ISO/IEC 27018:2014 - Information technology — Security techniques — Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors

Archived
Published on: 15/10/2017 Last update: 23/10/2019

The standard intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls” [quoted from the DIS version].
The standard is primarily concerned with public-cloud computing service providers (such as Amazon Web Services and Google’s Compute Engine) acting as PII processors. “A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [from the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.
The standard interprets rather than duplicates ISO/IEC 27002:2013 in the context of securing personal data processed in the cloud. An annex extends 27002, for example recommending that cloud service providers inform their customers if they use sub-contractors.
ISO/IEC 27000, 27001 and 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788 “Cloud computing - overview and vocabulary” and ISO/IEC 29100 “Privacy framework”.

Categorisation

Format: PDF
Status: Completed
Representation technique: Human Language