Auditing ISO 27001 Annex A 5.23 (Information Security for Use of Cloud Services) validates the governance and security of cloud-based assets. The audit confirms the Primary Implementation Requirement: defining, agreeing and monitoring the division of security responsibilities between the organisation and the Cloud Service Provider (CSP). The Business Benefit is data protection, regulatory compliance and service availability in a shared-responsibility environment.
This technical verification tool is designed for lead auditors to establish the security integrity of cloud-based operations and service delivery. Use this checklist to validate compliance with ISO 27001 Annex A 5.23 (Information security for use of cloud services).
1. Cloud Service Usage Policy Formalisation Verified
Verification Criteria: A documented policy exists defining the processes for acquisition, use, management, and exit from cloud services based on organisational security requirements.
Required Evidence: Approved Cloud Security Policy or integrated Procurement Policy with specific cloud governance sections.
Pass/Fail Test: If the organisation uses cloud services (SaaS/IaaS/PaaS) but lacks a formal policy governing their selection and security management, mark as Non-Compliant.
2. Cloud Service Provider (CSP) Risk Assessment Validated
Verification Criteria: Every cloud service in use has undergone a formal security risk assessment prior to onboarding, considering data sensitivity and business criticality.
Required Evidence: Completed Cloud Risk Assessment reports or Vendor Due Diligence Questionnaires (DDQs) for current CSPs.
Pass/Fail Test: If a cloud service processing “Confidential” data was onboarded without a recorded risk assessment, mark as Non-Compliant.
3. Shared Responsibility Model Mapping Confirmed
Verification Criteria: The organisation has explicitly defined and documented the division of security responsibilities between the CSP and the organisation for each service model used.
Required Evidence: Responsibility matrix or internal documentation mapping IaaS/PaaS/SaaS security duties (e.g., patching, IAM, physical security).
Pass/Fail Test: If the organisation cannot demonstrate who is responsible for managing specific controls (e.g., OS patching in IaaS), mark as Non-Compliant.
4. Contractual Security Requirement Alignment Verified
Verification Criteria: Cloud service agreements or Terms of Service (ToS) include mandatory clauses for data protection, breach notification, and right-to-audit (or equivalent assurance).
Required Evidence: Executed Cloud Service Agreements, Data Processing Agreements (DPAs), or reviewed ToS documents.
Pass/Fail Test: If the contract does not mandate a specific timeframe for the CSP to notify the organisation of a security breach, mark as Non-Compliant.
5. Cloud Asset Inventory and Data Residency Confirmed
Verification Criteria: A register of all cloud services is maintained, including the type of data stored and the specific geographic regions where data is hosted.
Required Evidence: Cloud Asset Register and configuration screenshots showing regional data residency settings (e.g., AWS Region, Azure Location).
Pass/Fail Test: If the organisation cannot identify the physical location/region of data stored in a primary cloud service, mark as Non-Compliant.
6. Cloud Access Control and MFA Enforcement Validated
Verification Criteria: Access to cloud management consoles and sensitive cloud applications is restricted via unique identities and Multi-Factor Authentication (MFA).
Required Evidence: IAM configuration reports or Conditional Access Policy screenshots showing mandatory MFA for cloud administrative roles.
Pass/Fail Test: If administrative access to a cloud production environment is possible via single-factor authentication, mark as Non-Compliant.
7. Secure Configuration and Hardening of Cloud Resources Verified
Verification Criteria: Cloud infrastructure (e.g., S3 buckets, virtual machines) is configured according to security best practices to prevent unauthorised public access.
Required Evidence: Cloud Security Posture Management (CSPM) reports or manual configuration screenshots showing “Block Public Access” settings.
Pass/Fail Test: If any cloud storage containing sensitive data is found with “Public” read/write access enabled, mark as Non-Compliant.
8. Cloud Service Monitoring and Logging Integrity Confirmed
Verification Criteria: Security logs from cloud services are enabled, monitored, and protected from unauthorised modification.
Required Evidence: CloudTrail logs, Activity Logs, or SIEM ingestion records showing active monitoring of cloud management events.
Pass/Fail Test: If logging is disabled for a production cloud environment or logs are stored without immutability controls, mark as Non-Compliant.
9. Cloud Backup and Availability Assurance Validated
Verification Criteria: The organisation ensures that cloud data is backed up and that the CSP’s availability SLAs meet business continuity requirements.
Required Evidence: Backup configuration logs, successful restore test records, and documented SLA uptime monitoring.
Pass/Fail Test: If no independent or CSP-native backup exists for critical cloud-hosted data, mark as Non-Compliant.
10. Cloud Service Exit and De-provisioning Strategy Verified
Verification Criteria: A formalised plan exists for the exit from cloud services, including data migration, secure deletion, and account revocation.
Required Evidence: Documented Cloud Exit Strategy or decommissioning checklists for terminated cloud services.
Pass/Fail Test: If the organisation cannot demonstrate how it would recover its data and securely delete it upon termination of a CSP contract, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Shared Responsibility | GRC tool identifies “AWS” as the host and marks physical security as “Compliant”. | Verify the *customer* responsibilities. GRC tools often ignore the fact that the user failed to configure firewall rules or IAM. |
| Data Residency | Tool records “The Cloud” as the location. | Verify the *legal jurisdiction*. If the SaaS host moves data to a non-equivalent jurisdiction without notice, the control fails. |
| Secure Configuration | Tool identifies a “Policy” exists for cloud hardening. | Demand a CSPM report. Policies are useless if a developer manually opened an S3 bucket to the public yesterday. |
| Assurance/Audit | Platform stores a generic SOC 2 report from the CSP. | Verify the *Complementary User Entity Controls* (CUECs). Every CSP audit report lists tasks the customer must perform for the CSP's controls to hold. |
| Logging | Tool checks if “Logging is enabled”. | Verify *log ingestion*. If logs are generated but nobody in the SOC is alerted to a “Root Login,” the control is dead. |
| Exit Strategy | GRC tool assumes “the vendor will give us our data back”. | Verify the *format*. If the data is returned in a proprietary format you can’t read, the exit strategy is a failure. |
| MFA | Tool marks MFA as “Active” for the tenant. | Inspect the *exceptions*. GRC tools often miss service accounts or “break-glass” accounts that have MFA disabled. |
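As an added example (not part of this checklist or of any GRC product), the following Python evaluates exported evidence for items 6, 7 and 8 and for the MFA, Secure Configuration and Logging rows above: an IAM credential report, per-bucket S3 Block Public Access settings and CloudTrail trail descriptions. All three inputs are constructed samples; the column and key names follow the AWS exports they stand in for, while the account number, user and bucket names are assumptions.

```python
import csv
import io

# Constructed sample: a trimmed IAM credential report (the real CSV has more columns).
# The root user reports password_enabled as not_supported rather than true.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,true,true
breakglass-admin,arn:aws:iam::123456789012:user/breakglass-admin,true,false
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,false,false
"""

# Constructed sample: per-bucket Block Public Access settings, keyed the way
# the S3 GetPublicAccessBlock response names them.
BUCKET_SETTINGS = {
    "finance-exports": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "legacy-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                      "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
}

# Constructed sample: trimmed CloudTrail trail descriptions.
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "dev-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]


def users_without_mfa(report_csv):
    """Item 6 / MFA row: every console-capable identity (root and break-glass
    accounts included) whose MFA is not active. Access-key-only service users
    are out of scope here because they have no console password."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def buckets_allowing_public_access(settings):
    """Item 7: any of the four Block Public Access flags switched off is a finding."""
    return sorted(name for name, flags in settings.items() if not all(flags.values()))


def trails_without_integrity_validation(trails):
    """Item 8: trails whose log files carry no integrity-validation digests,
    so modification after delivery would go undetected."""
    return [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
```

Each non-empty list is a Non-Compliant result for the corresponding item; the break-glass account in the sample is exactly the exception a tenant-level "MFA: Active" flag would hide.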