What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization’s information security requirements.
Evidence to request
| Evidence | Purpose |
|---|---|
| Cloud service register | Shows cloud services are known and owned |
| Cloud risk assessments | Shows cloud-specific risks are assessed |
| Shared responsibility matrix | Shows responsibility split is understood |
| Security requirements checklist | Shows acquisition criteria are defined |
| Cloud agreements/security addenda | Shows requirements are formally addressed |
| Configuration evidence | Shows required controls are enabled |
| Provider assurance reports | Shows provider controls are reviewed |
| Service dashboards/reports | Shows service performance is monitored |
| Incident notification records | Shows incidents are communicated and reviewed |
| Exit plan | Shows migration, deletion, and termination are planned |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Cloud register includes owner, classification, provider, location, support model, and exit status.
- Risk assessments include data location, support location, shared responsibility, provider terms, configuration, and exit.
- Security features such as encryption, logging, MFA, backup, and monitoring are enabled or risk-accepted.
- Provider incident notifications are proactive and reviewed.
- Critical cloud services have exit plans.
- Risks above tolerance are approved by appropriate management.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Cloud services tracked only through finance spend.
- Provider certification accepted without customer-side responsibility review.
- Data location is unknown.
- Security options exist but are not enabled.
- Incident notifications require manual portal checks only.
- No exit plan.
Sample interview questions
- How are cloud services approved before use?
- Who owns each cloud service?
- How do you know where data is stored or supported from?
- How are shared responsibilities documented?
- Which security features are mandatory for this cloud service?
- How are provider incidents communicated and acted on?
- What is the exit plan for a critical cloud service?
Common nonconformities
- No cloud service register.
- No cloud-specific risk assessment.
- Shared responsibility not defined.
- Required cloud security features not enabled.
- Provider risks above tolerance not formally accepted.
- No cloud exit process.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 23
Note Metadata
Aliases: A.5.23 Evidence
Source: 04 Audit Evidence Packs/A.5.23 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- Audit Evidence MOC
- AQ-ISO27001-A.5.23 Information Security for Use of Cloud Services
- A.5 Organizational Controls Audit Guide
- ISO27001-A.5.23 Information Security for Use of Cloud Services
- A.5.23 Audit Checklist
- Cloud Security Requirements and Exit Checklist
- Cloud Service Register
- Audit Evidence Index