Series: New Controls in ISO/IEC 27001:2022 Annex A

  • sujosutech
  • Jul 2
  • 3 min read

Information Security for Use of Cloud Services


The third edition of the popular information security standard ISO/IEC 27001:2022 was published in February 2022. Annex A of the standard lists 93 security controls that organizations may implement to mitigate security risks; implementation guidance for these controls is given in ISO/IEC 27002:2022. All controls of the previous edition (ISO/IEC 27001:2013) have been retained in the new edition (some of them merged and modified), and 11 new controls have been added.

In this article series, we analyze the implementation aspects of the new controls of ISO/IEC 27001:2022 Annex A. This second article explores Control 5.23 (Information security for use of cloud services).

Control

Control 5.23 (Information security for use of cloud services) defines best practices for managing the information security of cloud services. It emphasizes establishing processes for the acquisition, use, management of, and exit from cloud services in line with the organization's information security requirements.


Attributes

Implementing this control helps an organization prevent security breaches arising from the use of cloud services and hence protect the confidentiality, integrity and availability of its information systems.


Implementation

The organization should perform a risk assessment to identify the information security requirements associated with the use of cloud services. A cloud service agreement should be signed between the organization and the cloud service provider, addressing the organization's confidentiality, integrity, availability, privacy and information handling requirements. Appropriate security controls need to be implemented by both the organization and the cloud service provider, including maintenance of regular backups. Roles and responsibilities for the use and management of cloud services need to be assigned.

The organization should also establish procedures for handling information security incidents that may arise from the use of cloud services. Where multiple cloud service providers are used, the organization needs to define processes for managing controls, interfaces and changes in services. On service termination, the organization must ensure that the cloud service provider returns all relevant assets owned by the organization, including configuration files, source code and data.


Artefacts

The contents and implementation of the following security policies and procedures may be impacted by the above control:

  • Risk Management Policy – An organization should consider the potential impact of cloud-service-specific threats when assessing security risks and preparing risk treatment plans.

  • Access Control Policy – The access control policy should include rules for accessing cloud services as per the security requirements of the organization.

  • Supplier Security Policy – This policy should define how providers are required to maintain the security of cloud services.

  • Data Protection Policy – This policy should include requirements for protecting the organization's sensitive data that may reside with, and be processed by, the cloud service provider.

  • Incident Response Procedure – Procedures for the detection and containment of, and recovery from, security incidents arising from the use of cloud services should be established.

  • Security Operating Procedures – Procedures for the secure usage of cloud services should be defined and implemented.


How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. In addition, we organize webinars and publish articles to raise awareness of various aspects of cyber security and data privacy.


Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.
