Control 5.23 : Information Security for Use of Cloud Services
Summary
Processes for acquisition, use, management, and exit from cloud services should be established in accordance with the organization's information security requirements. This ensures that the unique risks of cloud computing, such as shared responsibility and data residency, are formally managed.
Applicability
In-Scope: Mandatory for organizations utilizing Microsoft 365, Azure, or any other SaaS/IaaS platforms. It addresses the legal and technical requirements for operating in a multi-tenant environment.
Out-of-Scope: Can be marked not applicable only if the organization runs a 100% on-premises infrastructure with no cloud dependencies at all, including SaaS used for email, backup, or file sharing.
Implementation Guidance
Microsoft 365 / Entra ID
- Shared Responsibility: Use the Microsoft Service Trust Portal to identify and document which controls Microsoft operates and which remain the organization's responsibility. The split differs between SaaS, PaaS, and IaaS, but identities, endpoints, access configuration, and the data itself remain the customer's responsibility in every model.
- Data Residency: Confirm the tenant's default data location (fixed when the tenant is created) and, where a subset of users must be held in a different geography, use Microsoft 365 Multi-Geo, which places mailbox, OneDrive, and SharePoint data in the satellite geo assigned through each user's preferredDataLocation attribute (e.g., Canadian data residency). Multi-Geo covers a defined set of workloads, so document where data from workloads outside that set continues to rest.
- Exit Strategy: Document a process for extracting data from Microsoft 365 using eDiscovery or the Export tools so the organization can reclaim its data on contract termination, and record the provider's post-termination retention and deletion commitments so that deletion can later be evidenced.
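Auditors for this control usually ask for evidence that the residency configuration described above is actually in effect, not just documented. The following PowerShell script is an added example for that purpose; it is not part of the control text or Microsoft's own guidance. It assumes the Microsoft.Graph, ExchangeOnlineManagement, and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account holds User.Read.All plus Exchange and SharePoint administrator roles, that "CAN" is the only permitted geo, and that the tenant admin URL is a placeholder to be replaced. The output property names (PreferredDataLocation, MailboxRegion, GeoLocation) are those documented for the Multi-Geo cmdlets; verify them against your tenant before relying on the report.

```powershell
# Added example for Control 5.23 evidence gathering (not from the control text).
# Assumptions: modules installed, admin roles held, "CAN" is the only allowed geo,
# and the admin URL below is a placeholder.
$AllowedGeos = @('CAN')                                   # assumption: Canadian residency only
$AdminUrl    = 'https://contoso-admin.sharepoint.com'     # assumption: placeholder tenant

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url $AdminUrl

# 1. Users: preferredDataLocation decides where new mailboxes and OneDrives are provisioned.
#    An empty value falls back to the tenant's central location, so it is reported as a finding.
$userFindings = Get-MgUser -All -Property Id,UserPrincipalName,PreferredDataLocation,UsageLocation |
    Where-Object { -not $_.PreferredDataLocation -or $_.PreferredDataLocation -notin $AllowedGeos } |
    Select-Object UserPrincipalName, UsageLocation,
        @{ n = 'PreferredDataLocation'
           e = { if ($_.PreferredDataLocation) { $_.PreferredDataLocation } else { '(unset)' } } }

# 2. Mailboxes: MailboxRegion reports where the mailbox lives today. It can lag behind a changed
#    preferredDataLocation until the background move completes, so it is checked separately.
$mailboxFindings = Get-EXOMailbox -ResultSize Unlimited -Properties MailboxRegion |
    Where-Object { $_.MailboxRegion -notin $AllowedGeos } |
    Select-Object UserPrincipalName, MailboxRegion

# 3. SharePoint/OneDrive: any provisioned satellite geo outside the allowed set is a finding,
#    because storage can be allocated there regardless of individual user settings.
$geoFindings = Get-SPOGeoStorageQuota |
    Where-Object { $_.GeoLocation -notin $AllowedGeos }

# Summary suitable for the audit evidence file, plus per-object CSVs for follow-up.
$report = [pscustomobject]@{
    Collected           = (Get-Date).ToString('o')
    AllowedGeos         = ($AllowedGeos -join ',')
    UsersOutsideGeo     = @($userFindings).Count
    MailboxesOutsideGeo = @($mailboxFindings).Count
    UnexpectedSpoGeos   = @($geoFindings).Count
}
$report | Format-List
$userFindings    | Export-Csv -Path 'residency-users.csv'     -NoTypeInformation
$mailboxFindings | Export-Csv -Path 'residency-mailboxes.csv' -NoTypeInformation
$geoFindings     | Export-Csv -Path 'residency-spo-geos.csv'  -NoTypeInformation
```

Run it on a schedule and keep the dated CSVs with the Configuration Baseline evidence; a non-zero count in any of the three categories is the residency gap an auditor will ask about, and the per-object files show which accounts or geos need to be corrected.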
Evidence Checklist
- Cloud Security Policy: A policy defining the criteria for selecting, onboarding, managing, and exiting cloud service providers.
- Configuration Baseline: Documentation of the security hardening steps taken within the Microsoft 365 tenant (e.g., Secure Score recommendations implemented, with the date and the rationale for any that were accepted as risk).
- Risk Assessment: A cloud-specific risk assessment addressing data sovereignty and unauthorized access to customer data, including access by the provider's own personnel.
Practical Audit Advice
Here are some questions the auditor might ask:
- How did the organization assess the security posture of Microsoft 365 before migrating sensitive business data to the platform?
- What technical controls are in place to prevent cloud sprawl or the unauthorized use of unvetted cloud applications?
- Can you demonstrate how you monitor for misconfigurations within your cloud environment that could lead to data exposure?
- What is the plan for reclaiming and securely deleting data if the organization decides to leave its current cloud provider?