Requirement
Requirement lens
Treat this as the control objective. The implementation, evidence, and audit sections explain how to make it operational and provable.
“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”
Plain-language meaning
Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.
Cloud is not just another supplier category. It has supplier risk, but also shared responsibility, fluid data locations, standard provider terms, configurable security features, identity integration, support access, resilience assumptions, and exit risk.
Why this matters
Cloud services can improve resilience and speed, but they also create risk when the organization does not understand what the provider secures and what the customer must secure.
Examples:
- customer data stored or supported from unexpected jurisdictions;
- encryption or logging available but not enabled because it costs extra;
- provider standard terms that do not match the organization’s risk appetite;
- unclear responsibility for identity, backup, incident notification, or configuration;
- no exit plan if the provider changes terms, fails, or is replaced;
- incident notices hidden in a portal instead of proactively communicated.
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
1. Define a cloud acquisition process
Before adopting a cloud service, assess:
| Area | Practical question |
|---|---|
| Business need | Why is this cloud service needed? |
| Information exposure | What data will be stored, processed, transmitted, logged, or supported? |
| Data location | Can location be constrained to required regions? |
| Support location | Can support access be constrained or approved? |
| Shared responsibility | What does the provider secure and what must the customer secure? |
| Security features | Are encryption, logging, backup, MFA, key management, and monitoring included or extra? |
| Integration | How will identity, access, logging, and incident response integrate with internal processes? |
| Exit | How will data be exported, deleted, validated, and transitioned? |
2. Maintain a cloud service register
The organization should know which cloud services are approved, who owns them, what information they hold, and how they are reviewed.
Minimum useful fields:
- cloud service name;
- business owner;
- supplier/provider;
- information classification;
- data location and residency constraint;
- support location or access model;
- shared responsibility summary;
- security features enabled;
- agreement reference;
- incident notification method;
- review frequency;
- exit strategy status.
3. Define shared responsibility clearly
Cloud control gaps often happen because both parties assume the other side is responsible.
Examples:
| Responsibility area | Provider may own | Customer may own |
|---|---|---|
| Physical data center security | Facility controls | Provider selection and assurance review |
| Platform availability | Cloud infrastructure resilience | Architecture, backup, continuity objectives |
| Identity | Platform identity features | User lifecycle, MFA, privileged access |
| Encryption | Encryption capability | Enabling encryption and key decisions |
| Logging | Logging services | Enabling, retaining, reviewing logs |
| Incident notification | Provider notice | Internal incident response and escalation |
4. Manage data location and jurisdiction
Cloud data location can be difficult because major providers use distributed architecture. The organization should define where data may be stored, processed, backed up, and supported from.
If the provider can only answer “it depends,” the organization still needs a risk decision.
5. Plan exit from the beginning
Exit strategy is part of cloud security. Define:
- export format;
- migration dependencies;
- deletion and destruction evidence;
- retention and backup handling;
- identity/access removal;
- contract termination steps;
- business continuity during transition;
- validation that data is no longer accessible.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors should verify that cloud service acquisition, use, management, and exit are governed by defined processes and risk decisions.
Audit tests:
- request the cloud service register;
- sample cloud services by criticality and information sensitivity;
- review cloud risk assessments and approval records;
- compare provider terms with organizational security requirements;
- check shared responsibility documentation;
- verify data location, support location, and jurisdiction decisions;
- check whether required security features are enabled;
- review service review meetings, dashboards, or provider reports;
- verify proactive incident notification arrangements;
- check whether provider incident advice was reviewed and acted on;
- review exit plans for critical cloud services.
Auditors should expect some cloud provider terms to be standard and non-negotiable. The issue is not whether every term was negotiated; the issue is whether risks above tolerance were understood and accepted by the right management level.
Evidence examples
Evidence quality
Strong evidence links requirement, owner, action, date, review, and outcome. Weak evidence usually proves only intent.
| Evidence | What it proves |
|---|---|
| Cloud service register | Cloud services are known and owned |
| Cloud risk assessment | Cloud-specific risks are evaluated |
| Shared responsibility matrix | Control ownership is clear |
| Security requirements checklist | Acquisition criteria are defined |
| Cloud agreement/security addendum | Requirements are formally addressed |
| Configuration evidence | Required controls are enabled |
| Provider assurance reports | Provider controls are reviewed |
| Service dashboards/reports | Performance and availability are monitored |
| Incident notification records | Provider incidents are communicated and reviewed |
| Exit plan | Migration, deletion, and termination are planned |
Strong evidence
- Cloud register includes owner, classification, location, support model, provider, and exit status.
- Risk assessment covers data residency, shared responsibility, provider terms, configuration, and exit.
- Security features such as encryption, logging, MFA, backup, and monitoring are explicitly enabled or risk-accepted.
- Provider incident notifications are proactive and internally reviewed.
- Exit plans exist for critical cloud services.
- Risks above tolerance are accepted by appropriate management.
Weak evidence
- Cloud services known only through finance/procurement spend.
- Provider certification accepted without checking the organization’s shared responsibilities.
- Data location and support location are unknown.
- Security features exist but are not enabled.
- Provider portal has incident notices but nobody checks or receives notifications.
- No exit plan because the provider is assumed to be permanent.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Treating cloud as ordinary procurement only | Cloud-specific shared responsibility and location risks are missed |
| No cloud service register | Shadow cloud and unmanaged services persist |
| No data residency decision | Legal and contractual requirements may be breached |
| No shared responsibility matrix | Control gaps remain hidden |
| Paying extra controls not budgeted | Required security features are not enabled |
| No incident notification route | Organization learns about incidents too late |
| No exit plan | Provider change, failure, or termination becomes operationally risky |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- A.5.23 covers acquisition, use, management, and exit, not only cloud procurement.
- Cloud services are supplier relationships, but cloud has specific risks such as shared responsibility, data location, support location, and exit.
- Provider standard terms may still be acceptable if risk is understood and accepted at the right level.
- Provider certification does not prove the customer’s cloud configuration is secure.
- Exit strategy matters as much as onboarding.
Related controls and concepts
- A.5.19 Information Security in Supplier Relationships
- A.5.20 Addressing Information Security Within Supplier Agreements
- A.5.21 Managing Information Security in the ICT Supply Chain
- A.5.22 Monitoring, Review and Change Management of Supplier Services
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.18 Access Rights
- Risk Assessment
- Statement of Applicability
- Internal Audit
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
A.5.23 requires defined processes for cloud service acquisition, use, management, and exit. Practical implementation includes a cloud register, cloud risk assessment, shared responsibility matrix, data location decisions, required security configuration, provider monitoring, incident notification, and exit planning.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Organizational controls
- Cloud security
- Supplier security
- Audit
Note Metadata
Aliases: A.5.23, Information Security for Use of Cloud Services
Source: 02 Annex A Organizational Controls/A.5.23 Information Security for Use of Cloud Services.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
11
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- A.5 Organizational Controls MOC
- A.5.23 Audit Evidence Pack
- AQ-ISO27001-A.5.23 Information Security for Use of Cloud Services
- ISO 27001 A.8.21 - Security of Network Services
- A.5 Organizational Controls Implementation Guide
- ISO27001-A.5.23 Information Security for Use of Cloud Services
- A.5 Controls Implementation Audit Risk Mapping
- EXAM-008 - Supplier and Cloud Control Distinctions
- ISO 27002 Annex A Control Interpretation Map
- A.5.23 Audit Checklist
- Cloud and Backup Deletion Checklist
- Cloud Security Requirements and Exit Checklist
- Cloud Service Register
- Supplier Security Register
- Supplier Security Responsibility Matrix
- Annex A Controls MOC