
ISO 27001 Control 5.23: Securing Your Business in the Cloud

ISO 27001 Control 5.23 (often mis-cited as 5.22, which in ISO/IEC 27002:2022 covers monitoring and review of supplier services) requires that cloud service risks be addressed by setting clear security requirements, monitoring providers, and safeguarding compliance.


Introduction

The cloud has transformed how organizations store, share, and process data. But while the cloud brings flexibility and scalability, it also comes with shared responsibility: you can outsource services, but not accountability.
ISO 27001 Control 5.23 requires that information security be addressed across the whole life cycle of cloud service use (acquisition, use, management, and exit), so your sensitive data stays protected no matter where it is hosted.

Summary of Control 5.23: Information Security for Use of Cloud Services

🔒 Control Title: Information Security for Use of Cloud Services
📘 Source: ISO/IEC 27002:2022, Section 5.23 (ISO/IEC 27001:2022 Annex A 5.23)
🧩 Control Category: Organizational
🔍 Attributes:

  • Control Type: #Preventive
  • Security Properties: #Confidentiality, #Integrity, #Availability
  • Cybersecurity Concepts: #Protect
  • Operational Capabilities: #Supplier_relationships_security
  • Security Domains: #Governance_and_Ecosystem, #Protection

🎯 Control Objective

To specify and manage information security for the use of cloud services, so that requirements are identified, agreed with the provider, and implemented, covering risks such as data breaches, loss of control over data, and compliance failures.

🛠 Implementation Guidance

1) Clarify the Shared Responsibility Model:

  • Define what the cloud provider secures (e.g., physical infrastructure, hypervisor, managed service internals) vs. what you must secure (e.g., data classification and encryption, identities and access, the configuration of the services you consume)
  • Note that the split moves with the service model: you own far more of the stack on IaaS than on SaaS

2) Set Security Requirements in Cloud Contracts:

  • Include clauses for:
    • Data protection and privacy compliance
    • Data location and residency (including backups and replicas)
    • Incident reporting and response timelines
    • Audit rights and compliance reporting
    • Notification of changes to subcontractors (sub-processors)
    • Return and secure deletion of data at the end of the service

3) Assess Provider Security:

  • Review certifications (e.g., ISO 27017, ISO 27018, SOC 2) and confirm the services you actually use are within their scope
  • Request penetration test summaries or independent assurance reports, and review open findings rather than the cover page

4) Monitor Cloud Environments:

  • Use cloud security tools (CSPM, CASB, SIEM integrations) to detect misconfigurations (public storage, over-permissive access, unencrypted data, resources outside approved regions) and threats
  • Treat provider audit logs as a required input to your monitoring, and verify you are actually receiving them

5) Plan for Exit and Portability:

  • Ensure you can retrieve your data in a usable format and obtain confirmation of secure deletion (including backups) when switching providers or ending the service
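Steps 2 and 4 above come together when the contractual requirements are turned into automated checks. The following is an added example, not code from the original post or Canadian Cyber's tooling: a small policy-as-code audit that evaluates a constructed inventory of object-storage buckets against assumed contract requirements (Canadian data residency, no public access unless the data is classified public, encryption at rest for sensitive data) and emits findings as JSON lines a SIEM can ingest. The bucket attributes, region names, tag names, and classification levels are all assumptions for illustration; in practice the inventory would come from the provider's API or a CSPM export.

```python
"""Policy-as-code audit of cloud storage against contract requirements.

Added example for this article; not the post's or any provider's code.
All inventory data below is constructed by hand for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
import json


@dataclass
class Bucket:
    """Attributes of an object-storage bucket, as an inventory API or CSPM might report them."""
    name: str
    region: str
    public_access: bool
    encryption_at_rest: Optional[str]            # e.g. "AES256", "aws:kms", or None
    tags: dict = field(default_factory=dict)


# Requirements agreed with the provider in the contract (assumed values).
REQUIREMENTS = {
    "allowed_regions": {"ca-central-1"},         # data residency: Canadian region only
    "classification_tag": "data_classification", # tag that carries the data classification
    "sensitive_levels": {"confidential", "restricted"},
}


def check_bucket(bucket: Bucket, req: dict = REQUIREMENTS) -> list:
    """Return one finding dict per requirement the bucket violates (empty list if compliant)."""
    findings = []
    level = bucket.tags.get(req["classification_tag"])

    def add(rule: str, severity: str, detail: str) -> None:
        findings.append({"resource": bucket.name, "rule": rule,
                         "severity": severity, "detail": detail})

    # Without a classification tag, sensitivity-based rules cannot be applied at all.
    if level is None:
        add("missing-classification", "medium",
            f"no '{req['classification_tag']}' tag; sensitivity rules cannot be applied")
    # Data residency: the bucket must live in a contractually allowed region.
    if bucket.region not in req["allowed_regions"]:
        add("data-residency", "high",
            f"stored in {bucket.region}; contract allows {sorted(req['allowed_regions'])}")
    # Public access is acceptable only for data explicitly classified as public.
    if bucket.public_access and level != "public":
        add("public-access", "critical", "bucket is publicly accessible")
    # Sensitive data must be encrypted at rest.
    if level in req["sensitive_levels"] and not bucket.encryption_at_rest:
        add("unencrypted-sensitive-data", "high",
            f"classification '{level}' requires encryption at rest")
    return findings


def audit(inventory: list) -> list:
    """Run check_bucket over the whole inventory and flatten the findings."""
    return [f for b in inventory for f in check_bucket(b)]


def to_siem_lines(findings: list) -> list:
    """Serialize findings as one JSON object per line, ready for SIEM ingestion."""
    return [json.dumps(f, sort_keys=True) for f in findings]


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Bucket("hr-records", "us-east-1", False, "aws:kms",
           {"data_classification": "confidential"}),      # wrong region
    Bucket("marketing-site", "ca-central-1", True, None,
           {"data_classification": "public"}),            # public by design: compliant
    Bucket("customer-exports", "ca-central-1", True, None,
           {"data_classification": "restricted"}),        # public and unencrypted
    Bucket("legacy-backups", "ca-central-1", False, "AES256", {}),  # untagged
]

if __name__ == "__main__":
    for line in to_siem_lines(audit(SAMPLE_INVENTORY)):
        print(line)
```

Running the script reports four findings: the residency violation on `hr-records`, two on `customer-exports`, and the missing tag on `legacy-backups`, while the deliberately public marketing bucket passes. The rules are deliberately written against the contract's wording so that an auditor can trace each finding back to the clause it enforces.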

Why This Control Matters

Without cloud-specific security measures:

  • Data could be stored in jurisdictions with weak privacy laws
  • Misconfigurations could expose sensitive information
  • Regulatory compliance could be jeopardized

With strong cloud security management:

  • Your data stays secure and compliant, even in multi-cloud setups
  • Roles and responsibilities are clearly defined
  • Business continuity is safeguarded

Common Pitfalls to Avoid

  • Assuming “the provider handles everything”
  • Not knowing where your data is physically stored
  • Overlooking subcontractors (e.g., sub-processors and other third parties your provider relies on)
  • Failing to monitor and audit cloud environments regularly

Canadian Cyber’s Take

At Canadian Cyber, we specialize in cloud security and compliance.
From Microsoft 365 and Azure to multi-cloud environments, we help businesses implement ISO 27001, ISO 27017, and ISO 27018-aligned practices that keep their cloud usage secure and compliant.

Want Peace of Mind in the Cloud?

We can help you assess your cloud providers, tighten security configurations, and embed compliance into your cloud strategy.
👉 Click here to secure your cloud journey.
