Control attributes: Organisational | Preventive | Identify

A.5.23 Information Security for Use of Cloud Services

M365 Admin Path: Microsoft Entra admin centre > Protection > Conditional Access

What is this control?

ISO 27001 control A.5.23, Information Security for Use of Cloud Services, requires the organisation to establish processes for acquiring, using, managing and exiting cloud services in line with its information security requirements, including privacy and PII protection wherever personal data is processed. In practice this means that every cloud service must pass formal due diligence before it is adopted and must meet a mandatory technical security baseline covering identity, data protection, monitoring and endpoint access for as long as it remains in use, with a defined exit process at the end of the lifecycle.

How to implement in Microsoft 365

Implement A.5.23 in two parts: due diligence before adoption, and a technical baseline during use.

Due diligence: every new cloud service completes the supplier due diligence process, which verifies the provider's security posture through an ISO 27001 certificate or SOC 2 report, confirms that the contract meets the A.5.20 supplier agreement requirements, and confirms the technical capability for Microsoft Entra ID single sign-on (SAML or OIDC) and for exporting audit logs to Microsoft Sentinel. A service that cannot federate with Entra ID or cannot export logs fails the baseline and should not be approved.

Technical baseline: Microsoft Entra ID is the sole identity provider, with local accounts in the service disabled so that there is no sign-in path that bypasses it (Conditional Access only evaluates sign-ins that pass through Entra ID). Conditional Access requires MFA and an Intune-managed, compliant device for access to cloud services, and Privileged Identity Management (PIM) governs privileged roles. Data processed in the service is classified with Sensitivity Labels and protected by Purview DLP policies. Audit logs are ingested into Microsoft Sentinel through the relevant data connector. Azure resources are deployed only through infrastructure as code and scanned by Defender for DevOps (DevOps security in Microsoft Defender for Cloud).
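The Conditional Access part of the baseline can be created from PowerShell with the Microsoft Graph SDK rather than clicked through the admin centre, which also gives you a reviewable artefact. The following is an added example written for this page, not Microsoft's own script or anything taken from the original text; it assumes the Microsoft.Graph module is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass account object ID is a placeholder you replace with your own.

```powershell
# Added example: create the A.5.23 baseline Conditional Access policy (MFA + compliant device)
# for all cloud apps and all users, excluding the emergency-access (break-glass) account.
# Assumes: Microsoft.Graph module installed; $breakGlassId below is a placeholder GUID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access account

$policy = @{
    displayName = "A.5.23 - Cloud services: require MFA and compliant device"
    # Start in report-only mode so the sign-in logs show who would be blocked
    # before the policy is switched to "enabled". Enrollment flows and service
    # accounts often surface here and need their own scoped exclusions.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            # Every CA policy must exclude the break-glass account; monitor that
            # account's sign-ins separately instead of relying on CA for it.
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = "AND"                      # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After reviewing the report-only results in the Entra sign-in logs, switch the policy's state to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Note that "All" cloud apps only covers applications that authenticate through Entra ID; a third-party service that still accepts its own local credentials is outside this policy entirely, which is why disabling local accounts is part of the baseline.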

What an auditor looks for

Auditors will verify that a completed supplier due diligence checklist exists for every cloud service in the register and shows CISO sign-off. They will check that Conditional Access policies enforcing MFA and device compliance for cloud services are in the enabled state; a policy left in report-only mode does not enforce anything and will not be accepted as evidence. Auditors will verify that Microsoft Sentinel data connectors are configured and actively receiving data for all cloud services, including Azure, M365 and third-party services, not merely that a connector has been created.

They will review the sensitivity label classifications applied to data processed in cloud services and verify that Purview DLP policies are configured to protect that data. For services that have been retired, they will check the service termination documentation showing that B2B guest accounts were disabled, that the enterprise application and its SSO configuration were removed from Entra ID, and that data destruction certificates were obtained from the provider.
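Much of the technical evidence above can be gathered from PowerShell and filed with the audit pack. The following is an added example for this page, not a script from the original text or from Microsoft; it assumes the Microsoft.Graph and Az.SecurityInsights modules are installed, and the resource group and workspace names are placeholders for your own Sentinel workspace.

```powershell
# Added example: collect A.5.23 audit evidence for Conditional Access and Sentinel connectors.
# Assumes: Microsoft.Graph and Az.SecurityInsights modules installed; the Sentinel
# resource group and workspace names below are placeholders.

Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Conditional Access: which policies actually enforce MFA + compliant device for all apps?
$policies = Get-MgIdentityConditionalAccessPolicy

$enforcing = $policies | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.GrantControls.BuiltInControls -contains "compliantDevice"
}

# Report-only policies look like controls in the portal but enforce nothing; list
# them separately so they are not mistaken for evidence.
$reportOnly = $policies | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" }

"Enforcing baseline policies: $($enforcing.Count)"
$enforcing  | Select-Object DisplayName, State | Format-Table -AutoSize
"Report-only policies (not evidence of enforcement): $($reportOnly.Count)"
$reportOnly | Select-Object DisplayName, State | Format-Table -AutoSize

if ($enforcing.Count -eq 0) {
    Write-Warning "No enabled policy requires MFA and a compliant device for all cloud apps."
}

# 2. Sentinel: which data connectors exist in the workspace?
Connect-AzAccount
$rg = "rg-sentinel"          # placeholder
$ws = "law-sentinel"         # placeholder

$connectors = Get-AzSentinelDataConnector -ResourceGroupName $rg -WorkspaceName $ws
$connectors | Select-Object Name, Kind | Format-Table -AutoSize

# Save both sets as evidence with a timestamp for the audit pack.
$stamp = Get-Date -Format "yyyyMMdd"
$enforcing  | Select-Object DisplayName, State | Export-Csv "A523-CA-$stamp.csv" -NoTypeInformation
$connectors | Select-Object Name, Kind        | Export-Csv "A523-Sentinel-$stamp.csv" -NoTypeInformation
```

A connector listed here proves configuration, not ingestion; pair this output with a KQL query in the workspace (for example the latest `TimeGenerated` per table such as `SigninLogs` or `OfficeActivity`) to show that logs from each service have actually arrived recently.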