top of page

ISO27001:2022 - A5.23 Information Security for use of Cloud Services

Updated: May 14

This is one of the new controls in ISO27001, and along with the other Annex controls A5.19, A5.20, A5.21, and A5.22 it focuses on the need to manage your Cloud services carefully. It’s a recognition that many organisations are now using Cloud services, and these providers are critical to the largest and smallest organisations around.


What does the standard require?

The standard states that “Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisations information security requirements..” (A5.23 Information Security for use of Cloud Services).


Why is this required?

It would be difficult to imagine a business today that does not use some form of Cloud service provider.  Even large organisations that have ‘on prem’ servers will use some form of Cloud provider. Ans this is an important point that should not be missed.


When people think of Cloud services they often think of Cloud storage providers such as Google, Amazon and Microsoft. They may also use smaller, private Cloud providers for data storage too. However, ‘data storage’ doesn’t just mean your operating files. Cloud services such as your Sales and Marketing tools, Customer Relationship Management (CRM) software, finance records and HR records are storing data in a ‘cloud’ environment.


Cloud computing offers many benefits to your business, not least of which is economies of scale and ease of use and implementation.  But it also represents significant risk too. 


Keep in mind that ‘Cloud’ simple means “someone else’s computer”.  It’s your job to make sure that this ‘someone else’s computer’ is being managed correctly. 


To illustrate this issue, in the early days of businesses adopting Cloud services, we spoke to a company that were providing Cloud service to manage thousands of peoples websites. All these business relied on this Cloud provider to store their websites safely and securely. We were there to help them achieve ISO27001 certification, which was something they most certainly needed because of the service they were offering.  However, on visiting their location, we found that there were no access controls on the systems, the room that housed the computing power for their Cloud service wasn’t locked, it had no air-conditioning (so would over heat regularly and take down all these sites), and they had no security training for staff!


We doubt their customers had thought to ask for a review of the security of this Cloud service provider, and simply trusted their website that claimed they provided “Secure Cloud Hosting for Websites”!


Of course we’re not saying all providers are like this, but this new ISO27001 control expects you to take a close look at all your service providers.


What the auditor is looking for

As previously described in the other Annex A controls related to supplier management, the auditor won’t be looking for a specific policy or procedure, but will be looking for evidence that you have a repeatable process for the acquisition, use and ongoing management of Cloud service providers.  If you have followed these Annex A controls sequentially, you’ll already have a list of your critical suppliers held in a central register (A5.19), and the auditor will expect to see that Cloud service providers are listed on there.


What do you need to do?

Remember that Cloud service providers are not just Cloud data storage. Yes you should include Google, Amazon and Microsoft on your Supplier register, but also consider departmental use of Cloud services.  For example, here are a few suppliers of services which would be described as Cloud service providers;


  • Finance – Xero, Sage, QuickBooks, FreshBooks, Zoho Books

  • HR – Personio, PeopleHR, BreathHR, Zoho People,

  • Sales – SalesForce, HubSpot, Zendesk, Zoho

  • Marketing – HubSpot, SalesForce,


This is not an exhaustive list by any imagine, and is only touching on the most obvious Cloud service providers. For example, your IT function may also be using a ticketing system (like Zendesk), or time management and network monitoring Cloud services (e.g. Workday, and NetApp).


Your auditor will expect to see evidence that there is some form of due diligence carried out on your Cloud providers, which should include an evaluation of their security capabilities.  They will expect to see monitoring and reviewing of your Cloud service providers (see A5.22 for more information), and they will expect to see a process for moving Cloud providers (if this is required).


If you have implemented a robust Supplier Management process, then this shouldn’t be difficult to evidence. We firmly believe that the purpose of this control is to elevate the need to evaluate all Cloud service providers (as described above). Therefore don’t neglect to speak to your departments about the different software packages they use, as they may not even consider these as Cloud providers (which they clearly are).



Q & A

Do I need to evaluate Google, Dropbox, Microsoft and Amazon?!

In a word, yes.  They are Cloud providers, and you should still evaluate the use of them. The acquisition process should include an evaluation of their security capabilities, which can easily be completed by searching online for information about their security.  Simply type “Security overview for Amazon AWS” and you’ll be presented a whole host of documents which will outline the positive security capabilities of Amazon AWS. You could also evaluate it by comparing it to another provider by searching for “Security for Microsoft Azure vs Amazon AWS” . You can then make an informed decision on which Cloud service is best for you.


All these platforms also offer dashboards which allow you to monitor and review their services, and should you wish to change the service then this should be discussed and a project planned developed which shows how you will carry it out.


Is Cloud secure?

That’s a big question, and deserves a whole blog of its own. But in short; Yes, the Cloud is secure because companies like Microsoft and Amazon spends billions on making sure the environment is secure. However the way we use Cloud is less secure. Think of it this way; Are banks secure? Yes, generally speaking they are. But bank accounts are still plundered on a daily basis! How? It’s the way they are accessed.. It’s people who don’t know how to protect their accounts. It’s technology that is not secured with malware protection etc.


So yes, the Cloud is secure, but the way we access it isn’t. 



Difficulty rating

We rate this a 2 out of 5 difficulty rating. This means that it requires a little technical skill to understand the requirement. This is because you will need to evaluate the security capabilities of several providers, and some make it quite difficult to understand. Not because they purposely do this, but because they have so many options available, it becomes difficult to know what you need. This is where you need to work with your IT function, and others in the business, to evaluate what is right for you and what you need.


This is where your Management Review Team (MRT) are most useful as they can help you make an informed and fully round decision.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.


7 views0 comments


bottom of page