This rule is about cloud supplier management, which means a company must have a system to handle the information security risks of its third party cloud systems, products and services.
What is ISO 27001 Annex A 5.23?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Information Security For Use Of Cloud Services”.
What is the ISO 27001 Annex A 5.23 control objective?
The formal definition and control objective in the standard is: “Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organisation’s information security requirements.”
What is the purpose of ISO 27001 Annex A 5.23?
The purpose of ISO 27001 Annex A 5.23 is “To ensure you specify and manage information security for the use of cloud services.”
Is ISO 27001 Annex A 5.23 Mandatory?
ISO 27001 Annex A control 5.23 (Information Security For Use Of Cloud Services in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.23 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
You can treat cloud services almost like any other supplier you use. The standard mentions them separately, most likely because it felt it needed to. It lists requirements that are not realistic for most organisations, then concedes that meeting all of them is probably impossible for you.
Before we look at what you can do, let’s look at what the standard says is your way out.
Your Way Out of Unrealistic Rules
The standard completely accepts that most cloud service agreements are written beforehand and are not open for you to change. So why does it list those strict rules? We do not know. The main point is really just to follow basic, good supplier practices.
You need to make sure you follow these two rules:
- ISO 27001 Annex A 5.21: This rule is about managing information security within the entire technology supply chain that you use.
- ISO 27001 Annex A 5.22: This rule asks you to watch, check, and manage any changes to the supplier services you use.
You should follow good supplier management steps, including checking for risks, just as you do for other suppliers. If you ever feel worried, you can look up the standard for extra advice. It will guide you, and then it will basically say, “but we know you probably cannot follow all this advice.”
Cloud Service Agreements
We will not cover what the standard says should be in your cloud service agreements. As we already said, the standard knows you cannot bargain over these. You must accept what the cloud company offers you. If you are curious, you can check your copy of the ISO 27002 standard.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will look for:
1. Cloud Supplier Agreements
You must have formal agreements with all your cloud providers. The auditor will check these to make sure they clearly state the security rules you expect. They will also confirm that these agreements are current and cover all the services or products you buy from them.
2. ISO 27001 Cloud Supplier Register
You need an ISO 27001 Supplier Register to list and keep track of your cloud providers. Be certain this list is up to date and correctly shows your current business setup.
3. Reviewing Your Documents
The auditor will examine your records and all your documentation. They want to see that your documents are classified and labelled. At the very least, any sensitive document you show them must be marked as confidential. They will also check:
- Is the document current?
- Did someone review it within the last year?
- Does the version number on the document match your official records?