Macksofy Technologies
Privacy Controls · Public Cloud Processors

ISO/IEC 27018 — PII in Public Cloud

The PII-in-cloud certification customers ask for first.

ISO/IEC 27018 is the international standard for protecting PII processed in public clouds. It adds 25+ controls and a customer-visible audit trail covering consent, data location, deletion and customer notification.

Why this matters

Compliance is leverage, not paperwork.

When customers entrust personal data to your cloud, ISO 27018 is the certification they look for in your security questionnaire. Combined with DPDP / GDPR readiness, it shortens enterprise sales cycles by 30%+. Macksofy implements ISO 27018 as an extension to ISO 27001 (or alongside ISO 27701 for full PIMS).

Applicability
  • Public cloud processors handling customer PII
  • Multi-tenant SaaS in EU / India / US enterprise sales
  • DPDP Significant Data Fiduciaries
  • GDPR processors (Article 28)
  • Healthtech storing patient data in cloud
Standards & frameworks

Aligned to the regulations that matter.

  • ISO/IEC 27018:2019
  • ISO/IEC 27001:2022 (parent)
  • ISO/IEC 27701 (PIMS — synergistic)
  • GDPR Article 28 + Article 32
  • DPDP Section 8 — Reasonable Security
Methodology

How we run an ISO 27018 engagement.

Every phase is documented, every activity evidenced, every artefact regulator-ready.

  1. Phase 01 · PII inventory + processor classification
     • Customer-PII vs. organisation-PII separation
     • Cross-border + sub-processor mapping
     • Customer consent / contract review
  2. Phase 02 · 27018-specific controls
     • Customer consent for data use beyond service
     • Disclosure to law enforcement controls
     • Data return / erasure on contract end
     • Sub-processor disclosure
  3. Phase 03 · Customer-visible controls
     • Public privacy notice review
     • Customer audit-rights workflow
     • Notification to customers of breach (Article 33-style)
  4. Phase 04 · Audit
     • Combined ISO 27001 + 27018 internal audit
     • Stage 1 + Stage 2 with certification body

Followed by closure + retest.
Deliverables

Everything you need to satisfy auditors.

  • PII processing register (customer + organisation split)
  • Sub-processor disclosure list (publishable)
  • Customer audit + breach-notification playbooks
  • ISO 27001 + 27018 combined SoA
  • Stage 1 / 2 certification support
Recent engagements
Customer-data SaaS (Mumbai + Singapore)

ISO 27001 + 27018 combined

Outcome: Customer security questionnaires shortened 60%; closed two ₹5cr+ enterprise deals on the certification alone

At a glance

The shape of an ISO 27018 engagement.

The headline figures (methodology phases, documented activities, auditor-ready deliverables, retest window in days) are grounded in how Macksofy actually runs the engagement, not aspirational marketing copy.
Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

18 controls mapped across 6 pillars

Coverage breakdown
  • PII classification in cloud · 3 pts
  • Consent & purpose limitation · 3 pts
  • Customer-controlled keys & encryption · 3 pts
  • Sub-processor & cross-border · 3 pts
  • Data-subject rights workflow · 3 pts
  • Privacy incident handling · 3 pts
Pillar 01
PII classification in cloud

Knowing what's PII and where it lives is half the audit.

  • PII inventory in cloud workloads
  • Sensitivity & jurisdiction tagging
  • Pseudonymisation + minimisation posture
Pillar 02
Consent & purpose limitation

The 27018-specific controls on use of PII.

  • Customer-consent recording
  • Purpose-binding evidence
  • Marketing / secondary-use restriction
Pillar 03
Customer-controlled keys & encryption

Who holds the keys is what 27018 hinges on.

  • BYOK / HYOK key-management evidence
  • Encryption-at-rest + in-transit
  • Key-rotation + access audit
Pillar 04
Sub-processor & cross-border

Transparency and notice requirements that GDPR and DPDP also lean on.

  • Sub-processor register + notice flow
  • Cross-border transfer mechanisms
  • Onward-transfer due-diligence
Pillar 05
Data-subject rights workflow

How requests flow from customer → provider → resolution.

  • Access / correction / erasure intake
  • Customer-controller hand-off SLA
  • Audit-trail of subject-rights actions
Pillar 06
Privacy incident handling

The notification timelines and forensic readiness specific to PII.

  • 72-hour customer notification flow
  • Forensic preservation of PII-related logs
  • Post-incident privacy review
Engagement timeline

From kick-off to regulator-ready report.

The typical week-by-week shape of an ISO 27018 engagement; each station is detailed in the methodology section above.

  • Week 1 · PII inventory + processor classification
  • Week 2 · 27018-specific controls
  • Week 3 · Customer-visible controls
  • Week 4 · Audit
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai

The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai

Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things compliance leads ask before signing.

Yes — 27018 is an extension. Pair with ISO 27017 if you also operate as a cloud provider.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements