Standard: ISO/IEC 27018:2019 — Protection of PII in public clouds acting as PII processors
Tier: 2 — Supporting
Framework role: Data pillar and cloud PII processing controls
ISO/IEC 27018 establishes commonly accepted control objectives for public-cloud PII processors. The framework addresses privacy through data policies, GDPR mappings, and the Data pillar.
| Theme | Framework implementation |
|---|---|
| Consent | GDPR workflows in A034 (reconciliation pending) |
| Purpose limitation | Policy engine, data classification |
| Disclosure of sub-processors | Vendor registry, procurement governance |
| Data location | Multi-tenant config, cloud region policies |
| Data return/deletion | Data subject request workflows (planned/partial) |
| Transparency | Privacy notice templates, ADPA data-protection template |
| Asset | Location |
|---|---|
| Data privacy policy template | blueprint-templates/policy-templates/data-privacy-policy.md |
| ADPA data protection template | adpa/templates/governance-artifacts/standard/data-protection.template.json |
| Data pillar contract tests | tests/contracts/data.contract.test.js |
| GDPR mappings | A034 § 2.1 |
~65–70% — policy and template strength; Purview/DLP live integration still planned (Improvement Focus Area 10).