This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.23 Information security for use of cloud services.
ISO 27001: 2022 Control Description
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.
Purpose
To specify and manage information security for the use of cloud services.
Guidance on implementation
The organisation should establish and communicate a topic-specific policy on the use of cloud services to all relevant interested parties.
The organisation should define and communicate how it intends to manage information security risks associated with the use of cloud services. This can be an extension or part of the existing approach for how an organisation manages services provided by external parties.
The use of cloud services can involve shared responsibility for information security and requires collaborative effort between the cloud service provider and the organisation acting as the cloud service customer. It is essential that the responsibilities for both the cloud service provider and the organisation, acting as the cloud service customer, are clearly defined and implemented appropriately.
The organisation should define:
a) All relevant information security requirements associated with the use of cloud services;
b) Cloud service selection criteria and the scope of cloud service usage;
c) Roles and responsibilities related to the use and management of cloud services;
d) Which information security controls are managed by the cloud service provider and which are managed by the organisation as the cloud service customer;
e) How to obtain and utilise information security capabilities provided by the cloud service provider;
f) How to obtain assurance on information security controls implemented by cloud service providers;
g) How to manage controls, interfaces, and changes in services when an organisation uses multiple cloud services, particularly from different cloud service providers;
h) Procedures for handling information security incidents related to the use of cloud services;
i) The approach for monitoring, reviewing, and evaluating the ongoing use of cloud services to manage information security risks;
j) How to change or stop the use of cloud services, including exit strategies for cloud services.
Cloud service agreements are often pre-defined and not open to negotiation. For all cloud services, the organisation should review cloud service agreements with the cloud service provider(s). A cloud service agreement should address the confidentiality, integrity, availability, and information handling requirements of the organisation, with appropriate cloud service level objectives and cloud service qualitative objectives. The organisation should also undertake relevant risk assessments to identify the risks associated with using the cloud service. Any residual risks connected to the use of the cloud service should be clearly identified and accepted by the appropriate management of the organisation.
An agreement between the cloud service provider and the organisation, acting as the cloud service customer, should include the following provisions for the protection of the organisation’s data and the availability of services:
a) Providing solutions based on industry-accepted standards for architecture and infrastructure;
b) Managing access controls of the cloud service to meet the requirements of the organisation;
c) Implementing malware monitoring and protection solutions;
d) Processing and storing the organisation’s sensitive information in approved locations (e.g. a particular country or region) or within or subject to a particular jurisdiction;
e) Providing dedicated support in the event of an information security incident in the cloud service environment;
f) Ensuring that the organisation’s information security requirements are met if cloud services are further sub-contracted to an external supplier (or prohibiting cloud services from being sub-contracted);
g) Supporting the organisation in gathering digital evidence, taking into consideration laws and regulations for digital evidence across different jurisdictions;
h) Providing appropriate support and service availability for an adequate timeframe when the organisation wishes to exit the cloud service;
i) Providing the required backup of data and configuration information and securely managing backups as applicable, based on the capabilities of the cloud service provider used by the organisation, acting as the cloud service customer;
j) Providing and returning information such as configuration files, source code, and data owned by the organisation, acting as the cloud service customer, when requested during the service provision or at termination of the service.
The organisation, acting as the cloud service customer, should consider whether the agreement should require cloud service providers to provide advance notification prior to any substantive changes that may impact the customer being made to the way the service is delivered to the organisation, including:
a) Changes to the technical infrastructure (e.g. relocation, reconfiguration, or changes in hardware or software) that affect or change the cloud service offering;
b) Processing or storing information in a new geographical or legal jurisdiction;
c) The use of peer cloud service providers or other sub-contractors (including changing existing or using new parties).
The organisation using cloud services should maintain close contact with its cloud service providers. These contacts enable mutual exchange of information about information security for the use of the cloud services, including a mechanism for both the cloud service provider and the organisation, acting as the cloud service customer, to monitor each service characteristic and report failures to the commitments contained in the agreements.