What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 5.23


For nearly a decade, the ISO 27001:2013 standard served as the gold standard for information security. However, back in 2013, the “cloud” was often treated as just another type of outsourcing. Fast forward to the 2022 update, and the reality has shifted. Most businesses now live in the cloud. Recognising this, the updated standard introduced a brand-new, dedicated control: Annex A 5.23, Information Security for Use of Cloud Services.

If you are transitioning from the 2013 version, you won’t find a direct 1-to-1 predecessor for this control. It is one of the 11 completely new additions designed to fix a “cloud-shaped hole” in the old framework. Let’s explore what this change means for your ISMS and how to bridge the gap.

The Birth of a Dedicated Cloud Control

In the 2013 version, cloud security was usually addressed by piecing together various controls from Domain A.15 (Supplier Relationships) and Domain A.14 (System Acquisition). It was up to the organisation to decide how these applied to providers like AWS, Azure, or Google Workspace.

The 2022 version changes the game by making Annex A 5.23 a standalone “Organisational Control.” This move acknowledges that cloud services aren’t just “suppliers”; they are part of your infrastructure. According to Hightable.io, this control is a preventive measure that forces organisations to move away from “implicit trust” and toward a documented, high-standard governance model for every cloud service they use.

The Full Lifecycle Approach

The most significant change is the requirement for a “full-lifecycle” process. Annex A 5.23 isn’t just about picking a secure provider; it requires established processes for the entire journey of a cloud service. The standard now explicitly calls for documented procedures in four key stages:

  • Acquisition: How you identify and select cloud services based on your security requirements.
  • Use: How your employees and systems actually interact with the cloud.
  • Management: How you monitor performance, security patches, and configurations.
  • Exit: How you safely retrieve your data and terminate the service without leaving digital footprints behind.

As noted by Hightable.io, the “Exit Strategy” is often the most overlooked part of the transition. Auditors now want to see that you have a plan for what happens if you need to leave a provider, ensuring that data is securely deleted and business continuity is maintained.

Shared Responsibility Becomes Explicit

In 2013, the “Shared Responsibility Model” was a concept discussed by cloud providers but wasn’t a formal part of the ISO 27001 language. Annex A 5.23 changes this. It now mandates that you define and communicate who is responsible for what.

Under the 2022 update, you must be able to demonstrate that you know which controls the provider handles (like physical data centre security) and which ones you handle (like user access management and data encryption). Hightable.io highlights that a “Responsibility Matrix” is now a key piece of evidence for passing an audit, proving that there are no “gaps” where security responsibilities might fall through the cracks.

Rigid Agreements and Scrutiny

One of the practical challenges addressed in the 2022 version is that cloud agreements (Terms of Service) are rarely negotiable. Unlike a bespoke supplier contract in 2013, you can’t usually ask a major cloud provider to change their security clauses just for you.

Annex A 5.23 acknowledges this reality but raises the bar for scrutiny. You are now expected to review these non-negotiable agreements to ensure they meet your minimum security standards. If they don’t, you must document the risk and implement “compensating controls” (like adding your own layer of encryption) to bridge the gap.

Practical Impact: New Documentation Requirements

If you are moving from the 2013 version to the 2022 update, you can’t just “map” an old control to this one. You will likely need to create or significantly update your documentation. Key additions include:

  • Cloud Service Policy: A topic-specific policy outlining the rules for using cloud services.
  • Cloud Supplier Register: A list of all cloud services (SaaS, PaaS, IaaS) and their associated risk levels.
  • Evidence of Review: Records showing you have reviewed the provider’s own certifications (like their ISO 27001 or SOC 2 reports).
  • Standardised Exit Plans: Procedures for decommissioning cloud assets securely.

Why This New Control is a Step Forward

The transition to ISO 27001:2022 Annex A 5.23 is a direct response to the rise of cloud-specific threats like misconfigured S3 buckets and account takeovers. By giving cloud security its own home, the standard helps organisations treat the cloud with the specialized focus it deserves.

Ultimately, the change moves cloud security from the “IT background” to the “governance foreground.” For organisations looking to streamline this transition, using the cloud-specific risk assessment tools and policy templates available at Hightable.io can help you build a “fortress in the cloud” that meets the rigorous demands of the new 2022 standard.