Human Factors in Security: How People, Culture & Behaviour Impact Your ISMS
The cloud has changed everything about how we store, share, and secure information. But while it brings scalability and speed, it also introduces new risks, especially when sensitive or regulated data moves beyond your direct control.
That’s where Control 5.23 of ISO 27001 comes in. This control ensures that organisations manage information security risks associated with the use of cloud services, from selection and onboarding through to monitoring and exit.
It’s not about avoiding the cloud. It’s about using it intelligently and securely.
Intent of the Control
Control 5.23 is designed to make sure your organisation doesn’t hand over responsibility for security the moment it signs a cloud contract.
Just because a vendor says they’re “ISO certified” doesn’t mean your risk disappears. This control requires you to identify what data is being stored or processed in the cloud, understand who’s responsible for protecting it, and ensure that appropriate controls are in place.
In short: shared service, shared responsibility.
You’re expected to:
- Assess the security posture of your cloud providers.
- Understand data residency, ownership, and contractual obligations.
- Ensure monitoring, access control, and encryption are in place.
- Review security performance and compliance regularly.
It’s about managing your part of the shared model, not outsourcing it.
Why It Matters
The shift to cloud computing has blurred the boundaries of traditional IT security. Your data could be sitting in multiple regions, replicated across dozens of servers, and accessed from anywhere in the world.
Without structured oversight, that flexibility quickly turns into exposure.
Control 5.23 helps you retain control and visibility, so you’re not relying solely on trust or vendor marketing. It ensures due diligence when choosing a provider and continuous assurance throughout the relationship.
Neglecting this control can lead to:
- Data breaches through misconfigured cloud storage.
- Ambiguity over who’s accountable for incident response.
- Loss of data integrity during migration or termination.
- Compliance failures when providers don’t meet regulatory expectations.
In other words, it keeps your head in the cloud, but your feet firmly on the ground.
What Good Looks Like
To meet the intent of Control 5.23, your organisation should:
- Define a clear cloud usage policy that outlines acceptable services, approval processes, and security expectations.
- Maintain a cloud asset register to track all active services and associated risks.
- Evaluate providers against recognised standards (e.g. ISO 27017, ISO 27018, SOC 2).
- Include cloud-specific clauses in contracts covering access, audit rights, data handling, and incident notification.
- Monitor ongoing compliance through reports, dashboards, or security reviews.
Ultimately, good cloud governance is about knowing what you’ve got, where it is, and how it’s being protected.
How de.iterate Helps
Managing cloud-related risk shouldn’t rely on spreadsheets or memory. de.iterate makes the process seamless by helping you:
- Map cloud assets directly to ISO 27001 controls and clauses.
- Assign ownership for each control, ensuring accountability isn’t lost in the cloud.
- Attach evidence such as provider reports, contracts, and configurations—so you can prove compliance during audits.
- Automate reminders for periodic reviews or reassessments of vendor risk.
And when it comes time to update your Statement of Applicability or risk register, de.iterate keeps everything aligned. So you can show, not just tell, how you’re managing your cloud environment securely.
Cloud adoption isn’t the risk. Unmanaged cloud use is.
ISO 27001 Control 5.23 helps you balance innovation with assurance, ensuring the move to cloud doesn’t come at the cost of control.
With the right systems, governance, and technology support, you can have both agility and assurance, because smart compliance doesn’t slow you down; it keeps you running strong.