This Standard is designed to use as a reference for selecting PII protection controls within the process of implementing a cloud computing ISMS based on ISO/IEC 27001, or as a guidance document for implementing commonly accepted PII protection controls for CSPs. In particular, this International Standard has been based on ISO/IEC 27002, taking into consideration the specific risk environment(s) arising from those PII protection requirements which might apply to CSPs acting as PII processors.



Why is ISO/IEC 27018:2014 required?

CSPs who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in a fashion that allow both the contracting parties to adhere to the requirements of legislation which governs how PII is allowed to be processed (i.e. collected, used, transferred and disposed of) is sometimes referred to as data protection legislation.


  • A cloud service provider is a ‘PII processor’
  • The cloud service customer can range from a natural person, a ‘PII principal’, or
  • An organization, a ‘PII controller’, processing PII relating to many PII principals


The additional list of controls include:

Description Controls
Consent and choice Obligation to co-operate regarding PII principals’ rights
Purpose legitimacy and specification Public cloud PII processor’s purpose
Public cloud PII processor’s commercial use
Data minimization Secure erasure of temporary files
Use, retention and disclosure limitation PII disclosure notification
Openness, transparency and notice Disclosure of sub-contracted PII processing
Accountability Notification of a data breach involving PII
Retention period for administrative security policies and guidelines
PII return, transfer and disposal
Information security Confidentiality or non-disclosure agreements
Restriction of the creation of hardcopy material
Control and logging of data restoration
Protecting data on storage media leaving the premises
Use of unencrypted portable storage media and devices
Encryption of PII transmitted over public data-transmission networks
Secure disposal of hardcopy materials
Unique use of user IDs
Records of authorized users
User ID management
Contract measures
Sub-contracted PII processing
Access to data on pre-used data storage space
Privacy compliance Geographical location of PII
Intended destination of PII


Is Tata Communications ISO/IEC 20000-1:2011 certified?

Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for protection of PII (Personally Identifiable Information) processed by GSMC for Managed Cloud Services – IZO Private Cloud and IZO Cloud Storage.



ISO/IEC 27018: 2014 in-scope services:

IZO Private Cloud & IZO Cloud Storage In-Scope services
Compute Cloud services, Virtual Services, Auto Scaling
Network VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup Block, File and ICS (Object) backup
Scheduled data backup and data restoration
Database Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache
Application maintenance
Hypervisor VMware, Hyper-V and KVM
Load balancer Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance
Security SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth


Review all of our global compliance programs

Contact us

Contact us to learn how we can help you unleash collaboration, creativity, and commercial innovation.