ISO 27001:2022 Has Changed the Cloud Conversation. Here’s What It Means for You.

March 6, 2026

Written By:

Rob Stevenson

Founder

If your organisation is working towards ISO 27001:2022 certification, or preparing for surveillance or re-certification, there is one update you cannot afford to overlook.

Cloud is now explicitly in scope.

Under the 2022 revision, ISO 27001 clarifies that cloud services are part of your Information Security Management System. This is not implied. It is specified. And it specifically requires that these services are appropriately backed up.

For many UK organisations, this is where a gap starts to appear.

What Has Changed in ISO 27001:2022?

The 2022 update places greater emphasis on modern IT environments. Most businesses now operate across SaaS, IaaS, PaaS, and hybrid infrastructure. ISO 27001 has evolved to reflect that reality.

Two controls are particularly important.

Control 5.23 – Information security for use of cloud services

Control 5.23 requires organisations to ensure appropriate information security when using cloud services. This includes governance, risk management, contractual considerations, and technical controls.

Crucially, it reinforces shared responsibility. Just because your data lives in Microsoft or Google’s infrastructure does not mean it is automatically protected to the level your ISO scope requires.

If you use services such as:

  • Microsoft 365, Dynamics, or Entra ID
  • Google Workspace
  • Salesforce
  • GitHub, GitLab, or Jira
  • Trello, Notion, Monday.com, or Asana

they are now firmly within the scope of your ISMS.

Auditors are increasingly asking a direct question: How are you protecting and backing up data on these platforms?

Control 8.13 – Information backup

Control 8.13 states:

“Backup copies of information, software, and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.”

This applies to:

  • On-premises systems
  • SaaS platforms
  • IaaS and PaaS environments
  • Hybrid infrastructure

Importantly, it includes data from cloud-based platforms that the organisation does not directly manage.

This is where many businesses are exposed.

The Common Misunderstanding

We regularly speak to IT managers, compliance leads, and managed service providers who assume their SaaS provider is “handling the backups”.

The reality is more nuanced.

Most SaaS platforms focus on platform availability, not comprehensive, point-in-time, customer-controlled backups. They protect their infrastructure. They do not necessarily protect you from:

  • Accidental deletion
  • Malicious insider activity
  • Ransomware affecting synced environments
  • Data corruption
  • Retention policy misconfiguration
  • Permanent deletion after the recycle bin expiry
  • Physical threats that damage a data centre (for example, Iran attacking the AWS data centre in Qatar)

For ISO 27001:2022, that distinction matters.

If you cannot demonstrate defined backup policies, retention periods, regular testing, and recovery capability across your cloud estate, you may struggle to evidence compliance with Control 8.13.

What Auditors Are Now Looking For

From our experience supporting UK organisations, auditors increasingly expect to see:

  • A documented backup policy covering cloud services
  • Evidence that SaaS platforms are included in scope
  • Defined retention periods aligned to business and regulatory requirements
  • Regular backup testing and documented restore exercises
  • Clear accountability within the shared responsibility model

Simply stating “Microsoft backs it up” is no longer sufficient.

You must demonstrate control.

Why This Matters for UK Businesses

Whether you operate in professional services, financial services, legal, healthcare, or the public sector, ISO 27001 certification is often a commercial requirement.

Losing certification or failing an audit can affect:

  • Client trust
  • Tender eligibility
  • Regulatory posture
  • Cyber insurance alignment

More importantly, a real-world data loss event in Microsoft 365 or another SaaS platform can halt operations just as quickly as an on-premises server failure.

Cloud has changed the infrastructure. It has not removed the risk.

How BackupVault Supports ISO 27001:2022 Compliance

At BackupVault, we work specifically with UK organisations that need secure, policy-driven backup aligned with compliance frameworks.

Our approach is built around three principles.

1. Cloud data must be treated as business-critical

Microsoft 365, Google Workspace, and other SaaS platforms contain core operational data. Email, SharePoint, Teams, OneDrive, CRM records, development repositories, project management data, and source code and other intellectual property are all business assets.

They should be protected accordingly.

2. Backup must be independent and recoverable

A compliant backup strategy means:

  • Independent storage
  • Granular recovery options
  • Defined retention
  • Regular testing

If you cannot restore it reliably, it is not a backup.

3. Compliance must be demonstrable

We help organisations evidence:

  • Documented backup configurations
  • Clear retention policies
  • Audit-ready reporting
  • Recovery testing

This supports Control 8.13 directly and strengthens your position under Control 5.23.

A Practical Next Step

If you are preparing for certification or an upcoming audit, ask yourself:

  • Are all cloud services formally included in scope?
  • Do we have defined backup policies for SaaS platforms?
  • Have we tested restores in the last 12 months?
  • Can we evidence this clearly and confidently to an auditor?

If any of those answers are unclear, it is time to review your approach.

At BackupVault, we do not believe backup should be reactive, improvised, or a tick-box exercise. It should be structured, secure, and demonstrably aligned to recognised standards such as ISO 27001:2022.

We work with UK organisations to implement independent, policy-driven cloud backup that stands up to scrutiny. That means clear retention, reliable recovery, documented testing, and reporting that makes audits straightforward rather than stressful.

If you would like a clear view of whether your current cloud backup strategy aligns with Controls 5.23 and 8.13, speak to our team.

We will review your environment, identify any compliance gaps, and provide practical recommendations that strengthen both your resilience and your audit position.

ISO 27001:2022 has raised the bar for cloud security. BackupVault helps you meet it with confidence.