ISO 27001 Control 5.23: Information Security for Use of Cloud Services
Cloud services introduce new attack vectors and compliance risks that many SMBs overlook. Control 5.23 requires documented processes for every stage of cloud service lifecycle—from vendor evaluation to secure offboarding. Without proper controls, you risk data exposure, regulatory violations, and costly breaches.
What this means
This control mandates that your organization establish formal processes governing cloud service adoption and management. You must align cloud service use with your information security requirements at acquisition, during active use, during management changes, and at contract termination. This includes vendor assessment, security controls validation, data protection during exit, and continuous monitoring.
How to comply
- 1.Document a cloud service acquisition process that requires security assessment before vendor selection
- 2.Establish information security requirements specific to each cloud service type (SaaS, PaaS, IaaS)
- 3.Create a vendor evaluation checklist covering data residency, encryption, audit rights, and compliance certifications
- 4.Define roles and responsibilities for cloud service ownership and ongoing security monitoring
- 5.Implement contractual controls requiring vendors meet your security standards and audit requirements
- 6.Create a cloud service inventory with categorization by sensitivity and compliance requirements
- 7.Establish exit procedures including data retrieval timelines, secure deletion verification, and access revocation
- 8.Schedule periodic reviews of cloud service security posture and compliance status
Evidence auditors look for
- Approved cloud service vendor evaluation framework with security criteria
- Completed vendor risk assessments and security questionnaires
- Cloud service contracts with information security clauses and audit rights
- Cloud service inventory documenting owner, data sensitivity, and security controls
- Evidence of data classification applied to cloud-stored information
- Cloud service security incident logs and remediation records
- Exit procedures documentation with data deletion confirmations
- Audit reports or compliance certifications from cloud vendors (SOC 2, ISO 27001)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch simplifies cloud service compliance by centralizing vendor assessments, contract requirements, and exit checklists in one platform—automatically tracking security controls across your entire cloud portfolio and flagging gaps before audits.
See how GRCWatch handles this control automatically
Start free trial