The conference room went silent when the VP of Engineering asked the question that nobody wanted to answer: "If we move to AWS, do we lose our ISO 27001 certification?"
It was 2017, and I was sitting with the leadership team of a financial services company that had spent two years achieving ISO 27001 certification for their on-premises infrastructure. Now, their board was pushing for cloud migration, and the security team was terrified they'd have to start from scratch.
I smiled and said something that surprised them: "Not only will you keep your certification—if you do this right, your cloud environment will be more compliant and more secure than what you have today."
Seven years and 40+ cloud migration projects later, I stand by that statement. But here's the catch: "if you do this right" carries a lot of weight.
The Cloud Compliance Paradox I've Witnessed
After fifteen years in cybersecurity, with the last eight focused heavily on cloud security, I've observed something fascinating: organizations often assume cloud migration makes compliance harder, when in reality, it makes it more explicit.
Let me explain with a story that perfectly illustrates this.
In 2019, I audited an on-premises data center for a healthcare company. Their ISO 27001 certification looked pristine on paper. But when I started digging:
Physical access controls? A logbook at the front desk that people signed "whenever they remembered"
Change management? Engineers had root access and deployed whenever they wanted
Backup verification? "We think the backups work, but we haven't tested them in eighteen months"
Network segmentation? "Everything's on VLAN 10"
They were certified, but barely compliant in practice.
Fast forward to their AWS migration two years later. Suddenly:
Every access was logged and auditable through CloudTrail
Change management became automated through CI/CD pipelines with approval gates
Backup verification happened automatically with AWS Backup reports
Network segmentation was enforced through VPCs and security groups with infrastructure-as-code
The cloud didn't make compliance harder—it made their gaps impossible to hide.
"Cloud computing doesn't eliminate your ISO 27001 requirements. It transforms them from theoretical policies into enforced technical controls."
Understanding the Shared Responsibility Model (The Part Everyone Gets Wrong)
This is where I see organizations stumble most often. Let me break down what the shared responsibility model actually means for ISO 27001 compliance.
The Classic Misconception
A CTO once told me: "We're moving to AWS, so Amazon handles our security compliance now."
I had to break the news: "Amazon handles their security compliance. Your ISO 27001 certification is still 100% your responsibility."
Here's a framework I've developed after years of explaining this:
ISO 27001 Control Area | Your Responsibility | Cloud Provider Responsibility | Shared Responsibility |
|---|---|---|---|
Physical Security (A.11) | Manage access to cloud console | Secure data center facilities | Device security for admin access |
Access Control (A.9) | User IAM policies, MFA, access reviews | Infrastructure access controls | Service-to-service authentication |
Cryptography (A.10) | Enable encryption, manage keys | Provide encryption services | Key management systems |
Operations Security (A.12) | Security monitoring, log analysis | Infrastructure monitoring | Vulnerability management |
Communications Security (A.13) | Network architecture, security groups | Network infrastructure | TLS/SSL implementation |
Asset Management (A.8) | Track cloud resources, tagging | Physical asset management | Service inventory management |
I learned this the hard way in 2018. A client had achieved ISO 27001 for their AWS environment, but they'd assumed AWS's compliance covered them. During a surveillance audit, the auditor asked for evidence of access reviews (A.9.2.5).
"AWS handles that," the CISO said confidently.
The auditor shook his head. "AWS handles access to their infrastructure. Who's reviewing access to your AWS account?"
Silence. They'd never performed IAM access reviews. They had a major non-conformity and 90 days to fix it or lose certification.
The 114 Controls in the Cloud: What Actually Changes
Let me walk you through what I've learned about implementing ISO 27001 Annex A controls in cloud environments. I'll focus on the areas where cloud fundamentally changes the game.
Controls That Become EASIER in the Cloud
A.12.4.1 - Event Logging
In on-premises environments, I've seen organizations struggle with log collection. Different systems, different formats, gaps in coverage—it's a nightmare.
In the cloud? AWS CloudTrail, Azure Monitor, or GCP Cloud Logging give you comprehensive, immutable audit logs by default. Every API call, every login, every configuration change—logged automatically.
I worked with a company that spent $80,000/year on a SIEM solution just to collect logs from their on-premises environment. In AWS, they got better logging coverage for the cost of storage—about $300/month.
A.12.6.1 - Management of Technical Vulnerabilities
On-premises vulnerability management is manual and painful. Cloud providers offer:
Automated vulnerability scanning (AWS Inspector, Azure Security Center)
Automatic patch management (AWS Systems Manager, Azure Update Management)
Real-time security findings and recommendations
A retail client reduced their mean time to patch critical vulnerabilities from 28 days to 3 days by leveraging AWS Systems Manager.
A.17.1.2 - Implementing Information Security Continuity
Disaster recovery in traditional environments requires duplicate hardware, separate facilities, and complex replication. I've seen DR plans that existed only on paper because they were too expensive to implement.
Cloud changes everything:
Multi-region replication with a few clicks
Automated failover capabilities
Pay-as-you-go DR infrastructure
One client went from a theoretical DR plan to a tested, functional DR capability in six weeks using AWS services.
Controls That Become MORE COMPLEX in the Cloud
A.9.2.1 - User Registration and De-registration
This seems simple until you're managing:
AWS IAM users
Azure AD integration
Google Workspace accounts
Third-party SaaS applications (GitHub, Jira, Slack)
Service accounts and API keys
Temporary credentials and assumed roles
I helped a company discover they had 847 active IAM entities. Only 312 were actual humans. They had no idea what the other 535 were or who had created them.
A.13.1.1 - Network Controls
Traditional network security was perimeter-based. Firewalls at the edge, everything inside trusted.
Cloud networks are dynamic:
VPCs, subnets, and security groups
Service endpoints and private links
Transit gateways and peering connections
Container networking
Serverless function networking
I once reviewed a cloud environment where they had 43 different VPCs across multiple accounts with no documentation of how they connected. The security group relationships alone took three weeks to map.
My Framework for Cloud ISO 27001 Implementation
After implementing ISO 27001 in cloud environments for years, I've developed a framework that actually works. Here's the exact approach I use:
Phase 1: Scope Definition (Weeks 1-2)
The biggest mistake I see is poor scoping. Organizations try to certify "everything in the cloud" without defining boundaries.
My Scoping Checklist:
Scoping Question | Why It Matters | Common Mistake |
|---|---|---|
Which cloud accounts/subscriptions are in scope? | Defines technical boundaries | Including dev/test without controls |
Which services are in scope? | Determines control requirements | Forgetting to include CI/CD, DNS, etc. |
Where does customer data flow? | Identifies data boundaries | Missing data in logs, backups |
Which regions are in scope? | Affects data sovereignty | Not documenting data residency |
What's the boundary with SaaS tools? | Clarifies responsibilities | Assuming SaaS tools are automatic |
I worked with a SaaS company that initially scoped only their production AWS account. During implementation, we discovered:
Their CI/CD pipeline could deploy to production (scope expansion needed)
Customer data flowed through their monitoring system (scope expansion needed)
Database backups replicated to a different account (scope expansion needed)
Their scope grew by 40%, but at least we caught it before the audit.
Phase 2: Control Mapping (Weeks 3-4)
This is where I map traditional ISO 27001 controls to cloud-native implementations. Here's my master mapping for AWS (similar approaches work for Azure and GCP):
ISO 27001 Control | Traditional Implementation | AWS Cloud Implementation | Evidence Required |
|---|---|---|---|
A.9.4.1 - Information Access Restriction | File permissions, ACLs | IAM policies, S3 bucket policies, RDS security | IAM policy screenshots, access analyzer reports |
A.10.1.1 - Policy on Cryptography | Document stating encryption requirements | KMS key policies, S3 encryption settings, RDS encryption | Encryption config screenshots, KMS audit logs |
A.12.1.2 - Change Management | Change advisory board, manual approvals | CodePipeline, approval stages, CloudFormation | Pipeline logs, approval records, deployment history |
A.12.4.1 - Event Logging | Syslog servers, log collectors | CloudTrail, CloudWatch Logs, VPC Flow Logs | CloudTrail configurations, log retention settings |
A.17.1.1 - Availability Planning | Redundant hardware, failover procedures | Auto Scaling, multi-AZ deployment, Route 53 | Architecture diagrams, auto-scaling configs |
Phase 3: Technical Implementation (Months 2-4)
Here's where the rubber meets the road. I'll share the exact controls I implement in every cloud ISO 27001 project:
Identity and Access Management (A.9 Controls)
What I always implement:
Mandatory MFA for all human users (A.9.4.2)
AWS: Enforce through IAM policy conditions
Lesson learned: Had a client lose $60K to cryptomining because one admin account didn't have MFA
Principle of least privilege (A.9.2.3)
Start with zero permissions, add only what's needed
Use AWS managed policies as starting points, then restrict
Real story: Found an intern with AdministratorAccess in production. Nobody knew how long they'd had it.
Regular access reviews (A.9.2.5)
Quarterly IAM access review reports
Automated alerts for unused credentials (90+ days)
I built a Lambda function that emails managers monthly with their team's access rights
Service accounts rotation (A.9.3.1)
Maximum 90-day validity for API keys
Use temporary credentials (STS) wherever possible
War story: Discovered a service account from 2014 still active with full database access
Cryptography Controls (A.10 Controls)
My Cloud Encryption Checklist:
✓ S3 buckets: Default encryption enabled (AES-256 or KMS)
✓ RDS databases: Encryption at rest enabled
✓ EBS volumes: Encryption enabled by default
✓ Application Load Balancers: HTTPS listeners only
✓ CloudFront: TLS 1.2+ minimum
✓ Secrets Manager: For password and API key storage
✓ KMS: Customer-managed keys for sensitive data
✓ Certificate Manager: Automated certificate renewal
I once audited a company that thought they were "encrypted everywhere." They had S3 default encryption enabled... but 40% of their buckets were created before they set the default. Those buckets were completely unencrypted.
Operations Security (A.12 Controls)
This is where cloud really shines. Here's my standard operations setup:
Monitoring and Alerting:
CloudWatch alarms for security events
GuardDuty for threat detection
Security Hub for centralized findings
SNS for alert routing
Lambda for automated remediation
I helped a fintech company detect and block a credential stuffing attack within 4 minutes using this setup. Before cloud, they wouldn't have known about it for days.
Change Management:
All infrastructure as code (Terraform or CloudFormation)
No manual console changes in production (enforced via AWS Config)
Automated compliance checking before deployment
Rollback capabilities built into every change
Phase 4: Documentation (Ongoing)
Here's the documentation I maintain for cloud ISO 27001 compliance:
Document | Purpose | Update Frequency | Cloud-Specific Considerations |
|---|---|---|---|
Statement of Applicability | Which controls apply | Annual or when scope changes | Must address shared responsibility model |
Risk Assessment | Identify and evaluate risks | Annual minimum | Include cloud-specific risks (account hijacking, misconfiguration) |
Network Diagrams | Visual representation of architecture | After significant changes | Show VPCs, subnets, connectivity, data flows |
Data Flow Diagrams | How information moves | After significant changes | Include all AWS services, not just compute |
Access Control Matrix | Who can access what | Quarterly review | Include both human and service accounts |
Encryption Register | What's encrypted and how | Quarterly review | Document encryption keys, rotation schedules |
Asset Inventory | All resources in scope | Real-time (automated) | Use AWS Config, Resource Groups, or third-party tools |
Backup and Recovery Procedures | DR capabilities | Semi-annual testing | Include RTO/RPO for cloud services |
The Multi-Cloud Compliance Challenge
Let me address the elephant in the room: most organizations aren't single-cloud anymore.
I'm currently working with a company using:
AWS for core application infrastructure
Azure for Microsoft 365 and Azure AD
Google Cloud for data analytics
Cloudflare for CDN and DDoS protection
MongoDB Atlas for databases
Auth0 for authentication
Each requires different controls, different evidence, different documentation.
My Multi-Cloud Control Approach
Control Area | Unified Approach | Platform-Specific Implementation |
|---|---|---|
Identity Management | Single source of truth (Azure AD or Okta) | Platform-specific role mappings |
Encryption | Consistent encryption standards | Platform-specific key management |
Logging | Central SIEM (Splunk, Datadog, Elastic) | Platform-specific log forwarding |
Network Security | Zero-trust architecture principles | Platform-specific network controls |
Compliance Monitoring | Unified dashboard (Prisma Cloud, etc.) | Platform-specific compliance tools |
"Multi-cloud isn't a choice anymore—it's a reality. Your compliance framework needs to be cloud-agnostic while your controls are cloud-native."
Common Pitfalls I've Seen (And How to Avoid Them)
Let me share the mistakes that keep appearing across different organizations:
Pitfall #1: The "Lift and Shift" Disaster
The Mistake: A company migrated their on-premises VMs to EC2 instances with zero architectural changes. They thought this was "cloud migration."
The Problem: They brought all their security problems to the cloud:
Unpatched operating systems (still their responsibility)
Legacy applications with hardcoded credentials
No auto-scaling (manual capacity management)
No cloud-native monitoring
The Fix: Rearchitect for cloud. Use managed services. Embrace cloud-native security.
Pitfall #2: The Shadow Cloud
The Mistake: Only the central IT team's AWS account was in scope for ISO 27001. Different departments had their own accounts with customer data, completely unmanaged.
The Reality Check: During an audit, we discovered:
Marketing had an AWS account for campaign analytics (customer emails stored in S3)
Sales had a Google Cloud project for lead scoring (customer data in BigQuery)
Product team had an Azure subscription for prototyping (production database copy for testing)
None were in scope. All contained sensitive data. Massive gap.
The Fix: Implement AWS Organizations with Service Control Policies. Mandate that all cloud usage flows through central security team.
Pitfall #3: Over-Privileged Service Accounts
The Mistake: Developers were given PowerUser or AdministratorAccess because "it's easier than figuring out what they actually need."
The Consequences I've Witnessed:
A compromised developer laptop led to full AWS account compromise
An intern accidentally deleted production databases (had delete permissions)
A contractor maintained access 8 months after contract ended
The Fix:
Start with zero permissions
Add permissions based on actual requirements
Use AWS IAM Access Analyzer to identify unused permissions
Review and remove permissions quarterly
Pitfall #4: Incomplete Logging
The Mistake: CloudTrail was enabled, but:
Log file validation was disabled (logs could be modified)
Multi-region logging was off (missed activity in other regions)
Logs were in the same account (could be deleted by attacker)
No log analysis or monitoring (logs existed but nobody looked at them)
The Audit Fail: Auditor asks: "Show me evidence that privileged actions are monitored." Client: "We have CloudTrail enabled." Auditor: "Show me an alert from the last quarter where suspicious activity was detected." Client: "We don't actually monitor the logs..."
The Fix: Implement complete logging architecture:
CloudTrail to dedicated logging account
GuardDuty for automated threat detection
Security Hub for centralized alerts
Automated response for critical findings
The Cloud-Native Security Controls I Swear By
After implementing dozens of cloud ISO 27001 programs