The 2022 update to ISO 27001 introduced a new control for the use of Cloud services. It outlines the policies and procedures that are required when acquiring, using, managing or exiting Cloud services.
Adding this control was an obvious and necessary step given just how many organisations use Cloud services as part of their core business activities.
An estimated 96% of all organisations use at least one Internet-based IT resource, such as Amazon Web Services or Microsoft Azure.
Whenever an organisation implements a new resource on which sensitive data is stored or upon which key business activities rely, it must assess any security or reliability issues that come with it.
With the addition of Control A 5.23 to ISO 27001, organisations have specific guidance that they can follow when using this technology.
Meeting your Cloud services requirements
To meet the requirements of control A 5.23, you will need to consider all three aspects of information security management – people, processes and technology.
As the Cloud is itself a technological resource, many organisations will focus on technological measures. This is especially likely given that many Cloud services already have security measures built into them, which can lead organisations to assume they don’t need to proactively consider how their data is being protected.
These security measures include the likes of multi-factor authentication to ensure that only authorised users can access sensitive information stored on the Cloud and encryption to protect the data should it be lost or stolen.
Whenever you integrate a Cloud service into your operations, you should make sure these security measures are in place.
This might be as simple as ensuring that the in-built measures are properly configured, but in some cases extra work is required. You might need to upgrade your service, or switch providers altogether, if its security measures are not adequate for your needs.
The choices you make here should be governed by established policies and procedures regarding the use of Cloud services. Your organisation must understand what security requirements you need from a Cloud service, and these must be considered during the acquisition stage.
You will also need documentation to ensure that employees use these services in a responsible and secure manner. You will need acceptable use policies, but you should also consider how Cloud use integrates with your other security requirements, such as password management, remote working and offboarding.
Meanwhile, for processes to be truly effective, you must ensure that your employees are aware of them and understand what’s expected of them. You should make a concerted effort to educate employees on these requirements, whether that’s through reminders to read policies or, where necessary, more structured staff awareness training.
Completing your ISO 27001 transition
Control A 5.23 is just one of many new controls added to ISO 27001:2022, while several other controls were combined or removed. When these changes were published in the updated version of the Standard, organisations were given three years to incorporate them into their ISMS (information security management system).
That transition period ended in October 2025, meaning your organisation should now have fully transitioned to the new version of ISO 27001.
However, this is obviously easier said than done. Your initial implementation project would have been a significant job, and you might not have been able to dedicate the time or resources to completing the transition and carrying out the necessary audits to make sure everything works as intended and that nothing has been overlooked.
Nonetheless, it’s essential that you prioritise these actions, because you otherwise undermine the effectiveness of your security measures and jeopardise your certification status.
So, whether you still have work to do with ISO 27001 or want to check that your updated practices align with the Standard’s requirements, you should consider a formal assessment of your compliance status.
That’s what our ISO 27001 Transition Gap Analysis can help you achieve. Our experts will gather information to ensure a comprehensive understanding of your organisation’s current security posture.
We’ll then conduct a detailed comparison, assessing your ISMS against the stringent requirements of ISO 27001. By identifying gaps and nonconformities, we’ll provide you with a clear roadmap for improvement.
We’ll then create a revised risk treatment plan, aligned with the updated Standard, offering a strategic approach to strengthen your information security framework.
The post How To Comply with ISO 27001’s New Cloud Services Control appeared first on IT Governance Blog.
