Purpose of ISO 27001:2022 Annex A 5.23
ISO 27001:2022 Annex A 5.23 is a new control that outlines the processes that are required for the acquisition, use, management of and exit from cloud services, in relation to the organisation’s unique information security requirements.
Annex A Control 5.23 allows organisations to first specify then subsequently manage and administer information security concepts as related to cloud services, in their capacity as a “cloud services customer”.
Annex A 5.23 is a preventative control that maintains risk by specifying policies and procedures that govern information security, within the sphere of commercial cloud services.
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
Ownership of Annex A 5.23
Such is the proliferation of cloud services over the past decade, ISO 27001 2022 Annex A Control 5.23 contains a host of procedures that encompass many distinct elements of an organisation’s operation.
Given that not all cloud services are ICT specific – although it could reasonably be asserted that most are – ownership of Annex A Control 5.23 should be distributed between an organisation’s CTO or COO, depending upon the prevailing operational circumstances.
Guidance on ISO 27001:2022 Annex A Control 5.23 – Organisational Obligations
Compliance with Control 5.23 involves adhering to what’s known as a ‘topic-specific’ approach to cloud services and information security.
Given the variety of cloud services on offer, topic-specific approaches encourage organisations to create cloud services policies that are tailored towards individual business functions, rather than adhering to a blanket policy that applies to information security and cloud services across the board.
It should be noted that ISO considers adherence to Annex A Control 5.23 as a collaborative effort between the organisation and their cloud service partner. Annex A Control 5.23 should also be closely aligned with Controls 5.21 and 5.22, which deal with information management in the supply chain and the management of supplier services respectively.
However an organisation chooses to operate, Annex A Control 5.23 should not be taken in isolation and should complement existing efforts to manage supplier relationships.
With information security at the forefront, the organisation should define:
- Any relevant security requirements or concerns involved in the use of a cloud platform.
- The criteria involved in selecting a cloud services provider, and how their services are to be used.
- Granular description of roles and relevant responsibilities that govern how cloud services areto be used across the organisation.
- Precisely which information security areas are controlled by the cloud service provider, and those that fall under the remit of the organisation themselves.
- The best ways in which to first collate then utilise any information security-related service components provided by the cloud service platform.
- How to obtain categorical assurances on any information security-related controls enacted by the cloud service provider.
- The steps that need to be taken in order to manage changes, communication and controls across multiple distinct cloud platforms, and not always from the same supplier.
- Incident Management procedures that are solely concerned with the provision of cloud services.
- How the organisation expects to manage its ongoing use and/or wholesale adoption of cloud platforms, in-line with their broader information security obligations.
- A strategy for the cessation or amendment of cloud services, either on a supplier-by-supplier basis, or through the process of cloud to on-premise migration.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Guidance on Annex A Control 5.23 – Cloud Services Agreements
Annex A Control 5.23 acknowledges that, unlike other supplier relationships, cloud service agreements are rigid documents that aren’t amendable in the vast majority of cases.
With that in mind, organisations should scrutinise cloud service agreements and ensure that four main operational requirements are met:
- Confidentiality.
- Security/data integrity.
- Service availability.
- Information handling.
As with other supplier contracts, prior to acceptance, cloud service agreements should undergo a thorough risk assessment that highlights potential problems at source.
At a bare minimum, the organisation should enter into a cloud services agreement only when they are satisfied that the following 10 provisions have been met:
- Cloud services are provisioned and implemented based on the organisation’s unique requirements relating to their area of operation, including industry accepted standards and practices for cloud-based architecture and hosted infrastructure.
- Access to any cloud platforms meet the border information security requirements of the organisation.
- Adequate consideration is given to antimalware and antivirus services, including proactive monitoring and threat protection.
- The cloud provider adheres to a predefined set of data storage and processing stipulations, relating to one or more distinct global regions and regulatory environments.
- Proactive support is provided to the organisation, should the cloud platform suffer a catastrophic failure or information security-related incident.
- If the need arises to sub-contract or otherwise outsource any element of the cloud platform, the supplier’s information security requirements remain a constant consideration.
- Should the organisation require any assistance in collating digital information for any relevant purpose (law enforcement, regulatory alignment, commercial purposes), the cloud services provider will support the organisation as far as is possible.
- At the end of the relationship, the cloud service provider should provide reasonable support and appropriate availability during the transition or decommissioning period.
- The cloud service provider should operate with a robust BUDR plan that is focused on carrying out adequate backups of the organisation’s data.
- The transfer of all relevant supplementary data from the cloud services provider to the organisation, including config information and code that the organisation has a claim to.
Supplementary Information on Annex A Control 5.23
In addition to the above guidance, Annex A Control 5.23 suggests that organisations form a close working relationship with cloud service providers, in accordance with the important service they provide not only in information security terms, but across an organisation’s entire commercial operation.
Organisations, where possible, should seek out the following stipulations from cloud service providers to improve operational resilience, and enjoy enhanced levels of information security:
- All infrastructure amendments should be communicated in advance, to inform the organisation’s own set of information security standards.
- The organisation needs to be kept informed of any changes to data storage procedures that involve migrating data to a different jurisdiction or global region.
- Any intention on the part of the cloud service provider to utilise “peer cloud” providers, or outsource areas of their operation to subcontractors that may have information security implications for the organisation.
Supporting Annex A Controls
- ISO 27001:2022 Annex A 5.21
- ISO 27001:2022 Annex A 5.22
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
What Are the Changes and Differences From ISO 27001:2013?
Annex A Control 5.23 is a new control that doesn’t feature in ISO 27001:2013 in any capacity.
Table of All ISO 27001:2022 Annex A Controls
In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Organisational Controls | Annex A 5.1 |
Annex A 5.1.1 Annex A 5.1.2 |
Policies for Information Security |
| Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities |
| Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties |
| Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities |
| Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities |
| Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups |
| Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence |
| Organisational Controls | Annex A 5.8 |
Annex A 6.1.5 Annex A 14.1.1 |
Information Security in Project Management |
| Organisational Controls | Annex A 5.9 |
Annex A 8.1.1 Annex A 8.1.2 |
Inventory of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.10 |
Annex A 8.1.3 Annex A 8.2.3 |
Acceptable Use of Information and Other Associated Assets |
| Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets |
| Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information |
| Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information |
| Organisational Controls | Annex A 5.14 |
Annex A 13.2.1 Annex A 13.2.2 Annex A 13.2.3 |
Information Transfer |
| Organisational Controls | Annex A 5.15 |
Annex A 9.1.1 Annex A 9.1.2 |
Access Control |
| Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management |
| Organisational Controls | Annex A 5.17 |
Annex A 9.2.4 Annex A 9.3.1 Annex A 9.4.3 |
Authentication Information |
| Organisational Controls | Annex A 5.18 |
Annex A 9.2.2 Annex A 9.2.5 Annex A 9.2.6 |
Access Rights |
| Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships |
| Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements |
| Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain |
| Organisational Controls | Annex A 5.22 |
Annex A 15.2.1 Annex A 15.2.2 |
Monitoring, Review and Change Management of Supplier Services |
| Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services |
| Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation |
| Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events |
| Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents |
| Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents |
| Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence |
| Organisational Controls | Annex A 5.29 |
Annex A 17.1.1 Annex A 17.1.2 Annex A 17.1.3 |
Information Security During Disruption |
| Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity |
| Organisational Controls | Annex A 5.31 |
Annex A 18.1.1 Annex A 18.1.5 |
Legal, Statutory, Regulatory and Contractual Requirements |
| Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights |
| Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records |
| Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII |
| Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security |
| Organisational Controls | Annex A 5.36 |
Annex A 18.2.2 Annex A 18.2.3 |
Compliance With Policies, Rules and Standards for Information Security |
| Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening |
| People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment |
| People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training |
| People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process |
| People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment |
| People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements |
| People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working |
| People Controls | Annex A 6.8 |
Annex A 16.1.2 Annex A 16.1.3 |
Information Security Event Reporting |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters |
| Physical Controls | Annex A 7.2 |
Annex A 11.1.2 Annex A 11.1.6 |
Physical Entry |
| Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities |
| Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring |
| Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats |
| Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas |
| Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen |
| Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection |
| Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises |
| Physical Controls | Annex A 7.10 |
Annex A 8.3.1 Annex A 8.3.2 Annex A 8.3.3 Annex A 11.2.5 |
Storage Media |
| Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities |
| Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security |
| Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance |
| Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment |
| Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name |
|---|---|---|---|
| Technological Controls | Annex A 8.1 |
Annex A 6.2.1 Annex A 11.2.8 |
User Endpoint Devices |
| Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights |
| Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction |
| Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code |
| Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication |
| Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management |
| Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware |
| Technological Controls | Annex A 8.8 |
Annex A 12.6.1 Annex A 18.2.3 |
Management of Technical Vulnerabilities |
| Technological Controls | Annex A 8.9 | NEW | Configuration Management |
| Technological Controls | Annex A 8.10 | NEW | Information Deletion |
| Technological Controls | Annex A 8.11 | NEW | Data Masking |
| Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention |
| Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup |
| Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities |
| Technological Controls | Annex A 8.15 |
Annex A 12.4.1 Annex A 12.4.2 Annex A 12.4.3 |
Logging |
| Technological Controls | Annex A 8.16 | NEW | Monitoring Activities |
| Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization |
| Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility ProgramsAccess Rights |
| Technological Controls | Annex A 8.19 |
Annex A 12.5.1 Annex A 12.6.2 |
Installation of Software on Operational Systems |
| Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security |
| Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services |
| Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks |
| Technological Controls | Annex A 8.23 | NEW | Web filtering |
| Technological Controls | Annex A 8.24 |
Annex A 10.1.1 Annex A 10.1.2 |
Use of Cryptography |
| Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle |
| Technological Controls | Annex A 8.26 |
Annex A 14.1.2 Annex A 14.1.3 |
Application Security Requirements |
| Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering PrinciplesLearning From Information Security Incidents |
| Technological Controls | Annex A 8.28 | NEW | Secure Coding |
| Technological Controls | Annex A 8.29 |
Annex A 14.2.8 Annex A 14.2.9 |
Security Testing in Development and Acceptance |
| Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development |
| Technological Controls | Annex A 8.31 |
Annex A 12.1.4 Annex A 14.2.6 |
Separation of Development, Test and Production Environments |
| Technological Controls | Annex A 8.32 |
Annex A 12.1.2 Annex A 14.2.2 Annex A 14.2.3 Annex A 14.2.4 |
Change Management |
| Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information |
| Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing |
[case_study_slider ids=”88859,101932,92016″ autoplay=”true” autoplay_speed=”5000″]
How ISMS.online Helps
ISMS.online streamlines the ISO 27001 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.
When you use ISMS.online, you will be able to:
- Create an ISMS that is compatible with ISO 27001 standards.
- Perform tasks and submit proof to indicate that they have met the requirements of the standard.
- Allocate tasks and track progress toward compliance with the law.
- Get access to a specialised team of advisors that will assist you throughout your path towards compliance.
Get in touch and book a demo.
