ISO 27001 Annex A Control 5.23

ISO 27001 control 5.23 Information security for use of cloud services

The basics

ISO 27001 control A.5.23 Information security for use of cloud services requires companies to set security requirements for cloud services, and then purchase, use, manage, and terminate the use of cloud services according to those requirements. This is a new control in the 2022 revision of the standard.

Documentation

ISO 27001 control A.5.23 Information security for use of cloud services can be documented:

  • for smaller companies, by writing a Supplier Security Policy
  • for mid-sized and larger companies, by writing a dedicated Cloud Security Policy

These policies are not mandatory, but they are recommended, because the auditor will want to see where the security requirements for cloud services are written down.

Implementation

In order to comply with control A.5.23 Information security for use of cloud services you might implement the following:

  • Technology — the technology needed to secure the cloud services you use is, in most cases, already provided by the cloud provider (e.g., zero-trust network architecture, identity and access management, multi-factor authentication, encryption, continuous logging and monitoring, etc.). Note that under the shared responsibility model the provider makes these features available, but many of them (MFA enforcement, encryption at rest, audit logging) are opt-in and must be enabled and configured by the customer. Some companies might only need to upgrade to a more secure service tier, while in rare cases they will need to change the cloud provider if it does not offer the required security features.
  • Organization/processes — you should set up a process for determining the security requirements for cloud services and the criteria for selecting a cloud provider; further, you should define a process for determining acceptable use of the cloud, and also the security requirements that apply when canceling the use of a cloud service (typically the return or secure deletion of your data and the revocation of access and credentials). You can document those processes through a Supplier Security Policy or a Cloud Security Policy.
  • People — make employees aware of the security risks of using cloud services, and train them on how to use the security features of cloud services.

Audit evidence

During the certification audit, the auditor might look for the following evidence regarding control A.5.23 Information security for use of cloud services: whether security requirements for cloud services are defined, and whether cloud services are acquired, used, managed, and terminated according to those requirements.