A.5.23 — Is there a process for the secure use of cloud services? (NEW in 2022)
Demonstrate that the organization has implemented and follows documented processes for evaluating, approving, securely configuring, and continuously managing cloud services throughout their lifecycle in accordance with information security requirements.
Description
What this control does
This control requires organizations to establish and maintain formal processes governing the acquisition, use, configuration, ongoing management, and eventual exit from cloud services, across public, private, and hybrid cloud models. The process must address cloud service provider selection criteria, data classification and handling requirements, the split of security responsibilities under the provider's shared responsibility model, vendor risk assessment, contract reviews, secure configuration baselines, and the return or deletion of data when a service is retired. It ensures cloud adoption aligns with organizational security policies and regulatory obligations before services are provisioned, and that the organization retains control of its data for the whole lifecycle of the service.
Control objective
What auditing this proves
Demonstrate that the organization has implemented and follows documented processes for evaluating, approving, securely configuring, and continuously managing cloud services throughout their lifecycle in accordance with information security requirements.
Associated risks
Risks this control addresses
- Unauthorized cloud service adoption (shadow IT) bypasses security controls and creates unmanaged data exposure points
- Misunderstanding of shared responsibility models leads to critical security gaps where neither organization nor provider implements required controls
- Misconfiguration of cloud storage buckets, identity permissions, or network controls exposes sensitive data to public internet access
- Inadequate vendor due diligence results in selection of cloud providers with insufficient security certifications or incident response capabilities
- Data residency and sovereignty violations occur when cloud services store regulated data in prohibited geographic jurisdictions
- Lack of encryption key management processes leaves sensitive data protected only by provider-managed keys, so the provider, or anyone who compromises the provider's key infrastructure or obtains a lawful-access order against it, can decrypt organizational data
- Insufficient logging and monitoring in cloud environments prevents detection of account compromise or insider threats
Testing procedure
How an auditor verifies this control
- Obtain and review the documented cloud service use policy or procedure, verifying it addresses service evaluation, approval workflows, security configuration requirements, and shared responsibility definitions
- Request the inventory of all approved cloud services currently in use, including service type (IaaS/PaaS/SaaS), data classification handled, and responsible business owners
- Select a sample of 3-5 cloud services from different service models and request approval documentation including security assessments, vendor due diligence reports, and contract security addenda
- For each sampled cloud service, review the documented security baseline configurations covering identity management, network access controls, encryption settings, and logging requirements
- Verify implementation by examining the actual configuration of each sampled service through console screenshots, configuration exports, or CLI/API output taken from the live environment (not self-reported by the service owner), comparing each setting against the documented baseline requirement and noting any deviation
- Interview cloud service owners to validate their understanding of shared responsibility boundaries and specific security controls they must implement versus provider-managed controls
- Review cloud service monitoring processes including logs of configuration changes, access reviews, and security incident detection mechanisms specific to cloud environments
- Test the process by requesting evidence of how the organization responds to unauthorized cloud service discovery, including examples of shadow IT identification and remediation
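The baseline comparison step in the testing procedure above can be automated rather than done by eyeballing screenshots: export the service configuration, then check each documented baseline requirement against the exported value and treat a missing setting as a failure. The following is an added example, not code from the original page or from any cloud provider. It assumes a constructed, provider-neutral JSON export shape and made-up baseline control identifiers (IAM-01, STO-01, and so on); a real export from a provider's CLI would first need to be mapped into that shape.

```python
"""Compare exported cloud service configuration against a documented baseline.

Added example (not from the original page). The export format and the
baseline control identifiers are assumptions constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Finding:
    service: str
    control: str
    expected: str
    actual: Any
    severity: str


@dataclass(frozen=True)
class Rule:
    control: str                  # hypothetical baseline control id
    path: str                     # dotted path into the exported config
    check: Callable[[Any], bool]  # predicate over the exported value
    expected: str                 # what the documented baseline requires
    severity: str = "high"


# Documented baseline, expressed as checks over the export. Each rule maps
# to one line of the kind an auditor would expect in the baseline document.
BASELINE: list[Rule] = [
    Rule("IAM-01", "identity.root_mfa_enabled", lambda v: v is True,
         "MFA enabled on the root/owner account"),
    Rule("IAM-02", "identity.access_key_max_age_days",
         lambda v: isinstance(v, int) and v <= 90,
         "long-lived access keys rotated within 90 days", "medium"),
    Rule("NET-01", "network.public_ingress_cidrs",
         lambda v: "0.0.0.0/0" not in v, "no unrestricted public ingress"),
    Rule("STO-01", "storage.block_public_access", lambda v: v is True,
         "public access blocked at the storage account/bucket level"),
    Rule("ENC-01", "storage.encryption_at_rest",
         lambda v: v == "customer_managed_key",
         "encryption at rest using a customer-managed key"),
    Rule("LOG-01", "logging.audit_log_enabled", lambda v: v is True,
         "control-plane audit logging enabled"),
    Rule("LOG-02", "logging.retention_days",
         lambda v: isinstance(v, int) and v >= 365,
         "audit logs retained for at least 365 days", "medium"),
]


def lookup(config: dict, path: str) -> Any:
    """Walk a dotted path; return None if any segment is missing."""
    cur: Any = config
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(export: dict, baseline: list[Rule] = BASELINE) -> list[Finding]:
    """Return one Finding per baseline rule the export fails.

    A setting that is absent from the export is a failure, not a pass:
    an auditor cannot accept "not configured" as evidence of compliance.
    """
    service = export.get("service", "<unknown>")
    findings: list[Finding] = []
    for rule in baseline:
        actual = lookup(export.get("config", {}), rule.path)
        try:
            ok = actual is not None and bool(rule.check(actual))
        except TypeError:  # wrong type in export (e.g. int where list expected)
            ok = False
        if not ok:
            findings.append(Finding(service, rule.control, rule.expected,
                                    actual, rule.severity))
    return findings


# Constructed sample exports: one compliant service, one sandbox with the
# kind of drift shadow IT typically shows (no MFA, open ingress, public
# storage, provider-managed keys, no retention setting at all).
SAMPLE_EXPORTS: list[dict] = json.loads("""[
 {"service": "object-storage-prod", "config": {
   "identity": {"root_mfa_enabled": true, "access_key_max_age_days": 45},
   "network": {"public_ingress_cidrs": []},
   "storage": {"block_public_access": true,
               "encryption_at_rest": "customer_managed_key"},
   "logging": {"audit_log_enabled": true, "retention_days": 400}}},
 {"service": "analytics-sandbox", "config": {
   "identity": {"root_mfa_enabled": false, "access_key_max_age_days": 200},
   "network": {"public_ingress_cidrs": ["0.0.0.0/0"]},
   "storage": {"block_public_access": false,
               "encryption_at_rest": "provider_managed_key"},
   "logging": {"audit_log_enabled": true}}}
]""")


def report(exports: list[dict]) -> dict[str, list[Finding]]:
    """Evaluate every export; services with an empty list are compliant."""
    return {e["service"]: evaluate(e) for e in exports}


if __name__ == "__main__":
    for svc, findings in report(SAMPLE_EXPORTS).items():
        status = "PASS" if not findings else f"FAIL ({len(findings)} findings)"
        print(f"{svc}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: expected {f.expected}; "
                  f"actual {f.actual!r}")
```

The evidence produced by such a run (the export file plus the findings list) is what the auditor wants to see against each sampled service; keeping the export alongside the findings also lets the auditor re-run the comparison rather than trust the summary.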