ISO 27001 A.5.23: Information security for use of cloud services
What This Control Requires
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.
In Plain Language
Nearly every organisation runs on cloud services now, and the 2022 revision of ISO 27001 added this control to reflect that reality. Cloud introduces security challenges that do not fit neatly into traditional supplier management, the shared responsibility model being the biggest one. The control covers the full cloud lifecycle: evaluating and selecting providers, configuring services securely, understanding who is responsible for what, monitoring your cloud security posture, and having a plan for when you need to move off a provider.

The shared responsibility model is the critical concept here. Your cloud provider secures the underlying infrastructure. You secure everything you put on it: your data, your identities and access controls, and your application configurations. The exact split depends on the service model. With IaaS you own everything from the operating system upward; with PaaS the provider runs the platform and you own the application and its data; with SaaS the provider runs the application too, but identities, access rights and data classification still remain yours. Assuming the provider covers something that is actually on your side of the line is one of the most common sources of cloud breaches.
How to Implement
Write a cloud security policy covering: which cloud service models and deployment types are approved, security criteria for selecting providers, data classification restrictions for cloud environments, shared responsibility requirements, and exit strategy expectations.

Set up a proper provider evaluation process. Assess against: certifications (SOC 2 Type II, ISO 27001, CSA STAR), data protection capabilities (encryption, key management, data residency), IAM features, logging and monitoring, incident response and breach notification, and data portability support.

Implement your side of the shared responsibility model thoroughly. For each cloud service, document who owns what. Harden configurations using CIS benchmarks or equivalent baselines. Set up strong IAM with MFA, RBAC, and just-in-time access for admin functions. Do not rely on default settings.

Deploy cloud security monitoring. Use cloud-native tools (AWS Security Hub, Microsoft Defender for Cloud (formerly Azure Security Center), GCP Security Command Center) and consider cloud security posture management (CSPM) tools if you are running multi-cloud. Watch for misconfigurations, overly broad permissions, unencrypted data, and publicly exposed resources. Add workload protection for compute resources.

Plan your exit strategy from day one. Understand data export options, formats, and migration paths before you are locked in. Include exit clauses in agreements covering data return, deletion confirmation, and transition support. Test data export and recovery periodically. Avoid deep vendor lock-in by using portable standards and abstraction layers where practical.
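The posture checks the monitoring step calls for (public exposure, overly broad permissions, unencrypted storage) reduce to rules evaluated over configuration documents. The following is an added example written for this page, not AuditFront's code or any vendor's CSPM logic; it runs three such rules over constructed, AWS-style policy documents embedded inline (the bucket names, account ID and role names are invented). A real deployment would feed it the output of the provider's configuration APIs instead of the hard-coded list.

```python
"""Minimal posture checks over cloud configuration documents.

Added example for this page. The RESOURCES list below is constructed sample
data in the shape of AWS-style policy documents; it describes no real account.
"""
import json

RESOURCES = [
    {   # Bucket policy granting read to everyone, and no server-side encryption
        "id": "s3://public-reports",
        "type": "bucket",
        "encryption": None,
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::public-reports/*",
        }]},
    },
    {   # Bucket scoped to one role and encrypted with a KMS key: no findings
        "id": "s3://finance-archive",
        "type": "bucket",
        "encryption": "aws:kms",
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::finance-archive/*",
        }]},
    },
    {   # IAM policy attached to a CI role: full admin via wildcards
        "id": "iam:role/ci-deployer",
        "type": "iam_policy",
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        }]},
    },
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True if a statement grants access to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_resource(resource: dict) -> list:
    """Return (check_id, resource_id) findings for one resource."""
    findings = []
    statements = _as_list(resource.get("policy", {}).get("Statement"))
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if _is_public_principal(stmt.get("Principal")):
            findings.append(("PUBLIC_ACCESS", resource["id"]))
        actions = _as_list(stmt.get("Action"))
        targets = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in targets:
            findings.append(("ADMIN_WILDCARD", resource["id"]))
    # Storage should be encrypted at rest; an absent setting is a finding
    if resource["type"] == "bucket" and not resource.get("encryption"):
        findings.append(("UNENCRYPTED_STORAGE", resource["id"]))
    return findings


def scan(resources: list) -> dict:
    """Run every check and group the affected resource ids by check id."""
    report = {}
    for res in resources:
        for check_id, res_id in check_resource(res):
            report.setdefault(check_id, []).append(res_id)
    return report


if __name__ == "__main__":
    print(json.dumps(scan(RESOURCES), indent=2))
```

The point of grouping findings by check id is that each id maps to a line in the shared responsibility table: PUBLIC_ACCESS and ADMIN_WILDCARD are customer-side IAM failures under every service model, while UNENCRYPTED_STORAGE is yours to fix on IaaS and PaaS but is the provider's concern on most SaaS offerings. Keeping the rules declarative like this also makes the results easy to attach as evidence for the "compliance monitoring results" an auditor asks for.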
Evidence Your Auditor Will Request
- Cloud security policy defining requirements for cloud service usage
- Cloud provider security assessments and selection records
- Shared responsibility documentation for each major cloud service
- Cloud security configuration baselines and compliance monitoring results
- Cloud exit strategy documentation and data portability testing records
Common Mistakes
- No formal cloud security policy or cloud provider assessment process
- Shared responsibility model is not understood or documented for each service
- Cloud services are misconfigured with default settings that expose data publicly
- No cloud security posture management or monitoring for misconfigurations
- No exit strategy resulting in vendor lock-in without data portability options
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Partial overlap |
| SOC 2 | CC9.2 | Related |
| GDPR | Art.28 | Related |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(e) | Related |
Frequently Asked Questions
Is this control new in ISO 27001:2022?
Yes. A.5.23 was added in the 2022 revision of ISO 27001; earlier versions treated cloud providers only as part of general supplier management.
What is the shared responsibility model?
It is the split of security duties between the cloud provider and the customer. The provider secures the underlying infrastructure; the customer secures what it puts on that infrastructure, including data, identities and access controls, and application configuration. The exact boundary depends on whether the service is IaaS, PaaS or SaaS, and it should be documented for each service you use.
Track ISO 27001 compliance in one place
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.