Information Security for Use of Cloud Services - ISO 27001 Annex A Control
ISO 27001 Annex A 5.23
Cloud is someone else's computer - the security obligations remain yours.
Cloud services were given their own control in the 2022 edition of ISO 27001 because cloud is now where most business information actually lives. The control covers the lifecycle - selecting a cloud service, configuring it securely, operating it under defined responsibilities, and being able to leave it cleanly if needed.
The shared responsibility model is at the heart of cloud security. The provider is responsible for some controls. The customer is responsible for others. Where the line falls depends on the type of service - SaaS, PaaS, IaaS - and the specific provider. The organisation has to understand the model for each cloud service in use and make sure its share of the controls is in place.
Exit planning is the part that often gets neglected. The control asks for an exit plan covering data extraction, deletion at the provider, transition arrangements and continuity of service. The plan does not need to anticipate every scenario, but it does need to confirm that exit is feasible without a major business disruption.
The cloud register is what gives us visibility. We list every cloud service in use, the data we put into it, the responsible owner internally, the supplier review cycle and the exit plan. Without that register it would be hard to answer simple audit questions such as which providers hold customer data, and where.
For each cloud service we work to understand the shared responsibility model so we know what the provider does and what we have to do.
Practical Compliance Guidance
Cloud computing arrangements are described in the IMS1 Manual in section 8.2 alongside information security arrangements and section 8.3 on IT equipment. The cloud register holds the master list of cloud services in use, with an exit plan for each.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | The full alphaZ ISO 27001 toolkit including the IMS1 Manual, policies, procedures, registers and audit checklists. |
| F-IMS39 Cloud Computing Register | The register of cloud services in use, with information held, owner, supplier review cycle and exit arrangements. Maintain this as the central record for the cloud control. |
| P-100 Cloud Computing Policy | The Cloud Computing Policy sets out the requirements for all staff in the organisation who are involved in the use of cloud computing. |
| F-Q108 Cloud Emergency Exit Strategy Planning | This form can be used to complete a more detailed review of cloud service provision. Many organisations are increasingly reliant on cloud services, and this form allows an overall review of what is held in the cloud, how reliable the cloud platforms being used are, and ultimately whether the level of risk remaining after the controls in place are taken into account is acceptable. |
| PP-8-09 Cloud Computing Policy Procedure | Policy procedure describing the process for cloud computing used within the company and the controls in place. |
Note - all the above files can be downloaded with an alphaZ subscription.
