
ADR-0019: Data protection certification

Status: proposed

Date: 2026-03-10

Group: cross-cutting

Depends-on: ADR-0016

Context

Government workloads process personal data and sensitive government information. GDPR compliance is a legal requirement, not a choice. The question is which certification framework to adopt to demonstrate data protection beyond legal compliance.

Options

Option 1: ISO 27018 (PII protection in public cloud)

  • Pros: cloud-specific data protection standard; extends ISO 27001 with PII controls; covers consent, data minimization, transparency, and sub-processor management; recognized by EU data protection authorities; complements ISO 27001 + 27017 (ADR-0018) naturally

  • Cons: focused on PII, so it does not cover all government data classifications; it is a code of practice rather than a separately certifiable standard, so it can only be audited as part of an ISO 27001 scope

Option 2: GDPR compliance program only (no additional certification)

  • Pros: legal compliance is mandatory anyway; no additional certification cost; DPIA and records of processing cover the basics

  • Cons: no independent verification; "we comply with GDPR" is a claim without evidence; does not differentiate the platform

Option 3: ISO 27018 + ISAE 3000 Type II assurance report

  • Pros: ISO 27018 for technical controls; ISAE 3000 provides independent third-party assurance over a period; strongest evidence of data protection for procurement evaluations

  • Cons: ISAE 3000 is expensive and time-consuming; may be premature for initial platform launch

Decision

ISO 27018 as part of the ISO 27001 certification scope (ADR-0018). This extends the ISMS with cloud-specific PII controls at minimal additional cost since it shares the same audit framework. ISAE 3000 assurance can be pursued later when the platform is operational and has a track record to audit.

Consequences

  • PII controls from ISO 27018 must be included in the ISO 27001 Statement of Applicability

  • Data processing agreements must reflect ISO 27018 requirements

  • Tenant data residency enforcement (all data stays within the platform’s sovereign boundary) must be architecturally guaranteed, not just policy

  • Sub-processor management must be formalized