ISO/IEC 27001 Control 5.23: Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint can automatically manage access to cloud services.

This control deals mostly with contractual arrangements with cloud service providers, it is not focused on technical measures. However, midPoint plays an important role in managing cloud services at large. MidPoint is designed to manage access control to cloud services, creating accounts, assigning accounts to groups, granting and revoking privileges. Application inventory capability can be used to catalog cloud services in the first place, enabling classification of cloud services based on level of security or sensitivity of processes information. MidPoint can quickly provision access to a new application in case that an existing cloud application is disrupted or replaced, which is a natural part of exit strategy for almost every cloud application.