Is your SaaS startup up-to-date with the latest iteration of ISO 27001? If you are unsure, keep reading to see how you can get up to speed with your compliance.
The ISO 27001 is a universally-accepted framework for information security management systems (ISMS), which is the standard SaaS companies must adhere to in order to be compliant. As technology evolves, so do security threats, which is why there are occasionally updates added to this standard.
Annex A of the ISO 27001 includes a list of additional controls that companies must meet in order to be compliant. In this article, we will specifically break down Control 5.23 and explain what this means for your business.
What is Control 5.23?
The ISO 27001:2022 5.23 states the following:
“Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.”
What does this mean for you? You must clearly define how you acquire, use, and discontinue cloud services with them to secure the management of sensitive information. This means making decisions on the following:
- Whether your organization will work with one cloud provider or several.
- How much responsibility will be divided between your organization and the cloud provider.
- How IT will be involved in the process.
- When and how frequently to conduct risk assessments with the cloud provider (ideally, at the preliminary stages of a project).
- If you want to discontinue services with a cloud provider, how you will exit and transition into the next.
What is the purpose of Control 5.23?
Since many SaaS startups outsource their data storage and management to cloud services, this control was put in place to ensure that sensitive information is being protected throughout the process of working with them, from start to finish.
Just as you prioritize security for your business and clients, it’s important that you and your cloud provider are aligned on security and compliance standards to minimize risk.
How can I ensure my cloud service provider is compliant?
If you are looking for a cloud service provider, there are likely many factors that your organization is considering to make sure there is a good fit, such as pricing, accessibility, etc. However, one factor that is important to include on that checklist is whether or not they have the right approach to data security.
Here are some helpful questions to ask while looking for the right provider:
- Do you have experience with data breaches? How frequently do they happen?
- What is the protocol if a data breach were to occur?
- Are you compliant with the standards that are required for my organization, such as ISO 27001, HIPAA, or SOC-2?
- How much visibility and control will we have over our data?
- What happens to our data if we switch providers?
Want to learn about the other controls in Annex A?
Control 5.23 is just one of many updates introduced in Annex A of ISO 27001:2022. To ensure your organization stays compliant, check out our other articles for a deeper dive into compliance with these controls.
