Control 5.23 is a new control that outlines the processes required for the acquisition, use, management of, and exit from cloud services, in line with the organisation’s own information security requirements.
Control 5.23 allows organisations to first specify then subsequently manage and administer information security concepts as related to cloud services, in their capacity as a “cloud services customer”.
Control 5.23 is a preventative control that addresses risk by specifying the policies and procedures that govern information security within the sphere of commercial cloud services.
Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
---|---|---|---|---|
#Preventative | #Confidentiality #Integrity #Availability | #Protect | #Supplier Relationships Security | #Governance and Ecosystem #Protection |
Such has been the proliferation of cloud services over the past decade that Control 5.23 contains a host of procedures encompassing many distinct elements of an organisation’s operation.
Given that not all cloud services are ICT-specific (although it could reasonably be asserted that most are), ownership of Control 5.22 should sit with either the organisation’s CTO or its COO, depending on the prevailing operational circumstances.
Compliance with Control 5.23 involves adhering to what’s known as a ‘topic-specific’ approach to cloud services and information security.
Given the variety of cloud services on offer, topic-specific approaches encourage organisations to create cloud services policies that are tailored towards individual business functions, rather than adhering to a blanket policy that applies to information security and cloud services across the board.
It should be noted that ISO considers adherence to Control 5.23 as a collaborative effort between the organisation and their cloud service partner. Control 5.23 should also be closely aligned with Controls 5.21 and 5.22, which deal with information management in the supply chain and the management of supplier services respectively.
However an organisation chooses to operate, Control 5.23 should not be taken in isolation and should complement existing efforts to manage supplier relationships.
With information security at the forefront, the organisation should define:
Control 5.23 acknowledges that, unlike other supplier relationships, cloud service agreements are rigid documents that aren’t amendable in the vast majority of cases.
With that in mind, organisations should scrutinise cloud service agreements and ensure that four main operational requirements are met:
As with other supplier contracts, prior to acceptance, cloud service agreements should undergo a thorough risk assessment that highlights potential problems at source.
At a bare minimum, the organisation should enter into a cloud services agreement only when they are satisfied that the following 10 provisions have been met:
In addition to the above guidance, Control 5.23 suggests that organisations form a close working relationship with their cloud service providers, in keeping with the importance of the service those providers deliver, not only in information security terms but across the organisation’s entire commercial operation.
Organisations, where possible, should seek out the following stipulations from cloud service providers to improve operational resilience, and enjoy enhanced levels of information security:
Control 5.23 is a new control that doesn’t feature in ISO 27002:2013 in any capacity.
ISMS.online streamlines the ISO 27002 implementation process by providing a sophisticated cloud-based framework for documenting information security management system procedures and checklists to assure compliance with recognised standards.
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
5.7 | New | Threat intelligence |
5.23 | New | Information security for use of cloud services |
5.30 | New | ICT readiness for business continuity |
7.4 | New | Physical security monitoring |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.16 | New | Monitoring activities |
8.23 | New | Web filtering |
8.28 | New | Secure coding |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
---|---|---|
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |