ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud

ISO/IEC 27018 overview

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The ISO/IEC 27000 family of standards helps organizations of every type and size keep information assets secure.

In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.

Microsoft and ISO/IEC 27018

At least once a year, Microsoft Azure and Azure Germany are audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body. This audit provides independent validation that applicable security controls are in place and operating effectively. As part of this compliance verification process, the auditors validate in their statement of applicability that Microsoft in-scope cloud services and commercial technical support services have incorporated ISO/IEC 27018 controls for the protection of PII in Azure. To remain compliant, Microsoft cloud services must be subject to annual third-party reviews.

By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, Microsoft demonstrates that its privacy policies and procedures are robust and in line with its high standards.

  • Customers of Microsoft cloud services know where their data is stored. Because ISO/IEC 27018 requires certified CSPs to inform customers of the countries in which their data may be stored, Microsoft cloud service customers have the visibility they need to comply with any applicable information security rules.
  • Customer data won't be used for marketing or advertising without explicit consent. Some CSPs use customer data for their own commercial ends, including for targeted advertising. Because Microsoft has adopted ISO/IEC 27018 for its in-scope enterprise cloud services, customers can rest assured that their data will never be used for such purposes without explicit consent, and that consent can't be a condition for use of the cloud service.
  • Microsoft customers know what's happening with their PII. ISO/IEC 27018 requires a policy that allows for the return, transfer, and secure disposal of personal information within a reasonable period of time. If Microsoft works with other companies that need access to your customer data, Microsoft proactively discloses the identities of those sub-processors.
  • Microsoft complies only with legally binding requests for disclosure of customer data. If Microsoft must comply with such a request (as in the case of a criminal investigation), it will always notify the customer unless it's prohibited by law from doing so.

Microsoft in-scope cloud platforms & services

  • Azure, Azure Government, and Azure Germany
  • Azure DevOps Services
  • Dynamics 365, Dynamics 365, and Dynamics 365 Germany
  • Intune
  • Microsoft Defender for Cloud Apps
  • Microsoft Professional Services: Premier and On Premises for Azure, Dynamics 365, Intune, and for medium business and enterprise customers of Microsoft 365 for business
  • Microsoft Graph
  • Microsoft Healthcare Bot
  • Microsoft Managed Desktop
  • Microsoft Threat Experts
  • Microsoft Stream
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
  • Office 365 Germany
  • OMS Service Map
  • Power Automate (formerly Microsoft Flow): cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service: either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI cloud service: either as a standalone service or as included in an Office 365 branded plan or suite
  • Power BI Embedded
  • Power Virtual Agents
  • Microsoft Defender for Endpoint: Endpoint Detection & Response, Automatic Investigation & Remediation, Secure Score
  • Windows 365

Azure, Dynamics 365, and ISO ISO/IEC 27018

For more information about Azure, Dynamics 365, and other online services compliance, see the Azure ISO/IEC 27018 offering.

Office 365 and ISO ISO/IEC 27018

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Access Online, Microsoft Entra ID, Azure Communications Service, Compliance Manager, Customer Lockbox, Delve, Exchange Online Protection, Exchange Online, Forms, Griffin, Identity Manager, Lockbox (Torus), Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Customer Portal, Office 365 Microservices (including but not limited to Kaizala, ObjectStore, Sway, PowerPoint Online Document Service, Query Annotation Service, School Data Sync, Siphon, Speech, StaffHub, eXtensible Application Program), Office 365 Security & Compliance Center, Office Online, Office Pro Plus, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, Project Online, Service Encryption with Microsoft Purview Customer Key, SharePoint Online, Skype for Business, Stream
GCC Microsoft Entra ID, Azure Communications Service, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream
GCC High Microsoft Entra ID, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business
DoD Microsoft Entra ID, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business

Office 365 Audits, reports, and certificates

Microsoft cloud and commercial technical support services are audited once a year for the ISO/IEC 27018 code of practice as part of the certification process for ISO/IEC 27001.

Frequently asked questions

To whom does ISO/IEC 27018 apply?

This code of practice applies to CSPs that process PII under contract for other organizations. At Microsoft, it also applies to the support of these CSPs.

What is the difference between 'personal information controllers' and 'personal information processors'?

In the context of ISO/IEC 27018:

  • 'Controllers' control the collection, holding, processing, or use of personal information; they include those parties who control it on another company's behalf.
  • 'Processors' process information on behalf of controllers; they don't make decisions as to how to use the information or the purposes of the processing. In providing its enterprise cloud services, Microsoft (as a vendor to you) is an information processor.

Where can I view Office 365 compliance information for ISO/IEC 27018?

  • You can review the ISO/IEC 27018 certificates from BSI (the independent auditor that validated Microsoft compliance with ISO/IEC 27018) for Office 365.

Can I use Microsoft's compliance in my organization's certification process?

Yes. If compliance with ISO/IEC 27018 is important for your business and implementations deployed on any of Microsoft in-scope enterprise cloud services, you can use Microsoft's attestation of compliance with ISO/IEC 27018 with Microsoft's certification for ISO/IEC 27001 in your compliance assessment.

However, you're responsible for engaging an assessor to evaluate your implementation for compliance, and for the controls and processes within your own organization.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources