Cloud Service Security Management
Ensure secure cloud service use with proper procedures for acquisition, management, and exit.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Preventative
🧱 ISO 27001 domain
Organisational controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
30 Mar 2026
🎯 Maturity levels
N/A
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.
Source: ISO/IEC 27001:2022
Plain language
This control is about making sure that any cloud services your organisation uses are secure. It means setting clear rules and processes for choosing, using, managing, and leaving these services. Without it, sensitive data could be at risk, contracts might be unclear, and exiting a cloud service could become complicated, potentially causing disruptions or data breaches.
Why it matters
Poorly managed cloud services can lead to data breaches or loss of data access, affecting operational continuity and reputational integrity.
Operational notes
Regularly review cloud security needs and update agreements with providers to manage risks and maintain current service requirements.
Implementation tips
- The IT Manager should develop a cloud service policy. This policy should set out the security requirements and protocols for cloud service use, and it should be communicated to all employees.
- The Procurement team should establish criteria for selecting cloud services. They should evaluate potential cloud providers based on these criteria, which could include security standards, compliance with Australian regulations, and service level agreements.
- The IT Manager should define roles and responsibilities for managing cloud services. Assign specific tasks such as monitoring security controls and handling data migration during the exit.
- The Risk Management team should perform a risk assessment for potential cloud services. This involves identifying and evaluating risks to confidentiality, integrity, and availability of data on the cloud.
- The IT Manager should establish procedures for cloud service exit strategies. These should cover data retrieval, service shutdown processes, and continuity of operations, while maintaining security throughout the transition.
Audit / evidence tips
- Ask: the organisation's cloud service policy document
  Look at: the specified security requirements and management processes
  Good: document will detail protocols and be well communicated across the organisation
- Ask: to see records of cloud service selection criteria and decisions
  Look at: the criteria's compliance with security and regulatory standards
  Good: records will show thorough evaluations against predefined criteria
- Good: structure will detail specific responsibilities and oversight mechanisms
- Ask: the latest risk assessment report concerning cloud services
  Look at: identified risks and mitigation strategies concerning data protection
  Good: report will clearly outline potential risks and planned responses
- Ask: the procedures and any past instances of cloud service exits
  Look at: how data was securely retrieved and how services were discontinued
  Good: evidence will show a planned, secure, and documented approach
Cross-framework mappings
How Annex A 5.23 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | ||
| E8-RA-ML2.11 | Annex A 5.23 requires lessons from incidents to be used to improve security controls | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| ISM-1529 | ISM-1529 requires that outsourced SECRET and TOP SECRET cloud services are only delivered using community or private cloud deployment models | |
| ISM-1909 | ISM-1909 requires root cause analysis (RCA) when resolving vulnerabilities so underlying causes are identified and whole vulnerability cl... | |
| Supports (3) | ||
| ISM-0043 | Annex A 5.23 requires the organisation to learn from security incidents and use those lessons to improve security controls and prevent re... | |
| ISM-0576 | Annex A 5.23 requires that incidents drive improvements to security controls through learning and corrective action | |
| ISM-1638 | ISM-1638 requires documenting outsourced cloud services and key governance attributes such as purpose, data classification, contractual a... | |