How to Transition to the Latest ISO 27018 Standard for Cloud Service Providers

The ISO/IEC 27018:2025 standard is the latest international code of practice for protecting personally identifiable information (PII) within public cloud environments and now aligns with the updated ISO/IEC 27001:2022 standard. While previous versions of ISO/IEC 27018 existed, the 2025 update is a significant revision that reflects the current global data protection landscape. This standard is specifically designed for cloud service providers (CSPs) who process PII on behalf of customers, acting as PII processors.

The core of this new standard is its alignment with modern regulations like the GDPR and CCPA. It goes beyond general security practices by providing explicit guidance on PII-specific controls. Key areas of focus include enhanced transparency, ensuring robust consent mechanisms, and clear rules for data deletion and transfer. The update also clarifies the responsibilities of both the cloud provider and the customer, helping to close potential security gaps in the shared responsibility model.

Why Adopt This Update?

Adopting ISO/IEC 27018:2025 helps CSPs demonstrate a strong commitment to privacy, which builds customer trust and offers a competitive advantage. The standard offers a structured framework for managing data risks and supports compliance efforts, streamlining the process of meeting complex international and local data protection laws. This makes it an essential guideline for any organization handling sensitive data in the public cloud.

Prepare for a Smooth Transition

If your organization is currently certified to ISO/IEC 27018:2019, you should begin planning your transition to the updated 2025 version.

  1. Conduct a Gap Analysis

    Review your current Information Security Management System (ISMS) against the new requirements of the ISO/IEC 27018:2025 standard. The goal is to identify new controls, modified requirements, or revised implementation guidance that need to be addressed.

  2. Update Policies, Procedures, and Controls

    Based on the gap analysis, update your organization’s policies, procedures, and controls to align with the new standard. This may involve updating the Statement of Applicability (SoA), revising risk assessments, and training staff on the new requirements.

  3. Work with Your Certification Body

    Engage with your certification body to schedule and prepare for a transition audit. This audit confirms that the necessary changes have been implemented effectively and that the ISMS is compliant with the ISO/IEC 27018:2025 standard. Once the audit is successfully completed, the certification body will issue an updated certificate to reflect the new standard.

These steps help to ensure a smooth and effective transition while maintaining compliance.

We’re Here to Help

For more information on maintaining your ISMS operation, contact your Baker Tilly professional.
