ISO 27002 is a guidance document used to select and implement the controls of an information security management system (ISMS) built on ISO 27001. The latest version, ISO 27002:2022, introduces substantial changes to the control catalogue. Our compliance experts believe this will affect organizations' certification and re-certification processes.
Released on February 15, 2022, ISO 27002:2022 replaces the 2013 version. Although the document has been restructured, its purpose is unchanged: providing guidance on implementing the security controls of an ISMS. In this article, we look at Control 5.23, Information Security for Use of Cloud Services.
Major Changes in ISO 27002
In the 2013 version of ISO 27002, controls were grouped into fourteen domains. The 2022 version regroups them into four themes: organizational controls (clause 5), people controls (clause 6), physical controls (clause 7), and technological controls (clause 8). There are two annexes: Annex A explains how to use the control attributes, and Annex B maps the 2022 controls to the 2013 version of the document.
The total number of controls has come down from 114 in the 2013 version to 93, mainly because similar controls have been consolidated. Of the 93 controls, 11 are new, 24 are the result of merging existing controls, and 58 have been updated. Another significant change is the introduction of attributes for each control. Five attributes are defined: Control types, Information security properties, Cybersecurity concepts, Operational capabilities, and Security domains.
Among the 2022 controls, those attracting the most attention in mainstream security discussions are Secure Coding (control 8.28), Threat Intelligence (control 5.7), and Information Security for Use of Cloud Services (control 5.23).
Control 5.23: Information security for use of cloud services
Modern enterprises have adopted cloud services for their business operations, or are rapidly integrating them. During compliance initiatives, organizations often assume that, because their information is stored in the cloud, responsibility for information security risk rests with the cloud service provider. That assumption is not generally true: under a shared responsibility arrangement, a substantial part of that risk stays with the customer.
Control 5.23 is an organizational control that provides guidance on acquiring, using, managing, and exiting cloud services. It requires an organization to define the roles and responsibilities of both itself and the cloud service provider, in line with its own information security requirements, so that it is clear who is responsible for what.
When an organization uses cloud services, responsibility for information security is shared between the cloud service customer (the organization) and the cloud service provider, and the roles and responsibilities of both parties must be defined clearly. In practice the customer often has little negotiating power: many cloud service agreements are pre-defined and offered on a 'take it or leave it' basis. The organization must therefore review the contract for every cloud service it uses to understand how the risks related to that service are split between the provider and the customer, and to confirm that the controls the provider commits to are adequate for the information it entrusts to the service.
How to show evidence for Control 5.23?
When an organization takes up a cloud service, there is an agreement between the organization and the service provider that specifies the nature of the service, its terms and conditions, and service levels, among other things. Evidence for Control 5.23 is drawn from this agreement together with the organization's own records. The agreement should state which controls the service provider is responsible for and which the organization is responsible for, define roles and responsibilities for the use of the service, and set out how the service is to be used, changed, or stopped. Where the provider's standard terms cannot be changed, the organization should document its own assessment of the responsibilities it retains.
Should you be worried right now?
Currently, organizations do not need to take any immediate action, because ISO 27002:2022 only provides guidance and, at the time of writing, ISO had not yet published the corresponding update to ISO 27001. However, the new guidance is a timely opportunity to review cloud service agreements and their contents now, so that the organization is prepared for the ISO 27001 update expected in 2022.
If you're interested in scheduling a penetration test in support of ISO 27001 compliance, please contact us to discuss your specific needs and requirements. Our team can provide more information on the process, including scoping the project, identifying potential risks, and conducting the testing itself.