In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.23 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.23 Information Security for Use of Cloud Services
ISO 27001 Annex A 5.23 is a new control introduced in the 2022 update that specifically requires organizations to manage the information security risks of third-party cloud systems, products, and services. The core objective is to move beyond generic supplier management and address the unique nature of the cloud, where agreements are often non-negotiable and security responsibilities are shared between the provider and the customer. This “preventive” control ensures you have a structured approach for the Acquisition, Use, Management, and Exit of cloud services.
Core requirements for compliance include:
- Cloud Security Policy: You must implement a topic-specific policy that defines your organization’s requirements for cloud security, including data residency, encryption, and access controls.
- Shared Responsibility Awareness: Compliance requires a clear understanding of the “Shared Responsibility Model.” You must document which security tasks the provider handles (e.g., physical data center security) and which tasks you remain accountable for (e.g., IAM, data encryption).
- Vetting & Onboarding: Cloud providers must be vetted before use. Since most cloud contracts (AWS, Google, Microsoft) are non-negotiable, you must review their third-party assurance reports (e.g., SOC 2 Type II or ISO 27001 certificates) to ensure they meet your risk appetite.
- Exit Strategy: You must have a defined process for “exiting” a cloud service. This includes how you will retrieve your data and ensure it is securely deleted from the provider’s systems at the end of the contract.
- Continuous Monitoring: Cloud security is not static. You must regularly monitor your cloud suppliers for changes in their service, sub-processors, or jurisdictional compliance.
Audit Focus: Auditors will look for “The Shared Responsibility Gap”:
- Cloud Register: “Show me your inventory of all cloud services (SaaS, IaaS, PaaS) currently in use. Who is the internal owner for each?”
- Assurance Verification: “Pick your most critical SaaS provider. Show me their current security certification. When did you last verify it was still valid?”
- Data Disposal: “If you stopped using this cloud tool tomorrow, how do you ensure 100% of your customer data is deleted from their servers?”
Shared Responsibility Matrix (Audit Prep):
| Security Layer | Responsibility | SaaS (e.g., Salesforce) | IaaS (e.g., AWS EC2) | ISO 27001:2022 Control |
|---|---|---|---|---|
| Physical Security | Provider | Provider managed | Provider managed | Annex A 5.23 / 7.1 |
| OS Patching | Shared | Provider managed | You (Customer) | Annex A 5.23 / 8.8 |
| Network Config | Shared | Provider managed | You (Firewall Rules) | Annex A 5.23 / 8.22 |
| User Access (IAM) | You | You (MFA/SSO) | You (MFA/SSO) | Annex A 5.23 / 8.15 |
| Data Encryption | You | You (Enable Key) | You (Manage Keys) | Annex A 5.23 / 8.24 |
Table of contents
- What is ISO 27001 Annex A 5.23?
- Watch the ISO 27001 Annex A 5.23 Tutorial
- ISO 27001 Annex A 5.23 Podcast
- ISO 27001 Annex A 5.23 Implementation Guidance
- How to implement ISO 27001 Annex A 5.23
- Responsibility Matrix
- How to write a Cloud Security Policy
- ISO 27001 Cloud Security Policy Template
- ISO 27001 Cloud Security Register Template
- How to comply
- How to pass the ISO 27001 Annex A 5.23 audit
- What the auditor will check
- Top 3 ISO 27001 Annex A 5.23 Mistakes People Make and How to Avoid Them
- Applicability of ISO 27001 Annex A 5.23 across different business models.
- Fast Track ISO 27001 Annex A 5.23 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.23 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute Values
What is ISO 27001 Annex A 5.23?
ISO 27001 Annex A 5.23, Information security for use of cloud services, means you must have a system for handling the information security risks of your third-party cloud systems, products and services.
It is an ISO 27001 control that requires an organisation to specify and manage information security for the use of cloud services.
ISO 27001 Annex A 5.23 Purpose
ISO 27001 Annex A 5.23 is a preventive control. Its purpose is to ensure that you specify and manage information security for the use of cloud services.
ISO 27001 Annex A 5.23 Definition
The ISO 27001 standard defines ISO 27001 Annex A 5.23 as:
Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organisation’s information security requirements.
ISO27001:2022 Annex A 5.23 Information security for use of cloud services
Watch the ISO 27001 Annex A 5.23 Tutorial
In the video ISO 27001 Information Security For Use Of Cloud Services Explained – ISO27001:2022 Annex A 5.23 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 5.23 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.23 Information Security For Use Of Cloud Services. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.23 Implementation Guidance
Cloud services can, to all intents and purposes, be treated like any other supplier. The standard calls them out separately because, in some ways, it seems the authors felt they had to. It gives a list of requirements that are unrealistic and then acknowledges that you are unlikely to be able to meet them.
Before we look at what you can do, let us paraphrase what the standard offers as the get-out.
It absolutely acknowledges that cloud service agreements are, on the whole, pre-defined and not open to negotiation. So why give a list of requirements? Who knows. This is about the basic good practice of supplier management. They could have said that. But they did not.
You will ensure that you have applied:
- ISO 27001 Annex A 5.21 Managing Information Security In The ICT Supply Chain
- ISO 27001 Annex A 5.22 Monitor, Review And Change Management Of Supplier Services
Follow good third-party supplier management as previously covered, including risk management. If at any point you are worried, seek additional guidance from the standard, which will guide you and then say, in effect, "but we appreciate this cannot be done."
Cloud Service Agreements
I am not even going to cover what the standard thinks should be in cloud service agreements. As already stated, the standard acknowledges that these are non-negotiable and that you take what the cloud service providers give you. If you are interested, refer to your copy of the ISO 27002 standard.
How to implement ISO 27001 Annex A 5.23
Implementing ISO 27001 Annex A 5.23 requires a strategic shift from managing local infrastructure to governing external providers. This process ensures that your organisation maintains visibility and control over data hosted in the cloud by formalising security requirements, defining clear boundaries of responsibility, and establishing robust exit strategies. By following these action-orientated steps, you can align your cloud environment with the 2022 standard while mitigating the risks of vendor lock-in and data residency violations.
1. Formalise the Topic-Specific Policy on Cloud Services
Establish a documented policy that defines the organisation’s security requirements for the acquisition and use of cloud services. This action results in a standardised framework that prevents the unauthorised or insecure adoption of “Shadow IT” across the business.
- Specify the mandatory security criteria for all Cloud Service Providers (CSPs), such as ISO 27001 or SOC 2 certification.
- Define the internal approval process for provisioning new SaaS, PaaS, or IaaS solutions.
- Outline the data residency requirements to ensure compliance with regional regulations such as the UK GDPR.
2. Define and Document the Shared Responsibility Model
Negotiate and record the specific security obligations of both the organisation and the cloud provider for every service in use. This ensures that no security control (such as patching or IAM) is left unassigned, reducing the risk of a configuration-led breach.
- Assign accountabilities for infrastructure security, platform hardening, and application-layer protection.
- Detail the “customer-side” responsibilities, including the management of MFA, encryption keys, and user access reviews.
- Provision a Responsibility Assignment Matrix (RACI) to map these duties to internal IT and Security roles.
3. Provision Secure Cloud Configuration Baselines
Implement hardened configuration standards for all cloud environments to ensure they meet the organisation’s risk appetite. This action results in a technically dense defensive posture that protects data from common cloud-native threats.
- Enforce Multi-Factor Authentication (MFA) for all administrative and privileged IAM roles.
- Apply the Principle of Least Privilege (PoLP) to service accounts and cloud storage buckets to prevent data exfiltration.
- Utilise automated configuration auditing tools to detect and remediate “publicly readable” assets in real time.
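The three baseline checks in this step (MFA on privileged roles, least privilege on service accounts and storage, and detection of publicly readable assets) are the kind of thing an auditor will ask you to evidence. The following script is an added example and is not code from the original guide or from the High Table toolkit. It audits a constructed inventory of cloud resources; the inventory format, the resource names and the approval flag for intentionally public assets are assumptions for the example, and a real implementation would load the inventory from the provider's API or a CSPM export instead.

```python
"""Cloud configuration baseline audit (added example, not from the original guide).

Walks a small inventory of identities and storage buckets and reports every
resource that breaks one of the step 3 baselines:
  MFA             - privileged identity without multi-factor authentication
  LEAST_PRIVILEGE - service account granted wildcard actions
  PUBLIC_ASSET    - bucket readable by anyone, with no documented approval
  ENCRYPTION      - bucket not encrypted at rest
The inventory structure below is an assumption made for this example.
"""
from dataclasses import dataclass

# Constructed sample inventory; none of these are real resources.
INVENTORY = {
    "identities": [
        {"name": "alice-admin", "privileged": True, "mfa_enabled": True},
        {"name": "break-glass", "privileged": True, "mfa_enabled": False},
        {"name": "ci-deployer", "privileged": False, "mfa_enabled": False,
         "service_account": True, "actions": ["s3:PutObject", "s3:GetObject"]},
        {"name": "legacy-batch", "privileged": False, "mfa_enabled": False,
         "service_account": True, "actions": ["*"]},
    ],
    "buckets": [
        {"name": "customer-exports", "public_read": False, "encrypted": True},
        # Public on purpose and recorded as approved (assumed "approved_public" flag).
        {"name": "marketing-site", "public_read": True, "encrypted": True,
         "approved_public": True},
        {"name": "old-logs", "public_read": True, "encrypted": True},
        {"name": "db-backups", "public_read": False, "encrypted": False},
    ],
}


@dataclass
class Finding:
    control: str   # which baseline rule fired
    resource: str  # the offending identity or bucket
    detail: str    # human-readable explanation for the register / audit trail


def audit_identities(identities):
    """Apply the MFA and least-privilege baselines to a list of identities."""
    findings = []
    for ident in identities:
        if ident.get("privileged") and not ident.get("mfa_enabled"):
            findings.append(Finding("MFA", ident["name"],
                                    "privileged identity without MFA"))
        if ident.get("service_account") and "*" in ident.get("actions", []):
            findings.append(Finding("LEAST_PRIVILEGE", ident["name"],
                                    "service account granted wildcard actions"))
    return findings


def audit_buckets(buckets):
    """Flag publicly readable buckets (unless approved) and unencrypted buckets."""
    findings = []
    for bucket in buckets:
        if bucket.get("public_read") and not bucket.get("approved_public"):
            findings.append(Finding("PUBLIC_ASSET", bucket["name"],
                                    "bucket is publicly readable without approval"))
        if not bucket.get("encrypted"):
            findings.append(Finding("ENCRYPTION", bucket["name"],
                                    "bucket is not encrypted at rest"))
    return findings


def audit(inventory):
    """Run every baseline check and return the combined list of findings."""
    return audit_identities(inventory["identities"]) + audit_buckets(inventory["buckets"])


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"[{finding.control}] {finding.resource}: {finding.detail}")
```

Run on a schedule, the output list is the evidence that the "detect and remediate in real time" bullet is actually happening; the approval flag matters because an auditor will accept a public asset that is documented and owned, but not one that nobody can explain.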
4. Formalise Cloud Service Agreements (CSAs)
Embed specific security clauses and “Right to Audit” requirements into all contracts with cloud providers. This results in a legally enforceable set of security standards that the provider must maintain throughout the lifecycle of the service.
- Include mandatory incident notification timeframes (e.g. 24 or 72 hours) for any breach affecting organisational data.
- Secure commitments regarding the use of sub-processors and the transparency of their security controls.
- Establish Service Level Agreements (SLAs) that specifically address the availability and integrity of security logs.
5. Execute Continuous Compliance Monitoring
Establish a recurring review process to monitor the security posture of the cloud provider and the organisation’s use of the service. This ensures that the control remains effective as the provider’s platform and the organisation’s infrastructure evolve.
- Perform an annual review of the provider’s independent audit reports (e.g. ISO 27001 surveillance reports).
- Monitor for changes in the provider’s service terms, data hosting locations, or ownership structure.
- Conduct regular vulnerability assessments of cloud-hosted applications and virtual network configurations.
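Steps 2 and 5 both come down to what is recorded in the cloud register: who owns each service, whether the assurance evidence is still in date and was verified in the last 12 months, and whether every security layer has an assigned owner under the shared responsibility model. The script below is an added example, not the toolkit's register template or any code from the original guide. It checks a constructed register for exactly the gaps an auditor probes; the field names, the sample suppliers, the certificate dates and the list of security layers are assumptions for the example.

```python
"""Cloud supplier register checks (added example, not the toolkit's template).

Each register entry records the internal owner, the provider's assurance
evidence (type, expiry, last verified) and the shared-responsibility
assignment per security layer. check_register() returns, per service, the
issues an auditor would raise. All field names and entries are assumptions.
"""
from datetime import date, timedelta

# Layers taken from the guide's responsibility matrix (names are assumed keys).
LAYERS = ("physical", "os_patching", "network", "iam", "data_encryption")
VALID_ASSIGNMENTS = {"provider", "customer", "shared"}
REVIEW_INTERVAL = timedelta(days=365)   # the guide's "reviewed in the last 12 months"

# Constructed register entries; the suppliers and certificates are not real.
REGISTER = [
    {
        "service": "CRM (SaaS)", "owner": "Head of Sales", "model": "SaaS",
        "assurance": {"type": "ISO 27001 certificate",
                      "expires": date(2026, 3, 1),
                      "last_verified": date(2025, 1, 15)},
        "responsibility": {"physical": "provider", "os_patching": "provider",
                           "network": "provider", "iam": "customer",
                           "data_encryption": "customer"},
    },
    {
        "service": "Compute (IaaS)", "owner": "", "model": "IaaS",
        "assurance": {"type": "SOC 2 Type II",
                      "expires": date(2024, 12, 31),
                      "last_verified": date(2023, 11, 2)},
        # os_patching and network were never assigned: the classic IaaS gap.
        "responsibility": {"physical": "provider", "iam": "customer",
                           "data_encryption": "customer"},
    },
]


def check_entry(entry, today):
    """Return a list of audit issues for one register entry (empty if clean)."""
    issues = []
    if not entry.get("owner"):
        issues.append("no internal owner assigned")

    assurance = entry["assurance"]
    if assurance["expires"] < today:
        issues.append(f"{assurance['type']} expired on {assurance['expires']}")
    if today - assurance["last_verified"] > REVIEW_INTERVAL:
        issues.append("assurance not verified in the last 12 months")

    assigned = entry.get("responsibility", {})
    unassigned = [layer for layer in LAYERS if layer not in assigned]
    if unassigned:
        issues.append("responsibility unassigned for: " + ", ".join(unassigned))
    bad_values = [layer for layer, who in assigned.items()
                  if who not in VALID_ASSIGNMENTS]
    if bad_values:
        issues.append("unrecognised responsibility value for: " + ", ".join(bad_values))
    return issues


def check_register(register, today):
    """Map each service name to its list of issues."""
    return {entry["service"]: check_entry(entry, today) for entry in register}


if __name__ == "__main__":
    for service, issues in check_register(REGISTER, date(2025, 6, 1)).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{service}: {status}")
```

The point of keeping the responsibility assignment inside the register rather than in a separate spreadsheet is that the "unassigned layer" check runs against every supplier automatically, which is the cheapest way to close the shared responsibility gap the auditor is looking for.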
6. Formalise the Cloud Service Exit and Transition Strategy
Develop a documented exit plan for critical cloud services to ensure data portability and secure decommissioning. This results in reduced operational risk and prevents data spoliation or unauthorised retention by the provider following contract termination.
- Define the technical requirements for data extraction, including file formats and encryption standards.
- Establish procedures for the secure deletion of organisational data from the provider’s primary and backup systems.
- Verify that all intellectual property and hardware assets are returned or destroyed at the end of the service lifecycle.
Responsibility Matrix
| Layer | Responsibility | SaaS (e.g., Salesforce) | IaaS (e.g., AWS EC2) |
|---|---|---|---|
| Physical Data Center | Provider | Salesforce | AWS |
| OS Patching | Provider | Salesforce | You (Customer) |
| Network Security | Shared | Salesforce | You (Firewall Rules) |
| User Access (IAM) | You | You (MFA/SSO) | You (MFA/SSO) |
| Data Encryption | You | You (Enable Key) | You (Manage Keys) |
How to write a Cloud Security Policy
A step-by-step tutorial on how to create a cloud security policy for ISO 27001 in under 10 minutes. I walk you through the process of creating a policy, including what to include in the policy and how to comply with the ISO 27001 standard.
For a deeper understanding of the ISO 27001 Cloud Security Policy see the ultimate guide: Cloud Security Policy: Ultimate Guide (+ template)
ISO 27001 Cloud Security Policy Template
The ultimate ISO 27001 Cloud Security Policy Template.
ISO 27001 Cloud Security Register Template
The ultimate ISO 27001 Supplier Register Template to record and manage your cloud suppliers.

How to comply
To comply with ISO 27001 Annex A 5.23 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short, you are going to include cloud services in supplier management and:
- Implement a topic specific policy
- Implement a supplier management process
- Include in your supplier management process supplier acquisition and supplier transfer
- Implement an ISO 27001 supplier register
- Have agreements with all suppliers that cover information security requirements
- Have information security assurances for critical suppliers as a minimum and ideally all relevant suppliers
- Monitor those suppliers
- Respond to adverse incidents in a structured way
How to pass the ISO 27001 Annex A 5.23 audit
To pass an audit of ISO 27001 Annex A 5.23 Information security for use of cloud services you are going to make sure that you have supplier management that also covers cloud services and that you have followed the steps above in how to comply.
What the auditor will check
The audit is going to check a number of areas. Let’s go through the most common.
1. That you have cloud supplier agreements in place
The auditor is going to check that you have agreements in place with cloud suppliers that cover the information security requirements. They will check that those agreements are in date and cover the products and/or services acquired.
2. That you have an ISO 27001 Cloud Supplier Register
You will need an ISO 27001 Supplier Register to record and manage your cloud suppliers. Make sure it is up to date and reflects your reality.
3. Documentation
They are going to look at audit trails and all your documentation and check that it is classified and labelled. All the documents that you show them should, as a minimum, be labelled as confidential if they are confidential. Is the document up to date? Has it been reviewed in the last 12 months? Does the version control match?
Top 3 ISO 27001 Annex A 5.23 Mistakes People Make and How to Avoid Them
The top 3 mistakes people make for ISO 27001 Annex A 5.23 are:
1. You do not monitor cloud suppliers
Make sure that there are reviews and monitoring in place. Perhaps meetings. Perhaps reports. Perhaps dashboards. Be sure to be able to evidence that you review and monitor those suppliers. You will have processes for adverse events, so do not be surprised if you are asked to evidence an adverse event, problem or issue and to show that you followed your process.
2. You have no assurance they are doing the right thing for information security
Make sure you have done your security assessment and can place your hands on an in-date certificate, such as an ISO 27001 certification, for assurance that they are doing the right thing. It needs to be in date and cover the products and/or services you have acquired and are using from the supplier.
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, and having documents with no stray comments left in are all good practices.
Applicability of ISO 27001 Annex A 5.23 across different business models.
| Business Type | Applicability & Interpretation | Examples of Control |
|---|---|---|
| Small Businesses | Configuring SaaS Correctly. You cannot audit giants like Microsoft or Google. Compliance focuses on selecting reputable providers and configuring the security settings (Shared Responsibility) you control. | MFA Enforcement: Turning on Multi-Factor Authentication for all Office 365/Google Workspace users. |
| Tech Startups | Managing the IaaS Gap. While AWS/Azure secure the physical data center, you are responsible for everything “in” the cloud (OS, Data, Firewall). Auditors check if you understand this boundary. | Cloud Register: Maintaining an inventory of all cloud services (IaaS, PaaS) with assigned internal owners. |
| AI Companies | API & Data Sovereignty. Critical focus on where training data flows. Ensuring third-party AI APIs (e.g., OpenAI, Anthropic) do not retain your data for their own model training. | Zero-Retention Agreements: configuring API settings to “Opt-Out” of model training on your inputs. |
Fast Track ISO 27001 Annex A 5.23 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.23 (Information security for use of cloud services), the requirement is to establish processes for the acquisition, use, management, and exit from cloud services. Since cloud providers are typically non-negotiable in their terms, the focus is on managing the shared responsibility model and ensuring you have an exit strategy.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Strategy Ownership | Rents access to your cloud rules; if you cancel the subscription, your documented exit plans and responsibility definitions vanish. | Permanent Assets: Fully editable Word/Excel Cloud Security Policies and Registers that you own forever. | A localized “Cloud Security Policy” defining your organization’s specific exit strategy for critical IaaS providers. |
| Governance Utility | Attempts to “automate” cloud security via APIs that cannot decide your risk appetite or verify internal IAM rule adherence. | Governance-First: Formalizes your existing use of AWS, Azure, or Google Cloud into an auditor-ready framework. | A completed “Cloud Responsibility Matrix” proving you have identified which security tasks are yours vs. the provider’s. |
| Cost Efficiency | Charges an “API Integration Tax” based on the number of connected cloud tools, creating perpetual overhead as your stack grows. | One-Off Fee: A single payment covers your cloud governance for 5 SaaS/IaaS tools or 50. | Allocating budget to advanced cloud encryption or redundant backup services rather than monthly dashboard fees. |
| Architectural Freedom | Mandates rigid reporting formats that often fail to account for serverless architectures or specialized multi-cloud setups. | 100% Agnostic: Procedures adapt to any environment—pure SaaS, complex hybrid, or niche private cloud—without limits. | The ability to evolve your cloud strategy (e.g., migrating from Azure to AWS) without reconfiguring a rigid SaaS module. |
Summary: For Annex A 5.23, the auditor wants to see that you have a formal process for managing cloud services and a register of your cloud providers. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.23 FAQ
What is ISO 27001 Annex A 5.23?
ISO 27001 Annex A 5.23 is a corrective and preventive control that requires organisations to establish and implement processes for the secure acquisition, use, management, and exit of cloud services.
- Mandates the definition of information security requirements for cloud services.
- Requires a clear division of security responsibilities between the provider and the customer.
- Focuses on the entire cloud lifecycle from procurement to contract termination.
- Ensures that cloud-based data remains protected under the organisation’s ISMS.
What are the mandatory requirements for cloud security in ISO 27001?
To comply with Annex A 5.23, organisations must formalise security requirements within their contracts and maintain a “Topic-Specific Policy on Cloud Services.”
- Perform a risk assessment on every cloud service provider (CSP).
- Define and agree upon the Shared Responsibility Model.
- Implement monitoring for service changes or security incidents within the cloud.
- Establish technical requirements for data residency and encryption.
How does the Shared Responsibility Model affect ISO 27001?
The Shared Responsibility Model is the framework that defines which security controls are managed by the cloud provider (e.g., physical security) and which are the responsibility of the organisation (e.g., IAM).
- Provider: Responsible for the security of the cloud (Infrastructure, Hardware).
- Customer: Responsible for security in the cloud (Data, Identity, Configurations).
- Audit Requirement: You must document this split to prove you aren’t neglecting “customer-side” configurations.
What should be included in a Cloud Service Agreement (CSA)?
A Cloud Service Agreement must explicitly state security obligations, right-to-audit clauses, and data handling requirements to meet ISO 27001 standards.
- Service Level Agreements (SLAs) for availability and performance.
- Specific incident notification timeframes in the event of a breach.
- Transparency regarding sub-contractors and secondary processors.
- Security measures for data at rest and data in transit.
Is a cloud service exit strategy required for ISO 27001?
Yes, Annex A 5.23 requires organisations to have a formalised exit strategy to ensure data can be migrated or deleted securely when a service is terminated.
- Definition of data portability and transfer formats.
- Verification processes for the secure deletion of data from provider systems.
- Business continuity planning for service transition.
- Return of intellectual property and assets.
How do you monitor cloud service providers for compliance?
Monitoring is achieved through regular reviews of provider audit reports (such as SOC 2 or ISO 27001 certificates) and continuous tracking of service changes.
- Annual review of the provider’s independent security certifications.
- Monitoring for changes in data hosting locations or jurisdictions.
- Tracking of administrative access and privileged user logs.
- Reviewing vulnerability disclosure reports from the provider.
Does ISO 27001 apply to AWS, Azure, and Google Cloud?
Yes, while major providers like AWS and Azure are ISO 27001 certified, your organisation is still responsible for securing the specific configurations and data you host on their platforms.
- Infrastructure is covered by the provider’s certification.
- Virtual network, OS hardening, and app security are your responsibility.
- Auditors will check your “Security Groups” and “IAM Roles” regardless of the provider’s status.
Related ISO 27001 Controls
ISO 27001 Annex A 5.20 Addressing Information Security Within Supplier Agreements
ISO 27001 Annex A 5.19 Information Security In Supplier Relationships
Further Reading
ISO 27001 Cloud Security Policy: Explained + Template
ISO 27001 Controls and Attribute Values
| Control type | Information security properties | Operational capabilities | Security domains |
|---|---|---|---|
| Preventive | Confidentiality | Supplier relationships security | Protection |
| | Integrity | Governance and ecosystem | |
| | Availability | | |