ISO/IEC 27018:2019

ISO/IEC 27018:2019 overview

ISO/IEC 27018:2019 is the first international code of practice for protecting personal data in the cloud. It builds on the information security controls and best practices of ISO/IEC 27002:2013 and, drawing on EU data protection law, gives cloud service providers acting as processors of personally identifiable information (PII) specific guidance on assessing risks and implementing state-of-the-art controls for protecting PII. It establishes cloud-specific control objectives and guidelines for PII in accordance with the privacy principles of ISO/IEC 29100:2011.

Azure and ISO/IEC 27018

Microsoft Azure, Dynamics 365, and other Microsoft online services are assessed for compliance with the ISO/IEC 27018 code of practice during the regular ISO/IEC 27001 audits conducted by an independent third-party auditing firm. Because ISO/IEC 27018 is a code of practice rather than a stand-alone certifiable management-system standard, its controls are audited as an extension of the ISO/IEC 27001 certification. You can review the Azure ISO/IEC 27018 certificate and audit report for more information. These documents demonstrate that the Microsoft online services in scope for the audit have incorporated ISO/IEC 27018 controls for the protection of PII.

Applicability

  • Azure
  • Azure Government
  • Azure China (for more information, see Trust Center documentation)

Services in scope

Microsoft online services in scope are shown on the Azure ISO/IEC 27018 certificate:

  • Azure (for detailed insight, see Microsoft Azure Compliance Offerings or Azure ISO/IEC 27018 certificate)
  • Azure DevOps (see separate Azure DevOps ISO/IEC 27018 certificate)
  • Dynamics 365 (for detailed insight, see Azure ISO/IEC 27018 certificate)
  • Microsoft 365 Defender (formerly Microsoft Threat Protection, not in scope for Azure Government)
  • Microsoft Bing for Commerce (not in scope for Azure Government)
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop (not in scope for Azure Government)
  • Microsoft Stream
  • Microsoft Threat Experts (not in scope for Azure Government)
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power BI Embedded
  • Power Virtual Agents (not in scope for Azure Government)
  • Universal Print (not in scope for Azure Government)

Office 365 and ISO/IEC 27018

For more information about Office 365 compliance, see Office 365 ISO/IEC 27018 documentation.

Microsoft Professional Services compliance

For more information about Microsoft Professional Services compliance, see Microsoft Professional Services documentation.

Audit reports and certificates

You can access Azure ISO/IEC 27018 audit documents via the Service Trust Portal (STP) Audit Reports - ISO Reports section. You must log in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

The Azure DevOps ISO/IEC 27018 certificate is published as a separate document in the same Service Trust Portal Audit Reports - ISO Reports section.

Frequently asked questions

To whom does ISO/IEC 27018 apply?
The ISO/IEC 27018 code of practice applies to cloud service providers (CSPs) that process personally identifiable information (PII) under contract for other organizations. At Microsoft, it also applies to the support functions that operate and support those cloud services.

What is the difference between personal information controllers and personal information processors?
In the context of ISO/IEC 27018:

  • Controllers control the collection, holding, processing, or use of personal information; they include those who control it on another company's behalf.
  • Processors process information on behalf of controllers; they do not make decisions as to how the information is used or what the purpose of processing is. In providing its enterprise cloud services, Microsoft (as a vendor to you) is an information processor, and you, as the customer, remain the controller of the PII you place in those services.

Where can I get the Azure ISO/IEC 27018 audit documentation?
For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to log in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Can I use the Azure ISO/IEC 27018 compliance assurances in my organization’s certification process?
Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you are responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.

Resources