ISO 27002:2022, Control 5.23 – Information Security for Use of Cloud Services

ISO 27002:2022 Revised Controls

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

Purpose of Control 5.23

5.23 is a new control that outlines the processes that are required for the acquisition, use, management of and exit from cloud services, in relation to the organisation’s unique information security requirements.

Control 5.23 allows organisations to first specify then subsequently manage and administer information security concepts as related to cloud services, in their capacity as a “cloud services customer”.

5.23 is a preventative control that maintains risk by specifying policies and procedures that govern information security, within the sphere of commercial cloud services.

Attributes Table

Control TypeInformation Security PropertiesCybersecurity ConceptsOperational CapabilitiesSecurity Domains
#Preventative#Confidentiality #Integrity #Availability#Protect#Supplier Relationships Security#Governance and Ecosystem #Protection
Jump to Topic

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Ownership of Control 5.23

Such is the proliferation of cloud services over the past decade, Control 5.23 contains a host of procedures that encompass many distinct elements of an organisation’s operation.

Given that not all cloud services are ICT specific – although it could reasonably be asserted that most are – ownership of Control 5.22 should be distributed between an organisation’s CTO or COO, depending upon the prevailing operational circumstances.

Guidance on Control 5.23 – Organisational Obligations

Compliance with Control 5.23 involves adhering to what’s known as a ‘topic-specific’ approach to cloud services and information security.

Given the variety of cloud services on offer, topic-specific approaches encourage organisations to create cloud services policies that are tailored towards individual business functions, rather than adhering to a blanket policy that applies to information security and cloud services across the board.

It should be noted that ISO considers adherence to Control 5.23 as a collaborative effort between the organisation and their cloud service partner. Control 5.23 should also be closely aligned with Controls 5.21 and 5.22, which deal with information management in the supply chain and the management of supplier services respectively.

However an organisation chooses to operate, Control 5.23 should not be taken in isolation and should complement existing efforts to manage supplier relationships.

With information security at the forefront, the organisation should define:

  1. Any relevant security requirements or concerns involved in the use of a cloud platform.
  2. The criteria involved in selecting a cloud services provider, and how their services are to be used.
  3. Granular description of roles and relevant responsibilities that govern how cloud services areto be used across the organisation.
  4. Precisely which information security areas are controlled by the cloud service provider, and those that fall under the remit of the organisation themselves.
  5. The best ways in which to first collate then utilise any information security-related service components provided by the cloud service platform.
  6. How to obtain categorical assurances on any information security-related controls enacted by the cloud service provider.
  7. The steps that need to be taken in order to manage changes, communication and controls across multiple distinct cloud platforms, and not always from the same supplier.
  8. Incident Management procedures that are solely concerned with the provision of cloud services.
  9. How the organisation expects to manage its ongoing use and/or wholesale adoption of cloud platforms, in-line with their broader information security obligations.
  10. A strategy for the cessation or amendment of cloud services, either on a supplier-by-supplier basis, or through the process of cloud to on-premise migration.

Get a Headstart
on ISO 27002

The only compliance
solution you need
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Guidance on Control 5.23 – Cloud Services Agreements

Control 5.23 acknowledges that, unlike other supplier relationships, cloud service agreements are rigid documents that aren’t amendable in the vast majority of cases.

With that in mind, organisations should scrutinise cloud service agreements and ensure that four main operational requirements are met:

  1. Confidentiality
  2. Security/data integrity
  3. Service availability
  4. Information handling

As with other supplier contracts, prior to acceptance, cloud service agreements should undergo a thorough risk assessment that highlights potential problems at source.

At a bare minimum, the organisation should enter into a cloud services agreement only when they are satisfied that the following 10 provisions have been met:

  1. Cloud services are provisioned and implemented based on the organisation’s unique requirements relating to their area of operation, including industry accepted standards and practices for cloud-based architecture and hosted infrastructure.
  2. Access to any cloud platforms meet the border information security requirements of the organisation.
  3. Adequate consideration is given to antimalware and antivirus services, including proactive monitoring and threat protection.
  4. The cloud provider adheres to a predefined set of data storage and processing stipulations, relating to one or more distinct global regions and regulatory environments.
  5. Proactive support is provided to the organisation, should the cloud platform suffer a catastrophic failure or information security-related incident.
  6. If the need arises to sub-contract or otherwise outsource any element of the cloud platform, the supplier’s information security requirements remain a constant consideration.
  7. Should the organisation require any assistance in collating digital information for any relevant purpose (law enforcement, regulatory alignment, commercial purposes), the cloud services provider will support the organisation as far as is possible.
  8. At the end of the relationship, the cloud service provider should provide reasonable support and appropriate availability during the transition or decommissioning period.
  9. The cloud service provider should operate with a robust BUDR plan that is focused on carrying out adequate backups of the organisation’s data.
  10. The transfer of all relevant supplementary data from the cloud services provider to the organisation, including config information and code that the organisation has a claim to.

Are you ready for
the new ISO 27002

We’ll give you an 81% headstart
from the moment you log in
Book your demo

If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
Mark Wightman
Chief Technical Officer Aluma
100% of our users pass certification first time
Book your demo

Supplementary Information on Control 5.23

In addition to the above guidance, Control 5.23 suggests that organisations form a close working relationship with cloud service providers, in accordance with the important service they provide not only in information security terms, but across an organisation’s entire commercial operation.

Organisations, where possible, should seek out the following stipulations from cloud service providers to improve operational resilience, and enjoy enhanced levels of information security:

  1. All infrastructure amendments should be communicated in advance, to inform the organisation’s own set of information security standards.
  2. The organisation needs to be kept informed of any changes to data storage procedures that involve migrating data to a different jurisdiction or global region.
  3. Any intention on the part of the cloud service provider to utilise “peer cloud” providers, or outsource areas of their operation to subcontractors that may have information security implications for the organisation.

Supporting Controls

  • 5.21
  • 5.22

Changes from ISO 27002:2013

Control 5.23 is a new control that doesn’t feature in ISO 27002:2013 in any capacity.

How ISMS.online Helps

ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.

When you use ISMS.online, you will be able to:

  • Create an ISMS that is compatible with ISO 27001 standards.
  • Perform tasks and submit proof to indicate that they have met the requirements of the standard.
  • Allocate tasks and track progress toward compliance with the law.
  • Get access to a specialised team of advisors that will assist you throughout your path towards compliance.

Get in touch and book a demo.

Book your demo

See how simple
it is with
ISMS.online

Book a tailored hands-on session based on your needs and goals.

Book your demo

New Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.7NewThreat intelligence
5.23NewInformation security for use of cloud services
5.30NewICT readiness for business continuity
7.4NewPhysical security monitoring
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.16NewMonitoring activities
8.23NewWeb filtering
8.28NewSecure coding

Organisational Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
5.105.1.1, 05.1.2Policies for information security
5.206.1.1Information security roles and responsibilities
5.306.1.2Segregation of duties
5.407.2.1Management responsibilities
5.506.1.3Contact with authorities
5.606.1.4Contact with special interest groups
5.7NewThreat intelligence
5.806.1.5, 14.1.1Information security in project management
5.908.1.1, 08.1.2Inventory of information and other associated assets
5.1008.1.3, 08.2.3Acceptable use of information and other associated assets
5.1108.1.4Return of assets
5.12 08.2.1Classification of information
5.1308.2.2Labelling of information
5.1413.2.1, 13.2.2, 13.2.3Information transfer
5.1509.1.1, 09.1.2Access control
5.1609.2.1Identity management
5.17 09.2.4, 09.3.1, 09.4.3Authentication information
5.1809.2.2, 09.2.5, 09.2.6Access rights
5.1915.1.1Information security in supplier relationships
5.2015.1.2Addressing information security within supplier agreements
5.2115.1.3Managing information security in the ICT supply chain
5.2215.2.1, 15.2.2Monitoring, review and change management of supplier services
5.23NewInformation security for use of cloud services
5.2416.1.1Information security incident management planning and preparation
5.2516.1.4Assessment and decision on information security events
5.2616.1.5Response to information security incidents
5.2716.1.6Learning from information security incidents
5.2816.1.7Collection of evidence
5.2917.1.1, 17.1.2, 17.1.3Information security during disruption
5.30NewICT readiness for business continuity
5.3118.1.1, 18.1.5Legal, statutory, regulatory and contractual requirements
5.3218.1.2Intellectual property rights
5.3318.1.3Protection of records
5.3418.1.4Privacy and protection of PII
5.3518.2.1Independent review of information security
5.3618.2.2, 18.2.3Compliance with policies, rules and standards for information security
5.3712.1.1Documented operating procedures

People Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
6.107.1.1Screening
6.207.1.2Terms and conditions of employment
6.307.2.2Information security awareness, education and training
6.407.2.3Disciplinary process
6.507.3.1Responsibilities after termination or change of employment
6.613.2.4Confidentiality or non-disclosure agreements
6.706.2.2Remote working
6.816.1.2, 16.1.3Information security event reporting

Physical Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
7.111.1.1Physical security perimeters
7.211.1.2, 11.1.6Physical entry
7.311.1.3Securing offices, rooms and facilities
7.4NewPhysical security monitoring
7.511.1.4Protecting against physical and environmental threats
7.611.1.5Working in secure areas
7.711.2.9Clear desk and clear screen
7.811.2.1Equipment siting and protection
7.911.2.6Security of assets off-premises
7.1008.3.1, 08.3.2, 08.3.3, 11.2.5Storage media
7.1111.2.2Supporting utilities
7.1211.2.3Cabling security
7.1311.2.4Equipment maintenance
7.1411.2.7Secure disposal or re-use of equipment

Technological Controls

ISO/IEC 27002:2022 Control IdentifierISO/IEC 27002:2013 Control IdentifierControl Name
8.106.2.1, 11.2.8User endpoint devices
8.209.2.3Privileged access rights
8.309.4.1Information access restriction
8.409.4.5Access to source code
8.509.4.2Secure authentication
8.612.1.3Capacity management
8.712.2.1Protection against malware
8.812.6.1, 18.2.3Management of technical vulnerabilities
8.9NewConfiguration management
8.10NewInformation deletion
8.11NewData masking
8.12NewData leakage prevention
8.1312.3.1Information backup
8.1417.2.1Redundancy of information processing facilities
8.1512.4.1, 12.4.2, 12.4.3Logging
8.16NewMonitoring activities
8.1712.4.4Clock synchronization
8.1809.4.4Use of privileged utility programs
8.1912.5.1, 12.6.2Installation of software on operational systems
8.2013.1.1Networks security
8.2113.1.2Security of network services
8.2213.1.3Segregation of networks
8.23NewWeb filtering
8.2410.1.1, 10.1.2Use of cryptography
8.2514.2.1Secure development life cycle
8.2614.1.2, 14.1.3Application security requirements
8.2714.2.5Secure system architecture and engineering principles
8.28NewSecure coding
8.2914.2.8, 14.2.9Security testing in development and acceptance
8.3014.2.7Outsourced development
8.3112.1.4, 14.2.6Separation of development, test and production environments
8.3212.1.2, 14.2.2, 14.2.3, 14.2.4Change management
8.3314.3.1Test information
8.3412.7.1Protection of information systems during audit testing
Updated for ISO 27001 2022
  • 81% of the work done for you
  • Assured Results Method for certification success
  • Save time, money and hassle
Book your demo
img

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more