In this ultimate how-to-audit guide to ISO 27001 Annex A 5.23 Information Security for Use of Cloud Services, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Cloud Service Usage Policy Formalisation Verified
- 2. Cloud Service Provider (CSP) Risk Assessment Validated
- 3. Shared Responsibility Model Mapping Confirmed
- 4. Contractual Security Requirement Alignment Verified
- 5. Cloud Asset Inventory and Data Residency Confirmed
- 6. Cloud Access Control and MFA Enforcement Validated
- 7. Secure Configuration and Hardening of Cloud Resources Verified
- 8. Cloud Service Monitoring and Logging Integrity Confirmed
- 9. Cloud Backup and Availability Assurance Validated
- 10. Cloud Service Exit and De-provisioning Strategy Verified
Auditing ISO 27001 Annex A 5.23 Information Security for Use of Cloud Services validates the governance and security of cloud-based assets. The audit confirms the primary implementation requirement: defining and monitoring the division of security responsibilities between the organisation and the Cloud Service Provider (CSP). The business benefit is data protection, regulatory compliance, and service availability in a shared responsibility environment.
1. Cloud Service Usage Policy Formalisation Verified
Verification Criteria: A documented policy exists defining the processes for acquisition, use, management, and exit from cloud services based on organisational security requirements.
Required Evidence: Approved Cloud Security Policy or integrated Procurement Policy with specific cloud governance sections.
Pass/Fail Test: If the organisation uses cloud services (SaaS/IaaS/PaaS) but lacks a formal policy governing their selection and security management, mark as Non-Compliant.
2. Cloud Service Provider (CSP) Risk Assessment Validated
Verification Criteria: Every cloud service in use has undergone a formal security risk assessment prior to onboarding, considering data sensitivity and business criticality.
Required Evidence: Completed Cloud Risk Assessment reports or Vendor Due Diligence Questionnaires (DDQs) for current CSPs.
Pass/Fail Test: If a cloud service processing “Confidential” data was onboarded without a recorded risk assessment, mark as Non-Compliant.
3. Shared Responsibility Model Mapping Confirmed
Verification Criteria: The organisation has explicitly defined and documented the division of security responsibilities between the CSP and the organisation for each service model used.
Required Evidence: Responsibility matrix or internal documentation mapping IaaS/PaaS/SaaS security duties (e.g., patching, IAM, physical security).
Pass/Fail Test: If the organisation cannot demonstrate who is responsible for managing specific controls (e.g., OS patching in IaaS), mark as Non-Compliant.