ISO27001 A.5.23
ISO/IEC 27001:2022 Information Security Management
Founder at SQUR · last verified 2026-06-19
Regulation text
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements. Theme: Organisational controls. (Full guidance: ISO/IEC 27002:2022 §5.23.)
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Inadequate acquisition processes may lead to the deployment of cloud services with exploitable public-facing applications, enabling initial access. This directly violates the 'information security requirements' of A.5.23. | 90% |
| T1133 | Poorly defined acquisition and management processes can result in insecurely configured external remote services within cloud environments, providing attackers with initial access. This contravenes the secure 'use' and 'management' aspects of A.5.23. | 85% |
| T1136.003 | Weak cloud service management processes allow attackers to create unauthorized cloud accounts, establishing persistence. A.5.23 mandates established processes for 'management' to prevent such actions. | 90% |
| T1098.001 | Insufficient management processes for cloud accounts can enable attackers to add additional credentials to existing accounts, maintaining persistence. This directly relates to the 'management' of cloud services under A.5.23. | 85% |
| T1078.004 | Over-privileged cloud accounts, resulting from poor 'acquisition' or 'management' processes, can be exploited for privilege escalation. A.5.23 requires adherence to 'information security requirements' for account privileges. | 80% |
| T1562.001 | Insecure configuration of cloud services, due to inadequate 'acquisition' or 'management' processes, may allow attackers to disable or modify security controls like firewalls, facilitating defense evasion. A.5.23 requires secure 'use'. | 80% |
| T1552.001 | Poor cloud service 'management' processes can lead to sensitive credentials being stored insecurely within cloud resources, enabling credential access. A.5.23 requires secure handling of information. | 85% |
| T1087.004 | Lack of robust 'management' processes for cloud accounts allows attackers to easily discover valid cloud accounts and their permissions, aiding discovery. A.5.23 mandates proper account management. | 90% |
| T1526 | Inadequate cloud service 'management' and 'acquisition' processes can result in poor asset visibility, allowing attackers to discover cloud services and resources. A.5.23 requires established processes for 'management'. | 90% |
| T1535 | Incomplete or insecure 'exit from cloud services' processes can leave connections open, enabling attackers to move laterally between cloud and on-premises environments. A.5.23 explicitly covers 'exit' processes. | 80% |
| T1021.001 | Cloud virtual machines configured without adherence to security requirements during 'acquisition' or 'management' may expose insecure remote services like RDP, facilitating lateral movement. A.5.23 requires secure 'use'. | 75% |
| T1530 | Weak cloud service 'management' processes can lead to sensitive data in cloud storage being easily accessible to attackers, enabling data collection. A.5.23 requires adherence to 'information security requirements'. | 90% |
| T1071.001 | If cloud services are not properly 'managed' and monitored, attackers can use legitimate cloud communication channels (e.g., web protocols via storage services) for command and control. A.5.23 covers 'use' and 'management'. | 75% |
| T1537 | Lack of controls over cloud service 'use' and 'management' can allow attackers to transfer sensitive data to their own cloud accounts, resulting in exfiltration. A.5.23 requires processes for 'use'. | 85% |
| T1485 | Poor 'management' of cloud services and their configurations can enable attackers to destroy data within those services, causing significant impact. A.5.23 mandates secure 'management' processes. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1030 | Network segmentation, guided by robust 'acquisition' and 'management' processes for cloud services, limits an attacker's ability to move laterally and access sensitive resources. A.5.23 requires established processes. | 90% |
| M1036 | Strong account use policies, established during cloud service 'acquisition' and enforced during 'management', prevent unauthorized access and persistence. This directly supports A.5.23's 'information security requirements'. | 95% |
| M1038 | Effective user account management processes for cloud services, covering provisioning, review, and de-provisioning, reduce the attack surface. This is central to the 'management' and 'exit' aspects of A.5.23. | 95% |
| M1040 | Implementing network traffic filtering based on security requirements defined during cloud service 'acquisition' and 'management' prevents unauthorized communication. A.5.23 requires secure 'use'. | 85% |
| M1042 | Regular vulnerability scanning of cloud services, integrated into 'acquisition' and 'management' processes, ensures that vulnerabilities are identified and remediated. A.5.23 requires adherence to 'information security requirements'. | 80% |
| M1047 | Auditing cloud service configurations and usage ensures compliance with established 'information security requirements' throughout the 'acquisition', 'use', and 'management' phases. This is a core component of A.5.23. | 90% |
| M1051 | Implementing data backup strategies for cloud services, as part of 'management' and 'exit' processes, mitigates the impact of data destruction or corruption. A.5.23 ensures business continuity. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-284 | Lack of defined processes for cloud service access control during 'acquisition' and 'management' directly leads to improper access control. A.5.23 aims to prevent this by requiring established processes. | 95% |
| CWE-732 | Cloud resources provisioned with overly permissive access due to poor 'acquisition' or 'management' processes result in incorrect permission assignments. A.5.23 mandates adherence to 'information security requirements'. | 90% |
| CWE-200 | Inadequate processes for data handling and configuration in cloud services can lead to the exposure of sensitive information. A.5.23 requires secure 'use' and 'management' to prevent such exposures. | 85% |
| CWE-269 | Poorly defined roles and permissions within cloud environments, stemming from deficient 'management' processes, constitute improper privilege management. A.5.23 addresses this through established processes. | 90% |
| CWE-287 | Weak authentication mechanisms for cloud services, if not properly specified or enforced during 'acquisition' and 'use', represent improper authentication. A.5.23 requires adherence to 'information security requirements'. | 85% |
| CWE-522 | Credentials for cloud services stored or handled insecurely due to a lack of robust 'management' processes lead to insufficiently protected credentials. A.5.23 mandates secure processes. | 80% |
| CWE-668 | Cloud resources exposed publicly or to unintended networks due to poor configuration during 'acquisition' or 'management' represent exposure of resources to the wrong sphere. A.5.23 requires secure 'use'. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0203 compute · voice-rubric self-validated