5.23 Information Security For The Use of Cloud Services
Control
Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organisation’s information security requirements.
Purpose
In recent years, with more businesses moving towards cloud services, using, and managing cloud services have become a vital aspect. In fact, most small and mid-size businesses use the cloud as the core of their IT infrastructure. While there is significance in using cloud services; misconfiguration, and inadequate management of cloud services could be devastating. This control emphasises establishing a process to better access, use, maintain, and exit from cloud infrastructure.
Implementation Guidance
Information security for use of cloud services should be a top-specific policy. Some organisations might prefer to merge this policy as a part of their infrastructure policy or keep it separate. Either method is acceptable if they specific define and communicate the use of cloud services.An organisation should clearly specify and express its intention regarding the use of cloud services. Whether cloud services would construct the organization’s network wholly or partially. This clarification would draw a clear picture for operational and technical parties within the organization to plan, design and implement the network. Additionally, this would help the organization to understand the responsibilities of cloud service providers and vice-versa. Use of cloud services policy might include, but is not limited to aspects mentioned below:
- Relevant information security requirements associated with the use of cloud services,
- Specifying and understanding information security controls that are managed by the cloud service provider,
- Obtaining assurance of Information security control implemented by a cloud service provider
- Plan, design and manage interfaces and change in services when an organisation uses multiple service providers,
- Clear definition of cloud incidents would be handled
- Specifying the change and stopping cloud services including an exit strategy
ISO 27001:2022
Organisational Controls
AvISO will be updating and reviewing all the information regularly, so keep us bookmarked and keep checking!
Got a question or need help? Don't hesitate to reach out to our team.
27002:2022 Related Controls
CLick to view control
If you would like to know more about ISO Standards, Certification and the value of a good management system you can add to your business we would love to hear from you: Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk
