ISO 27001:2022 A 5.23 Information security for use of cloud services

Modern enterprises have swiftly adopted cloud-based services for their business operations; those that haven’t done so already are rapidly integrating such services. ISO defines cloud services as “One or more capabilities offered via cloud computing invoked using a defined interface” and cloud computing as a “Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand. Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.”

Organizations place their trust in cloud providers to ensure a secure environment. Unfortunately, that approach has numerous problems, namely that cloud providers don’t always know the risk associated with a customer’s systems and data. They don’t have visibility into the other components in the customer’s ecosystem or the security requirements of those components. Failing to take ownership of cloud security is a serious downfall that could lead organizations to suffer data loss, system breaches and devastating attacks.

This control provides guidance and references for acquiring, using, managing, and exiting third-party cloud services. It requires an organization to define the roles and responsibilities of the cloud service provider and to understand who is responsible for what. When organizations opt for cloud services, such engagements can involve shared responsibilities for information security, resulting in a collaborative effort between the cloud service customer (i.e., the organization) and the cloud service provider. The roles and responsibilities of both parties must be defined clearly. A cloud service customer does not have negotiating power, as cloud service agreements are pre-defined and offered on a ‘take it or leave it’ basis.
For every cloud service an organization uses, it must review the relevant contracts to understand how the risks related to those services are distributed between the service provider and the customer.

Control

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

Purpose

To specify and manage information security for the use of cloud services.

ISO 27002 Implementation Guidance

The organization should establish and communicate a topic-specific policy on the use of cloud services to all relevant interested parties. The organization should define and communicate how it intends to manage information security risks associated with the use of cloud services. It can be an extension or part of the existing approach for how an organization manages services provided by external parties. The use of cloud services can involve shared responsibility for information security and collaborative effort between the cloud service provider and the organization acting as the cloud service customer. It is essential that the responsibilities for both the cloud service provider and the organization, acting as the cloud service customer, are defined and implemented appropriately. The organization should define:

  1. all relevant information security requirements associated with the use of the cloud services;
  2. cloud service selection criteria and scope of cloud service usage;
  3. roles and responsibilities related to the use and management of cloud services;
  4. which information security controls are managed by the cloud service provider and which are managed by the organization as the cloud service customer;
  5. how to obtain and utilize information security capabilities provided by the cloud service provider;
  6. how to obtain assurance on information security controls implemented by cloud service providers;
  7. how to manage controls, interfaces and changes in services when an organization uses multiple cloud services, particularly from different cloud service providers;
  8. procedures for handling information security incidents that occur in relation to the use of cloud services;
  9. its approach for monitoring, reviewing and evaluating the ongoing use of cloud services to manage information security risks;
  10. how to change or stop the use of cloud services including exit strategies for cloud services.

Cloud service agreements are often pre-defined and not open to negotiation. For all cloud services, the organization should review cloud service agreements with the cloud service provider(s). A cloud service agreement should address the confidentiality, integrity, availability and information handling requirements of the organization, with appropriate cloud service level objectives and cloud service qualitative objectives. The organization should also undertake relevant risk assessments to identify the risks associated with using the cloud service. Any residual risks connected to the use of the cloud service should be clearly identified and accepted by the appropriate management of the organization. An agreement between the cloud service provider and the organization, acting as the cloud service customer, should include the following provisions for the protection of the organization’s data and availability of services:

  1. providing solutions based on industry accepted standards for architecture and infrastructure;
  2. managing access controls of the cloud service to meet the requirements of the organization;
  3. implementing malware monitoring and protection solutions;
  4. processing and storing the organization’s sensitive information in approved locations (e.g. particular country or region) or within or subject to a particular jurisdiction;
  5. providing dedicated support in the event of an information security incident in the cloud service environment;
  6. ensuring that the organization’s information security requirements are met in the event of cloud services being further sub-contracted to an external supplier (or prohibiting cloud services from being sub-contracted);
  7. supporting the organization in gathering digital evidence, taking into consideration laws and regulations for digital evidence across different jurisdictions;
  8. providing appropriate support and availability of services for an appropriate time frame when the organization wants to exit from the cloud service;
  9. providing required backup of data and configuration information and securely managing backups as applicable, based on the capabilities of the cloud service provider used by the organization, acting as the cloud service customer;
  10. providing and returning information such as configuration files, source code and data that are owned by the organization, acting as the cloud service customer, when requested during the service provision or at termination of service.

The organization, acting as the cloud service customer, should consider whether the agreement should require cloud service providers to provide advance notification prior to any substantive customer-impacting changes being made to the way the service is delivered to the organization, including:

a) changes to the technical infrastructure (e.g. relocation, reconfiguration, or changes in hardware or software) that affect or change the cloud service offering;
b) processing or storing information in a new geographical or legal jurisdiction;
c) use of peer cloud service providers or other sub-contractors (including changing existing or using new parties).

The organization using cloud services should maintain close contact with its cloud service providers. These contacts enable mutual exchange of information about information security for the use of the cloud services, including a mechanism for both the cloud service provider and the organization, acting as the cloud service customer, to monitor each service characteristic and report failures to meet the commitments contained in the agreements.

Other information

This control considers cloud security from the perspective of the cloud service customer. Additional information relating to cloud services can be found in ISO 17788, ISO 17789 and ISO 22123-1. Specifics related to cloud portability in support of exit strategies can be found in ISO 19941. Specifics related to information security and public cloud services are described in ISO 27017. Specifics related to PII protection in public clouds acting as PII processor are described in ISO 27018. Supplier relationships for cloud services are covered by ISO 27036-4 and cloud service agreements and their contents are dealt with in the ISO 19086 series, with security and privacy specifically covered by ISO 19086-4.

This control outlines the processes that are required for the acquisition, use, management of and exit from cloud services, in relation to the organisation’s unique information security requirements. When an organization takes up a cloud service, the service provider signs an agreement with the organization that specifies the nature of the service, terms and conditions, and service level agreements, among other important information. This agreement must specify the controls for which the service provider is responsible and the controls for which the organization is responsible. It should also include roles and responsibilities related to the usage of cloud services, along with detailed information on using, changing, or stopping cloud services.

The control allows organisations to first specify, then subsequently manage and administer, information security concepts related to cloud services, in their capacity as a “cloud services customer”. It contains a host of procedures that encompass many distinct elements of an organisation’s operation. Compliance involves adhering to what’s known as a ‘topic-specific’ approach to cloud services and information security. Given the variety of cloud services on offer, topic-specific approaches encourage organisations to create cloud services policies that are tailored towards individual business functions, rather than adhering to a blanket policy that applies to information security and cloud services across the board.

Adherence to this control is a collaborative effort between the organisation and its cloud service partner. The control should also be closely aligned with information security in the supply chain and the management of supplier services. However an organisation chooses to operate, this control should not be taken in isolation and should complement existing efforts to manage supplier relationships. With information security at the forefront, the organisation should define:

  • Any relevant security requirements or concerns involved in the use of a cloud platform.
  • The criteria involved in selecting a cloud services provider, and how their services are to be used.
  • Granular description of roles and relevant responsibilities that govern how cloud services are to be used across the organisation.
  • Precisely which information security areas are controlled by the cloud service provider, and those that fall under the remit of the organisation themselves.
  • The best ways in which to first collate then utilise any information security-related service components provided by the cloud service platform.
  • How to obtain categorical assurances on any information security-related controls enacted by the cloud service provider.
  • The steps that need to be taken in order to manage changes, communication and controls across multiple distinct cloud platforms, and not always from the same supplier.
  • Incident Management procedures that are solely concerned with the provision of cloud services.
  • How the organisation expects to manage its ongoing use and/or wholesale adoption of cloud platforms, in-line with their broader information security obligations.
  • A strategy for the cessation or amendment of cloud services, either on a supplier-by-supplier basis, or through the process of cloud to on-premise migration.

In addition to the potential for data breaches and lack of visibility, the most common cloud security challenges are:

  • misconfigurations and inadequate change controls;
  • lack of cloud security architecture and strategy;
  • insufficient identity, credential, access and key management;
  • account hijacking;
  • insecure interfaces and APIs; and
  • abuse and nefarious use of cloud services.

The fallout from a cloud attack is often exponential. For example, an attack on a single user’s credentials reaches far beyond the targeted victim, often affecting the entire organization and its customers. To prevent cloud attacks, the organization can:

  • vet and oversee potential providers;
  • inspect the provider’s security model;
  • deploy enhanced authentication, such as multifactor authentication (MFA), where possible;
  • encrypt data in motion and at rest in the cloud;
  • patch consistently;
  • utilize manual and automatic methods to discover and inventory cloud assets; and
  • manage access.

Steps to Create Cloud Security Policy

Step 1: Account for Relevant Laws
If the company must adhere to privacy or compliance regulations, all cloud-based activities must conform to those legal obligations.

Step 2: Assess the Security Controls of the Cloud Vendor
Different providers offer different levels of security control. Inspect the provider’s security practices and form solutions that align with the offering.

Step 3: Assign Roles and Access Rights
Specify clear roles for personnel and set their access to applications and data. Give employees access only to the assets they need to perform their tasks. Additionally, define how your company logs and reviews access.

Step 4: Protect Data
Determine how to protect company data. Most businesses choose to encrypt all sensitive data moving through the cloud and the Internet. The policy must document security rules for internal and external data stores. Typically, providers offer Application Program Interfaces (APIs) as part of their services. Consider using an API to enforce encryption and Data Loss Prevention (DLP) policies.

Step 5: Defend the Endpoints
A single infected endpoint can lead to data breaches in multiple clouds. Therefore, there must be a clear set of rules surrounding connections with the cloud to avoid this issue. This step includes Secure Sockets Layer (SSL) encryption, network traffic scanning, and monitoring rules.

Step 6: Define Responses
A policy must not only cover prevention. Consider ideal ways for teams to handle data breaches, outline reporting processes, and specify forensic functions. It also helps if you establish protocols for disaster recovery.

Step 7: Ensure Good Integrations
Integrate multiple security solutions properly. Poorly combined solutions create vulnerabilities, so find a way to integrate and leverage your company’s security devices.

Step 8: Perform Security Audits
Conduct regular reviews and upgrade components to remain ahead of the latest threats. Also, perform routine checks of the vendor’s SLAs.