top of page

ISO27001:2022─Information security for use of cloud services

Companies that use cloud services in their business processes should pay attention! The audit focus of the old version of ISO27001:2013 on the cloud is usually A.15 supplier relationship, A.13.1.1 network control measures. As cloud technology has become more and more prosperous in recent years, in response to the trend of the times, the new ISO27001:2022 A5.23 Cloud Services and Information Security (Information security for use of cloud services) requires the establishment of processes for acquiring, using, managing and exiting cloud services.

ISO27001 users who use cloud services should be most concerned about are whether there would be new requirements for contracts in the future? The answer is yes!

For agreements signed between users (customers) and cloud service providers, ISO27001:2022 requires providers to include the following clauses to protect customers' data and ensure their services: 1. Providing solutions in accordance with industry standards 2. Managing access control according to customer requirements 3. Monitoring Malware & Protection 4.Processing and storing customers' sensitive information in designated regions/countries/jurisdictions 5. Providing assistance in the event of an information security incident 6. Meeting the organization's information security requirements 7. Supporting organizations to collect digital evidence 8. Providing appropriate support and service availability when the customer requests to withdraw from the cloud service 9. Providing data backup and configuration information 10. Information returned when the service is terminated

In addition, suppliers are obliged to inform customers of changes in technological infrastructure, processing or storage of information in new legal jurisdictions, subcontracting of some services, etc.


bottom of page