ISO 27001 Annex A 5.23 Information security for use of cloud services is a security control that requires organizations to establish processes for the acquisition, use, management, and exit of cloud services. For AI companies, this control is essential to secure critical infrastructure like GPU clusters and model hosting environments, ensuring that cloud-based intellectual property is protected according to the shared responsibility model.
As an AI company, you operate at the cutting edge of technology, heavily relying on cloud services for everything from computationally intensive model training to real-time inference and data storage. The agility and scalability of the cloud are foundational to your innovation. Recognising this shift, the ISO 27001:2022 standard introduced ISO 27001 Annex A 5.23 Information security for use of cloud services, a crucial new control that directly addresses the security of cloud services.
This guide is designed to demystify this control, analyse the unique cloud security risks faced by AI companies, provide a clear and actionable plan for compliance, and present a practical solution to streamline the entire process.
Table of contents
- The “No-BS” Translation: Decoding the Requirement
- The Business Case: Why This Actually Matters for AI Companies
- DORA, NIS2 and AI Regulation: Cloud is Critical
- ISO 27001 Toolkit vs SaaS Platforms: The Cloud Trap
- Understanding Control A.5.23: What It Means for Your AI Company
- The High Stakes: Unique Cloud Security Risks in AI Workflows
- Your Action Plan: A Step-by-Step Guide to Compliance
- The Evidence Locker: What the Auditor Needs to See
- Common Pitfalls & Auditor Traps
- Handling Exceptions: The “Break Glass” Protocol
- The Process Layer: “The Standard Operating Procedure (SOP)”
The “No-BS” Translation: Decoding the Requirement
Let’s strip away the consultant-speak. Annex A 5.23 is about acknowledging that you don’t own your servers anymore. It requires you to act responsibly on rented land.
| The Auditor’s View (ISO 27001) | The AI Company View (Reality) |
|---|---|
| “Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation’s information security requirements.” | Shared Responsibility is Key. 1. Don’t assume AWS backs up your data. They back up the infrastructure. You back up the data. 2. If you leave the Vector Database provider, how do you get your embeddings out? Do you have a script for that? |
| “Cloud service agreements should address… information security requirements.” | Read the small print. Does your “free tier” LLM provider have the right to train on your input data? If so, you just gave away your IP. Check the box “Do not train.” |
The Business Case: Why This Actually Matters for AI Companies
Why should a founder care about “Cloud Security”? Because your entire business exists inside someone else’s computer.
The Sales Angle
Enterprise clients will ask: “Which regions do you process data in?” and “What is your exit strategy if Azure goes down?” If your answer is “We rely 100% on us-east-1 and hope for the best,” you lose. If your answer is “We have a multi-region failover strategy documented in our Cloud Policy,” you win. A 5.23 proves resilience.
The Risk Angle
The “Vendor Lock-in” Ransom: You build your entire product on a proprietary AI platform (e.g., using only OpenAI’s specific Assistants API). If they double the price or change the terms, you are dead. A 5.23 forces you to have an “Exit Strategy” – effectively an insurance policy for your business continuity.
DORA, NIS2 and AI Regulation: Cloud is Critical
Regulators view cloud providers as critical infrastructure.
- DORA (Article 28): Requires a “Strategy for ICT Third-Party Risk.” You must have an exit strategy for critical cloud services. If you cannot migrate your data easily, you are non-compliant.
- NIS2 Directive: Mandates security in the supply chain. You must assess the security measures of your cloud providers. Using a cheap, unverified GPU cloud provider could be a violation.
- EU AI Act: High-risk systems require technical documentation. You must document the computational resources used. If your cloud provider cannot guarantee resource availability (compute), your system’s reliability is in question.
ISO 27001 Toolkit vs SaaS Platforms: The Cloud Trap
SaaS platforms monitor your cloud configuration (e.g., “S3 bucket open”), but they don’t manage the relationship or the contract. Here is why the ISO 27001 Toolkit is superior.
| Feature | ISO 27001 Toolkit (Hightable.io) | Online SaaS Platform |
|---|---|---|
| Scope | Full Lifecycle. Covers Acquisition (Selection), Use, and Exit (Termination). | Use Only. Platforms check if you are using it securely now, but don’t help you select or exit a vendor. |
| Ownership | Your Strategy. You own the “Cloud Security Policy” and “Exit Strategy” documents. | Config Checks. Platforms provide a dashboard of pass/fail checks. If you cancel, you lose the record of your compliance posture. |
| Simplicity | Templates. “Here is what to put in your contract with a SaaS vendor.” | No Legal Help. Platforms tell you “MFA is off,” but don’t help you negotiate the Data Processing Agreement (DPA). |
| Cost | One-off fee. Pay once. Secure your cloud. | Usage-Based. Some platforms charge based on the number of cloud resources you connect. Scaling your infrastructure increases your compliance cost. |
Understanding Control A.5.23: What It Means for Your AI Company
At its core, this control is about moving beyond ad-hoc cloud adoption and establishing a formal, lifecycle-based process for managing all your cloud services securely. The purpose is to ensure that information security risks are identified and managed throughout your entire relationship with the provider.
The High Stakes: Unique Cloud Security Risks in AI Workflows
While any company faces cloud security risks, for an AI business, these risks are existential.
Exposure of Sensitive Training Datasets
Your AI models are built on unique data assets. A failure to secure cloud services can lead to the catastrophic loss of proprietary labeled datasets. This extends beyond PII breaches to the theft of the core intellectual property that underpins your algorithms.
Disruption of Algorithmic Processes
Your business relies on continuous availability. A security incident can interrupt critical MLOps pipelines or cause model drift to go undetected. Such disruptions can halt operations and inflict significant reputational damage.
Vulnerabilities in the AI Supply Chain
The AI development lifecycle is a complex supply chain. Inheriting vulnerabilities from third-party model repositories underscores the importance of scrutinising the security of every cloud-based supplier.
Your Action Plan: A Step-by-Step Guide to Compliance
Compliance here is not about bureaucratic box-checking; it is about building a robust operational framework.
Acquisition: Selecting and Onboarding Cloud Providers
Establish a disciplined acquisition process. Perform AI-centric risk assessments and scrutinise agreements for data recovery and exit strategies.
Use: Implementing Policies and Controls
Establish topic-specific policies. Understand the Shared Responsibility Model and map every key security function to either you or the provider. Implement robust access controls and enforce the principle of least privilege.
Management: Monitoring and Review
Treat cloud security as a continuous discipline. Conduct continuous monitoring and manage service changes. Perform regular security assessments and maintain an up-to-date Cloud Security Register.
Exit: Securely Transitioning Away from a Service
Design a secure exit strategy. Proactively document the procedures for retrieving your data and ensure model and data portability.
The Evidence Locker: What the Auditor Needs to See
When the audit comes, prepare these artifacts:
- Cloud Security Policy (PDF): A document defining your rules for using cloud services.
- Cloud Services Register (Excel): A list of all SaaS/IaaS/PaaS providers, their owner, and their status.
- Shared Responsibility Matrix (Excel/PDF): A simple grid showing who does what (e.g., “AWS secures the data center, We secure the OS”).
- Exit Strategy Plans (PDF): A documented plan for leaving your most critical provider (e.g., “How to migrate from AWS to GCP”).
Common Pitfalls & Auditor Traps
Here are the top 3 ways AI companies fail this control:
- The “Free Tier” Trap: You use a free tool for production. Free tiers often have no SLA and no security guarantees. Auditor asks: “What happens if they delete your account?” You have no answer.
- The “Untracked” SaaS: Marketing signed up for an AI copywriter tool using a corporate card. It isn’t in the register. It has access to customer data. Non-conformity.
- The “Default” Config: You spun up an S3 bucket but left the default “Block Public Access” settings off (or changed them without knowing).
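The first two pitfalls can be checked mechanically against the Cloud Services Register. This is an added example, not part of the original page or the toolkit it describes; the register columns `tier`, `critical` and `exit_plan` and the list of observed services are assumptions, and all data is constructed.

```python
import csv
import io

# Constructed register export. Owner and status come from the register described
# above; tier, critical and exit_plan are hypothetical extra columns.
REGISTER_CSV = """service,owner,status,tier,critical,exit_plan
aws,platform-team,production,paid,yes,exit-aws-to-gcp.pdf
vector-db-saas,ml-team,production,free,yes,
notion,,production,paid,no,
"""

# Constructed list of services seen in use, e.g. from card statements or SSO logs.
OBSERVED = ["AWS", "vector-db-saas", "notion", "ai-copywriter"]

def load_register(text):
    """Parse the register into {service: row}, normalising case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["service"].strip().lower(): {k: (v or "").strip() for k, v in r.items()}
            for r in rows}

def review(register, observed):
    """Return (service, finding) pairs an auditor would raise."""
    findings = []
    seen = {o.strip().lower() for o in observed}
    for name in sorted(seen - set(register)):
        findings.append((name, "not in register"))            # the "Untracked" SaaS
    for name, row in sorted(register.items()):
        if not row["owner"]:
            findings.append((name, "no owner"))
        if row["status"] == "production" and row["tier"] == "free":
            findings.append((name, "free tier in production"))  # the "Free Tier" trap
        if row["critical"] == "yes" and not row["exit_plan"]:
            findings.append((name, "critical without exit plan"))
    return findings

if __name__ == "__main__":
    for service, finding in review(load_register(REGISTER_CSV), OBSERVED):
        print(f"{service}: {finding}")
```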
Handling Exceptions: The “Break Glass” Protocol
What if your cloud provider locks you out (e.g., billing dispute or 2FA failure)?
The Cloud Lockout Workflow:
- Preparation: Maintain a “Break Glass” account (root user) with credentials stored physically offline (safe) or in a separate system.
- Alternative Contact: Have the “Enterprise Support” phone number saved offline.
- Data Backup: Ensure critical data is backed up to a different cloud provider (Cross-Cloud Backup) so you aren’t held hostage.
The Process Layer: “The Standard Operating Procedure (SOP)”
How to operationalise A 5.23 using your existing stack (Linear, Notion).
- Step 1: Selection (Manual). Engineer creates a “New Tool Request” in Linear.
- Step 2: Review (Manual). Security Lead reviews the tool’s security page (SOC 2, ISO 27001) and Terms of Service (Data ownership).
- Step 3: Register (Manual). Add tool to “Cloud Register” in Notion. Assign an Owner.
- Step 4: Configure (Automated). Use Terraform to deploy infrastructure with standard security tags (Project, Owner, DataClass).
- Step 5: Monitor (Automated). CloudWatch/Datadog alerts on configuration drift (e.g., “Security Group changed to 0.0.0.0/0”).
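Steps 4 and 5, together with the “Default” Config pitfall, as an added example that is not part of the original page: a check over a constructed inventory for the three required tags, ingress open to 0.0.0.0/0, and the S3 Block Public Access flags. The `Type`/`Id` record shape is an assumption; the nested field names follow AWS API responses.

```python
REQUIRED_TAGS = {"Project", "Owner", "DataClass"}  # tag keys named in Step 4
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "::/0" is the IPv6 equivalent (added assumption)

def check_tags(res):
    """Flag required tags that are absent or present with an empty value."""
    present = {t["Key"] for t in res.get("Tags", []) if (t.get("Value") or "").strip()}
    return [f"{res['Id']}: missing tag {k}" for k in sorted(REQUIRED_TAGS - present)]

def check_security_group(sg):
    """Flag every ingress rule reachable from the whole internet."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        ports = "all ports" if perm.get("IpProtocol") == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        findings += [f"{sg['Id']}: ingress {ports} open to {c}"
                     for c in cidrs if c in OPEN_CIDRS]
    return findings

def check_bucket(bucket):
    """All four Block Public Access flags must be on; a missing config counts as off."""
    cfg = bucket.get("PublicAccessBlock") or {}
    off = [f for f in BPA_FLAGS if not cfg.get(f, False)]
    return [f"{bucket['Id']}: Block Public Access off: {', '.join(off)}"] if off else []

def audit(inventory):
    checks = {"security_group": check_security_group, "s3_bucket": check_bucket}
    findings = []
    for res in inventory:
        findings += check_tags(res)
        findings += checks.get(res["Type"], lambda r: [])(res)
    return findings

def _tags(**kv):  # builds AWS-style tag lists for the sample data
    return [{"Key": k, "Value": v} for k, v in kv.items()]

INVENTORY = [  # constructed sample; Type/Id are a hypothetical record shape
    {"Type": "security_group", "Id": "sg-train-gpu",
     "Tags": _tags(Project="llm-train", Owner="ml-platform", DataClass="confidential"),
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"Type": "s3_bucket", "Id": "model-checkpoints",
     "Tags": _tags(Project="llm-train", Owner=""),
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
]

if __name__ == "__main__":
    print("\n".join(audit(INVENTORY)))
```

Run on a schedule against an exported inventory, the findings list doubles as the record of periodic configuration reviews the auditor asks for.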
By formalising how you acquire, use, manage, and exit cloud services, you build a resilient foundation for your technology. A structured approach, guided by a practical solution like the High Table ISO 27001 Toolkit, removes the guesswork.
ISO 27001 Annex A 5.23 for AI Companies FAQ
What is ISO 27001 Annex A 5.23 for AI companies?
ISO 27001 Annex A 5.23 requires AI companies to define and manage security requirements for the use of cloud services. For AI firms, this involves ensuring 100% of cloud-hosted assets—including GPU compute clusters, Large Language Model (LLM) weights, and massive training datasets—are protected under a formal cloud security policy.
Why is cloud security critical for AI model development?
Cloud security is critical because approximately 82% of data breaches involve cloud-based data. For AI companies, the cloud is the primary environment for training and inference; Annex A 5.23 mitigates the risk of catastrophic intellectual property theft or unauthorised model fine-tuning by enforcing rigorous configuration management and access controls.
What are the specific cloud security requirements for AI firms?
AI organisations must implement technical safeguards tailored to high-performance compute environments to satisfy Annex A 5.23. Key requirements include:
- Shared Responsibility Matrix: Documenting the exact security boundary between the AI firm and providers like AWS, Azure, or GCP.
- Data-at-Rest Encryption: Mandatory AES-256 encryption for 100% of proprietary datasets and model checkpoints stored in cloud buckets.
- Compute Isolation: Ensuring that GPU instances used for model training are logically isolated and protected by strict security groups.
- Exit Strategy: Maintaining a documented plan to migrate or delete AI models and data if the cloud service provider (CSP) relationship terminates.
What evidence is required for an Annex A 5.23 audit?
Auditors require documented proof of cloud oversight and secure configuration. Essential evidence includes the Cloud Service Policy, a shared responsibility matrix for each CSP, technical logs showing 100% MFA enforcement for cloud console access, and records of periodic security configuration reviews for GPU and storage assets.