption, access logs, masking, deletion policies. Produce gap report with risk-prioritised implementation plan.

5. Consent Management Implementation

Design and implement consent mechanism (granular, specific, withdrawal-capable). Build consent records database. Version-control privacy notice. Implement consent lifecycle management.

6. Data Subject Rights Procedures

Implement and test procedures for all data subject rights: SAR, correction, erasure, portability, restriction, objection. SLA definition. Request tracking log. Sub-processor deletion coordination.

7. Privacy Notice & Transparency Controls

Update/create DPDPA-compliant privacy notice covering all required elements. Sub-processor list publication. Government access request policy. Notice update management process.

8. Sub-processor Register & DPAs

Build complete sub-processor register (including error tracking, support platforms, analytics tools). Execute DPAs with all sub-processors. Customer notification mechanism for sub-processor changes.

9. Data Deletion & Retention Automation

Implement automated retention policies (S3 lifecycle rules, Azure Blob policies). Cryptographic erasure for PII datasets. Deletion verification records. Backup purge schedule aligned with PII retention. Deletion certificate procedure.

10. DPDPA 2023 & GDPR Alignment

Map all remaining DPDPA 2023 and GDPR requirements to ISO 27018 controls. Execute EU SCCs with EU controller clients. RBI/IRDAI data residency configuration. Cross-border transfer register.

11. Internal Audit & Certification Audit

ISO 27018 internal audit extension — PII controls review, consent record testing, data subject rights procedure testing, sub-processor DPA verification. Management review. CB Stage-1 + Stage-2 audit support.

Realistic Certification Timeline by Organisation Profile

Organisation Profile | ISO 27001 Status | Timeline | Key Scope
SaaS company (20–100 employees, 1 cloud environment, 1–3 PII categories) | Already ISO 27001 certified | 8–12 weeks | Primarily PII processor role; 2–5 sub-processors
SaaS company (starting ISO 27001 + ISO 27018 simultaneously) | No existing ISMS | 16–22 weeks | Combined ISMS + cloud PII scope
Cloud hosting / managed services provider (100–500 employees) | Already ISO 27001 certified | 10–16 weeks | Multiple customers, multiple PII categories, 5–15 sub-processors
BPO/KPO processing client PII in cloud (500+ employees) | No existing ISMS or ISO 27001 only | 18–26 weeks | High PII volume, multiple client data scopes, complex sub-processor chain
Healthcare tech / HR tech (sensitive PII categories) | No existing ISMS | 20–28 weeks | Special PII categories; enhanced consent; regulatory alignment (ABDM/IRDAI)
Combined ISO 27001 + ISO 27018 + ISO 27701 (triple certification) | No existing ISMS | 22–32 weeks | Full privacy governance: controller + processor + cloud PII

Verified Data Deletion in Cloud — The Most Complex ISO 27018:2019 Technical Control

Data deletion verification is the control most frequently tested in ISO 27018 Stage-2 audits — and the one with the most implementation gaps. PrecisionTech's approach uses cryptographic erasure, automated retention policies, and comprehensive deletion records.

[Figure: Automated deletion pipeline. Retention period expires → Deletion trigger activated → Live DB deleted → Backups purged → Sub-processors notified & deleted → Deletion record created. In sequence: retention policy trigger → live delete → backup purge → sub-processor notification → immutable deletion record → deletion certificate to customer.]

Cryptographic Erasure

Encrypt all PII with per-customer or per-record keys in AWS KMS / Azure Key Vault / GCP KMS. Destroy the key = PII permanently inaccessible. Key destruction logged in KMS audit trail = verifiable deletion. Accepted as valid deletion for GDPR, anticipated for DPDPA.
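To make the key-destruction argument concrete, the following added example (not code from the original page or from PrecisionTech) encrypts each customer's records under that customer's own key and then shreds the key; the records, including any copies sitting in backups, become undecryptable and the key-destruction event is the deletion evidence. An in-memory KeyStore with an audit list stands in for AWS KMS / Azure Key Vault / GCP KMS, and an HMAC-SHA256 counter-mode stream cipher with an HMAC tag stands in for the KMS-managed AES encryption; the customer ids and records are constructed.

```python
"""Per-customer envelope encryption with crypto-shredding.

Added example for the cryptographic erasure approach described above; it is
not code from the original page or from PrecisionTech. An in-memory KeyStore
and an HMAC-SHA256 counter-mode stream cipher stand in for the KMS-managed
AES keys the page refers to (AWS KMS / Azure Key Vault / GCP KMS); customer
ids and records are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


class KeyDestroyed(Exception):
    """The customer key backing a record no longer exists: the record is unrecoverable."""


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one customer master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a simple PRF-based stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KeyStore:
    """Stand-in for a cloud KMS: one master key per customer plus an audit trail."""
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def create(self, customer_id: str) -> None:
        self.keys[customer_id] = secrets.token_bytes(32)
        self.audit.append({"event": "CreateKey", "customer_id": customer_id, "at": _now()})

    def get(self, customer_id: str) -> bytes:
        if customer_id not in self.keys:
            raise KeyDestroyed(customer_id)
        return self.keys[customer_id]

    def destroy(self, customer_id: str) -> dict:
        """Crypto-shred: forget the key and log the event (the deletion evidence)."""
        del self.keys[customer_id]
        event = {"event": "DestroyKey", "customer_id": customer_id, "at": _now()}
        self.audit.append(event)
        return event


def encrypt_record(ks: KeyStore, customer_id: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a PII record under the customer's key."""
    master = ks.get(customer_id)
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(_subkey(master, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"customer_id": customer_id, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_record(ks: KeyStore, rec: dict) -> bytes:
    """Verify the tag, then decrypt. Raises KeyDestroyed once the key is gone."""
    master = ks.get(rec["customer_id"])
    expected = hmac.new(_subkey(master, b"mac"), rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("record tampered or encrypted under a different key")
    return _xor(rec["ct"], _keystream(_subkey(master, b"enc"), rec["nonce"], len(rec["ct"])))


def shred_customer(ks: KeyStore, records: list, customer_id: str) -> dict:
    """Terminate a customer: destroy the key, then verify its records are unreadable.

    The returned dict is the kind of deletion record an auditor asks for: scope,
    outcome and the KMS event to cite. Ciphertext left in backups is inert.
    """
    event = ks.destroy(customer_id)
    affected = [r for r in records if r["customer_id"] == customer_id]
    unreadable = 0
    for r in affected:
        try:
            decrypt_record(ks, r)
        except KeyDestroyed:
            unreadable += 1
    return {"customer_id": customer_id, "records_affected": len(affected),
            "records_unreadable": unreadable, "kms_event": event}


if __name__ == "__main__":
    ks = KeyStore()
    ks.create("cust-a")
    ks.create("cust-b")
    records = [encrypt_record(ks, "cust-a", b"priya@example.com"),
               encrypt_record(ks, "cust-b", b"ravi@example.com")]
    print(shred_customer(ks, records, "cust-a"))
```

Two properties matter for the audit: destroying one customer's key leaves every other customer's records readable, and the deletion record cites a key-destruction event in the KMS audit trail rather than a claim that rows were removed. In a real deployment the per-customer key would itself be a KMS key (or a data key wrapped by one), so that KMS's own scheduled-deletion log supplies the evidence.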

Automated Retention Policies

AWS S3 Object Lifecycle Rules / Azure Blob Lifecycle Management / GCP Object Lifecycle automatically delete objects at retention period expiry. Deletion events logged in CloudTrail/Azure Monitor/GCP Logging — logs are the deletion evidence. No manual deletion required or trusted.
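Lifecycle rules only count as deletion evidence if they actually match the PII retention schedule, and on a versioned bucket an Expiration rule merely adds a delete marker while the older versions persist until a NoncurrentVersionExpiration rule removes them. The following added example (not code from the original page or from PrecisionTech) is a policy-as-code check that compares an S3 lifecycle configuration against a retention schedule and flags those gaps; the schedule, prefixes and lifecycle JSON are constructed, while the rule fields used (Status, Filter.Prefix, Expiration.Days, NoncurrentVersionExpiration.NoncurrentDays) are standard S3 lifecycle configuration fields.

```python
"""Verify that an S3 lifecycle configuration enforces the PII retention schedule.

Added example for the automated-retention approach described above; not code
from the original page or from PrecisionTech. The retention schedule, bucket
prefixes and the lifecycle JSON are constructed; the rule fields used
(Status, Filter.Prefix, Expiration.Days, NoncurrentVersionExpiration.
NoncurrentDays) are standard S3 lifecycle configuration fields.
"""
import json

# Constructed PII retention schedule: key prefix -> maximum retention in days.
RETENTION_SCHEDULE = {
    "exports/": 30,       # data subject access request exports
    "tickets/": 365,      # support attachments containing customer PII
    "audit-logs/": 180,   # CERT-In 180-day log retention
    "backups/": 90,       # database dumps
}

# Constructed lifecycle configuration with deliberate gaps to detect.
LIFECYCLE_JSON = """
{
  "Rules": [
    {"ID": "exports", "Status": "Enabled", "Filter": {"Prefix": "exports/"},
     "Expiration": {"Days": 25},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 5}},
    {"ID": "tickets", "Status": "Enabled", "Filter": {"Prefix": "tickets/"},
     "Expiration": {"Days": 365}},
    {"ID": "audit-logs", "Status": "Disabled", "Filter": {"Prefix": "audit-logs/"},
     "Expiration": {"Days": 180},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}
  ]
}
"""
SAMPLE_CONFIG = json.loads(LIFECYCLE_JSON)


def check_lifecycle(config: dict, schedule: dict, versioned: bool = True) -> list:
    """Return one finding per prefix whose rule fails to enforce the schedule.

    Only rules filtered by a plain Prefix are considered (an assumption of this
    example; tag-based and And filters are ignored). On a versioned bucket,
    Expiration only adds a delete marker; old versions live on until
    NoncurrentVersionExpiration removes them, so the worst-case lifetime is
    Expiration.Days + NoncurrentDays.
    """
    findings = []
    rules = {}
    for rule in config.get("Rules", []):
        rules.setdefault(rule.get("Filter", {}).get("Prefix", ""), rule)
    for prefix, max_days in schedule.items():
        rule = rules.get(prefix)
        if rule is None:
            findings.append(f"{prefix}: no lifecycle rule covers this prefix")
            continue
        if rule.get("Status") != "Enabled":
            findings.append(f"{prefix}: rule {rule.get('ID')} is not Enabled")
            continue
        exp = rule.get("Expiration", {}).get("Days")
        if exp is None:
            findings.append(f"{prefix}: rule has no Expiration.Days")
            continue
        if exp > max_days:
            findings.append(f"{prefix}: Expiration {exp}d exceeds schedule {max_days}d")
        if versioned:
            nc = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
            if nc is None:
                findings.append(f"{prefix}: versioned bucket but noncurrent versions never expire")
            elif exp + nc > max_days:
                findings.append(f"{prefix}: worst-case lifetime {exp + nc}d exceeds schedule {max_days}d")
    return findings


if __name__ == "__main__":
    for finding in check_lifecycle(SAMPLE_CONFIG, RETENTION_SCHEDULE):
        print(finding)
```

Run against the sample configuration, the check reports the tickets/ rule (no noncurrent-version expiry on a versioned bucket), the disabled audit-logs/ rule and the uncovered backups/ prefix, and passes exports/ because 25 + 5 days stays within the 30-day schedule. One caveat on evidence: S3 lifecycle expirations are performed by internal S3 endpoints and are not recorded as CloudTrail object-level events; they appear in S3 server access logs, so enable those on PII buckets if lifecycle deletions are to serve as the deletion record.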

Deletion Certificate

On contract termination: export all customer PII (data portability). Then delete from live DB, trigger backup purge schedule, notify sub-processors of deletion requirement, collect sub-processor deletion confirmations, issue signed deletion certificate to customer within agreed period (typically 30 days post-termination).

Which Indian Cloud Organisations Need ISO/IEC 27018:2019 Certification?

ISO 27018:2019 is the essential cloud privacy certification for any organisation that processes customer or user PII in public cloud environments — driven by enterprise client requirements, DPDPA 2023 obligations, and export market GDPR compliance needs.

SaaS Companies

Enterprise SaaS platforms processing customer PII (employee records in HR SaaS, customer records in CRM SaaS, transaction records in fintech SaaS) face mandatory ISO 27018 requirements from large Indian corporate clients and from EU/UK enterprise clients requiring GDPR Article 28 evidence. ISO 27018 certification accelerates enterprise sales cycles and eliminates vendor security questionnaire delays.

Cloud Hosting & Managed Services Providers

Managed cloud hosting companies, cloud data centre operators, and infrastructure-as-a-service providers in India that host client databases containing PII face formal PII processor obligations. ISO 27018 provides the framework for sub-processor management, deletion verification at contract termination, and government access request transparency — key differentiators in enterprise cloud hosting contracts.

Healthcare Technology Companies

Health-tech platforms, telemedicine providers, hospital management SaaS, diagnostic data platforms, and ABDM (Ayushman Bharat Digital Mission) ecosystem participants process highly sensitive patient PII. ISO 27018 + ISO 27701 provides the privacy governance framework for ABDM compliance, DPDPA sensitive data obligations, and international hospital client privacy requirements.

HR Technology & Payroll Platforms

HR SaaS, payroll processors, and employee engagement platforms process sensitive employee PII — salary, performance, health, disciplinary records. Large corporate HR clients increasingly require ISO 27018 certification for HR SaaS vendors. DPDPA 2023 will require heightened governance for employee data held by Significant Data Fiduciaries.

Fintech & Payment Service Providers

Fintech platforms, neo-banks, lending apps, and payment service providers process financial PII in cloud environments. RBI IT Framework, CERT-In cloud requirements, and DPDPA 2023 all require formal PII governance for financial data processing. ISO 27018 provides the framework; RBI data localisation requirements are integrated into the implementation.

BPOs/KPOs & IT Services Exporters

Business process outsourcers processing client PII in cloud (insurance claims processing, customer support, financial data processing) must satisfy GDPR Article 28 requirements for EU clients and DPDPA obligations for Indian clients. ISO 27018 certification simultaneously satisfies both — enabling Indian BPOs to expand their EU/UK client base without custom security assessments for each client.

PrecisionTech ISO/IEC 27018:2019 Cloud Privacy Consulting Services

30 years of technology & consulting expertise — serving thousands of global clients. Our ISO 27018 consulting combines cloud architecture depth with privacy governance expertise.

🗺️

PII Inventory & Data Flow Mapping

Comprehensive mapping of all PII processed in cloud — categories, data subjects, purposes, legal basis, systems, locations, third-party flows, and cross-border transfers. Foundation of ISO 27018 implementation.

🔍

ISO 27018:2019 Gap Assessment

Structured gap assessment against all ISO 27018 Annex A controls. Technical review of cloud PII controls (encryption, access logs, masking, deletion). Gap report with risk-prioritised implementation plan.

Controller vs. Processor Role Analysis

Determine your organisation's PII processing role for each activity. Document role matrix. Apply appropriate ISO 27018 obligations for each role. Critical foundation for correct control implementation.

🤝

Consent Management Framework

Design and implement granular consent mechanism. Build consent records database. Withdrawal mechanism. Consent audit trail. Version-controlled privacy notice linked to consent records.

⚖️

Data Subject Rights Procedures

Implement and test all DSR procedures: SAR, correction, erasure, portability, restriction, objection. SLA definition. Request tracking. Sub-processor deletion coordination. Tested by PrecisionTech before CB audit.

📢

Privacy Notice & Transparency Controls

DPDPA + GDPR compliant privacy notice. Sub-processor list publication. Government access request policy. Notice update management process. Plain-language drafting accessible to lay persons.

🏢

Sub-processor Register & DPAs

Complete sub-processor identification (including often-missed tools: error tracking, support platforms, analytics). Execute DPAs with all sub-processors. Customer notification mechanism for sub-processor changes.

🗑️

Data Deletion & Retention Automation

Automated retention policies (cloud lifecycle rules). Cryptographic erasure implementation. Deletion verification records. Backup purge schedule. Deletion certificate procedure at contract termination.

🌐

Cross-border Transfer Controls

Data residency configuration for RBI/IRDAI/DPDPA requirements. EU SCC 2021 DPA templates. Cross-border transfer register. Sub-processor data location disclosure.

🇮🇳

DPDPA 2023 Integration

DPDPA compliance mapping into ISO 27018 controls — Section 5 notice, Section 7 consent, Section 8 safeguards, Section 12 erasure, Section 16 cross-border. Builds towards DPDPA Data Protection Board readiness.

🇪🇺

GDPR Article 28 Compliance

EU SCC templates (Module 2), GDPR DPA templates, Annex II technical measures using ISO 27018 certification. Accelerates enterprise EU/UK client DPA negotiations. GDPR Art 32 security evidence.

🔄

Annual Surveillance Support

PII inventory annual update, privacy notice review, sub-processor register update, consent audit, DSR SLA review, ISO 27018 internal audit, management review, surveillance audit preparation.

Start Your ISO 27018:2019 Journey — Free Gap Assessment

30 years · Thousands of global clients · Detailed gap report within 2 business days of initial call.

Certified Clients — ISO 27018:2019 Implementation Reviews

★★★★★

"PrecisionTech implemented ISO/IEC 27018:2019 for our SaaS platform that processes customer PII for 400+ enterprise clients across India, the UK, and the UAE. Their gap analysis against the 27018 Annex A controls was meticulous — covering every dimension from consent management and purpose limitation to sub-processor agreements and data deletion verification. The DPDPA 2023 and GDPR dual-alignment mapping they built into our privacy framework was invaluable. Our enterprise client procurement teams now clear our vendor security questionnaires in half the time they did before certification. The certification became a genuine sales accelerator."

ISO 27018:2019 Cloud Privacy Certification — May 2025
★★★★★

"We are a cloud infrastructure provider offering managed cloud hosting services to healthcare and BFSI clients in India. ISO 27018:2019 was a mandatory requirement from two of our largest hospital group clients — they needed evidence that we process their patient data with formal PII protection controls. PrecisionTech built our PII processor ISMS extension on top of our existing ISO 27001:2022 certification in just 10 weeks. The combined ISO 27001 + ISO 27018 certificate has since helped us win three additional healthcare contracts. The ROI on the certification was clear within 60 days."

ISO 27018:2019 Cloud Privacy Certification — Aug 2025
★★★★★

"Our company provides HR analytics SaaS to large Indian corporates and MNCs. Employee personal data — salary, performance, health data — is extremely sensitive. Our clients' legal teams started requiring ISO 27018 certification as a vendor prerequisite in 2024. PrecisionTech's consulting was excellent — they understood the HR data context deeply, built consent management workflows tailored to employee data, and implemented robust data subject rights procedures (access, correction, deletion) aligned with both DPDPA 2023 and GDPR. We passed the certification audit with zero major non-conformities. Highly recommended."

ISO 27018:2019 Cloud Privacy Certification — Oct 2025

Why PrecisionTech for ISO/IEC 27018:2019 Cloud Privacy Certification — 30 Years of Expertise

30 Years of Technology Depth

Since 1994, PrecisionTech has served thousands of global clients across cloud, IT infrastructure, ERP (Tally), payment gateway, and cybersecurity. Our ISO 27018 consultants understand cloud architectures (AWS, Azure, GCP) technically — verifying that controls actually work, not just that policies claim they do.

Technical + Privacy Governance Integration

Most privacy consultants can draft policies — few can verify the deletion automation works, the encryption keys are properly managed, or the SIEM detects anomalous PII access. PrecisionTech bridges both worlds: legally sound privacy governance implemented through technically verified cloud controls.

DPDPA 2023 + GDPR Dual-Alignment by Design

We build DPDPA 2023 and GDPR compliance mapping into the ISO 27018 implementation from Day 1 — delivering one certification that simultaneously satisfies multiple compliance frameworks. Indian IT exporters gain GDPR Article 28 evidence and DPDPA 2023 compliance with a single engagement.

Cross-domain Portfolio Advantage

Our wide portfolio — cloud, ERP, payment integration, cybersecurity, 20+ ISO certifications — means we understand how PII flows through the entire technology ecosystem. We identify PII sources that narrow privacy consultants miss: ERP integrations, payment gateway callbacks, IoT data feeds, third-party API consumers.

Zero Major NCRs — Audit Readiness Guarantee

Our structured pre-audit readiness review simulates the certification body auditor's evidence examination — consent record testing, deletion procedure testing, sub-processor DPA verification. Clients consistently achieve Stage-2 with zero major non-conformities because we address gaps before, not during, the audit.

Annual Surveillance — Sustained Certification

ISO 27018 is a 3-year cycle with annual surveillance. Our annual maintenance programme — PII inventory updates, privacy notice reviews, sub-processor register updates, IS awareness refreshes, internal audit, management review — ensures certifications remain current and meaningful.

Frequently Asked Questions — ISO/IEC 27018:2019 Cloud Privacy Certification

Expert answers on cloud PII protection, DPDPA 2023, GDPR alignment, consent management, data subject rights, sub-processor management, and certification process — for SaaS, cloud hosting, healthcare tech, fintech, and BPO organisations across India.

Q1. What is ISO/IEC 27018:2019 and what does it cover?

ISO/IEC 27018:2019 (first published as ISO/IEC 27018:2014, updated in 2019) is the international Code of Practice for Protection of Personally Identifiable Information (PII) in Public Cloud Computing. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) — the same bodies that publish ISO/IEC 27001.

ISO 27018:2019 is specifically designed for public cloud service providers (CSPs) acting as PII processors — organisations that process personal data on behalf of their customers (who are the PII controllers). Examples: a SaaS company that processes its enterprise clients' employee or customer data, a managed cloud hosting company that stores client databases, a cloud analytics platform that processes customer behavioural data.

What ISO 27018:2019 covers:

  • PII controller and processor obligations: Clarifying which privacy obligations belong to the cloud service provider (as PII processor) vs. its customers (as PII controllers)
  • Consent and purpose limitation: PII must be processed only for purposes specified by the PII controller; the cloud provider must not use customer PII for its own purposes (e.g., advertising) without explicit consent
  • Transparency: Cloud providers must disclose to customers what PII is processed, where it is stored, who has access, and what sub-processors are used
  • Data subject rights: Mechanisms for data subjects (individuals) to exercise rights of access, correction, deletion, and portability through the cloud provider's systems
  • Data deletion and return: PII must be deleted or returned to the customer at contract termination; deletion must be verifiable
  • Sub-processor management: Cloud providers must ensure their sub-processors (infrastructure providers, software vendors) apply equivalent PII protection
  • Security controls for PII: Extends ISO 27001 Annex A controls with PII-specific security requirements — encryption, access logging, data masking in non-production, DLP
  • Cross-border transfers: Restrictions on transferring PII to jurisdictions without adequate privacy protection

What ISO 27018:2019 is NOT:

  • It is not a standalone certification standard — it is a code of practice used as a control extension to ISO 27001. ISO 27018 certification is typically achieved through a combined ISO 27001 + ISO 27018 audit.
  • It does not replace GDPR, DPDPA 2023, or any national privacy law — it provides internationally recognised technical and organisational controls that support compliance with these laws
  • It is written for public cloud services only. Private cloud and on-premises processing fall outside its scope; ISO 27701 covers PII processing in any environment

ISO 27018:2019 vs ISO 27018:2014: The 2019 edition is a minor revision of the 2014 text. Its stated change is the correction of an editorial error in Annex A; the control set, the structure, and the terminology (which comes from the ISO/IEC 29100 privacy framework, not from GDPR, and already used "PII principal", "PII controller" and "PII processor" in 2014) are unchanged. Organisations certified against the 2014 edition therefore needed no new controls to move to the 2019 edition; the update is a matter of certificate references rather than implementation.

For Indian organisations, ISO 27018:2019 is increasingly the certification of choice for demonstrating DPDPA 2023 compliance evidence to enterprise clients and regulators — particularly for SaaS companies, cloud hosting providers, and BPOs processing customer PII in public cloud environments.

Q2.Is ISO 27018:2019 mandatory — who needs it and why?

ISO/IEC 27018:2019 is not legally mandatory in India or globally, but it is increasingly treated as a de facto requirement in multiple commercial and regulatory contexts. Understanding the specific drivers helps organisations assess their priority for certification.

Commercial / Contractual Mandates (most common driver in India):

  • Enterprise SaaS procurement: Large Indian corporations and MNCs increasingly include ISO 27018 as a vendor security questionnaire requirement or a contractual prerequisite for SaaS vendors that process employee, customer, or financial PII. Without it, SaaS vendors may be excluded from enterprise procurement shortlists.
  • Government and PSU procurement: Public sector IT procurement for cloud services increasingly specifies ISO 27018 or equivalent privacy controls for vendors processing citizen or government data in cloud environments.
  • Banking and insurance client requirements: BFSI clients (banks, NBFCs, insurance companies) under RBI IT Framework and IRDAI cybersecurity guidelines require their cloud vendors — especially SaaS and managed cloud providers — to demonstrate formal PII protection governance. ISO 27018 is the recognised evidence.
  • Export market requirements (UK, EU, Middle East): Indian IT service exporters serving EU and UK clients must meet the processor obligations of GDPR Article 28 (and the UK GDPR equivalent). ISO 27018:2019, usually alongside ISO 27701:2019, is widely accepted by enterprise legal and procurement teams as supporting evidence for the "sufficient guarantees" a processor must give under Article 28(1). It is not an approved certification mechanism under GDPR Article 42, so it supplements rather than replaces the Article 28(3) contract terms and the controller's own due diligence.
  • Healthcare client requirements: Indian health-tech companies processing patient data for hospital clients face privacy requirements under the National Digital Health Mission (NDHM/ABDM) framework. ISO 27018 is used as evidence of PII protection controls for such processing.

Regulatory Alignment (indirect mandate):

  • DPDPA 2023: India's Digital Personal Data Protection Act 2023 requires Data Fiduciaries (the entities that determine the purpose and means of processing) to implement reasonable security safeguards to prevent personal data breaches (Section 8(5)), and makes the Fiduciary responsible for processing carried out on its behalf by any Data Processor (Section 8(1)). ISO 27018:2019 certification, built on ISO 27001, is widely recognised evidence of such safeguards for cloud processing and is the most natural evidence a cloud Data Processor can hand to its Fiduciary customers. It matters most for organisations likely to be designated Significant Data Fiduciaries (SDFs), which carry additional audit and impact-assessment duties (Section 10).
  • CERT-In Directions 2022: Cloud service providers are specifically addressed in CERT-In's April 2022 cybersecurity directions — including log retention, incident reporting, and security controls requirements. ISO 27018 controls for logging and incident notification support CERT-In compliance.
  • IT Act Section 43A: Reasonable security practices for sensitive personal data under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which name ISO/IEC 27001 as an acceptable standard. A combined ISO 27001 + ISO 27018 certification therefore evidences "reasonable security practices" for PII in cloud. Note that DPDPA 2023 (Section 44) omits Section 43A from the IT Act once the Act is brought into force, so this basis is transitional.

Cyber Insurance:

  • Cyber insurance underwriters increasingly evaluate PII protection governance — ISO 27018 certification demonstrating formal cloud PII controls can reduce underwriter risk assessment and premium costs for cloud-first businesses.

Which organisations need ISO 27018:2019 certification as a priority:

  • SaaS companies processing enterprise customer PII (employee data, customer data, financial data) in cloud
  • Managed cloud hosting providers storing client databases containing PII
  • Healthcare technology platforms processing patient data in cloud (ABDM ecosystem)
  • HR technology platforms processing employee personal and sensitive data
  • Fintech and payment service providers processing financial PII in cloud
  • BPOs/KPOs processing client PII in cloud environments
  • Any Indian IT company exporting services to EU/UK clients where GDPR Article 28 compliance is required

Q3.What is the difference between a PII Controller and a PII Processor in ISO 27018:2019?

The distinction between PII Controller and PII Processor is fundamental to ISO 27018:2019 — and mirrors the GDPR Controller/Processor distinction and the DPDPA 2023 Data Fiduciary/Data Processor distinction. Different obligations apply to each role.

PII Controller (GDPR: Data Controller / DPDPA: Data Fiduciary):

  • Definition: The entity that determines the purpose and means of processing PII — i.e., decides WHY and HOW PII is collected and used
  • Examples: A bank that collects customer KYC data; a hospital that collects patient health records; an e-commerce company that collects shopper purchase history; an HR department that collects employee personal data
  • Primary obligations under ISO 27018 + DPDPA 2023:
    • Obtain and manage consent from PII principals
    • Define purposes and communicate to PII principals via privacy notice
    • Respond to data subject rights requests (access, correction, erasure, portability)
    • Notify PII principals and regulators in case of PII breach
    • Ensure data processor contracts include ISO 27018-equivalent PII protection obligations

PII Processor (GDPR: Data Processor / DPDPA: Data Processor):

  • Definition: The entity that processes PII on behalf of the PII controller — acting under instructions from the controller, not for its own purposes
  • Examples: A SaaS company that processes its enterprise clients' employee or customer PII; a cloud hosting company that stores its clients' databases; a cloud analytics platform that processes behavioural data on behalf of an e-commerce client
  • Primary obligations under ISO 27018 (the standard's core focus):
    • Process PII only according to the controller's instructions — never for the processor's own purposes (no using customer PII for advertising or product improvement without explicit controller consent)
    • Implement security controls adequate for the PII categories processed
    • Notify the controller of any sub-processors used and obtain consent for sub-processing
    • Support the controller in responding to data subject rights requests
    • Notify the controller promptly of any PII security incidents or breaches
    • Delete or return all PII to the controller at contract termination
    • Allow the controller to audit PII protection controls (right-to-audit or equivalent)

When an organisation is BOTH controller and processor simultaneously:

  • Many cloud companies operate in both roles simultaneously: A SaaS HR platform is a PII processor for its enterprise clients' employee data (processing on behalf of the client who determines the purpose) — but simultaneously a PII controller for its own employees' HR data and for its customers' account/billing data.
  • ISO 27018 applies primarily to the processor role; ISO 27701:2019 (the Privacy Information Management System standard) extends this to cover both controller and processor roles comprehensively.
  • The ISO 27018 gap assessment must clearly identify which processing activities fall under which role — and apply the appropriate controls accordingly.

Practical implication for ISO 27018 audit:

  • The certification auditor will test whether the organisation has correctly identified its PII processing roles and implemented the appropriate controls for each. A cloud provider that claims to be "only a processor" but has product analytics that use customer PII without explicit controller authorisation — fails the purpose limitation control and will receive a major non-conformity.
  • The data mapping and role determination exercise is typically the most challenging and time-consuming part of ISO 27018 implementation — PrecisionTech facilitates this as a dedicated workshop with legal, technical, and business stakeholders.

Q4.How does ISO 27018:2019 relate to ISO 27001:2022 — can they be certified together?

ISO/IEC 27018:2019 is an extension to ISO/IEC 27001 — it provides additional PII-specific controls (Annex A of ISO 27018) that supplement the general information security controls of ISO 27001 Annex A. Understanding this relationship is critical for implementation planning.

The relationship:

  • ISO 27018 explicitly states in its introduction that it is based on ISO 27002 (the implementation guidance for ISO 27001 Annex A controls) and that its controls should be implemented within the context of an ISO 27001 ISMS.
  • ISO 27001 provides the ISMS framework — risk assessment, risk treatment, policies, awareness, internal audit, management review, continual improvement.
  • ISO 27018 adds cloud PII-specific controls — consent management, purpose limitation, data subject rights, transparency, data deletion verification, sub-processor management, cross-border transfer restrictions — as additional controls within the ISMS.
  • The Statement of Applicability (SoA) for a combined ISO 27001 + ISO 27018 certification references both the ISO 27001 Annex A 2022 controls (93 controls) AND the ISO 27018 Annex A additional controls.

Combined ISO 27001:2022 + ISO 27018:2019 certification:

  • NABCB-accredited certification bodies (BSI, Bureau Veritas, SGS, TÜV SÜD, DNV) offer combined ISO 27001 + ISO 27018 audits — a single Stage-1 and Stage-2 audit covering both standards.
  • The combined certificate references both ISO/IEC 27001:2022 and ISO/IEC 27018:2019.
  • Annual surveillance audits cover both standards — one audit process, two certifications maintained.
  • The incremental audit cost for adding ISO 27018 to an ISO 27001 audit is typically 20–40% of the base ISO 27001 audit cost — significantly more efficient than separate audits.

Can an organisation achieve ISO 27018 certification without ISO 27001:

  • Technically, ISO 27018 is not a standalone certification standard — it is a code of practice to be implemented within an ISMS. Certification bodies audit ISO 27018 as an extension to ISO 27001.
  • An organisation without an existing ISO 27001 certification must implement ISO 27001 first (or concurrently), then add the ISO 27018 controls.
  • PrecisionTech implements both simultaneously for organisations starting fresh — delivering combined ISO 27001:2022 + ISO 27018:2019 certification in a single project, typically 16–24 weeks for a medium SaaS company.

ISO 27018 vs ISO 27701:2019 — which to pursue:

  • ISO 27018:2019: Focused specifically on PII in public cloud — best for cloud service providers acting as PII processors. Narrower scope, lower implementation overhead, strong market recognition for cloud providers.
  • ISO 27701:2019 (PIMS — Privacy Information Management System): Covers both PII controllers AND processors across all environments (not just cloud). Provides GDPR and DPDPA 2023 alignment for both roles. More comprehensive privacy governance — higher implementation effort but broader applicability.
  • Both: The most comprehensive approach for SaaS companies processing PII in cloud in both controller and processor roles — ISO 27001 (ISMS foundation) + ISO 27018 (cloud PII processor controls) + ISO 27701 (full controller + processor privacy governance). PrecisionTech designs integrated implementations that serve all three certifications from a single unified ISMS.

Q5.What are the ISO 27018:2019 Annex A controls — how many are there and what do they cover?

ISO/IEC 27018:2019 Annex A is the "public cloud PII processor extended control set": 25 additional controls, grouped under the eleven privacy principles of ISO/IEC 29100 (A.1 to A.11), that supplement the general ISO 27001 Annex A controls. Three of the principle groups (A.3 Collection limitation, A.6 Accuracy and quality, A.8 Individual participation and access) carry no additional controls, because a processor does not decide what is collected and the ISO 27001 baseline already covers integrity; the remaining groups add the cloud-processor-specific obligations below. The combined SoA for ISO 27001 + ISO 27018 lists every one of them alongside the 93 ISO 27001:2022 Annex A controls.

Structure of ISO 27018:2019 Annex A:

A.1 — Consent and choice:

  • A.1.1 — Obligation to co-operate regarding PII principals' rights: The cloud provider must give the customer (PII controller) the means to honour access, correction and erasure requests from PII principals, since the processor does not own the relationship with the individual.

A.2 — Purpose legitimacy and specification:

  • A.2.1 — Public cloud PII processor's purpose: PII may be processed only for the purposes set by the customer, and the contract must say so. Any processing outside the customer's instructions is a non-conformity.
  • A.2.2 — Public cloud PII processor's commercial use: The provider must not use customer PII for advertising, marketing or any other commercial purpose of its own without the PII principal's express consent. This is the control that addresses "data mining" of customer content.

A.4 — Data minimisation:

  • A.4.1 — Secure erasure of temporary files: Temporary files and documents containing PII (caches, spool files, scratch tables, log extracts) must be erased or destroyed within a specified, documented period.

A.5 — Use, retention and disclosure limitation:

  • A.5.1 — PII disclosure notification: The contract must require the provider to notify the customer of any legally binding request for disclosure of PII by a law-enforcement authority, unless notification is itself prohibited by law. This is the control relevant to government-access and data-sovereignty concerns.
  • A.5.2 — Recording of PII disclosures: Every disclosure of PII to a third party, including law-enforcement disclosures, must be recorded: what was disclosed, to whom, and when.

A.7 — Openness, transparency and notice:

  • A.7.1 — Disclosure of sub-contracted PII processing: Customers must be told, before the contract is concluded, that sub-contractors (sub-processors) may be used, and of any change to them, with an opportunity to object or terminate.

A.9 — Accountability:

  • A.9.1 — Notification of a data breach involving PII: The provider must notify the customer promptly of any unauthorised access to PII, or to the equipment or facilities processing it, that results in loss, disclosure or alteration of PII.
  • A.9.2 — Retention period for administrative security policies and guidelines: Superseded security policies and procedures are retained for a specified period, so that historical processing can be shown to have been governed.
  • A.9.3 — PII return, transfer and disposal: A policy, made available to the customer, for returning, transferring or securely disposing of PII at contract termination or on request; disposal must be verifiable.

A.10 — Information security:

  • A.10.1 — Confidentiality or non-disclosure agreements: Staff with access to PII are bound by confidentiality agreements.
  • A.10.2 — Restriction of the creation of hardcopy material: Printing of PII is restricted.
  • A.10.3 — Control and logging of data restoration: Restores from backup are authorised and logged, because a restore can silently revive PII that was deleted from live systems.
  • A.10.4 — Protecting data on storage media leaving the premises: Media carrying PII is encrypted before it leaves the provider's control.
  • A.10.5 — Use of unencrypted portable storage media and devices: Portable media carrying PII must be encrypted.
  • A.10.6 — Encryption of PII transmitted over public data-transmission networks: PII in transit over public networks is encrypted.
  • A.10.7 — Secure disposal of hardcopy materials: Printed PII is destroyed securely.
  • A.10.8 — Unique use of user IDs: No shared accounts on PII systems; every access must be attributable to one person.
  • A.10.9 — Records of authorized users: An up-to-date list of who is authorised to access PII.
  • A.10.10 — User ID management: De-activated or expired user IDs are not reassigned to new users.
  • A.10.11 — Contract measures: Contracts with the customer and with sub-processors set out the security measures applied to PII.
  • A.10.12 — Sub-contracted PII processing: Sub-processors are bound to the same PII protection obligations as the provider.
  • A.10.13 — Access to data on pre-used data storage space: Storage released by one tenant is sanitised before reuse, so a new tenant cannot read the previous tenant's PII.

A.11 — Privacy compliance:

  • A.11.1 — Geographical location of PII: The provider specifies and documents the countries in which PII may be stored.
  • A.11.2 — Intended destination of PII: The provider specifies and documents the countries to which PII may be transferred, and does not transfer it elsewhere.

Additional PII-specific guidance in the body of ISO 27018 (extending ISO 27001 Annex A controls):

Beyond Annex A, the main clauses of ISO 27018 add implementation guidance for the PII context to existing ISO 27002 controls. For the PII the cloud service processes, an auditor will expect to see:

  • Encryption of PII at rest where the risk assessment calls for it, and in transit across public networks (A.10.6), with the customer told when and how cryptography is used
  • Event logging that records who accessed which PII, when and from where, with log retention periods that themselves respect PII retention limits
  • Backup restoration only under authorisation and with a log entry (A.10.3), and backup media protected to the same standard as live data
  • No production PII in development, test or staging unless a risk assessment justifies it and compensating measures (masking, pseudonymisation) are in place
  • Least-privilege access to PII datasets, a maintained register of authorised users (A.10.9), and individually attributable accounts (A.10.8)
  • Secure disposal of storage media and sanitisation of released storage (A.10.13)
  • A record of every disclosure of PII to third parties (A.5.2)
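Two of the expectations above, pseudonymising PII before it is copied to non-production and emitting attributable per-access log events, are easier to see in code. The following Python is an added illustration for this page, not PrecisionTech's tooling or text from the standard; the field names, environment names, the sample customer row and the MASKING_KEY value are constructed for the example.

```python
"""Pseudonymise PII for non-production copies and build attributable PII access
events. Added example for this page; field names, environment names, the sample
row and MASKING_KEY are illustrative."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: one row from a production customer table.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "full_name": "Asha Menon",
    "email": "asha.menon@example.com",
    "phone": "+91 98450 12345",
    "plan": "enterprise",  # not PII, copied unchanged
}

NON_PRODUCTION_ENVS = {"dev", "test", "staging"}

# Hypothetical masking key. In a real deployment it lives in a secrets manager and
# is never deployed to the non-production environment that receives the copy.
MASKING_KEY = b"example-only-rotate-me-0123456789abcdef"


def _token(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: equal inputs give equal tokens, so joins
    between masked tables still work; without the key the token is not reversible."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def mask_record(record: dict, env: str, key: bytes = MASKING_KEY) -> dict:
    """Return a copy of `record` fit for `env`. Production keeps the real values,
    a listed non-production environment gets shape-preserving pseudonyms, and an
    unknown environment is refused rather than guessed."""
    if env == "production":
        return dict(record)
    if env not in NON_PRODUCTION_ENVS:
        raise ValueError(f"unknown environment {env!r}")
    masked = dict(record)
    if "full_name" in masked:
        masked["full_name"] = "PERSON_" + _token(masked["full_name"], key)[:12]
    if "email" in masked:
        masked["email"] = "u-" + _token(masked["email"], key)[:12] + "@masked.invalid"
    if "phone" in masked:
        # keep the country code so number-format tests still pass; replace the
        # subscriber digits with a keyed 10-digit token
        country_code, _, _ = masked["phone"].partition(" ")
        digits = str(int(_token(masked["phone"], key)[:16], 16) % 10**10).zfill(10)
        masked["phone"] = f"{country_code} {digits}"
    return masked


# Generic or shared account names that cannot be tied to one person.
SHARED_ACCOUNT_NAMES = {"admin", "root", "support", "shared", "service", "ops"}


def is_individual_account(user_id: str) -> bool:
    """Unique-user-ID check (ISO 27018 A.10.8): reject empty or shared accounts."""
    return bool(user_id) and user_id.strip().lower() not in SHARED_ACCOUNT_NAMES


def pii_access_event(user_id: str, action: str, subject_id, fields, source_ip: str,
                     purpose: str, at: Optional[datetime] = None) -> dict:
    """Build one PII access event: who, what, which subject, which fields, when,
    from where and for what purpose. Refuses shared accounts up front, because
    an event without an individual actor is useless for the audit trail."""
    if not is_individual_account(user_id):
        raise PermissionError(f"PII access must use an individual account, not {user_id!r}")
    return {
        "ts": (at or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
        "actor": user_id,
        "action": action,
        "subject_id": subject_id,
        "fields": sorted(fields),
        "source_ip": source_ip,
        "purpose": purpose,
    }


def to_log_line(event: dict) -> str:
    """Serialise an event as a single JSON line for shipping to the SIEM."""
    return json.dumps(event, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    print(to_log_line(mask_record(SAMPLE_RECORD, "staging")))
    ev = pii_access_event("a.menon", "read", 1042, {"email", "phone"},
                          "10.20.0.5", "support-ticket-881")
    print(to_log_line(ev))
```

The masking is keyed rather than a plain hash so that a non-production team holding a list of real customer emails cannot recompute the tokens and re-identify the copy; rotating MASKING_KEY invalidates every pseudonym at once. The access event deliberately fails closed on shared accounts instead of logging "admin", since a log line that cannot be attributed to a person does not satisfy the audit-trail purpose of the control.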

Q6.How does ISO 27018:2019 align with India's DPDPA 2023?

The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law — applicable to all Data Fiduciaries processing digital personal data of Indian citizens. ISO/IEC 27018:2019 provides substantial technical and organisational control alignment with DPDPA 2023 requirements, making it a powerful compliance enabler for cloud-first organisations.

Key DPDPA 2023 obligations and ISO 27018:2019 alignment:

1. Security safeguards (Section 8(5)):

DPDPA Section 8(5) requires a Data Fiduciary, and through it any Data Processor acting on its behalf, to implement reasonable security safeguards to prevent personal data breaches. ISO 27018:2019 certification, built on ISO 27001, is widely recognised evidence of such safeguards for cloud PII processing. The combined ISO 27001 + ISO 27018 certification lets a cloud provider demonstrate systematic security governance to enterprise clients, the Data Protection Board of India and sector regulators; it is evidence supporting the Fiduciary's Section 8(5) judgement, not a statutory safe harbour.

2. Data breach notification (Section 8(6)):

DPDPA Section 8(6) requires a Data Fiduciary to notify the Data Protection Board of India and each affected Data Principal of a personal data breach, in the form and within the time set by the DPDP Rules. ISO 27018 A.9.1 (Notification of a data breach involving PII) requires the cloud provider to notify its customer promptly of any breach affecting the customer's PII, and the ISO 27001:2022 incident management controls (A.5.24 to A.5.28) supply the detection, assessment and escalation machinery. Together they give the Data Fiduciary the processor-side notification it needs in order to meet its own deadline.

3. Right to erasure (Section 12):

DPDPA Section 12 gives Data Principals the right to correction and erasure of their personal data, and Section 8(7) obliges the Data Fiduciary to erase personal data, and to have its Data Processor erase it, once consent is withdrawn or the purpose is no longer being served, unless retention is required by law. ISO 27018 A.9.3 (PII return, transfer and disposal) addresses verified deletion at the customer's request or at contract end; A.4.1 (Secure erasure of temporary files) extends it to caches, spool files and scratch tables; A.10.3 (Control and logging of data restoration) stops a backup restore from silently resurrecting erased records; and A.10.12 (Sub-contracted PII processing) pushes the same obligation down to sub-processors. An ISO 27018-certified cloud provider therefore already holds the documented deletion procedures, deletion records and sub-processor deletion obligations a Data Fiduciary needs to satisfy Section 12 in a cloud environment.

4. Purpose limitation (Sections 4 and 6(1)):

DPDPA permits processing only for a lawful purpose for which the Data Principal has given consent or which is a listed legitimate use (Section 4), and consent is valid only for the personal data necessary for the specified purpose (Section 6(1)). ISO 27018 A.2.1 (Public cloud PII processor's purpose) and A.2.2 (Public cloud PII processor's commercial use) bind the provider to the customer's stated purposes and forbid use of customer PII for the provider's own advertising or other commercial ends. That is how purpose limitation is enforced on the processor side of a cloud arrangement.

5. Data minimisation (Section 6(1)):

Section 6(1) limits consent-based processing to the personal data necessary for the specified purpose, and Section 8(7) requires erasure once that purpose is served. ISO 27018 has no standalone collection-limitation control (principle group A.3 carries none), because a processor does not decide what its customers collect; instead A.4.1 (Secure erasure of temporary files) and A.9.3 (PII return, transfer and disposal) minimise what the provider retains, and A.2.1 confines processing to the customer's instructions. Cloud providers should still review their own telemetry, logging and support tooling, which routinely capture more customer PII than the service needs.

6. Data processor obligations (Section 8(2)):

Section 8(2) allows a Data Fiduciary to engage a Data Processor only under a valid contract, and Section 8(7) requires the Fiduciary to cause its processor to erase personal data when the Fiduciary must. ISO 27018 A.10.11 (Contract measures), A.10.12 (Sub-contracted PII processing) and A.7.1 (Disclosure of sub-contracted PII processing) supply the contract content and sub-processor transparency such a contract needs, and the customer's right-to-audit or equivalent-assurance provisions give the Fiduciary a way to verify that it is honoured.

7. Cross-border data transfers (Section 16):

DPDPA Section 16 allows the Central Government to restrict, by notification, the transfer of personal data to specified countries or territories; transfers are otherwise permitted, subject to any stricter sectoral rule (for example the RBI's payment system data storage directive). ISO 27018 A.11.1 (Geographical location of PII) and A.11.2 (Intended destination of PII) require the provider to document and disclose the countries where PII is stored and to which it may be transferred, and not to move it anywhere else. That disclosure is what lets an Indian Data Fiduciary check a cloud service against the Section 16 notifications and its own sector rules.

8. Significant Data Fiduciaries (SDFs) — enhanced obligations:

Organisations designated as Significant Data Fiduciaries under DPDPA face enhanced obligations including Data Protection Impact Assessments (DPIA) and appointment of a Data Protection Officer (DPO). ISO 27018:2019 + ISO 27701:2019 provides the governance framework for SDF obligations — with ISO 27701's PII controller controls covering DPIA requirements and DPO governance.

PrecisionTech's DPDPA-integrated ISO 27018 implementation:

  • We map all DPDPA 2023 obligations to ISO 27018 controls from Day 1 — ensuring certification simultaneously advances DPDPA compliance
  • We build DPDPA-compliant privacy notices, consent management frameworks, data subject rights procedures, data processor contract clauses, and cross-border transfer mechanisms within the ISO 27018 control implementation
  • Our implementation is designed to satisfy both the ISO 27018 auditor and the Data Protection Board of India simultaneously

Q7.What is consent management and how should it be implemented under ISO 27018:2019?

Consent management is one of the most operationally complex areas of ISO 27018:2019 implementation, and one of the most important for DPDPA 2023 and GDPR compliance. ISO 27018 itself does not define valid consent; it requires the cloud provider to process PII only on the customer's instructions (A.2.1), to obtain express consent before any commercial use of its own (A.2.2), and to co-operate with the customer in honouring PII principals' rights (A.1.1). The consent standard those controls must support comes from the law: DPDPA Section 6(1) requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and GDPR Articles 4(11) and 7 require the same qualities.

Consent requirements the implementation must meet:

  • Freely given: Consent must not be a precondition for accessing the service unless the processing is strictly necessary for the service. "Bundled consent" — making consent to optional processing a condition for accessing essential functionality — is not compliant. This is a common non-conformity for SaaS companies that use a single "I accept terms" checkbox to cover both core service processing and optional analytics/marketing processing.
  • Specific: Consent must be obtained separately for each distinct processing purpose. One generic consent for all purposes is not compliant. A SaaS platform should have separate consent for: account management (potentially not requiring consent if based on contract), product analytics, marketing communications, third-party data sharing, and cross-border processing.
  • Informed: PII principals must understand what they are consenting to — plain-language description of the processing, purpose, data categories, retention period, and data subject rights. Legal jargon-heavy privacy policies do not satisfy the "informed" requirement if they are not accessible to a lay person.
  • Unambiguous: Active consent — a specific action (checkbox, button click) — not pre-ticked boxes, silence, or inactivity. For sensitive PII categories (health, biometric, financial, children's data), explicit consent with a separate, prominent consent mechanism.

Consent management system components for ISO 27018 compliance:

1. Consent record storage:

  • For every consent granted: WHO consented (PII principal identity), WHEN (timestamp with timezone), WHAT they consented to (specific purpose and data categories — version reference of the privacy notice shown), HOW they consented (mechanism — click, form submission, API call), FROM WHERE (IP address, device identifier for context)
  • Consent records must be immutable — cannot be modified after recording. A consent audit trail is tested in ISO 27018 audits.

2. Consent withdrawal mechanism:

  • As easy to withdraw consent as it is to give it. A SaaS platform that allows one-click consent but requires emailing support to withdraw consent — is non-compliant.
  • Withdrawal must trigger immediate cessation of the specific processing activity (not just deletion of the consent record)
  • Withdrawal must trigger notification to sub-processors performing that processing activity on behalf of the PII processor

3. Consent management platform (CMP) considerations:

  • For websites and SaaS interfaces with complex consent scenarios: CMPs like OneTrust, Cookiebot, Usercentrics, or custom-built consent modules provide the technical infrastructure
  • For API-first SaaS and B2B cloud services: consent is typically captured at the customer (PII controller) level — the customer's privacy notice to their users covers the processing. The SaaS provider must ensure its customer contract authorises the specific processing performed.
  • Cookie consent under DPDPA (where cookies or trackers carry personal data, consent must meet the Section 6 standard) and under GDPR and ePrivacy rules for EU users: separate consent is required for non-essential cookies (analytics, marketing trackers). ISO 27018 compliance requires this to be properly implemented and evidenced wherever the cloud provider itself places the trackers.

4. Consent lifecycle management:

  • Consent expiry: DPDPA 2023 and ISO 27018 do not specify a mandatory consent expiry period, but best practice is periodic consent refresh (every 12–24 months) to ensure consent remains current and informed
  • Privacy notice version management: When the privacy notice changes (new processing purposes, new sub-processors, new data categories), existing consent must be reviewed — if the change is material, fresh consent is required
  • Consent status audit: Regular audit of consent records — identifying data subjects with withdrawn or expired consent and ensuring processing has ceased

Common consent management non-conformities in ISO 27018 audits:

  • No consent records — consent collected via checkbox but no audit trail of who consented to what when
  • Pre-ticked consent boxes — not valid consent under GDPR or DPDPA
  • Bundled consent — one checkbox for all purposes including optional analytics and marketing
  • No withdrawal mechanism or withdrawal mechanism much harder than consent mechanism
  • Consent records deleted when a user deletes their account — but consent records must be retained as proof of lawful processing (separate retention from operational PII)
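The consent record, withdrawal and audit-trail requirements above, and the last non-conformity (consent records that vanish with the account), come together in one data structure: an append-only ledger whose records are hash-chained so that tampering is detectable. The following Python is an added example for this page, not PrecisionTech's platform or code from any CMP vendor; the purposes, sub-processor names, notice versions and the sample PII principal are constructed.

```python
"""Append-only, hash-chained consent ledger for a SaaS PII processor. Added
illustration for this page; the purposes, sub-processor names, notice versions
and the sample PII principal are constructed."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64

# Hypothetical purpose -> sub-processors acting on that purpose. A withdrawal
# must fan out to every one of them, not just flip a flag locally.
SUB_PROCESSORS_BY_PURPOSE = {
    "core_service": [],
    "product_analytics": ["analytics-vendor"],
    "marketing_email": ["email-delivery-vendor", "crm-vendor"],
}


class ConsentLedger:
    """Records are only appended; each carries the hash of its predecessor, so
    editing or dropping an old record is caught by verify(). There is no update
    or delete method, and deleting a user's account never touches this ledger."""

    def __init__(self) -> None:
        self._events: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        payload = {k: v for k, v in body.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def _append(self, event: dict) -> str:
        prev = self._events[-1]["hash"] if self._events else GENESIS
        body = dict(event, prev_hash=prev)
        body["hash"] = self._digest(body)
        self._events.append(body)
        return body["hash"]

    def grant(self, principal: str, purpose: str, notice_version: str,
              mechanism: str, source_ip: str, ts: str) -> str:
        """WHO consented, to WHAT (one specific purpose, against a versioned
        privacy notice), WHEN, HOW, and FROM WHERE."""
        if purpose not in SUB_PROCESSORS_BY_PURPOSE:
            raise ValueError(f"unknown purpose {purpose!r}: consent must be specific")
        return self._append({"type": "grant", "principal": principal, "purpose": purpose,
                             "notice_version": notice_version, "mechanism": mechanism,
                             "source_ip": source_ip, "ts": ts})

    def withdraw(self, principal: str, purpose: str, mechanism: str,
                 source_ip: str, ts: str) -> dict:
        """Record the withdrawal and return the processing that must now stop."""
        h = self._append({"type": "withdraw", "principal": principal, "purpose": purpose,
                          "mechanism": mechanism, "source_ip": source_ip, "ts": ts})
        return {"hash": h, "stop_processing": purpose,
                "notify_sub_processors": list(SUB_PROCESSORS_BY_PURPOSE[purpose])}

    def active_grants(self, principal: str) -> Dict[str, str]:
        """Replay the chain: purpose -> notice version currently consented to."""
        active: Dict[str, str] = {}
        for ev in self._events:
            if ev["principal"] != principal:
                continue
            if ev["type"] == "grant":
                active[ev["purpose"]] = ev["notice_version"]
            else:
                active.pop(ev["purpose"], None)
        return active

    def may_process(self, principal: str, purpose: str, current_notice: str,
                    material_change: bool = False) -> bool:
        """Gate every processing job on this: no active grant, no processing; a
        materially changed notice invalidates grants given under older versions."""
        consented = self.active_grants(principal).get(purpose)
        if consented is None:
            return False
        return not (material_change and consented != current_notice)

    def verify(self) -> bool:
        """Recompute the chain; False if any record was altered or removed."""
        prev = GENESIS
        for ev in self._events:
            if ev["prev_hash"] != prev or self._digest(ev) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def export(self) -> List[dict]:
        """Read-only copy for auditors and for the controller's own records."""
        return [dict(e) for e in self._events]


def demo() -> dict:
    """Grant, gate, withdraw and re-gate for one constructed principal."""
    ledger = ConsentLedger()
    ledger.grant("prn-7f3a", "core_service", "v3", "signup-form", "203.0.113.9", "2026-03-09T10:15:00+05:30")
    ledger.grant("prn-7f3a", "product_analytics", "v3", "settings-toggle", "203.0.113.9", "2026-03-09T10:16:00+05:30")
    before = ledger.may_process("prn-7f3a", "product_analytics", "v3")
    w = ledger.withdraw("prn-7f3a", "product_analytics", "settings-toggle", "198.51.100.4", "2026-04-01T08:00:00+05:30")
    after = ledger.may_process("prn-7f3a", "product_analytics", "v3")
    stale = ledger.may_process("prn-7f3a", "core_service", "v4", material_change=True)
    return {"before": before, "after": after, "notify": w["notify_sub_processors"],
            "stale_notice_blocks": not stale, "chain_ok": ledger.verify(),
            "events": len(ledger.export())}
```

Withdrawal is modelled as a new record rather than a deletion, so the proof that consent once existed survives the withdrawal and the later deletion of the user's operational PII. The hash chain only makes tampering detectable; in production the current head hash should be periodically written somewhere the application cannot alter (a WORM bucket, a signed log, a separate audit account) so that a rewritten chain can be compared against a trusted anchor.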

Q8.What data subject rights must be implemented under ISO 27018:2019?

ISO 27018:2019 requires cloud service providers to implement mechanisms enabling data subjects (PII principals) to exercise their privacy rights, either directly or through the PII controller (the cloud provider's customer); Annex A.1.1 frames this as the processor's obligation to co-operate with the controller. The rights themselves come from the law: GDPR Articles 15 to 22, and DPDPA 2023 Chapter III (Section 11 access, Section 12 correction and erasure, Section 13 grievance redressal, Section 14 nomination). Where a right exists under one law but not the other, that is noted below.

Right of Access (Subject Access Request / SAR):

  • Data subjects have the right to receive a copy of all PII held about them — including: what data is held, for what purposes, from whom it was obtained, who it has been shared with, how long it will be retained, and information about their other rights
  • For cloud providers: the mechanism depends on role. If the cloud provider is a PII processor for its customer, the customer (PII controller) handles SARs and the cloud provider must support the customer in extracting the relevant PII data within a defined SLA. If the cloud provider also acts as a PII controller (for account data), it responds to SARs directly.
  • SLA: ISO 27018 sets no response period of its own; it requires the processor to co-operate with the controller within the timeframe agreed in the contract (A.1.1). The deadline that matters is the controller's legal one: one month under GDPR Article 12(3), and the period set by the DPDP Rules under DPDPA. The processor's contractual SLA to its customer must therefore be materially shorter than the controller's statutory deadline.
  • Format: Machine-readable structured format (JSON, CSV), so that the same export serves a combined access-and-portability request

Right to Correction / Rectification:

  • Data subjects can request correction of inaccurate or incomplete PII
  • Cloud provider must implement: self-service correction mechanisms in the product UI (preferred for standard fields), support-assisted correction process for complex or system-computed data, propagation of corrections to backup copies and sub-processors

Right to Erasure (Right to be Forgotten):

  • Data subjects can request deletion of their PII — particularly relevant when the legal basis was consent (which has been withdrawn) or when the purpose for processing has expired
  • ISO 27018 A.9.3 (PII return, transfer and disposal) specifically addresses verified deletion: the cloud provider must delete PII from all systems, meaning active databases, cloud or tape backups, cached copies, log files where the PII is identifiable (A.4.1 covers temporary files), and sub-processors' systems (A.10.12)
  • Deletion must be verifiable — deletion records (timestamp, scope, method) maintained. Cryptographic erasure (destroying the encryption key for encrypted PII) satisfies deletion for encrypted cloud storage
  • Exceptions: PII required for legal compliance or legitimate interest may be retained even after erasure request — but must be clearly segregated and only the minimum required retained

Right to Data Portability:

  • Under GDPR Article 20, data subjects can request their PII in a structured, commonly used, machine-readable format (JSON, CSV, XML) for transfer to another service provider. DPDPA 2023 creates no portability right, but enterprise customers contract for export capability regardless, and it is the same capability used for return of PII at contract end (A.9.3)
  • Cloud providers must implement: data export functionality in the product, standard format export (not proprietary locked formats), export within defined SLA
  • For B2B SaaS: the PII controller customer can typically exercise data portability on behalf of their users — the cloud provider must support bulk export at customer request

Right to Restrict Processing (GDPR Article 18; no direct DPDPA equivalent):

  • Data subjects can request restriction of processing while a correction request is being resolved, or while an objection is being assessed
  • Technical implementation: account flag or processing suspension mechanism, marking the data subject's records as "restricted" and ensuring no processing beyond storage until the restriction is lifted

Right to Object (GDPR Article 21; under DPDPA the nearest equivalent is withdrawal of consent, Section 6(4), which must be as easy as giving it):

  • Data subjects can object to processing based on legitimate interest or for direct marketing purposes
  • The cloud provider must implement an objection mechanism and assess objections, with cessation of processing if the objection is upheld

Data subject rights procedure requirements for ISO 27018 audit:

  • Documented procedure for each right — who receives the request, how it is verified (identity verification), who processes it, what systems must be queried, what response must be sent, within what SLA
  • Request tracking log — all data subject rights requests recorded with: request date, right exercised, identity verified, action taken, response sent, closure date
  • Testing — the auditor may submit a test SAR or erasure request during the Stage-2 audit to verify the procedure actually functions
  • Sub-processor obligations — when erasure or restriction is required, the cloud provider must communicate to all sub-processors accessing that data
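The erasure bullet above mentions cryptographic erasure as an acceptable deletion method for encrypted cloud storage, and the audit bullets ask for deletion records that are verified rather than asserted. The following Python shows both: a per-principal data-encryption key, ciphertext in a live table and in a backup snapshot, and an erasure routine that destroys the key and then checks that neither copy can be read before it writes the deletion record. It is an added example for this page, not PrecisionTech's or any vendor's code; the HMAC-SHA256 keystream cipher is a standard-library stand-in for an authenticated cipher such as AES-GCM, and the identifiers and sample records are constructed.

```python
"""Cryptographic erasure of one PII principal's records with a computed
deletion record. Added example for this page. The HMAC-SHA256 keystream
cipher stands in for AES-GCM so the example runs on the standard library;
it provides confidentiality only, no integrity. Sample data is constructed."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(key, nonce || counter), one 32-byte block at a time."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream). Fresh random nonce per record."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyVault:
    """One data-encryption key (DEK) per PII principal. Destroying the DEK makes
    every copy of that principal's ciphertext, live or backed up, unreadable."""

    def __init__(self) -> None:
        self._deks: Dict[str, bytes] = {}

    def dek(self, principal_id: str) -> bytes:
        if principal_id not in self._deks:
            self._deks[principal_id] = os.urandom(32)
        return self._deks[principal_id]

    def has(self, principal_id: str) -> bool:
        return principal_id in self._deks

    def destroy(self, principal_id: str) -> bool:
        return self._deks.pop(principal_id, None) is not None


class PiiStore:
    """A live table and a backup snapshot, both holding ciphertext only."""

    def __init__(self, vault: KeyVault) -> None:
        self.vault = vault
        self.live: Dict[str, bytes] = {}
        self.backup: Dict[str, bytes] = {}

    def put(self, principal_id: str, record: dict) -> None:
        blob = encrypt(self.vault.dek(principal_id), json.dumps(record).encode())
        self.live[principal_id] = blob
        self.backup[principal_id] = blob  # snapshot; real backups persist for their retention period

    def get(self, principal_id: str, source: str = "live") -> Optional[dict]:
        table = self.live if source == "live" else self.backup
        if principal_id not in table or not self.vault.has(principal_id):
            return None  # no key, no plaintext: a surviving backup blob is inert
        return json.loads(decrypt(self.vault.dek(principal_id), table[principal_id]))


def crypto_erase(store: PiiStore, principal_id: str, requested_by: str, ts: str) -> dict:
    """Honour an erasure request: destroy the DEK, drop the live row, then build
    a deletion record whose 'verified' field is computed from what can still
    be read, not asserted. Sub-processors still need their own notification."""
    key_destroyed = store.vault.destroy(principal_id)
    store.live.pop(principal_id, None)
    verified = (key_destroyed
                and store.get(principal_id, "live") is None
                and store.get(principal_id, "backup") is None)
    return {
        "principal_id": principal_id,
        "requested_by": requested_by,
        "ts": ts,
        "method": "cryptographic erasure (per-principal DEK destroyed)",
        "scope": ["live", "backup"],
        "backup_ciphertext_retained": principal_id in store.backup,
        "verified": verified,
    }
```

Per-principal keys are what make the approach work: with a single tenant-wide key, destroying it would erase every customer's data, so erasure of one individual would again depend on physically scrubbing backups. The second call to crypto_erase for the same principal returns verified False because there was no key left to destroy, which is the behaviour an auditor wants to see rather than a record that claims success unconditionally. In production, replace the toy cipher with AES-GCM (for example via the cryptography package) so that ciphertext tampering is also detected.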

Q9.What is the sub-processor management requirement in ISO 27018:2019?

Sub-processor management is one of the most practically challenging ISO 27018:2019 requirements — and one of the highest-risk areas from a PII protection standpoint. A sub-processor is any third party that a cloud PII processor uses to perform PII processing activities on its behalf — creating a chain of PII processing obligations.

Who counts as a sub-processor in cloud environments:

  • Cloud infrastructure providers: AWS, Azure, GCP as the underlying IaaS for a SaaS platform — they store and process the PII that the SaaS platform holds. Even if the cloud provider has its own ISO 27018 certification, they are still a sub-processor requiring formal management.
  • Customer support platforms: Zendesk, Freshdesk, Intercom — if customer support tickets contain customer PII, these platforms are sub-processors
  • Email delivery services: SendGrid, AWS SES, Mailchimp — if emails contain PII (account details, names, transactional data), these are sub-processors
  • Analytics platforms: Mixpanel, Amplitude, Google Analytics (if PII-linked) — sub-processors for behavioural PII
  • Error tracking and monitoring: Sentry, Datadog, New Relic — if error logs contain PII data (often do — email addresses, user IDs, session tokens), these are sub-processors
  • Payment processors: Razorpay, Stripe, PayU — processing financial PII on behalf of the merchant client
  • HR/payroll software used for client employees' data: Darwinbox, SAP SuccessFactors — if an HRMS SaaS uses these to process client employee data

ISO 27018:2019 sub-processor management requirements:

1. Sub-processor register:

  • Maintain a complete register of all sub-processors — name, purpose for which they are used, categories of PII they access, data location (country), their privacy/security certifications (ISO 27018, ISO 27001, SOC 2 Type II, GDPR DPA), and contract reference
  • The sub-processor register must be available to customers on request (or publicly published) — ISO 27018 A.5.5 requires disclosure of sub-processors to PII controllers

2. Customer notification of sub-processor changes:

  • When a new sub-processor is added or an existing sub-processor is changed — customers must be notified in advance (before the change takes effect)
  • Customers must have the opportunity to object to the sub-processor change. If a customer objects and the change cannot be avoided, the customer may have the right to terminate the contract without penalty.
  • This is a significant contractual and operational requirement — cloud providers must update their customer notification processes and Terms of Service to include sub-processor change notification mechanisms

3. Sub-processor contracts:

  • Contracts with all sub-processors must impose PII protection obligations at least equivalent to those imposed on the cloud provider by its customers
  • Required contract clauses: purpose limitation (sub-processor processes PII only as instructed by the cloud provider), deletion obligation (delete PII at contract termination or instruction), right-to-audit or equivalent assurance (SOC 2 Type II report, ISO 27018 certificate, or similar), breach notification (sub-processor notifies cloud provider immediately on PII breach), sub-processing restrictions (sub-processor cannot further sub-process without authorisation)

4. Sub-processor due diligence:

  • Before engaging a sub-processor with access to PII: privacy controls assessment — review the sub-processor's privacy policy, DPA (Data Processing Agreement), security certifications (ISO 27001, ISO 27018, SOC 2), and penetration testing results
  • Annual re-assessment — sub-processor security posture changes over time; annual review required
  • For major cloud providers (AWS, Azure, GCP): their ISO 27018 certification, SOC 2 Type II reports, and publicly available security documentation satisfy the due diligence requirement

Government access to PII — a critical sub-processor and cloud provider obligation:

  • ISO 27018 A.7.2 requires the cloud provider to notify customers if it receives government or law enforcement requests for access to customer PII — unless legally prohibited from doing so. This is a significant transparency obligation.
  • Cloud providers must have a defined policy for handling government access requests: legal review, challenge of overbroad requests, customer notification where permitted, and logging of all government access requests.
  • For Indian cloud providers: government access requests under the IT Act, DPDPA, or national security provisions must be handled through defined procedures with customer notification where possible.

Q10. How should data deletion and retention be managed under ISO 27018:2019?

Data deletion and retention management is one of the most technically demanding aspects of ISO 27018:2019 — and one of the most frequently tested areas in certification audits. The standard imposes both a retention obligation (don't keep PII beyond its specified purpose and period) and a deletion verification obligation (prove the PII has actually been deleted).

ISO 27018:2019 deletion and retention controls:

A.8.2 — Return, Transfer, and Disposal of PII:

  • At contract termination: all PII must be returned to the customer or deleted (securely, verifiably) within a specified post-termination period (typically 30–90 days)
  • Deletion certification: the cloud provider must provide a written declaration to the customer confirming PII deletion — what was deleted, when, using what method
  • Customer data export: before deletion, customers must be given an opportunity to export their PII in a machine-readable format (data portability)
  • Legal hold exception: if PII must be retained for legal compliance beyond the retention period, it must be clearly segregated, access-restricted, and only the minimum required subset retained

A.8.1 — Temporary Files:

  • PII that appears in temporary files — application caches, database transaction logs, temporary query results, error logs, debugging logs — must be subject to the same deletion controls as structured PII
  • This is a common gap: organisations implement deletion from the main database but forget that PII is logged in application logs (exception traces with email addresses, user IDs, query parameters) or cached in Redis/Memcached. The ISO 27018 auditor specifically checks for PII in temporary storage.
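As an added example (not code from the original page), the following Go scanner applies the temporary-files check described above to a constructed application log: it reports email addresses, bearer/session tokens and user identifiers found in traces, dumped headers and query strings, and produces a masked copy that can be kept for the operational log retention period. The detector patterns and the sample lines are assumptions made for this example, not a list from the standard.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one PII occurrence located in a scanned log line.
type Finding struct {
	Line     int    // 1-based line number in the scanned input
	Category string // "email", "token" or "user_id"
	Value    string // matched text; kept for the finding, never written to the masked copy
}

// Detector patterns are constructed for this example; a production scanner
// would tune them to the identifiers the application actually emits.
var detectors = []struct {
	category string
	re       *regexp.Regexp
	mask     string
}{
	// Email addresses leaking through exception traces.
	{"email", regexp.MustCompile(`[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}`), "[EMAIL]"},
	// Bearer tokens and session identifiers in dumped headers or query strings.
	{"token", regexp.MustCompile(`(?i)(bearer\s+|session(?:_id)?=|token=)[A-Za-z0-9\-_.]{8,}`), "${1}[TOKEN]"},
	// Numeric user identifiers in query parameters.
	{"user_id", regexp.MustCompile(`(?i)(user_?id=)\d+`), "${1}[UID]"},
}

// ScanAndMask reports every PII hit in logText and returns a masked copy that
// can be retained for the operational log period without carrying PII.
func ScanAndMask(logText string) ([]Finding, string) {
	var findings []Finding
	lines := strings.Split(logText, "\n")
	masked := make([]string, len(lines))
	for i, line := range lines {
		out := line
		for _, d := range detectors {
			for _, m := range d.re.FindAllString(line, -1) {
				findings = append(findings, Finding{Line: i + 1, Category: d.category, Value: m})
			}
			out = d.re.ReplaceAllString(out, d.mask)
		}
		masked[i] = out
	}
	return findings, strings.Join(masked, "\n")
}

// sampleLog is a constructed application log of the kind an auditor inspects.
const sampleLog = `2026-03-01T10:15:02Z INFO  GET /api/orders?user_id=48213 200 12ms
2026-03-01T10:15:03Z ERROR NullPointerException while loading profile for priya.s@example.org
2026-03-01T10:15:03Z DEBUG headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln
2026-03-01T10:15:04Z INFO  health check ok`

func main() {
	findings, masked := ScanAndMask(sampleLog)
	for _, f := range findings {
		// Report the category and line only; echoing the value would re-leak it.
		fmt.Printf("line %d: %s\n", f.Line, f.Category)
	}
	fmt.Println(masked)
}
```

Running the scanner over the Redis or Memcached key space and over exception-tracker exports is the same exercise with a different input source.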

A.8.3 — PII Backup:

  • PII in backup storage — backup tapes, cloud backup buckets (S3, Azure Blob), snapshot storage — must be subject to the same protection controls as live data
  • Backup retention periods must align with PII retention schedules — it is non-compliant to delete PII from live systems but retain indefinite backups containing that PII
  • For cloud-native organisations using point-in-time recovery: backup retention settings must be set to match PII retention requirements (not default unlimited retention)
  • Verification: when PII is deleted from live systems, the backup deletion schedule must be confirmed and a projected date for backup deletion recorded

Technical approaches to verified deletion in cloud environments:

1. Cryptographic erasure (most practical for cloud storage):

  • Encrypt all PII at rest with a per-customer or per-data-subject encryption key managed in a dedicated Key Management Service (AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault)
  • To "delete" PII: destroy the encryption key — the encrypted data becomes permanently inaccessible, satisfying deletion requirements even if the underlying storage blocks are not immediately overwritten
  • This approach makes deletion verifiable (key destruction is logged in KMS audit trail) and efficient (no need to overwrite individual cloud storage objects)
  • Accepted by GDPR supervisory authorities and anticipated to be accepted under DPDPA rules as a valid deletion method for encrypted cloud storage
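The cryptographic erasure flow above, as an added example that is not part of the original page: PII records are sealed under a per-customer AES-256-GCM key, the key store logs every key lifecycle event as deletion evidence, and destroying the key makes every record for that customer unrecoverable while the ciphertext bytes still sit in storage and backups. The in-memory KeyStore, the customer identifier and the sample record are assumptions standing in for a real KMS and real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrNoKey is returned when a customer's key is absent, i.e. after crypto-shredding.
var ErrNoKey = errors.New("no active key for customer: ciphertext is unrecoverable")

// AuditEvent is the KMS-style log entry that serves as deletion evidence.
type AuditEvent struct {
	When     time.Time
	Customer string
	Action   string // "create_key" or "destroy_key"
}

// KeyStore stands in for a managed KMS (an assumption of this example; a
// deployment would hold the keys in the cloud KMS or Vault, never in-process).
type KeyStore struct {
	keys  map[string][]byte // one AES-256 key per customer
	Audit []AuditEvent
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateKey provisions a 256-bit key for a customer and logs the event.
func (ks *KeyStore) CreateKey(customer string) {
	ks.keys[customer] = randBytes(32)
	ks.Audit = append(ks.Audit, AuditEvent{time.Now().UTC(), customer, "create_key"})
}

// Encrypt seals one PII record under the customer's key: random nonce, then AES-GCM ciphertext.
func (ks *KeyStore) Encrypt(customer string, plaintext []byte) ([]byte, error) {
	key, ok := ks.keys[customer]
	if !ok {
		return nil, ErrNoKey
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a stored record; ErrNoKey after DestroyKey, GCM auth error if tampered.
func (ks *KeyStore) Decrypt(customer string, stored []byte) ([]byte, error) {
	key, ok := ks.keys[customer]
	if !ok {
		return nil, ErrNoKey
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, stored[:n], stored[n:], nil)
}

// DestroyKey is the deletion step: zeroise and drop the key, then log it as evidence.
func (ks *KeyStore) DestroyKey(customer string) {
	if key, ok := ks.keys[customer]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(ks.keys, customer)
	}
	ks.Audit = append(ks.Audit, AuditEvent{time.Now().UTC(), customer, "destroy_key"})
}

func main() {
	ks := NewKeyStore()
	ks.CreateKey("customer-42") // constructed customer identifier
	stored, _ := ks.Encrypt("customer-42", []byte("priya.s@example.org"))
	ks.DestroyKey("customer-42")
	_, err := ks.Decrypt("customer-42", stored)
	fmt.Println("after key destruction:", err)
	fmt.Println("audit events:", len(ks.Audit))
}
```

The audit slice is the artefact to export into the deletion certificate; a real KMS emits the equivalent entry in its own audit trail when a key is scheduled for destruction.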

2. Object-level deletion with verification:

  • For S3/Azure Blob/GCS object storage: delete individual objects containing PII with deletion confirmation logging. For structured databases: SQL DELETE with transaction log retention showing deletion records.
  • Challenge: ensuring deletion propagates to all replicas, read replicas, and CDN caches — must be explicitly addressed in deletion procedures

3. Retention policy automation:

  • Automated retention policies in cloud storage — AWS S3 Object Lifecycle rules, Azure Blob lifecycle management, GCP Object Lifecycle — automatically delete objects after defined retention periods without manual intervention
  • These automated deletions must be logged and the logs retained as deletion evidence

Retention schedule management for ISO 27018 compliance:

  • Define retention periods for each PII category and processing purpose — customer account data (retained for duration of relationship + X years), transaction records (retained for Y years per tax/regulatory requirements), support tickets with PII (retained for Z years), marketing contact records (retained until consent withdrawn or B years from last interaction)
  • The retention schedule must be documented, communicated in the privacy notice, and technically enforced through automated systems — not manual deletion processes
  • Retention schedule review: when DPDPA 2023 rules specify mandatory retention limits, the schedule must be updated accordingly
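The retention schedule above and the backup alignment rules under A.8.3, worked as one added example (not the page's own code): a small Go retention engine evaluates each record against its category's period, holds back records under legal hold for segregation instead of deleting them, refuses to run on a record whose category has no defined period, records a projected backup purge date with each deletion, and rejects a backup lifecycle that is unlimited or longer than the permitted overhang. The category names, periods, overhang limit and sample records are constructed placeholders for the page's X/Y/Z/B years.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Schedule maps a PII category to its retention in days after the trigger event
// (account closure, transaction date, ticket closure, last marketing contact).
type Schedule map[string]int

// ExampleSchedule uses constructed periods standing in for the page's X/Y/Z/B years.
var ExampleSchedule = Schedule{
	"account_data":       2 * 365, // X years after the relationship ends
	"transaction_record": 7 * 365, // Y years per tax/regulatory rules
	"support_ticket":     1 * 365, // Z years after ticket closure
	"marketing_contact":  1 * 365, // B years from last interaction
}

// Record is one stored PII item with the event that starts its retention clock.
type Record struct {
	ID        string
	Category  string
	Trigger   time.Time
	LegalHold bool // retained beyond schedule for legal compliance; segregated, not deleted
}

// DeletionEvent is the evidence kept after an automated deletion.
type DeletionEvent struct {
	RecordID             string
	Category             string
	DeletedAt            time.Time
	ProjectedBackupPurge time.Time // when the last backup containing the record expires
}

// ExpiryDate returns when a record leaves its retention period, or an error if
// the category is missing from the schedule (an unclassified record is a gap).
func ExpiryDate(s Schedule, r Record) (time.Time, error) {
	days, ok := s[r.Category]
	if !ok {
		return time.Time{}, fmt.Errorf("no retention period defined for category %q", r.Category)
	}
	return r.Trigger.AddDate(0, 0, days), nil
}

// RunRetention returns deletion evidence for expired records and the IDs of
// expired records held back by legal hold. backupRetentionDays is the backup
// lifecycle setting, used to project when the deletion reaches the backups.
func RunRetention(s Schedule, records []Record, now time.Time, backupRetentionDays int) ([]DeletionEvent, []string, error) {
	var evidence []DeletionEvent
	var held []string
	for _, r := range records {
		exp, err := ExpiryDate(s, r)
		if err != nil {
			return nil, nil, err
		}
		if now.Before(exp) {
			continue // still within its retention period
		}
		if r.LegalHold {
			held = append(held, r.ID)
			continue
		}
		evidence = append(evidence, DeletionEvent{r.ID, r.Category, now, now.AddDate(0, 0, backupRetentionDays)})
	}
	return evidence, held, nil
}

// CheckBackupAlignment rejects a backup lifecycle that would keep PII beyond
// its schedule: indefinite retention (<= 0) or more than the permitted overhang.
func CheckBackupAlignment(backupRetentionDays, maxOverhangDays int) error {
	if backupRetentionDays <= 0 {
		return errors.New("backup retention is unlimited: PII would outlive its retention schedule")
	}
	if backupRetentionDays > maxOverhangDays {
		return fmt.Errorf("backup retention of %d days exceeds the permitted overhang of %d days", backupRetentionDays, maxOverhangDays)
	}
	return nil
}

func main() {
	now := time.Date(2026, 3, 9, 0, 0, 0, 0, time.UTC)
	// Constructed records: one expired, one live, one expired but on legal hold.
	records := []Record{
		{"acct-1", "account_data", time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC), false},
		{"acct-2", "account_data", time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC), false},
		{"txn-1", "transaction_record", time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC), true},
	}
	const backupDays = 35
	if err := CheckBackupAlignment(backupDays, 90); err != nil {
		fmt.Println("misaligned:", err)
	}
	evidence, held, _ := RunRetention(ExampleSchedule, records, now, backupDays)
	for _, e := range evidence {
		fmt.Printf("deleted %s (%s); backups clear by %s\n", e.RecordID, e.Category, e.ProjectedBackupPurge.Format("2006-01-02"))
	}
	fmt.Println("on legal hold, segregate:", held)
}
```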

Q11. How does ISO 27018:2019 address cross-border PII transfers — what does this mean for Indian cloud providers?

Cross-border PII transfer controls are among the most commercially significant ISO 27018:2019 requirements for Indian cloud providers serving global clients — and the most complex given the evolving regulatory landscape spanning DPDPA 2023, GDPR, and sector-specific data localisation requirements.

ISO 27018:2019 cross-border transfer requirements (A.9.1 — Compliance with Privacy Legislation):

  • The cloud provider must identify all applicable privacy laws governing PII processing — including laws of the country where the cloud provider operates, where PII principals are located, and where data is stored
  • PII transfers to countries without adequate privacy protection must be governed by appropriate safeguards
  • Customers must be informed of the countries where PII may be processed or stored — including sub-processors' data locations

Indian regulatory cross-border transfer requirements:

DPDPA 2023 — Section 16 (Cross-border transfers):

  • Personal data of Indian citizens can only be transferred to countries on a whitelist to be notified by the central government (whitelist not yet published as of early 2025)
  • Until the whitelist is published, the status of cross-border transfers under DPDPA remains uncertain — standard contractual clauses (SCCs) and contractual safeguards are the interim approach
  • ISO 27018-certified cloud providers must monitor DPDPA whitelist developments and update their cross-border transfer mechanisms accordingly
  • Significant Data Fiduciaries may face additional cross-border transfer restrictions under forthcoming SDF rules

RBI Data Localisation:

  • RBI requires payment system data to be stored only in India (circular 2018). All data related to payment transactions must be stored in India — a copy cannot be stored abroad even as backup
  • For cloud providers processing payment data: all RBI-covered payment data must be in Indian data centres. Cloud providers must clearly segment Indian payment data from other data categories and ensure no cross-border replication
  • AWS, Azure, and GCP all have India regions — cloud providers must configure services to ensure payment data stays within the India region with no cross-region replication to overseas regions

IRDAI Data Localisation:

  • IRDAI guidelines require insurance data to be stored in India. Cloud providers hosting insurance company data must ensure India-only data residency for insurance records

GDPR cross-border transfer requirements (for Indian cloud providers serving EU clients):

  • GDPR Chapter V restricts transfer of EU resident personal data to countries without an adequacy decision. India does not currently have an EU adequacy decision.
  • Indian cloud providers (SaaS, IT services) processing EU resident data must rely on: Standard Contractual Clauses (SCCs — 2021 edition, EDPB-approved), Binding Corporate Rules (BCRs — for multinational groups), or customer-approved derogations
  • The Data Processing Agreement (DPA) between the Indian cloud provider and its EU customer must include the appropriate SCCs
  • ISO 27018 implementation includes drafting and executing GDPR-compliant DPAs with EU customers — making certification directly commercially valuable for Indian IT exporters

Practical implementation for Indian cloud providers:

  • Data residency configuration: configure cloud services (AWS, Azure, GCP) to store PII in the correct region (India for RBI/IRDAI/DPDPA-sensitive data), with explicit no-replication-overseas settings
  • Sub-processor data location disclosure: publish data location of all sub-processors — customers must know where their PII is stored geographically
  • DPA templates: maintain DPA templates for: Indian customer data processing (aligned with DPDPA 2023), EU customer data processing (GDPR SCCs), UK customer data processing (UK GDPR International Data Transfer Agreements — IDTAs), UAE/Singapore/other jurisdiction DPAs
  • Cross-border transfer register: maintain a register of all cross-border PII transfers — which data, to which country, by which sub-processor, under what legal mechanism

Q12. What transparency obligations does ISO 27018:2019 impose on cloud service providers?

Transparency is one of the foundational principles of ISO 27018:2019 — and one of the most visible to customers and data subjects. The standard requires cloud service providers to be transparent about every material aspect of their PII processing.

ISO 27018:2019 transparency obligations:

1. Privacy Notice (Privacy Policy):

A clear, accessible privacy notice that covers:

  • Identity and contact details of the PII controller and (if applicable) the data protection officer
  • Purposes of PII processing and the legal basis for each purpose
  • Categories of PII collected
  • Recipients of PII — including categories of sub-processors and their data locations (countries)
  • Retention periods for each PII category
  • Data subjects' rights and how to exercise them
  • Right to withdraw consent and how to do so
  • Right to lodge a complaint with a supervisory authority (Data Protection Board under DPDPA; relevant DPA under GDPR)
  • Whether PII provision is mandatory or voluntary and consequences of not providing it
  • Cross-border transfer information — countries PII may be transferred to and safeguards in place

Privacy notice requirements for ISO 27018 compliance:

  • Written in plain language — accessible to a lay person, not just legal specialists
  • Prominently accessible — linked from every page of the website/application where PII is collected, not buried in a footer or sub-menu
  • Version-controlled — the version of the privacy notice shown at the time of consent must be linked to the consent record
  • Updated when processing changes — any material change to PII processing (new sub-processor, new purpose, new data category) requires an updated privacy notice and (if the change affects consent-based processing) fresh consent

2. Sub-processor Disclosure:

ISO 27018 A.5.5 requires cloud providers to disclose to their customers the sub-processors they use — including:

  • Name and location of each sub-processor
  • Purpose for which the sub-processor is used
  • Data categories the sub-processor accesses
  • Whether the sub-processor is ISO 27018 certified or equivalent

Best practice: maintain a publicly accessible sub-processor list (many major cloud providers — AWS, Salesforce, Atlassian — publish this publicly). The sub-processor list must be updated when sub-processors change, with customer notification before the change takes effect.

3. Government Access Request Transparency:

ISO 27018 A.7.2 requires cloud providers to publish their policy on government access to customer PII — including:

  • The process followed when a government or law enforcement request for customer PII is received
  • The process for challenging overbroad or unlawful requests
  • The process for notifying customers when legally permissible
  • Statistical disclosure (transparency report): aggregate data on government access requests received — number of requests, data categories requested, response actions — published annually. This is a practice pioneered by major US cloud providers (Google, Microsoft, AWS) and increasingly expected of cloud providers processing sensitive PII.

4. Disclosure of Data Locations:

Customers must know where their PII is stored — which countries and which cloud regions. This is particularly important for Indian data residency requirements (RBI, IRDAI, anticipated DPDPA whitelist) and for customers with GDPR cross-border transfer restrictions. The cloud provider must disclose data storage locations in its privacy notice and service agreement, and notify customers of any changes to data storage locations.

5. Privacy-in-Advertising Prohibition:

ISO 27018 A.1.1 explicitly prohibits cloud providers from using customer PII for advertising purposes — including targeted advertising based on customer content, behavioural profiling of cloud service users for advertising, and selling or sharing customer PII with advertising networks. This is a critical control distinguishing ISO 27018-certified cloud providers from "free" services that monetise user data. The prohibition must be explicitly stated in the cloud provider's terms of service.

Q13. How does ISO 27018:2019 certification support GDPR compliance for Indian IT companies?

For Indian IT companies — IT services, SaaS, BPO, KPO — that process personal data of EU or UK residents, GDPR compliance is a commercial necessity and legal obligation. ISO/IEC 27018:2019 certification is widely recognised by EU enterprise clients, data protection authorities, and legal teams as credible evidence of GDPR Article 28 data processor compliance.

GDPR Article 28 — Data Processor Requirements and ISO 27018 alignment:

GDPR Article 28 requires that controllers only use processors that provide "sufficient guarantees" to implement appropriate technical and organisational measures to meet GDPR requirements. The Article 28 processor contract must include specific clauses:

  • Process only on documented instructions of the controller: ISO 27018 A.1.1 (obligation to use PII only as agreed) + A.2.1 (purpose specification) directly implement this
  • Confidentiality obligations on persons authorised to process: ISO 27001 A.6.1 (People controls — screening, confidentiality agreements) + ISO 27018 access controls
  • Implement appropriate security measures (GDPR Article 32): ISO 27001:2022 certification + ISO 27018:2019 extension = the most credible available evidence of Article 32 compliance for cloud processing
  • Sub-processor management: ISO 27018 A.5.5 (sub-processor disclosure), sub-processor contracts with equivalent obligations, customer notification of sub-processor changes — directly addresses GDPR Article 28(2) and 28(4)
  • Assist controller in responding to data subject rights: ISO 27018 data subject rights procedures (access, erasure, portability, restriction) directly address GDPR Article 28(3)(e)
  • Assist controller with security, breach notification, DPIAs: ISO 27001 incident management (A.5.24–A.5.28) + ISO 27018 breach notification obligations address GDPR Article 28(3)(f)
  • Delete or return all PII at end of contract: ISO 27018 A.8.2 (return, transfer, disposal) directly addresses GDPR Article 28(3)(g)
  • Provide information and allow audits: ISO 27018 certification itself serves as evidence; right-to-audit provisions in ISO 27018 contracts satisfy GDPR Article 28(3)(h)

Standard Contractual Clauses (SCCs) and ISO 27018:

  • For transfers of EU resident data from the EU to India (no adequacy decision), the 2021 EU SCCs must be incorporated into the DPA between the EU controller and the Indian processor
  • ISO 27018 certification satisfies the security measures required by the SCCs (Module 2 — Controller to Processor SCCs require Annex II technical and organisational measures)
  • Indian IT companies with ISO 27018 certification can use the certification as the primary Annex II security measures description in their SCC-compliant DPAs — significantly simplifying DPA negotiation with EU clients

EU Data Protection Authority recognition of ISO 27018:

  • Multiple EU DPAs (Germany, France, Netherlands) have published guidance recognising ISO 27018 certification as relevant evidence of GDPR cloud security compliance
  • The UK Information Commissioner's Office (ICO) references ISO 27018 in cloud security guidance for GDPR-aligned data processing
  • Cloud provider ISO 27018 certifications are accepted by enterprise legal teams in the EU/UK as satisfying the "sufficient guarantees" requirement of GDPR Article 28(1) for cloud processor selection

Practical benefit for Indian IT exporters:

  • Accelerated DPA negotiation: standard DPA templates pre-populated with ISO 27018/27001 certification references, pre-signed SCCs, and pre-completed Annex II technical measures — reducing contract negotiation time from weeks to days
  • Vendor security questionnaire acceleration: ISO 27018 certification answers the majority of GDPR-specific vendor security questionnaire questions — reducing the administrative burden of EU client onboarding
  • Risk reduction: demonstrating to EU clients that their personal data is processed with formally audited PII protection controls reduces reputational and contractual risk for both parties

Q14. What are common ISO 27018:2019 audit non-conformities?

Understanding common ISO 27018:2019 non-conformities enables organisations to address them proactively before Stage-1 or Stage-2 audits. The following are the most frequently identified NCRs in ISO 27018 certification audits.

Stage-1 NCRs (documentation gaps):

  • No PII data inventory / data map (most common Stage-1 NCR): The organisation has not documented what PII it processes, for what purposes, under what legal basis, with what retention periods, in which systems, and shared with which third parties. Without a data map, the SoA cannot demonstrate informed control selection and auditors cannot verify the scope is correctly defined.
  • PII controller vs. processor roles not documented: The organisation has not formally documented which processing activities it performs as a controller vs. a processor — leading to unclear and inconsistent control implementation between the two role categories.
  • Privacy notice does not meet ISO 27018 transparency requirements: Privacy policy written in legal jargon, inaccessible (buried in site footer), missing required elements (sub-processor names, data locations, retention periods, rights exercise procedure), or not updated to reflect current processing activities.
  • Sub-processor register incomplete or undisclosed: Sub-processor register exists but is not shared with customers; or the register is missing sub-processors that access PII (commonly: error monitoring tools, log management platforms, support ticket systems).
  • No data processing agreements (DPAs) with sub-processors: The organisation uses multiple cloud services and third-party tools that access PII but has no formal DPAs with PII protection obligations. Common gaps include using AWS without accepting AWS's Data Processing Addendum (DPA), or using Slack for support communications containing PII without a DPA.

Stage-2 NCRs (implementation gaps):

  • PII in test/development environments not masked: Production PII data used directly in development or testing environments — violating A.3.1 (data minimisation) and the technical controls for non-production data masking. A very common gap for SaaS companies where developers use production database copies for debugging. The Stage-2 auditor will specifically check development and staging environment data classification.
  • No consent records / no withdrawal mechanism: Consent collected via checkbox but no audit trail of who consented to what. Or consent withdrawal is disproportionately difficult compared to consent grant. Or pre-ticked consent boxes used.
  • Data subject rights requests not tracked or not responded to within SLA: No formal SAR log; SARs responded to informally via email with no systematic tracking; or no test of the erasure procedure demonstrating actual deletion from all systems.
  • Temporary files contain PII beyond retention period: Application logs containing PII retained indefinitely because the log retention policy covers operational logs differently from PII retention policy. The auditor checks log files for PII exposure.
  • No deletion verification at contract termination: The cloud provider has a policy of deleting customer data at termination but no records of deletion having been performed, and no mechanism for providing deletion certificates to customers.
  • PII in backups retained beyond PII retention period: Live database PII deleted at retention period expiry but backup files retaining the same PII indefinitely — or backup retention settings not aligned with PII retention schedule.
  • Customer not notified of sub-processor changes: A new sub-processor was added (new analytics tool, new support platform) without notifying existing customers in advance. Change management for sub-processors is regularly tested in Stage-2.
  • Using customer PII for service improvement without explicit authorisation: Product analytics that use customer PII to train ML models or improve product features, without the customer (PII controller) having explicitly authorised this use — violates A.1.1 (purpose limitation and use only as agreed).

Q15. How does ISO 27018:2019 relate to ISO 27701:2019 (Privacy Information Management System)?

ISO/IEC 27701:2019 (Privacy Information Management System — PIMS) and ISO/IEC 27018:2019 are both privacy standards built on the ISO 27001 ISMS foundation — but they have different scopes, applicability, and certification pathways. Understanding their relationship is critical for organisations planning their privacy certification strategy.

ISO/IEC 27018:2019 — Scope and focus:

  • Scope: Public cloud computing environments only
  • Role coverage: PII Processors (cloud service providers acting as processors for their customers' PII) — with limited controller coverage for PII collected directly by the cloud provider
  • Control framework: Annex A of ISO 27018 — 25 additional controls for cloud PII processing
  • Standard type: Code of Practice — guidance document that provides additional controls for use within ISO 27001 ISMS
  • Best suited for: SaaS companies and cloud hosting providers that primarily act as PII processors for their enterprise clients

ISO/IEC 27701:2019 — Scope and focus:

  • Scope: Any environment — cloud, on-premises, hybrid
  • Role coverage: Both PII Controllers AND PII Processors — with separate Annexes for each role (Annex B for controllers, Annex C for processors)
  • Control framework: Extends ISO 27001 Annex A with additional privacy controls, plus provides two separate annexes addressing GDPR-specific requirements (informative)
  • Standard type: Management system requirements — certifiable extension to ISO 27001 ISMS
  • Best suited for: Any organisation processing PII in any environment that needs comprehensive privacy governance covering both controller and processor roles

Key differences:

  • Comprehensiveness: ISO 27701 is the more comprehensive privacy standard — covering both controller and processor obligations across all environments. ISO 27018 is narrower — limited to cloud processing and primarily to the processor role.
  • GDPR alignment: ISO 27701 has explicit GDPR mapping in its annexes (Annex D maps ISO 27701 controls to GDPR articles). ISO 27018 predates GDPR and while aligned, does not have a systematic GDPR mapping.
  • DPDPA 2023 alignment: ISO 27701's controller controls (Annex B) more comprehensively address DPDPA Data Fiduciary obligations — notice, consent, data subject rights, DPA obligations — than ISO 27018 alone.
  • Market recognition: ISO 27018 has been in the market since 2014 and has stronger cloud-specific brand recognition. ISO 27701 is newer (2019) but rapidly gaining recognition as the preferred comprehensive privacy certification.

Which to pursue:

  • Pure cloud PII processor (SaaS, cloud hosting): ISO 27001 + ISO 27018 — focused scope, established certification pathway, direct market recognition from cloud customers
  • Organisation processing PII in both controller and processor roles, or in non-cloud environments: ISO 27001 + ISO 27701 — comprehensive privacy governance covering all contexts
  • Maximum coverage: ISO 27001:2022 + ISO 27018:2019 + ISO 27701:2019 — triple certification providing comprehensive cloud privacy + full privacy management system coverage. PrecisionTech designs integrated implementations that achieve all three certifications from a single unified ISMS — significantly reducing duplicate effort.

The relationship in a combined certification:

  • ISO 27701 processor controls (Annex C) largely subsume ISO 27018 controls for cloud processing — if an organisation implements ISO 27701, most ISO 27018 requirements are automatically addressed
  • However, ISO 27018 has some cloud-specific controls (particularly around government access disclosure and cloud service agreement specifics) that are not covered in ISO 27701 — both standards provide value even when implemented together
  • The combined SoA for ISO 27001 + ISO 27018 + ISO 27701 references all three sets of controls — ISO 27001 Annex A (93 controls), ISO 27018 Annex A (additional cloud PII controls), and ISO 27701 Annexes (privacy management controls for controller and/or processor roles)

Q16. How long does ISO 27018:2019 certification take and what does it cost in India?

ISO 27018:2019 certification timeline and cost vary significantly based on the organisation's existing ISO 27001 certification status, cloud environment complexity, and current PII governance maturity.

Scenario 1 — Organisation with existing ISO 27001:2022 certification (most common):

For organisations that already have ISO 27001:2022 certification and want to add ISO 27018:2019:

  • Timeline: 8–14 weeks from engagement to combined certification
  • Scope of work: PII inventory and data mapping, ISO 27018 gap assessment against Annex A controls, PII controller/processor role documentation, consent management implementation, data subject rights procedures, sub-processor register and DPAs, privacy notice update, data deletion verification procedures, ISO 27018 internal audit extension, management review with privacy metrics, combined certification audit with CB
  • PrecisionTech consulting fees: Based on scope (number of PII processing activities, number of sub-processors, complexity of cloud architecture). Contact for proposal.
  • CB audit fees (add-on to ISO 27001 audit): Typically INR 40,000–1,50,000 additional for ISO 27018 coverage in a combined audit

Scenario 2 — Organisation without ISO 27001 certification (starting from scratch):

Combined ISO 27001:2022 + ISO 27018:2019 from scratch:

  • Timeline: 16–26 weeks depending on scope and complexity
  • Small SaaS (20–100 employees, single cloud environment): 14–18 weeks
  • Medium cloud provider (100–500 employees, multi-cloud, multiple PII categories): 18–24 weeks
  • Large BPO/IT services (500+ employees, complex PII processing for multiple clients): 22–30 weeks
  • CB audit fees: Combined ISO 27001 + ISO 27018 initial certification INR 1,20,000–3,50,000 (organisation size dependent)

Scenario 3 — Combined ISO 27001:2022 + ISO 27018:2019 + ISO 27701:2019 (triple certification):

  • Timeline: Add 6–10 weeks to Scenario 2
  • CB audit fees: Add INR 40,000–1,20,000 for ISO 27701 coverage
  • Best for organisations with both controller and processor roles, GDPR obligations, or anticipated DPDPA Significant Data Fiduciary designation

Factors that accelerate certification:

  • Existing privacy programme or privacy team — GDPR compliance work, existing privacy notices, existing DPAs
  • Cloud-native architecture with automated controls (AWS IAM, encryption defaults, automated retention policies)
  • Dedicated internal resource (privacy officer or IS manager) who can coordinate with PrecisionTech
  • Existing sub-processor DPAs with major cloud providers (AWS DPA, Google Cloud DPA, Azure DPA)

ROI of ISO 27018:2019 certification for Indian cloud companies:

  • Revenue acceleration: Enterprise client procurement teams clear vendor security questionnaires faster for ISO 27018-certified vendors. For SaaS companies, this directly translates to shorter sales cycles and higher enterprise win rates.
  • Export market access: GDPR-regulated EU/UK clients accept ISO 27018 + ISO 27001 as sufficient evidence for DPA "sufficient guarantees" under GDPR Article 28 — removing the need for individual security assessments that can take months.
  • Cyber insurance: ISO 27018 certification demonstrating formal cloud PII controls is increasingly recognised by underwriters — potential premium reduction of 10–20% for cloud-first businesses.
  • Regulatory readiness: DPDPA 2023 compliance evidence for Data Protection Board proceedings, client audits, and sector regulator assessments.

Q17. What technical security controls does ISO 27018:2019 require for PII in cloud?

Beyond privacy governance controls (consent, transparency, data subject rights), ISO 27018:2019 requires specific technical security controls to protect PII during cloud processing. These extend the ISO 27001 technical controls with PII-specific requirements.

Encryption — PII at rest and in transit:

  • Encryption at rest: All PII stored in cloud must be encrypted using strong encryption (AES-256 minimum). This applies to: structured databases, object storage (S3, Azure Blob, GCS), file storage, backup storage, and archived data. Encryption keys must be managed through a dedicated Key Management Service (KMS) with key rotation, key access logging, and key revocation capability.
  • Customer-managed keys (BYOK — Bring Your Own Key): For enterprise cloud providers, customers often require the ability to manage their own encryption keys — so that only the customer can decrypt their PII, and the cloud provider cannot access the plaintext data even with administrative access to the storage. This is a significant architectural requirement that must be planned from the start.
  • Encryption in transit: All PII transmitted between systems — client to server, server to server, server to sub-processor — must be encrypted using TLS 1.2 minimum (TLS 1.3 preferred). Certificate management with automated renewal (Let's Encrypt, AWS Certificate Manager, Azure Key Vault certificates) must be in place to prevent expired certificate outages.

Access Control for PII:

  • Least privilege for PII access: Database accounts, application service accounts, and administrative accounts must have only the minimum permissions required — no global read-all or admin access to PII databases without specific justification and monitoring
  • No employee access to production PII without documented business need: Developers, data scientists, and support staff should not have routine access to production PII. Data masking or anonymisation for non-production use cases; time-limited, audited access for production investigation
  • Unique user IDs: All access to PII systems must use individual, unique user accounts — no shared service accounts for interactive access. This enables a complete audit trail of who accessed what PII.
  • Multi-factor authentication (MFA): Required for all privileged access to PII systems, cloud consoles, and administrative interfaces

Access Logging for PII:

  • All access to PII — read, write, delete, export — must be logged with: who (user ID), what (data accessed or modified), when (timestamp with timezone), and from where (IP address, session identifier)
  • Access logs must be protected from modification (immutable log storage — CloudTrail S3 with Object Lock, Azure Monitor Logs with immutable storage) and retained according to the PII retention schedule or regulatory requirements (180 days minimum per CERT-In; longer for DPDPA/GDPR investigation support)
  • Access logs must be monitored for anomalous PII access patterns — unusually large data exports, access at unusual times, access from unusual locations — using SIEM alerting (ISO 27001:2022 A.8.16 — Monitoring Activities)
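The three anomaly patterns listed above (large exports, unusual times, unusual locations) can be checked directly against structured access-log records before they reach a SIEM. The script below is an added example written for this page, not code from PrecisionTech or from any logging product: the log lines are constructed JSON Lines records carrying the who/what/when/where fields named above, and the trusted network range, business hours and export threshold are assumed baselines that a real deployment would derive from its own environment.

```python
"""Anomaly screening over constructed PII access-log records (added example).

Each record carries the four fields ISO 27018 access logging calls for:
who (user_id), what (action, resource, record_count), when (ISO-8601
timestamp with offset) and from where (src_ip). The baselines below
(trusted network, business hours, export threshold) are assumptions made
for this example, not values taken from any real system.
"""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (JSON Lines); not output of a real product.
SAMPLE_LOG = """\
{"ts": "2026-03-02T10:15:02+05:30", "user_id": "svc-crm", "action": "read", "resource": "customers", "record_count": 12, "src_ip": "10.20.1.15"}
{"ts": "2026-03-02T11:40:10+05:30", "user_id": "analyst-42", "action": "export", "resource": "customers", "record_count": 250000, "src_ip": "10.20.1.77"}
{"ts": "2026-03-02T23:05:33+05:30", "user_id": "support-7", "action": "read", "resource": "customers", "record_count": 3, "src_ip": "10.20.2.9"}
{"ts": "2026-03-03T09:12:45+05:30", "user_id": "support-7", "action": "read", "resource": "customers", "record_count": 1, "src_ip": "203.0.113.50"}
{"ts": "2026-03-03T14:00:00+05:30", "user_id": "svc-crm", "action": "delete", "resource": "customers", "record_count": 1, "src_ip": "10.20.1.15"}
"""

# Assumed baseline: corporate address space, local working hours, export size.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (8, 20)      # 08:00 inclusive to 20:00 exclusive, local time
EXPORT_THRESHOLD = 10000      # records in a single export before alerting


def parse_log(text):
    """Parse JSON Lines into dicts with a timezone-aware datetime; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        # The "when" field is only useful for investigation if it carries an offset.
        if rec["ts"].tzinfo is None:
            raise ValueError("timestamp must include a timezone offset")
        events.append(rec)
    return events


def detect_anomalies(events, threshold=EXPORT_THRESHOLD):
    """Return (rule, user_id, detail) tuples for each suspicious PII access."""
    alerts = []
    for e in events:
        # Rule 1: unusually large data export
        if e["action"] == "export" and e["record_count"] >= threshold:
            alerts.append(("bulk_export", e["user_id"], e["record_count"]))
        # Rule 2: access outside business hours, judged in the record's own offset
        hour = e["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            alerts.append(("off_hours", e["user_id"], e["ts"].isoformat()))
        # Rule 3: source address outside the trusted networks
        ip = ip_address(e["src_ip"])
        if not any(ip in net for net in TRUSTED_NETWORKS):
            alerts.append(("untrusted_source", e["user_id"], e["src_ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run on the constructed sample, this flags the 250,000-record export, the 23:05 read, and the read from 203.0.113.50; the two routine service-account events produce nothing. In practice the per-user baselines (usual hours, usual networks) would be learned from history rather than hard-coded, and the alerts would feed the SIEM rule referenced under A.8.16.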

Data Masking in Non-Production Environments:

  • Production PII must never be used directly in development, testing, staging, or analytics environments. Masked, anonymised, or synthetically generated data must be used instead.
  • Masking techniques: pseudonymisation (replace identifying fields with tokens), format-preserving encryption (encrypt while preserving data format for testing), data synthesis (generate synthetic data with same statistical properties), redaction (remove PII entirely from test datasets)
  • Data masking tools: AWS Glue DataBrew, Microsoft Purview, Delphix, Informatica Data Masking, custom masking scripts
  • Audit: the ISO 27018 auditor will specifically request to see test/development environment data — confirming no production PII is present
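To make the masking techniques and the auditor's check concrete, here is an added example (not PrecisionTech's code and not any of the named tools) that produces a non-production copy of constructed customer records: keyed pseudonymisation with HMAC-SHA256 so the same customer maps to the same token in every table without the mapping being reversible, a deterministic format-preserving mask for phone numbers (a simple substitute for format-preserving encryption, not FPE itself), redaction of free-text notes, and a final scan confirming that no production identifier survives. The key, field names and records are all constructed for the example; in production the key would live in the KMS and never leave it.

```python
"""Masking constructed production-style records for non-production use (added example).

Techniques shown: keyed pseudonymisation (HMAC-SHA256 tokens), a deterministic
format-preserving phone mask (not format-preserving encryption), redaction of
free text, and a residual-PII scan that produces the evidence an auditor asks for.
All records, field names and the key are constructed for this example.
"""
import hashlib
import hmac
import re

# Constructed key; a real deployment would hold this in the KMS, never in code.
PSEUDONYM_KEY = b"example-key-held-only-in-production"

# Constructed production-style records (not real customers).
PROD_RECORDS = [
    {"customer_id": "C1001", "email": "asha@example.com", "phone": "+91 98765 43210",
     "city": "Pune", "notes": "Asked us to call back on +91 98765 43210 after 5 pm"},
    {"customer_id": "C1002", "email": "ravi@example.org", "phone": "+91 91234 56789",
     "city": "Chennai", "notes": "Prefers e-mail contact: ravi@example.org"},
    {"customer_id": "C1001", "email": "asha@example.com", "phone": "+91 98765 43210",
     "city": "Pune", "notes": "Duplicate ticket, closed"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")


def pseudonymise(value, key=PSEUDONYM_KEY, length=16):
    """Keyed, deterministic token: same input gives the same token across tables,
    and the original cannot be recovered without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:length]


def mask_phone(phone, key=PSEUDONYM_KEY):
    """Keep '+', separators and the first two (country-code) digits; replace the
    remaining digits with key-derived digits so the format survives for testing."""
    digest = hmac.new(key, phone.encode("utf-8"), hashlib.sha256).hexdigest()
    replacement = iter(str(int(digest, 16)))   # long decimal string of digits
    out, digits_seen = [], 0
    for ch in phone:
        if ch.isdigit():
            digits_seen += 1
            out.append(ch if digits_seen <= 2 else next(replacement))
        else:
            out.append(ch)
    return "".join(out)


def redact(text):
    """Strip e-mail addresses and phone numbers from free text, keep the rest."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def mask_record(rec):
    """Build the non-production copy of one record."""
    return {
        "customer_id": pseudonymise(rec["customer_id"]),
        "email": pseudonymise(rec["email"]) + "@masked.invalid",
        "phone": mask_phone(rec["phone"]),
        "city": rec["city"],            # low-risk attribute kept so tests stay realistic
        "notes": redact(rec["notes"]),
    }


def residual_pii_scan(masked_records, prod_records):
    """Evidence check: return (row, field) pairs where a production identifier
    value still appears anywhere in the masked data. Empty list means clean."""
    originals = set()
    for r in prod_records:
        originals.update((r["customer_id"], r["email"], r["phone"]))
    leaks = []
    for i, r in enumerate(masked_records):
        for field, value in r.items():
            if any(o in str(value) for o in originals):
                leaks.append((i, field))
    return leaks


if __name__ == "__main__":
    masked = [mask_record(r) for r in PROD_RECORDS]
    for row in masked:
        print(row)
    print("residual PII leaks:", residual_pii_scan(masked, PROD_RECORDS))
```

The residual scan is the part worth keeping in a CI pipeline that refreshes test databases: it compares the masked output against the production identifiers rather than against patterns, so it also catches PII that leaked through an unmasked column or a free-text field. Rotating PSEUDONYM_KEY changes every token, which is the intended way to break linkage between old and new test datasets.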

Physical Media Disposal:

  • Physical storage media containing PII — hard drives, SSDs, backup tapes, USB drives — must be securely disposed of through certified data destruction (degaussing + physical destruction, or certified wiping to NIST 800-88 / DoD standards)
  • For cloud environments using managed services: the cloud provider's media disposal procedures (AWS, Azure, GCP publish their data centre decommissioning procedures, which include NIST 800-88 compliant media sanitisation) must be confirmed and documented as part of the sub-processor assessment

Q18. What is the role of the Data Protection Officer (DPO) in ISO 27018:2019 compliance?

While ISO 27018:2019 itself does not mandate a Data Protection Officer by name, the governance requirements of ISO 27018 — combined with DPDPA 2023 Significant Data Fiduciary obligations and GDPR Article 37 requirements — make the DPO role a critical element of a comprehensive cloud privacy compliance framework.

GDPR Article 37 — Mandatory DPO situations:

  • Public authorities or bodies (regardless of size)
  • Organisations whose core activities involve large-scale, regular, and systematic monitoring of individuals (e.g., behavioural analytics platforms, ad-tech companies)
  • Organisations whose core activities involve large-scale processing of special categories of data (health data, biometric data, genetic data, data about criminal convictions)
  • For Indian SaaS companies processing EU resident data in these categories: GDPR Article 37 DPO appointment is legally mandatory

DPDPA 2023 — DPO for Significant Data Fiduciaries:

  • DPDPA Section 10(2)(b) requires Significant Data Fiduciaries to appoint a Data Protection Officer (DPO) who is based in India, is an individual (not an entity), and reports directly to the board of the organisation
  • The criteria for SDF designation (data volumes, sensitivity of data processed, national security implications, impact on sovereignty) are to be notified by the central government — organisations should assess their likelihood of SDF designation and prepare DPO governance accordingly

DPO responsibilities in the context of ISO 27018 compliance:

  • Privacy governance oversight: Monitoring the organisation's compliance with ISO 27018, DPDPA 2023, and GDPR — including maintaining the data map, reviewing consent management, overseeing data subject rights processing
  • Privacy impact assessment (DPIA/PIA): Conducting or overseeing privacy impact assessments for new cloud services, new PII processing activities, or significant changes to existing processing. DPIAs are mandatory for high-risk processing under GDPR and anticipated for SDFs under DPDPA.
  • Data subject rights coordination: Oversight of the SAR, erasure, and other data subject rights request processes — ensuring SLAs are met and responses are legally compliant
  • Regulator interface: Primary point of contact for the Data Protection Board of India, EU DPAs, and ICO — receiving regulator correspondence, coordinating responses, and representing the organisation in regulatory proceedings
  • Training: Conducting privacy awareness training for staff, particularly those handling PII processing activities
  • Vendor due diligence oversight: Overseeing sub-processor and third-party privacy due diligence and DPA execution

Practical options for Indian companies:

  • Internal DPO: A senior employee (Head of Legal, Head of Compliance, or dedicated Privacy Officer) designated as DPO. Must be independent — no conflict of interest with data processing decisions (cannot be the Head of Marketing or Head of IT simultaneously for GDPR purposes).
  • External / Virtual DPO (DPO as a Service): A qualified external privacy professional or firm serving as DPO on a retainer basis. Permissible under GDPR (shared DPO for groups of companies). PrecisionTech offers DPO-as-a-Service as part of its privacy compliance portfolio — providing experienced DPO governance without the overhead of a full-time hire.

Q19. What is a Privacy Impact Assessment (PIA/DPIA) and when is it required under ISO 27018:2019?

A Privacy Impact Assessment (PIA) — called a Data Protection Impact Assessment (DPIA) under GDPR — is a systematic process for identifying and mitigating privacy risks associated with a new or significantly changed PII processing activity. ISO 27018:2019 references PIAs as part of the privacy governance framework, and GDPR Article 35 mandates DPIAs for high-risk processing.

When a DPIA/PIA is required:

GDPR Article 35 mandatory DPIA triggers:

  • Systematic and extensive profiling or automated decision-making with significant effects on individuals (credit scoring, insurance underwriting, targeted advertising)
  • Large-scale processing of special categories of data (health, biometric, genetic, racial/ethnic origin, political opinion, religious beliefs, sexual orientation)
  • Systematic monitoring of publicly accessible areas on a large scale (CCTV, location tracking, social media monitoring)
  • Any processing likely to result in high risk to the rights and freedoms of data subjects — assessed using the WP29 nine criteria

ISO 27018 + good practice PIA triggers (beyond GDPR mandatory):

  • New cloud service or new cloud architecture deployment that processes PII
  • Adding a new sub-processor with access to sensitive PII categories
  • New purpose for existing PII processing (purpose expansion)
  • New cross-border PII transfer arrangement
  • Significant change to data retention or deletion practices
  • New AI/ML model trained on or making decisions about PII

DPIA/PIA process — step by step:

  1. Necessity and proportionality assessment: Is the proposed processing necessary for the stated purpose? Could a less privacy-invasive alternative achieve the same objective? Is the scope proportionate to the purpose?
  2. Data mapping: What PII is involved? Who are the data subjects? What are the processing operations? Which systems, sub-processors, and transfers are involved?
  3. Risk identification: What privacy risks does the processing create? Risks to: accuracy (incorrect PII leading to adverse decisions), availability (PII unavailable when needed), confidentiality (PII disclosed to unauthorised parties), and non-compliance (processing that violates data subject rights or legal requirements)
  4. Risk assessment: Likelihood and severity assessment for each identified risk. High-severity risks requiring mitigation before implementation.
  5. Risk mitigation measures: Technical controls (encryption, access restriction, data minimisation, anonymisation), organisational controls (consent management, retention limits, sub-processor requirements), and legal controls (SCCs, DPAs, consent mechanisms)
  6. Residual risk assessment: Post-mitigation risk assessment — if residual risk remains high after all practicable mitigation measures, GDPR Article 36 requires prior consultation with the supervisory authority (EU DPA) before processing commences
  7. DPIA documentation: Written DPIA report — mandatory for GDPR SDFs; good practice for all organisations. Must be maintained and updated as the processing evolves.

DPIA for AI/ML systems processing PII — emerging requirement:

  • AI systems making automated decisions about individuals using PII (recommendation engines, credit scoring models, churn prediction, fraud detection) require DPIA before deployment
  • The DPIA must address: training data quality and bias, model explainability and transparency, right to human review of automated decisions (GDPR Article 22), model drift monitoring, and data minimisation in ML feature engineering
  • For Indian AI companies processing PII of Indian or EU residents: DPIA is best practice now and may become mandatory under anticipated DPDPA rules and proposed EU AI Act requirements for high-risk AI systems

Q20. What is PrecisionTech's methodology for ISO 27018:2019 implementation — and why choose a 30-year company?

PrecisionTech — PRECISION e-Technologies Pvt Ltd — brings 30 years of technology and consulting experience to ISO 27018:2019 cloud privacy certification. Founded in 1994 and having served thousands of global clients, PrecisionTech occupies a unique position: the technical depth to understand cloud architectures and the consulting expertise to translate technical controls into internationally auditable governance frameworks.

Why 30 years of experience matters for ISO 27018 implementation:

  • Deep cloud technology understanding: ISO 27018 controls are meaningful only when implemented correctly in cloud environments — AWS, Azure, GCP. Our technical team's cloud architecture expertise ensures controls are designed into the system, not bolted on as documentation-only compliance.
  • Cross-domain portfolio: Our portfolio spans IT infrastructure, cloud, cybersecurity, ERP (Tally), payment integration, and certifications — meaning we understand how PII flows through the technology ecosystem of Indian businesses. A Tally ERP system, a payment gateway integration, and a cloud-hosted CRM all create PII flows that must be mapped and governed. We understand all of them.
  • Global client experience: Having served clients globally, we understand the specific privacy certification requirements of EU/UK (GDPR), UAE, Singapore (PDPA), and other major markets — essential for Indian IT exporters pursuing ISO 27018 to satisfy international client requirements.

PrecisionTech's ISO 27018 implementation methodology:

1. Privacy Discovery Workshop (Week 1–2):

  • Facilitated workshop with legal, technical, product, and business stakeholders to identify all PII processing activities, determine controller/processor roles, map PII data flows, and identify regulatory obligations (DPDPA, GDPR, CERT-In)
  • Output: Comprehensive PII data map and controller/processor role matrix — the foundation of the entire ISO 27018 implementation

2. Gap Assessment Against ISO 27018 Annex A (Week 2–3):

  • Structured review of current cloud PII protection practices against all applicable ISO 27018 Annex A controls
  • Technical assessment: encryption configuration review, access control review, logging review, non-production data masking status, sub-processor DPA status
  • Output: Gap report with risk-prioritised remediation plan and realistic certification timeline

3. Control Implementation (Weeks 3–10):

  • Parallel workstreams: legal (privacy notice, consent mechanism, DPAs, data subject rights procedures), technical (encryption, masking, logging, deletion automation), and governance (PII inventory, sub-processor register, training)
  • Bi-weekly progress reviews with stakeholders — ensuring implementation stays on track

4. Internal Audit and Management Review (Weeks 10–12):

  • ISO 27018 internal audit — document review, technical evidence review, consent record testing, sub-processor DPA verification, data subject rights procedure testing
  • Management review with privacy performance metrics
  • Stage-2 readiness verdict and final preparation

5. Certification Audit Support (Weeks 12–14+):

  • CB interface, Stage-1 documentation preparation, Stage-1 observation response, Stage-2 support, CAPA management, certificate issuance

6. Annual Surveillance Support:

  • Annual PII inventory update, privacy notice review, sub-processor register update, consent record audit, data subject rights SLA review, internal audit, management review facilitation, surveillance audit preparation

All CTAs and enquiries are handled through our contact page — our privacy consulting team responds within 1 business day.

Q21. What cloud service agreement clauses are required by ISO 27018:2019?

ISO 27018:2019 requires that the relationship between the cloud service provider (PII processor) and its customer (PII controller) be governed by a formal cloud service agreement that includes specific PII protection clauses. These clauses are tested in Stage-2 audits — the auditor will review customer contract templates for required provisions.

Mandatory cloud service agreement provisions under ISO 27018:2019:

1. Scope of PII processing:

  • Clear description of what PII the cloud provider will process, for what purposes, and under what instructions from the customer. The agreement must establish that the cloud provider processes PII only per customer instructions — no processing for the cloud provider's own purposes.

2. Security measures:

  • Description of the technical and organisational security measures in place — or reference to the cloud provider's publicly available security documentation (security whitepaper, ISO 27001/27018 certification, SOC 2 Type II report). Customers have a right to audit these measures.

3. Sub-processor provisions:

  • List of current sub-processors (or reference to the published sub-processor list), commitment to notify customers before adding or changing sub-processors, customer right to object to sub-processor changes, clause imposing equivalent PII obligations on sub-processors

4. Data subject rights support:

  • Cloud provider commits to supporting the customer in responding to data subject rights requests — providing data extracts for SARs, executing deletion for erasure requests, supporting portability for portability requests — within defined SLAs

5. Breach notification:

  • Cloud provider will notify the customer without undue delay (typically within 24–72 hours) upon becoming aware of a security incident affecting the customer's PII. The notification must include: nature of the incident, categories and approximate number of data subjects affected, categories and approximate volume of PII records affected, likely consequences, measures taken or proposed to address the incident.

6. Data deletion/return at termination:

  • Upon contract termination: customer's choice of deletion or return of all PII within a specified period (typically 30–90 days post-termination). After the period, cloud provider certifies that all PII has been deleted — including from backups and sub-processors' systems.

7. Prohibition on use for advertising or other unauthorised purposes:

  • Explicit prohibition on using customer PII for any purpose not authorised by the customer — specifically: advertising, product analytics beyond service delivery, training AI models on customer data without authorisation, selling or sharing customer PII with third parties beyond authorised sub-processors

8. Government access request notification:

  • Cloud provider will notify customer if it receives a government request for access to customer PII — unless legally prohibited. Cloud provider will challenge overbroad or unlawful requests.

9. Audit rights:

  • Customer right to audit the cloud provider's PII protection controls — either through direct audit or through review of third-party audit reports (ISO 27018 certificate, SOC 2 Type II report). The ISO 27018 certificate itself partially satisfies the right-to-audit obligation.

10. Data localisation commitments:

  • For customers with data residency requirements (RBI, IRDAI, DPDPA whitelist, GDPR transfer restrictions): explicit commitment to process and store PII only in specified data locations, with no cross-border transfer without customer authorisation.

PrecisionTech provides a complete cloud service agreement clause library — including DPA templates for DPDPA 2023, GDPR SCCs (Module 2 — Controller to Processor), UK GDPR IDTAs, and jurisdiction-specific addenda — as part of the ISO 27018 implementation engagement. These templates significantly accelerate customer DPA negotiations for Indian cloud providers.

Q22. How does PrecisionTech's 30-year experience differentiate its ISO 27018:2019 consulting from newer firms?

In a market crowded with compliance consultants who have emerged recently in response to GDPR and DPDPA, PrecisionTech's 30-year technology and consulting heritage — serving thousands of global clients since 1994 — provides a fundamentally different quality of ISO 27018 certification service.

1. Technology depth — not just documentation depth:

  • Many ISO 27018 consultants produce policy documents and control checklists — but lack the technical depth to verify whether the controls actually work in the cloud environment. PrecisionTech's technical team reviews cloud IAM configurations, encryption settings, log retention policies, masking implementations, and deletion automation — not just the policies that claim to govern them.
  • We have implemented cloud architectures on AWS, Azure, and GCP for clients across industries — we understand the practical realities of implementing ISO 27018 controls in cloud-native SaaS, hybrid cloud BPO, and managed cloud hosting environments from direct experience, not theory.

2. Cross-domain integration — the strength of a wide portfolio:

  • PrecisionTech's portfolio spans cloud, IT infrastructure, ERP (Tally), payment gateway integration, cybersecurity, and ISO certifications. This breadth is not just our USP — it is our competitive advantage for ISO 27018 implementation. We understand how PII flows through the entire technology ecosystem of an Indian business: from Tally accounting data to payment gateway transaction records to cloud-hosted CRM data to employee HRMS data.
  • A consultant who only understands privacy governance but not cloud architecture, ERP data flows, or payment data handling will miss critical PII sources that create ISO 27018 non-conformities.

3. Global client experience — understanding international privacy requirements:

  • Having served clients globally for 30 years, PrecisionTech understands the specific privacy requirements of major export markets: GDPR (EU/UK), PDPA (Singapore), PIPL (China), HIPAA (US healthcare), and anticipated frameworks in the UAE and GCC. Indian IT exporters pursuing ISO 27018 typically need to satisfy multiple privacy frameworks simultaneously — our global experience enables us to design a single ISMS that addresses all relevant frameworks without redundant effort.

4. Regulatory depth — 30 years of watching regulations evolve:

  • We have seen the IT Act (2000), its amendments (2008, 2023), the IT Rules (2011), CERT-In Guidelines (multiple iterations), RBI IT Framework (2011, updated), and now DPDPA 2023. We anticipate regulatory direction — building ISO 27018 implementations that are robust to forthcoming DPDPA rules, anticipated SDF designations, and evolving CERT-In requirements, not just compliant with the current rules as written.

5. Sustainable compliance — not just certification compliance:

  • An ISMS that survives only until the auditor leaves is worthless. PrecisionTech designs ISO 27018 implementations that organisations can maintain independently — clear procedures, automated controls where possible, practical documentation that staff can actually use, and annual surveillance support that keeps the certification alive and meaningful.
  • Our clients consistently achieve surveillance audits with zero major non-conformities — because the ISMS was designed for long-term operational sustainability, not just initial certification.

Contact PrecisionTech:

With 30 years of technology and consulting expertise, thousands of global client relationships, and a comprehensive certification consulting portfolio — PrecisionTech is India's most experienced partner for ISO 27018:2019 cloud privacy certification. Start your journey with a free gap assessment. All enquiries through our contact page — responded to within 1 business day by our privacy consulting team.

Related Certification & Compliance Services

🔒
ISO/IEC 27001:2022 ISMS
The mandatory ISMS foundation for ISO 27018. Annex A 2022 — 93 controls. CERT-In and DPDPA aligned. Combined certification available.
🔄
ISO 27001:2013 → 2022 Transition
Transition from 2013 edition before October 2025 deadline. Combined transition + ISO 27018 extension.
🏅
ISO 9001:2015 QMS
Quality Management System — Annex SL integration enables combined ISMS + QMS + ISO 27018 triple certification efficiency.
🦺
ISO 45001:2018 OH&S
Occupational Health & Safety. Combine with ISO 27001 + ISO 27018 for QEHS + cloud privacy integrated management.
💳
Payment Gateway Integration
PCI DSS and ISO 27018 alignment for payment data security. RBI data localisation for payment PII in cloud.
📊
GST GSP API Integration
GST data processing in cloud — ISO 27018 PII controls applied to taxpayer data as PII in cloud environments.

Achieve ISO/IEC 27018:2019 Cloud Privacy Certification — India's Most Trusted Cloud PII Protection Consultants

DPDPA 2023 aligned. GDPR Article 28 evidence. Combined ISO 27001 + ISO 27018 certification. Zero major NCRs. 8–24 week delivery.

Trusted by SaaS companies, cloud hosting providers, healthcare tech, fintech, and BPOs across India since 1994.

Get Your Free ISO 27018:2019 Gap Assessment

No phone numbers. No spam. Privacy consulting team responds within 1 business day.