The digital landscape is evolving faster than ever, and with it comes an increasing responsibility to safeguard personal data in the cloud. To address these growing challenges, the new ISO/IEC 27018:2025 standard has just been published. This updated code of practice sets the benchmark for protecting Personally Identifiable Information (PII) in public cloud environments.

For organisations that deal with cloud environments, adopting this standard isn’t just about compliance—it’s about demonstrating leadership in data privacy, reinforcing customer trust, and staying ahead of global regulatory demands.

What’s New in ISO/IEC 27018:2025?

The 2025 revision brings significant enhancements designed to strengthen privacy, security, and accountability in the cloud. Here are the highlights:

  • Alignment with ISO/IEC 27002:2022
    The standard now reflects the latest cybersecurity controls, ensuring our privacy practices remain fully integrated with modern security measures.
  • Clearer Roles & Accountability
    It introduces sharper definitions for data controllers and processors, with greater emphasis on monitoring, responsibility, and compliance.
  • Stronger Sub-processor Management
    Enhanced guidance ensures that privacy and security obligations extend across the supply chain, reducing risks from third-party vendors.
  • Greater Transparency & Auditability
    New requirements stress the importance of timely breach notifications and robust auditing capabilities—vital for both regulatory reviews and client assurance.
  • Modernized Privacy Controls
    Annex B now provides extended implementation guidance, incorporating best practices aligned with evolving regulations like GDPR and CCPA.

Why It Matters

Transitioning to ISO/IEC 27018:2025 is more than an operational update—it’s a strategic move. Here’s why it’s so important:

  1. Stronger Compliance – Stay aligned with global data protection laws, including GDPR, CCPA, and beyond.
  2. Greater Customer Confidence – Reassure clients, particularly in banking and financial services, that their data is safeguarded by the highest standards.
  3. Integrated Governance – Enhance alignment between ISMS (ISO 27001), PIMS (ISO 27701), and cloud security practices.
  4. Reduced Risk – Minimize the chance of data breaches or non-compliance with a modernized, more resilient control set.

Next Steps for a Smooth Transition

To unlock the full benefits of ISO/IEC 27018:2025, organizations should begin preparing now. Key actions include:

  • Gap Analysis – Assess current frameworks against new requirements.
  • Transition Plan – Define timelines, resources, and milestones for implementation.
  • Stakeholder Engagement – Involve Legal, Compliance, Security, and Engineering teams to update policies and technical controls.

Final Thoughts

ISO/IEC 27018:2025 is more than a compliance standard—it’s a roadmap to building trust, resilience, and competitive advantage in a cloud-first world. By embracing these changes, we reinforce our commitment to safeguarding customer data and ensuring our governance framework remains future-ready.