ISO 27001 Control 5.23 Cloud Services

Rafia Rizwan

March 3, 2026

ISO 27001 Control 5.23 cloud services requires clear governance, vendor review, configuration security, and ongoing monitoring. Use this audit-ready script and evidence checklist to prepare clean, defensible proof.

ISO/IEC 27002:2022 • Control 5.23 • Internal Audit–Ready

ISO 27001 Control 5.23 Cloud Services

What Auditors Ask and How to Prepare Evidence (Internal Audit–Ready)

Control 5.23 is one of the fastest places auditors find gaps because cloud services move quickly, ownership is unclear, and evidence is scattered.
This guide gives internal auditors a practical question script and an evidence checklist you can produce in minutes, not days.

What auditors want

Proof of governance: inventory, requirements, approval, monitoring, and exit.

Common gap

Evidence is scattered across procurement, IT, security, and vendors.

This guide gives

Interview script + evidence checklist you can produce fast.

Why Control 5.23 matters in an internal audit

ISO/IEC 27002:2022 Control 5.23 (Information security for use of cloud services) expects the organization to define, implement, and monitor information security requirements when using cloud services.

Internal audits often surface the same issues:

Cloud is used, but no one can prove governance
Security requirements exist, but they aren’t applied to real cloud services
Supplier reviews are done once, but not monitored
Evidence is buried across procurement, IT, security, and vendors

If your ISMS includes cloud services, you need to show:

which cloud services are in use
what security requirements apply
how those requirements are assured over time

What Control 5.23 is really asking for (plain English)

Auditors are looking for proof that you can answer these four questions:

What cloud services do we use and why?
What security requirements apply to each service?
How did we assess the vendor and service before using it?
How do we monitor it after approval (not just onboarding)?

Internal Audit Interview Script: What auditors ask

Auditor tip

Use these questions exactly as written. Ask “Show me…” and “Walk me through…”. Keep answers factual and evidence-based.

A. Scope and ownership

Goal: prove governance has clear owners and recorded approvals.

Auditor questions

What cloud services are in scope for the ISMS (SaaS, IaaS, PaaS)?
Who owns cloud governance (security, IT, procurement, legal)? Show me the RACI.
Who approves a new cloud service before it’s used?

Evidence to request

ISMS scope statement referencing cloud services
Cloud governance policy/standard (or supplier security standard including cloud)
RACI or documented responsibilities
Cloud service approval workflow (ticket, form, procurement process)

Common red flags:
“No owner”; Shadow IT/Shadow AI unmanaged; approvals verbal with no record.

B. Cloud inventory and classification

Goal: prove you know what’s in use and what data is in each service.

Auditor questions

Show me the inventory of cloud services in use today. How is it kept current?
How do you classify the data stored/processed in each cloud service?
Which cloud services handle personal or sensitive data?

Evidence to request

Cloud services register (name, owner, purpose, data types, criticality)
Data classification policy + mappings
One-page data flow summary for high-risk services

Common red flags:
no inventory (or outdated); missing owners/data types; no classification applied.

C. Security requirements: what you demand from cloud services

Goal: prove requirements are defined and applied per service.

Auditor questions

What baseline security requirements must a cloud provider meet?
How do requirements change based on data sensitivity and criticality?
Show me the requirement set and how it’s applied to one real service.

Examples auditors expect to see

Identity and access: MFA, SSO, RBAC, least privilege
Logging and monitoring: audit logs available, retention defined
Encryption: in transit + at rest (where applicable)
Data location/processing: cross-border handling
Incident notification: timelines and contacts
Subprocessors: visibility and controls
Backup/availability: RTO/RPO expectations
Vulnerability management: security updates
Exit/portability: export and terminate cleanly

Evidence to request

Cloud security requirements checklist (baseline + enhanced)
Supplier security clause templates (contracts / DPA / addendum)
Risk acceptance process for unmet requirements

Common red flags:
requirements are generic; contract has no security clauses; incident notification undefined.

D. Due diligence before approval

Goal: prove assessment → decision → sign-off is traceable.

Auditor questions

For a new cloud service, what due diligence happens before go-live?
Show me one approved vendor’s evidence: assessment, risk decision, and sign-off.
Who can accept risk if requirements are not fully met?

Evidence to request (sample one service end-to-end)

Vendor assessment results (questionnaire, SOC 2, ISO, pen test summary)
Risk assessment record + treatment plan
Approval record (procurement + security sign-off)
Contract/DPA with security + privacy clauses

Common red flags:
“Reviewed SOC 2 once” with no notes; risk acceptances have no expiry/owner; critical vendor has no assessment.

E. Configuration and operational security in your cloud environment

Goal: prove configuration controls exist and are monitored over time.

This is where audits become evidence-heavy because auditors expect proof you configured security controls, not just “we use the cloud.”

Auditor questions

How do you enforce secure configuration for your tenant/environment?
Do you have baseline settings (M365 baselines, AWS guardrails, Azure policies)?
How do you detect misconfigurations and respond?

Evidence to request

Baseline configuration standard (M365 baseline, Azure policies, AWS guardrails)
Admin account list + privileged access controls
MFA/SSO configuration proof
Security monitoring records (alerts, tickets, response evidence)
Configuration review logs / periodic checks

Common red flags:
admin access not reviewed; MFA not enforced for admins; no monitoring for risky sign-ins; no periodic reviews.

F. Monitoring and review after approval

Goal: prove governance continues after onboarding.

Auditor questions

How do you monitor cloud providers after onboarding?
How often do you re-review critical cloud services?
What triggers an out-of-cycle review (incident, major change, new subprocessors)?

Evidence to request

Review cadence (annual vendor review; quarterly for critical vendors)
Proof of periodic review (SOC 2 renewals, reassessment notes, issue tracking)
Vendor incident/change notifications log
Supplier performance monitoring (uptime, incidents, support)

Common red flags:
approval is “one and done”; no re-review schedule; no tracking of vendor changes/subprocessors.

G. Exit strategy and resilience

Goal: prove you can exit cleanly and recover critical services.

Auditor questions

If we needed to exit a cloud service, how would we export data and switch?
What is the offboarding process (access removal, deletion confirmation)?
Have we tested restoration or migration for critical services?

Evidence to request

Exit plan for critical cloud services
Offboarding checklist + completed examples
Data deletion certificates (where applicable)
Backup/restore tests for critical systems/data

Common red flags:
no exit plan; offboarding manual/inconsistent; no deletion confirmation evidence.

Evidence Pack Checklist (what to prepare before the audit)

If you prepare only one thing, prepare this 5.23 evidence pack. It makes internal audits smooth and repeatable.

Minimum evidence pack

Cloud services inventory (owner, purpose, data type, criticality)
Cloud security requirements checklist (baseline + enhanced)
Due diligence record for one sampled critical service
Contract/DPA/security addendum evidence
Ongoing monitoring evidence (cadence + last review proof)

Strong evidence pack (good looks like)

Cloud risk assessment + treatment plan linked to the service
Configuration baseline evidence (M365/Azure/AWS guardrails)
Privileged access review (admin list, MFA enforced, review record)
Logging/monitoring evidence (audit logs, workflow, sample tickets)
Exit/offboarding evidence (checklist + completed example)

Sample evidence artifacts auditors love (fast to produce)

Screenshot/export of MFA enforcement for admins
Screenshot/export of conditional access policies (if applicable)
Admin role assignments list + monthly/quarterly review record
One vendor review file: SOC 2 received → review notes → risks → decision
One-sheet cloud service register with owners + data type
Small ticket set showing security review, approval, and follow-ups

Common nonconformities for 5.23 (and how to prevent them)

Pre-check before your internal audit

Pattern 1: No inventory
Fix: Maintain a cloud services register and update via procurement and SSO/app discovery.

Pattern 2: No evidence of vendor review
Fix: Standardize an assessment template + store SOC 2/ISO evidence + review notes.

Pattern 3: Cloud configured, but not governed
Fix: Baselines + periodic review + admin access control evidence.

Pattern 4: One-time approval
Fix: Define review cadence and keep proof of the last review.

Pattern 5: No exit plan
Fix: Add an exit/offboarding checklist for critical services and keep one completed example.

How to audit 5.23 properly (a simple sampling method)

A practical method

Select 3 cloud services: 1 critical, 1 handling personal/sensitive data, 1 low risk.
For each, test: inventory, classification, due diligence, mapped requirements, ongoing review evidence.
Trace one service end-to-end: request → approval → risk decision → contract → configuration → monitoring → review.

This produces clear, factual findings without excessive scope.

Want an internal audit-ready 5.23 evidence pack?

If your cloud evidence is scattered across emails, procurement folders, and admin portals, we can package it into an audit-ready structure.

Canadian Cyber vCISO teams build:

a cloud services register
a reusable 5.23 evidence pack
a review cadence and ownership model
audit-ready artifacts that match how your cloud works

Book a 15-Min Call

Quick “Auditor’s Cheat Sheet” (one-page summary)

If you want to keep 5.23 simple, remember:

List the cloud services
Classify the data
Set requirements
Approve with evidence
Monitor over time
Exit cleanly

That’s what the control is asking for.

Download the 5.23 Internal Audit Toolkit

Want to run a clean internal audit for cloud services? Get the toolkit with templates and a ready-to-use audit structure.

Includes:

auditor interview script (copy/paste)
cloud services inventory template
vendor due diligence checklist
evidence pack folder structure
sampling guide for internal audits

Talk to a vCISO

Follow Canadian Cyber

Practical cybersecurity + compliance guidance for Canadian teams:

Website

LinkedIn

YouTube

Instagram

TikTok

2026

Mar

Audit Evidence Sampling 101

A practical ISO 27001 internal audit case study showing how to choose defensible audit evidence samples. Includes sampling logic, traceability steps, and a copy/paste sampling record template.

0 Comment

Rafia Rizwan

2026

Mar

ISO 27001 Management Review Minutes Template

A complete ISO 27001 management review minutes template for Clause 9.3. Includes agenda structure, required inputs and outputs, evidence checklist, and common audit findings to avoid.

0 Comment

Rafia Rizwan

Feb

CIS Controls v8

CIS Controls v8 give Canadian SMBs a practical, prioritized cybersecurity roadmap. Learn how to start with IG1, reduce real-world risk, and build a strong foundation for ISO 27001, SOC 2, and cyber insurance readiness without an enterprise budget.

0 Comment

Rafia Rizwan