According to a study by Statista, 84 percent of all German companies were already using cloud services in 2022, and a further 13 percent were planning or discussing their use. The overall proportion of cloud-using companies will therefore continue to grow. However, using or operating these services brings a variety of risks with it.

Without appropriate measures to increase security in the cloud, companies are exposed to considerable security risks when managing their customer data, regardless of where it is stored. The new Control 5.23 "Information security for the use of cloud services" in the updated ISO/IEC 27001:2022 standard describes possible security measures. In the following blog post, we show what the new security measure covers and which aspects need to be considered for successful (re-)certification.

Why is cloud security important?

From private to public cloud, whether IaaS, PaaS or SaaS: cloud structures and cloud services determine large parts of today's ICT landscapes of companies, organizations or authorities. Cloud computing has long since become a reality and is fundamentally changing the way IT services are provided and used.

However, the security risks associated with its increasing use are complex and are not limited to organized crime. Inadequate identity and access management, misconfigurations and the inadvertent disclosure of cloud data by employees are also among the biggest threats.

This is confirmed by the 2022 annual report of the Cloud Security Alliance (CSA). In addition, a lack of security can affect the availability of services and jeopardize compliance with various regulations and standards that require the protection of customer and personal data.

All these threats prompted the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) to list information security for the use of cloud services as a separate item in the new ISO/IEC 27001:2022.

ISO/IEC 27001:2022

44 Questions and answers

Compilation of interesting details about the revised standard:

  • When should we transition to the new standard?
  • What are the new controls all about?
  • Where can I find a list of correspondences old vs. new?

...and 35 more.

Improved information security and compliance

The new preventive measure serves to ensure information security when using cloud services. It supports - in accordance with the respective security requirements of an organization - the systematic definition of processes for acquisition, use, management and exit.

Given the variety of services on offer, the new Control 5.23 in Annex A requires the organization to establish a "topic-specific policy" on the use of cloud services and to communicate it to all relevant interested parties.

This is intended to encourage companies to create cloud service policies tailored to the business functions that actually use them. Compared with a single blanket policy that applies across the board to the secure use of cloud services, security and compliance requirements can be addressed in a much more granular way.

Cloud security through new Control 5.23

Information security for the use of cloud services in this cloud-specific form is a newly introduced measure in Annex A of the new ISO 27001:2022. In the previous version, cloud services were generally located in the area of supplier relationships.

Due to the increasing use of and rapid developments in the cloud sector, it makes sense to secure cloud services systematically with a dedicated information security measure. At the same time, Control A.5.23 should be closely coordinated with Controls A.5.21 and A.5.22, which deal with information security in the ICT supply chain and with the monitoring, review and change management of supplier services.

ICT - Information and communication technologies

Benefit from the knowledge of our experts

In the digital economy, error-free ICT is essential for maintaining business processes. The latest updates to ISO standards 27001 and 27002 aim to minimize security risks. Control 5.30 "ICT readiness for business continuity" in Annex A obliges companies to ensure continuous ICT availability even in the event of disruptions. Read our blog post to find out what this means for your information security management system.

Implementation of Control 5.23

With regard to information security, companies must define a number of aspects in order to implement Control 5.23. These include all relevant information security requirements, the selection criteria for cloud services and the intended areas of application for each service. A detailed description of the roles and the associated responsibilities determines how these services are used and managed within the organization.

On the external side, this must be agreed with the service provider:

  • Which information security measures does the service provider manage?
  • Which ones are the responsibility of the company itself?

It is also important to clarify how the security measures provided by the provider are obtained, how they are to be used in practice and how their effectiveness can be reliably verified. Especially when using multiple cloud services from different providers, clearly defined processes support the handling of controls, interfaces and changes to the services.

However, due to the multiple security risks to which companies are exposed these days, security incidents can never be completely ruled out. In such cases, service-specific incident management procedures help to deal with the challenge in the best possible way.

To manage such risks, cloud services must be monitored, reviewed and assessed using a systematically defined approach in accordance with the revised ISO 27001. In addition, the standard requires processes to be defined for changing or discontinuing the use of a service. These must also include explicit exit strategies for cloud services.

Certified information security according to ISO 27001

Protect your information with an international standard management system ★ Effective implementation of a risk management process ★ Find out more. Non-binding and free of charge.

Find out more about your ISO 27001 certificate

Importance of contractual security aspects

The contractual design of cloud services is essential for the customer company in order to establish important framework parameters and provide legal protection. However, cloud service agreements are often predefined and non-negotiable. With this in mind, companies should pay particular attention to these agreements and scrutinize them closely. In this way, they ensure that the essential operational requirements for the protection objectives of information security "confidentiality, integrity, availability" and information processing are met.

To ensure this, a cloud service should provide solutions based on industry-recognized standards for architecture and infrastructure. It should have access controls that meet security requirements and include solutions for monitoring and protection against malware. It should be contractually stipulated that the processing and storage of sensitive information is only permitted in authorized locations or within a specific jurisdiction. This is important for critical infrastructures, for example.
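The location requirement above is one of the few points in Control 5.23 that can be checked mechanically rather than only contractually. The following script is an added example and is not part of the original post or of any DQS tooling: it runs a data-residency policy over a cloud resource inventory and reports every resource whose data classification is not permitted in the jurisdiction of its region. The region-to-jurisdiction mapping, the classification labels, the policy table and the inventory itself are all constructed assumptions for the example; in practice the inventory would be exported from the providers' APIs or a CMDB.

```python
"""Policy-as-code check for the "authorized locations / specific jurisdiction"
requirement: flag cloud resources whose data classification may not be stored
or processed in the jurisdiction of the region they live in.

All mappings, labels and sample resources below are constructed for this
example and are not taken from any real environment or standard text.
"""
from dataclasses import dataclass

# Assumed mapping from provider region codes to jurisdictions. Only regions
# listed here are "known"; anything else is reported as a violation, because an
# unmapped region cannot be shown to lie inside an authorized jurisdiction.
REGION_JURISDICTION = {
    "eu-central-1": "EU",
    "eu-west-1": "EU",
    "europewest": "EU",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

# Assumed policy: jurisdictions in which each data classification may be
# processed or stored (the organization's own requirements per Control 5.23).
POLICY = {
    "public": {"EU", "US", "SG"},
    "internal": {"EU", "US"},
    "personal": {"EU"},   # e.g. personal data kept within the EU/EEA
    "critical": {"EU"},   # e.g. data of a critical-infrastructure operator
}


@dataclass(frozen=True)
class Resource:
    resource_id: str
    provider: str
    service: str
    region: str
    classification: str


@dataclass(frozen=True)
class Violation:
    resource_id: str
    reason: str


def check_residency(resources, policy=POLICY, region_map=REGION_JURISDICTION):
    """Return a list of Violation objects in inventory order; empty means compliant."""
    violations = []
    for r in resources:
        allowed = policy.get(r.classification)
        if allowed is None:
            # Unlabelled data cannot be placed anywhere with confidence.
            violations.append(Violation(
                r.resource_id,
                f"unknown classification '{r.classification}' (label before use)"))
            continue
        jurisdiction = region_map.get(r.region)
        if jurisdiction is None:
            violations.append(Violation(
                r.resource_id,
                f"region '{r.region}' is not mapped to any jurisdiction"))
            continue
        if jurisdiction not in allowed:
            violations.append(Violation(
                r.resource_id,
                f"{r.classification} data in {jurisdiction} ({r.region}); "
                f"allowed: {sorted(allowed)}"))
    return violations


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Resource("bucket-crm-exports", "aws", "s3", "eu-central-1", "personal"),
    Resource("bucket-marketing-site", "aws", "s3", "us-east-1", "public"),
    Resource("db-hr-payroll", "aws", "rds", "us-east-1", "personal"),    # personal data outside EU
    Resource("vm-scada-gateway", "azure", "vm", "europewest", "critical"),
    Resource("queue-logs", "aws", "sqs", "sa-east-1", "internal"),       # region not mapped
    Resource("blob-unlabelled", "azure", "storage", "europewest", ""),   # no classification
]

if __name__ == "__main__":
    for v in check_residency(SAMPLE_INVENTORY):
        print(f"{v.resource_id}: {v.reason}")
```

Two design choices matter here. An unmapped region is treated as a finding rather than silently skipped, since a region the organization has never assessed is exactly the case the contractual location clause is meant to prevent. Likewise, a resource without a classification label is reported, because the check can only be as good as the labelling that feeds it; this mirrors the "define requirements and areas of application" step above.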

The service provider must provide targeted support in the event of a security incident in the cloud service environment and offer general support in the collection of digital evidence. The security requirements must also be met when a service is passed on to external service providers.

If a company wants to leave a service, the provider should remain committed to support and service availability for a reasonable period of time. They must therefore also provide backup copies of data and configuration information and manage these securely if necessary. Information such as configuration files, source code and sensitive data owned by the organization must be provided upon request or returned upon termination of service.

A cloud service customer should consider, in line with its own security requirements, whether the agreement should include a duty to inform if the cloud provider makes significant changes. These include:

  • Changes to the technical infrastructure that affect the service offering
  • Processing or storage of information in a new geographical or legal jurisdiction
  • Use or change of peer cloud service providers or other subcontractors

Cloud security through the new Control 5.23 - Conclusion

According to a study conducted by Statista in 2022, 84% of all German companies use cloud services. In addition, 13 percent are in the decision-making or planning phase for their use. This means that the protection of personal information and confidential data is becoming increasingly important.

With the new security measure, ISO and IEC are closing an important gap in the protection of modern ICT architectures and sensitive data of companies, organizations and authorities. It means that the information security standard ISO 27001, as a global standard, now also contributes to consistent, systematic cloud security.

Regardless of whether your company operates in a public cloud, private cloud or hybrid cloud environment, information security solutions and best practices are essential. This is the only way to ensure business continuity and compliance. Especially in times of skills shortages and decentralized corporate networks, data security in the cloud will continue to grow in importance in the coming years.

The new Control 5.23 in Annex A provides users of cloud services with a framework. They can use it to put their existing information security measures to the test and adjust them where necessary.

In addition to a large number of basic organizational requirements, the new control also underlines the importance of close cooperation with the cloud service provider in order to maintain the mutual exchange of information at all times. This promotes reciprocal mechanisms to monitor defined service features and to identify and report breaches of the agreed obligations.

What does the update mean for your certification?

The new ISO/IEC 27001:2022 was published in English on October 25, 2022. This results in the following deadlines and periods for the transition for users.

Conversion of all existing certificates to the new version:

  • A 3-year transition period applies from October 31, 2022.
  • Certificates issued in accordance with ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 are only valid until October 31, 2025, after which the old standards are considered withdrawn.

Last date for initial certifications and recertifications according to the "old" ISO 27001:

  • April 30, 2024 - from May 1, 2024, DQS will only conduct initial and recertification audits according to the new 2022 version.

ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements is available from www.iso.org.

DQS Group: Concentrated audit know-how

As the deadlines show, companies only have a limited amount of time left to adapt their information security management system to the new requirements and have it certified. The duration and effort of the entire change process should not be underestimated.

As audit and certification experts with almost 40 years of expertise, we are happy to support you in evaluating your current status, for example as part of a delta audit. Ask our experienced auditors about the main changes and their relevance for your organization. Together, we will discuss your potential for improvement and support you until you receive the new certificate.

Trust and expertise

Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions about the text content or our services to our author, we look forward to hearing from you.

Author
André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.

