
ISO 27001 Cloud Security: What the 2022 Version Added and What Auditors Check

ISO 27001:2022 added cloud security as a dedicated control for the first time. Here is what A.5.23 requires, how it differs from your cloud provider's compliance, and what evidence you need.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

The 2022 revision of ISO 27001 introduced 11 new controls that were not present in the 2013 version. One of the most significant is A.5.23 — Information security for use of cloud services. For the first time, the standard explicitly addresses how organisations must manage the security of cloud services they use, not just their own infrastructure.

For the majority of startups and SMEs pursuing certification today, this control is directly relevant: most run significant infrastructure on AWS, Azure, or GCP, and many depend on dozens of SaaS services. Understanding what A.5.23 requires — and what it does not — is essential for a clean audit.

What A.5.23 Actually Requires

A.5.23 requires that processes for acquisition, use, management, and exit from cloud services are established in accordance with the organisation's information security requirements. In practice, this means:

  • A policy or procedure for how cloud services are selected and assessed before adoption
  • Defined security configuration requirements for cloud services in use
  • Monitoring and review of cloud service security posture
  • A process for safely exiting a cloud service — data retrieval, deletion, and migration

The Shared Responsibility Model

The most critical concept for understanding A.5.23 is the shared responsibility model. Your cloud provider (AWS, Azure, GCP) is responsible for the security of the cloud infrastructure — the physical data centres, the hypervisor, the network fabric. You are responsible for security in the cloud — your configurations, your data, your access controls, your application security.

Shared Responsibility: Who Owns What

Cloud Provider Is Responsible For

  • Physical data centre security
  • Network infrastructure
  • Hardware and hypervisor
  • Managed service availability (SLA)
  • Provider's own ISO 27001 / SOC 2 compliance

You Are Responsible For

  • Identity and access management (IAM)
  • Data encryption configuration
  • Security group / firewall rules
  • Logging and monitoring setup
  • Application and OS security
  • Data classification and handling

Your cloud provider's ISO 27001 certificate covers their responsibilities — not yours. Auditors know this.

Cloud Configuration Evidence Auditors Check

In Stage 2, auditors will want to see that your cloud environment is configured securely, not just that you are using a compliant cloud provider. Evidence you should have ready:

IAM

MFA enforced on every IAM account that can sign in to the console, and on the root account above all. No use of the root account for day-to-day operations (auditors will ask when it was last used). Least-privilege role assignments documented.

Logging

CloudTrail / Azure Activity Log / GCP Cloud Audit Logs enabled and retained for a defined period that your policy states. Logs centralised and reviewed on a defined schedule, with records of those reviews.

Encryption

Storage buckets / databases / block storage encrypted at rest. Encryption in transit enforced (TLS 1.2+). KMS key rotation configured.

Network

Security groups / NSGs restrict access to required ports only. No resources publicly exposed unless intentional and documented. VPC/VNET segmentation in place.

Monitoring

Alerts configured for suspicious activity (failed logins, unusual API calls, unexpected public access changes). Evidence of alerts being reviewed.

Posture

Cloud Security Posture Management (CSPM) tool in use — AWS Security Hub, Microsoft Defender for Cloud (formerly Azure Defender), GCP Security Command Centre — or an equivalent periodic configuration review with documented findings.
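The checklist above only becomes audit evidence when it is checked repeatably. The script below is an added example, not code from the original article or from any cloud provider: it turns four of the evidence areas (IAM, Logging, Network, Encryption) into findings over a constructed account snapshot. The snapshot, the `SNAPSHOT` field names (which only loosely follow the AWS IAM credential report and CLI output) and the policy thresholds such as `MIN_LOG_RETENTION_DAYS` are assumptions; replace them with values from your own ISMS policy and a real export.

```python
"""Offline posture check that turns the auditor evidence checklist into findings.
Added example. SNAPSHOT is a constructed sample, not real account data, and its
field names only loosely follow the AWS credential report / CLI (an assumption)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    area: str       # evidence category from the checklist: IAM, Logging, Network, Encryption
    resource: str
    issue: str


# Policy thresholds (assumed values; set them from your own ISMS policy).
MIN_LOG_RETENTION_DAYS = 90
ROOT_QUIET_DAYS = 30                                   # root used more recently than this is "day-to-day" use
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}  # never world-open; 443 to the world is normal for a web tier

# Constructed snapshot of one account (sample input for the example).
SNAPSHOT = {
    "credential_report": [
        {"user": "<root_account>", "password_enabled": True, "mfa_active": True,
         "access_key_1_active": True, "password_last_used_days": 3},
        {"user": "alice", "password_enabled": True, "mfa_active": True, "access_key_1_active": False},
        {"user": "ci-deploy", "password_enabled": False, "mfa_active": False, "access_key_1_active": True},
        {"user": "bob", "password_enabled": True, "mfa_active": False, "access_key_1_active": True},
    ],
    "cloudtrail": {"multi_region": True, "log_file_validation": False, "retention_days": 365},
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "rules": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "rules": [{"port": 22, "cidr": "::/0"}]},
    ],
    "s3_buckets": [
        {"name": "customer-data", "sse": "aws:kms", "public": False, "documented_public": False},
        {"name": "static-assets", "sse": None, "public": True, "documented_public": True},
        {"name": "backups", "sse": None, "public": False, "documented_public": False},
    ],
}


def check_iam(rows):
    for r in rows:
        if r["user"] == "<root_account>":
            if r.get("access_key_1_active"):
                yield Finding("IAM", r["user"], "root account has an active access key")
            if r.get("password_last_used_days", 10**6) < ROOT_QUIET_DAYS:
                yield Finding("IAM", r["user"],
                              f"root signed in {r['password_last_used_days']} days ago (day-to-day use)")
            continue
        # MFA is a console control: only users with a password can enrol one,
        # so a programmatic-only user (no password) is not an MFA finding.
        if r["password_enabled"] and not r["mfa_active"]:
            yield Finding("IAM", r["user"], "console user without MFA")


def check_logging(trail):
    if not trail["multi_region"]:
        yield Finding("Logging", "cloudtrail", "trail is not multi-region")
    if not trail["log_file_validation"]:
        yield Finding("Logging", "cloudtrail", "log file integrity validation disabled")
    if trail["retention_days"] < MIN_LOG_RETENTION_DAYS:
        yield Finding("Logging", "cloudtrail",
                      f"retention {trail['retention_days']}d below policy minimum {MIN_LOG_RETENTION_DAYS}d")


def check_network(groups, buckets):
    for sg in groups:
        for rule in sg["rules"]:
            if rule["cidr"] in PUBLIC_CIDRS and rule["port"] in ADMIN_PORTS:
                yield Finding("Network", sg["id"], f"port {rule['port']} open to {rule['cidr']}")
    # "Publicly exposed unless intentional and documented": a documented public bucket is not a finding.
    for b in buckets:
        if b["public"] and not b["documented_public"]:
            yield Finding("Network", b["name"], "bucket publicly readable without documented justification")


def check_encryption(buckets):
    for b in buckets:
        if not b["sse"]:
            yield Finding("Encryption", b["name"], "no default server-side encryption at rest")


def run_checks(snapshot):
    findings = []
    findings += check_iam(snapshot["credential_report"])
    findings += check_logging(snapshot["cloudtrail"])
    findings += check_network(snapshot["security_groups"], snapshot["s3_buckets"])
    findings += check_encryption(snapshot["s3_buckets"])
    return findings


def summary(findings):
    """Count findings per evidence area, which is the shape an auditor asks to see."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_checks(SNAPSHOT):
        print(f"[{f.area}] {f.resource}: {f.issue}")
```

Run against the constructed snapshot it reports eight findings: three under IAM (root access key, root used three days ago, `bob` without MFA), one under Logging, two world-open admin ports under Network, and two unencrypted buckets. The dated output of a run like this, kept alongside the ticket that closed each finding, is exactly the "periodic configuration review with documented findings" the checklist asks for.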

The SoA Entry for A.5.23

Your Statement of Applicability should list A.5.23 as applicable with a justification along the lines of: "The organisation uses cloud infrastructure and SaaS services to deliver its products and store customer data. A.5.23 is applicable to ensure these services are used securely in accordance with the organisation's information security requirements." The associated implementation evidence is your cloud security policy, configuration documentation, and periodic review records.

SaaS services count too

A.5.23 applies not only to IaaS/PaaS (AWS, Azure, GCP) but to SaaS tools that handle your data — Slack, Google Workspace, GitHub, Salesforce. For each, you should have a policy position on acceptable use, data residency (if relevant), and whether SSO/MFA is enforced. This often overlaps with your supplier management requirements under A.5.19.

If you want help implementing the cloud-specific controls and producing audit evidence, our ISO 27001 consulting service covers cloud security controls as part of a full ISMS implementation.
