Cloud Service Security Management
Ensure secure cloud service use with proper procedures for acquisition, management, and exit.
Plain language
This control is about making sure that any cloud services your organisation uses are secure. It means setting clear rules and processes for choosing, using, managing, and leaving these services. Without it, sensitive data could be at risk, contracts might be unclear, and exiting a cloud service could become complicated, potentially causing disruptions or data breaches.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
30 Mar 2026
Maturity levels
N/A
Official control statement
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization''s information security requirements.
Why it matters
Poorly managed cloud services can lead to data breaches or loss of data access, affecting operational continuity and reputational integrity.
Operational notes
Regularly review cloud security needs and update agreements with providers to manage risks and maintain current service requirements.
Implementation tips
- The IT Manager should develop a cloud service policy. This policy should include security requirements and protocols for cloud service use, and ensure its communication to all employees.
- The Procurement team should establish criteria for selecting cloud services. They should evaluate potential cloud providers based on these criteria, which could include security standards, compliance with Australian regulations, and service level agreements.
- The IT Manager should define roles and responsibilities for managing cloud services. Assign specific tasks such as monitoring security controls and handling data migration during the exit.
- The Risk Management team should perform a risk assessment for potential cloud services. This involves identifying and evaluating risks to confidentiality, integrity, and availability of data on the cloud.
- The IT Manager should establish procedures for cloud service exit strategies. These should cover data retrieval, service shut down processes, and ensure continuity while maintaining security during the transition.
Audit / evidence tips
-
Askthe organisation''s cloud service policy document
Look atthe specified security requirements and management processes
Gooddocument will detail protocols and be well communicated across the organisation
-
Askto see records of cloud service selection criteria and decisions. Check the criteria compliance with security and regulatory standards. Good records will show thorough evaluations against predefined criteria
-
Goodstructure will detail specific responsibilities and oversight mechanisms
-
Askthe latest risk assessment report concerning cloud services
Look atidentified risks and mitigation strategies concerning data protection
Goodreport will clearly outline potential risks and planned responses
-
Askthe procedures and any past instances of cloud service exits. Examine how data was securely retrieved and how services were discontinued. Good evidence will show a planned, secure, and documented approach
Cross-framework mappings
How Annex A 5.23 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-RA-ML2.11 | Annex A 5.23 requires lessons from incidents to be used to improve security controls | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| ISM-1529 | ISM-1529 requires that outsourced SECRET and TOP SECRET cloud services are only delivered using community or private cloud deployment models | |
| ISM-1909 | ISM-1909 requires root cause analysis (RCA) when resolving vulnerabilities so underlying causes are identified and whole vulnerability cl... | |
| handshake Supports (3) expand_less | ||
| ISM-0043 | Annex A 5.23 requires the organisation to learn from security incidents and use those lessons to improve security controls and prevent re... | |
| ISM-0576 | Annex A 5.23 requires that incidents drive improvements to security controls through learning and corrective action | |
| ISM-1638 | ISM-1638 requires documenting outsourced cloud services and key governance attributes such as purpose, data classification, contractual a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.