ISO 27001:2022 defines, in Annex A, a structured catalog of information security controls that organizations can use to systematically manage security risks. In this series, we present selected ISO 27001 controls and demonstrate how organizations can apply them in practice to secure their IT, cloud, development, and application environments. This article examines Control 5.23 of ISO 27001:2022 and shows how organizations can systematically enhance information security when using cloud services through clearly defined processes and security requirements.
How widespread is cloud computing among German companies?
According to Bitkom’s “Cloud Report 2025” (June 11, 2025), 90 percent of companies in Germany now use cloud applications, up from 81 percent the previous year. Another 10 percent are planning to adopt cloud computing or are currently discussing it, meaning that cloud computing is now a topic of concern for virtually all companies.
Cloud computing has long since become a central infrastructure for companies. At the same time, the cloud has become business-critical for many companies: 62 percent of companies would no longer be able to operate without cloud services. Concurrently, concerns about international dependencies are growing: 78 percent of companies view Germany as too dependent on U.S. cloud providers, while 82 percent would like to see strong hyperscalers based in Germany or Europe.
Without appropriate measures to enhance security in the cloud, companies are exposed to significant security risks when managing their customer data—regardless of whether the data is stored domestically or internationally. Potential security measures are described in Control 5.23 “Information Security for the Use of Cloud Services” in ISO 27001, the well-known standard for information security management.
What exactly does this security measure entail, and what aspects must be considered for successful (re)certification?
Why is cloud security important?
Cloud security is important because an increasing amount of business-critical data, applications, and processes are being operated in the cloud. Security gaps or vulnerabilities there can lead to significant data loss, operational disruptions, compliance violations, and substantial financial and reputational damage.
From private to public cloud, whether IaaS, PaaS, or SaaS: cloud structures and cloud services define large parts of today’s information and communication technologies (ICT) used by companies, organizations, and government agencies. Cloud computing has long since become a reality and is fundamentally changing the way IT services are delivered and used.
However, the security risks associated with this increasing use are multifaceted and are not limited to organized crime. Inadequate identity and access management, misconfigurations, and the accidental disclosure of cloud data by employees are also among the greatest threats to cloud security in the enterprise.
Furthermore, a lack of security can impair the availability of services and jeopardize compliance with various regulations and standards that mandate the protection of customer and personal data. This threat landscape prompted the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) to list information security for the use of cloud services as a separate item in the revised ISO 27001:2022.
Process orientation in ISO 27001
To facilitate a process-oriented audit of your information security management system, we have consolidated the standard requirements and the 93 controls listed in Annex A into a graphical process map featuring 18 ISMS processes (4 management processes, 14 operational processes).
Take advantage of the expertise of our standards experts today.
How can cloud security be improved?
Control 5.23 strengthens cloud security by defining clear rules and processes for the selection, use, and management of cloud services, thereby systematically reducing the associated risks.
This preventive measure supports information security when using cloud services: in line with an organization’s specific security requirements, it calls for processes covering procurement, use, management, and decommissioning. Given the diversity of services on offer, the new Control 5.23 in Annex A of ISO 27001 expects a topic-specific policy on the use of cloud services rather than a clause buried in a general supplier policy.
The intent is for companies to create cloud service policies tailored to their business functions and to the services they actually use. Compared with a blanket policy that applies broadly to the secure use of cloud services, compliance requirements can thus be addressed with considerably greater granularity.
Information security for the use of cloud services is addressed in this cloud-specific form as a measure in Annex A of the current ISO 27001:2022. In the previous version from 2013, cloud services were generally covered under the section on supplier relationships.
Given the increasing use and rapid development of cloud services, it makes sense to secure them systematically with a standalone information security control. Nevertheless, Control A.5.23 should be closely coordinated with Controls A.5.21 and A.5.22, which address information security in the ICT supply chain and the monitoring, review, and change management of supplier services.
How is Control 5.23 implemented to enhance cloud security?
Security measure 5.23 is implemented by companies defining clear requirements, roles, responsibilities, and processes for the selection, use, monitoring, and discontinuation of cloud services and aligning these with the cloud providers’ security measures.
With regard to information security, companies must define a number of aspects for the implementation of Control 5.23. These include all relevant requirements, selection criteria, and areas of application associated with the use of a cloud service. A detailed description of the roles and relevant responsibilities determines how these services are used and managed within an organization.
Externally, this must be coordinated with the service provider:
- What information security measures does the service provider manage?
- Which ones fall within the company’s own area of responsibility?
It is also important to clarify how the security measures provided by the vendor can be made available, optimally utilized, and verified as trustworthy. Especially when using multiple cloud services from different vendors, clearly defined processes support the management of controls, interfaces, and service changes, thereby minimizing vulnerabilities and threats.
However, due to the multiple security risks companies face today, security incidents can never be completely ruled out. In such cases, service-specific incident management procedures help address the challenge in the best possible way.
To manage such risks, cloud services must be monitored, reviewed, and evaluated in accordance with the current ISO 27001 standard using a systematically defined approach. Furthermore, the standard requires that processes be established for changing or discontinuing the use of a service. These must also include explicit exit strategies for cloud services.
ISO 27001:2022 – Controls in Annex A
With the revised ISO 27001 and the new, up-to-date information security controls in the normative Annex A, you can ensure that your organization is optimally protected against modern threats.
Take advantage of our experts’ expertise. Learn everything you need to know about the 11 new and 24 consolidated controls and what to consider during implementation.
Cloud Security: How Important Are Contractual Security Provisions?
Contractual security provisions are crucial for cloud services because they legally define how the confidentiality, integrity, and availability of information are protected, what security measures the provider implements, and how issues such as data locations, incidents, subcontractors, and a secure exit are addressed.
The contractual terms of cloud services are therefore essential for the client company to establish key parameters and ensure legal protection. However, cloud service agreements are often predefined and non-negotiable. Against this backdrop, companies should pay particular attention to these agreements and scrutinize them closely. In this way, they ensure that the essential operational requirements for the information security objectives of “confidentiality, integrity, and availability” and for information processing are met.
To ensure this, a cloud service should provide solutions based on industry-recognized standards for architecture and infrastructure. It should have access controls that meet security requirements and include solutions for monitoring and protection against malware. It must be contractually stipulated that the processing and storage of sensitive information is permitted only at authorized locations or within a specific jurisdiction. This is important, for example, in the case of critical infrastructure.
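The location clause above is a contractual commitment; on the customer’s side of the shared responsibility it can be backed by a technical guardrail that refuses to create resources outside the agreed regions. The following Terraform definition of an AWS Organizations service control policy is an added example, not code from the DQS article, from ISO 27001, or from any provider; it assumes the organization uses AWS Organizations with SCPs enabled, that eu-central-1 and eu-west-1 are the contractually approved locations, that an OrgBreakGlass role exists, and that the OU id is a placeholder.

```hcl
# Added example (not from the article or the standard): an AWS Organizations
# service control policy (SCP) that denies API calls outside an approved
# region list. Assumptions: AWS Organizations with SCPs enabled; the approved
# regions below are a hypothetical allowlist; the OU id and the break-glass
# role name are placeholders to replace with your own values.

locals {
  # Assumption: these are the locations agreed in the cloud service contract.
  approved_regions = ["eu-central-1", "eu-west-1"]
}

resource "aws_organizations_policy" "restrict_regions" {
  name        = "deny-outside-approved-regions"
  description = "Technical guardrail for the contractual data-location clause"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyRequestsOutsideApprovedRegions"
        Effect = "Deny"
        # Global services carry no meaningful region; exempt them, otherwise the
        # policy breaks IAM, STS, billing and DNS. This list is abbreviated and
        # must be checked against the provider's documentation for the
        # services you actually use.
        NotAction = [
          "iam:*",
          "organizations:*",
          "sts:*",
          "cloudfront:*",
          "route53:*",
          "support:*",
          "budgets:*",
          "ce:*",
          "health:*",
          "ec2:DescribeRegions",
        ]
        Resource = "*"
        Condition = {
          # Deny whenever the requested region is not on the allowlist.
          StringNotEquals = {
            "aws:RequestedRegion" = local.approved_regions
          }
          # Break-glass exception for a named administrative role (placeholder).
          ArnNotLike = {
            "aws:PrincipalARN" = ["arn:aws:iam::*:role/OrgBreakGlass"]
          }
        }
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "workload_accounts" {
  policy_id = aws_organizations_policy.restrict_regions.id
  # Placeholder: the organizational unit that holds the workload accounts.
  target_id = "ou-xxxx-xxxxxxxx"
}
```

Two caveats a practitioner should keep in mind: a deny policy of this kind prevents new resources from being created outside the listed regions, but it does not relocate data that already exists elsewhere, does not constrain the provider’s own back-end replication, and does not apply to the organization’s management account. The contractual clause therefore remains the basis for holding the provider to the location commitment; the policy is the customer-side control that makes its own part of the commitment verifiable.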
Handling Security Incidents and Service Providers
The service provider must provide targeted support in the event of a security incident in the cloud service environment and offer general support in the collection of digital evidence. Security requirements must also be met when outsourcing a service to external service providers.
ISO 27001 – Introduction
Seminar on Information Security Management
In this training course, you will familiarize yourself with the fundamentals of DIN EN ISO 27001. You will understand how these align with your management system and what steps are necessary for a successful implementation. Ask your questions and engage in a dialogue with our experts.
Termination and Changes to Cloud Services
If a company wishes to terminate a service, the provider should commit to continued support and service availability for a reasonable period. The provider should also provide backup copies of data and configuration information and, where necessary, manage them securely. Information such as configuration files, source code, and sensitive data owned by the organization must be provided upon request or returned upon termination of the service.
A cloud service customer should consider, in accordance with its own security requirements, whether the agreement should include a notification obligation in the event that a cloud provider makes significant changes. These include:
- Changes to the technical infrastructure that affect the service offering
- Processing or storage of information in a new geographic or legal jurisdiction
- Use of or switching to peer cloud service providers or other subcontractors
The German DIN standard, dated January 2024, has been published by DIN Media:
DIN EN ISO/IEC 27001:2024-01 – Information security, cybersecurity, and data protection – Information security management systems – Requirements (ISO/IEC 27001:2022)
Side Note: Cybersecurity as the Managing Director’s Responsibility
With the entry into force of the German NIS2 Implementation Act (NIS2UmsuCG), the European NIS 2 Directive is transposed into national law, and the regulatory framework for cybersecurity is significantly tightened. The new requirements significantly expand the scope of affected organizations. They require numerous companies and institutions to implement structured measures to ensure information security, manage cyber risks, and comply with clearly defined reporting obligations in the event of security incidents.
Mandatory NIS-2 Training for Business Owners
Learn how to fulfill your responsibilities as management through appropriate risk processes and key performance indicators. To provide further insight, scenarios and methodologies are illustrated using case studies.
A key element of the NIS2 regulation is the clear responsibility of top management for cybersecurity. Senior management and the board of directors must ensure that appropriate measures for managing cyber risks are implemented and effectively monitored. Cybersecurity thus becomes an explicit management responsibility: Company leadership is responsible for compliance with legal requirements and for ensuring that information security is appropriately embedded within the organization.
What are the benefits of Control 5.23 for companies? A summary.
With Control A.5.23, ISO 27001:2022 closes an important gap in the protection of modern ICT architectures and of sensitive data belonging to companies, organizations, and government agencies. It gives organizations a structured framework to secure cloud services systematically, ensure compliance, and manage collaboration with cloud providers safely. As a globally established standard, ISO 27001 now also contributes to consistent, systematic cloud security.
Regardless of whether your company operates in a public cloud, private cloud, or hybrid cloud environment, cloud security solutions and best practices regarding information security are essential. This is the only way to ensure business continuity and compliance. Especially in times of a skills shortage and decentralized corporate networks, data security in the cloud will continue to grow in importance in the coming years.
With the new Control 5.23 from Annex A, cloud service users are provided with a framework. They can use it to review their existing information security measures and adjust them as needed.
In addition to a variety of fundamental organizational requirements, the new security measure also underscores the importance of close collaboration with the cloud service provider to maintain a constant exchange of information. This promotes mutual mechanisms for monitoring defined service characteristics and for identifying and reporting violations of agreed-upon obligations.
Do you have any questions?
We’re here to help.
How much effort should you expect to put into getting your information security management system certified to ISO 27001?
Find out more. No obligation and free of charge.
Concentrated audit expertise: Your DQS
DQS was founded in 1985 as Germany’s first certification body. Since then, we have been among the world’s leading audit and certification experts. The founding partners, DGQ (German Society for Quality) and DIN (German Institute for Standardization), are key partners in training and continuing education as well as standardization work. We actively represent our clients on committees and boards and bring our expert knowledge to bear in our audits. Our commitment begins where audit checklists end. Take us at our word!
Trust and Expertise
Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions for our author regarding the content of the texts or our services, we look forward to hearing from you.
Note: For the sake of readability, we use the generic masculine form. However, this approach fundamentally includes people of all gender identities, to the extent necessary for the statement.