Control Definition
The organization must define processes that govern the full cloud service lifecycle—how cloud services are selected and acquired, how they are used and managed day to day, and how they are exited—all aligned with its own information security requirements.
Control Objective
To ensure that cloud services are acquired, used, and managed securely throughout their lifecycle, from vendor selection through data migration and exit, protecting organizational information in multi-tenant cloud environments.
What This Really Means
Cloud security governance means establishing formal processes for how your organization selects, contracts, uses, monitors, and eventually exits cloud service providers (AWS, Azure, Google Cloud, SaaS applications like Salesforce, Microsoft 365, Slack). It's about ensuring that when you move data and workloads to the cloud, you don't lose visibility, control, or compliance.
Think of it like renting an apartment vs. owning a house: when you rent (use cloud services), you must verify the landlord's security (vendor due diligence), understand what you're responsible for vs. what they handle (shared responsibility model), have a plan for getting your belongings out if you move (data portability), and ensure your valuables are protected (data encryption, access control).
This control requires you to define cloud adoption standards (what types of cloud services are allowed), conduct vendor security assessments before procurement, establish clear contract terms (SLAs, data location, audit rights, liability), implement cloud-specific security controls (encryption, IAM, logging), monitor cloud usage continuously, and plan for cloud exits (data extraction, account termination). The goal is cloud usage without cloud chaos—governed, secure, and compliant adoption.
Why It Matters
Cloud services are now critical infrastructure, yet many organizations adopt them without proper security governance—leading to data breaches, compliance violations, and vendor lock-in. The 2022 ISO 27001 revision added this control specifically because cloud security failures have become a top threat.
Without proper cloud security governance, organizations face:
- Data Breaches from Misconfigurations – The overwhelming majority of cloud breaches stem from customer-side misconfigurations (public S3 buckets, overly permissive IAM roles, disabled encryption) rather than cloud provider vulnerabilities
- Compliance and Regulatory Violations – DPDPA keeps you accountable for personal data wherever it is processed, sectoral rules like RBI's payment data localization mandate India-only storage, and auditors fail organizations that can't demonstrate cloud security controls
- Shadow IT and Unmanaged Cloud Sprawl – Employees signing up for SaaS tools with corporate credit cards creates ungoverned data repositories, duplicate spending, and security gaps IT doesn't even know exist
- Vendor Lock-In and Failed Exits – Proprietary APIs, data formats, and integration dependencies make it impossible to switch providers or retrieve data when contracts end or providers fail
- Loss of Visibility and Control – Traditional security tools don't work in cloud environments; without cloud-native monitoring and CSPM tools, you're flying blind regarding who accessed what data
Indian organizations face additional challenges: CERT-In logging requirements (180-day retention), RBI data localization mandates for payment system data, and DPDPA accountability for personal data processed in the cloud all demand explicit cloud security governance.
Implementation Guidance
Establish Cloud Service Procurement and Approval Process
Define cloud adoption policy: what types of cloud services are allowed (IaaS, PaaS, SaaS), which providers are pre-approved (AWS, Azure, GCP for IaaS; approved SaaS list), approval workflow (IT Security + Legal + DPO must approve all new cloud services), and procurement requirements (security questionnaire, contract review, data protection addendum). Ban unauthorized cloud signups—require central IT approval before any cloud service can process organizational data.
Conduct Vendor Security Assessments and Due Diligence
Before procuring cloud services, evaluate provider security: review SOC 2 Type II, ISO 27001, or other certifications; assess data center locations (data residency needs—e.g. RBI-regulated payment data must stay in India); verify encryption standards (at-rest and in-transit); check incident response procedures; review subprocessor lists; evaluate business continuity and disaster recovery capabilities. For SaaS, use security questionnaires (CAIQ, VSA) or third-party assessments. Document findings and require remediation of high-risk gaps before contract signature.
Define Clear Cloud Security Responsibilities (Shared Responsibility Model)
Document what the cloud provider is responsible for vs. what you must handle. For IaaS (AWS EC2): the provider secures the physical infrastructure and hypervisor; you secure the OS, applications, data, and access control. For SaaS (Salesforce): the provider secures the application infrastructure; you secure user access, data classification, and integration security. Create a responsibility matrix and ensure all gaps are covered—no assumption that "the cloud provider handles security" absolves you of responsibility.
Implement Cloud-Specific Security Controls and Monitoring
Deploy cloud-native security: enable MFA for all cloud accounts (AWS IAM, Azure AD); implement least-privilege IAM policies; enable encryption at rest (AWS KMS, Azure Key Vault) and in transit (TLS); activate cloud logging (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) and send to centralized SIEM; use Cloud Security Posture Management (CSPM) tools (Wiz, Prisma Cloud, AWS Security Hub) to detect misconfigurations; implement network segmentation (VPCs, security groups, firewall rules).
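As an added example (not the page's own code and not any vendor's tool), a small Python checker in the CSPM spirit that flags the three customer-side misconfigurations named earlier (public bucket policy, disabled encryption at rest, missing public access block) plus an unbounded IAM role policy, run over a constructed configuration snapshot. The snapshot layout is an assumption; the policy-document grammar and the PublicAccessBlock field names follow AWS's published formats.

```python
# CSPM-style misconfiguration checks over a constructed configuration snapshot.
# Added illustration, not the page's or any vendor's code. The snapshot layout is
# assumed; policy grammar and PublicAccessBlock field names follow AWS's formats.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def grants_public_access(policy):
    """True if an unconditioned Allow statement names a wildcard principal."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            return True
    return False

def is_admin_wildcard(policy):
    """True if an Allow statement is unbounded on both Action and Resource."""
    return any(st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
               and "*" in _as_list(st.get("Resource", []))
               for st in _as_list(policy.get("Statement", [])))

def bucket_findings(bucket):
    """The three customer-side mistakes the control text singles out."""
    pab = bucket.get("public_access_block", {})
    checks = [
        (grants_public_access(bucket.get("policy", {})), "bucket policy grants public access"),
        (not bucket.get("encryption_at_rest"), "default encryption at rest disabled"),
        (not all(pab.get(k) is True for k in PAB_KEYS), "PublicAccessBlock not fully enabled"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample: one sound bucket, one with the classic mistakes, one admin role.
SNAPSHOT = {
    "finance-reports": {"encryption_at_rest": True, "public_access_block": dict.fromkeys(PAB_KEYS, True),
        "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Principal":
            {"AWS": "arn:aws:iam::111122223333:role/Reporting"}, "Resource": "arn:aws:s3:::finance-reports/*"}]}},
    "marketing-assets": {"encryption_at_rest": False, "public_access_block": dict.fromkeys(PAB_KEYS, False),
        "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Principal": "*",
            "Resource": "arn:aws:s3:::marketing-assets/*"}]}},
}
DEPLOY_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def report(snapshot=SNAPSHOT, role_policy=DEPLOY_ROLE_POLICY):
    """Map each resource to its findings; an empty list means it passed."""
    out = {name: bucket_findings(b) for name, b in snapshot.items()}
    out["role:Deploy"] = ["full admin: Action=* on Resource=*"] if is_admin_wildcard(role_policy) else []
    return out
```

In practice the snapshot would be fed from the provider's configuration API or a Security Hub / CSPM export rather than hand-built, and the findings routed to the SIEM alongside CloudTrail.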
Establish Contract Terms and SLAs with Cloud Providers
Negotiate and document: data ownership (all data remains yours), data location/residency (specify allowed regions), security standards (ISO 27001, SOC 2 required), audit rights (right to audit or receive third-party audit reports), breach notification timelines (within 24-72 hours), data deletion procedures upon contract termination, liability and indemnification clauses, exit assistance terms. For Indian organizations: include DPDPA compliance clauses and data residency commitments where sector regulators or customer contracts require them.
Monitor Cloud Usage and Detect Shadow IT
Implement cloud access security broker (CASB) or SaaS management platform (Zluri, Torii, BetterCloud) to discover all cloud services in use, detect unauthorized signups, monitor data uploads/downloads, and enforce DLP policies. Review cloud spending reports monthly to identify unknown subscriptions. Scan network traffic for unsanctioned cloud connections. Enforce acceptable use policy prohibiting unauthorized cloud services.
Plan and Test Cloud Exit Strategy
Document exit plan for each critical cloud service: data extraction procedures (APIs, bulk export), format conversion requirements (from proprietary to open formats), alternative provider options, timeline and costs, contract termination notice periods. Test data export annually to verify you can actually retrieve your data. Avoid vendor lock-in by using open standards, portable data formats, and infrastructure-as-code (Terraform) that works across providers.
Audit Evidence
During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.5.23:
Documentation
- Cloud Service Procurement Policy defining approval workflows and security requirements
- Vendor security assessment reports for all cloud providers in use
- Cloud contracts and Data Processing Agreements (DPAs) with security terms documented
- Cloud security architecture diagrams showing responsibility boundaries
- Cloud exit strategy documentation with data extraction procedures tested
Interviews
- IT Security team about cloud security controls and monitoring practices
- Procurement/Legal about contract terms and vendor due diligence processes
- Cloud administrators about IAM policies, encryption, and configuration management
Observations
- Review of CASB or SaaS management platform showing cloud service inventory
- Demonstration of cloud security posture management tool findings
- Verification that MFA, encryption, and logging are enabled for all cloud accounts
- Testing of data export from critical cloud services to validate exit capability
Practitioner Insights

A pattern I see in almost every cloud governance audit: the official SaaS list covers a dozen applications, while CASB or network discovery turns up several times that number—marketing, sales, and HR signing up with corporate credit cards and no security review, and customer PII sitting in form builders and workspace tools nobody governs. Use CASB or network monitoring to discover shadow IT—you cannot govern what you cannot see.

Many Indian companies assume AWS/Azure handle all security because they are "certified." That's wrong. If you misconfigure an S3 bucket to be public, AWS won't stop you—that's your responsibility. I've seen companies fail audits because they couldn't demonstrate they had proper IAM policies, encryption, or logging in their cloud environments. Cloud providers give you the tools; you must use them correctly.
Common Challenges & Solutions
Challenge
Developers and business units adopt cloud services without IT approval, creating shadow IT.
Solution
Implement technical controls: block corporate credit card usage for unauthorized cloud signups (require approval code), use DNS filtering or firewall rules to block unapproved SaaS domains, deploy CASB to detect and alert on new cloud service usage, and enforce acceptable use policy with consequences. Provide fast-track approval for common requests (e.g., pre-approved SaaS list with 24-hour onboarding) so legitimate needs don't drive shadow IT.
Challenge
Cloud contracts from major providers (AWS, Microsoft, Google) are non-negotiable standard terms.
Solution
For major cloud providers, you typically cannot change master agreements. Instead: (1) negotiate addendums for critical terms (data location, audit rights), (2) use Data Processing Agreements (DPAs), required by GDPR/DPDPA, which are often negotiable, (3) implement additional controls on your side (encryption with your own keys, access logging), (4) document risk acceptance for non-negotiable terms with management approval.
Challenge
We have no visibility into what data is being uploaded to cloud services or who has access.
Solution
Deploy Cloud Access Security Broker (CASB) with inline or API-based monitoring to scan data uploads, enforce DLP policies, detect anomalous access patterns, and audit user activity across SaaS apps. Use cloud-native tools: AWS Macie for S3 data discovery, Microsoft Cloud App Security for Office 365, Google Cloud DLP for GCP. Require data classification before cloud upload and enforce tagging policies.
Challenge
Cloud providers refuse to commit to the India data residency that sector regulators or enterprise customers demand for personal data.
Solution
For providers without India data centers: (1) Use regions geographically close (Singapore, UAE), (2) Implement additional safeguards: encryption with India-based key management, contractual data transfer agreements, regular audits, (3) Classify data and only send non-sensitive data to non-India clouds, (4) For critical personal data, use India-only cloud providers (Tata Communications, Sify, CtrlS) or on-premise solutions.
Challenge
When we tried to exit a cloud service, data export failed or formats were unusable.
Solution
Test exit procedures annually: export data from each critical cloud service, verify completeness, test import into alternative systems, document gaps. Use open formats (CSV, JSON, SQL dumps) rather than proprietary formats. Implement infrastructure-as-code (Terraform, CloudFormation) to document configurations in portable format. Maintain data backups in provider-independent storage (separate cloud or on-premise). Include exit assistance clauses in contracts.