ISO 27001 Cloud Migration Checklist for UK Businesses

Understanding ISO 27001 Requirements in the Cloud

ISO 27001 does not change when you move to the cloud. The same 114 controls from Annex A still apply. The difference is that responsibility for implementing some of those controls now splits between you and your cloud provider. Physical security of data centres becomes the provider's problem, but access management, data classification, and incident response remain firmly yours.

Before any migration activity, map your existing ISMS scope to the new cloud environment. Identify which controls you will inherit from the provider (for example, physical and environmental security) and which you must implement yourself. This shared responsibility model is the foundation of any ISO 27001 cloud migration checklist. Without it, you risk leaving gaps that will fail an external audit.

Pre-Migration Risk Assessment and Gap Analysis

Start with a full risk assessment of the target cloud platform and the services you plan to use. IaaS, PaaS, and SaaS each carry different risk profiles. For UK regulated industries, data classification and data residency are critical. You must ensure that your chosen cloud region meets UK GDPR requirements for personal data. The Information Commissioner's Office expects you to know where your data lives and to have documented justification for cross-border transfers.

Compare your current ISMS with the cloud provider's shared responsibility matrix. The gaps you find will form your risk treatment plan. Common gaps include: lack of cloud-specific asset inventory, missing encryption for data at rest in cloud storage, and inadequate third-party vendor management procedures. Our ISO 27001 implementation service can help you close these gaps before you move a single workload.

Vendor Security Assessment and Due Diligence

You cannot outsource legal responsibility for your data, so due diligence on your cloud provider is essential. Review the provider's SOC 2 Type II report, their own ISO 27001 certificate, and any other relevant certifications (CSA STAR, PCI DSS if applicable). Request their shared responsibility matrix and confirm it covers all your control objectives.

For UK businesses, data sovereignty is a key concern. AWS London, Azure UK South, and GCP London operate within UK jurisdiction. Check that the provider offers data residency controls that match your requirements. Document your due diligence as part of the ISMS supplier management process. A thorough vendor assessment is a standard part of any ISO 27001 cloud migration checklist for UK regulated organisations.

Access Control and Identity Management

The cloud introduces new access vectors: console, API, CLI, and third-party integrations. Your ISO 27001 control A.9 (Access Control) must extend to each one. Implement least-privilege access using IAM roles and policies. Never use the root account for day-to-day operations. Enable multi-factor authentication (MFA) for all cloud console and API access. This is non-negotiable.

Centralise identity management by integrating single sign-on (SSO) with your existing identity provider (Azure AD, Okta, or Ping). This gives you a single point for provisioning, de-provisioning, and access reviews. Combine with privileged access management (PAM) for elevated roles. For deeper guidance on cloud security controls, read our cloud security hardening service description.

Data Encryption and Key Management

Encrypt data at rest and in transit. All major cloud providers offer native encryption with customer-managed keys (CMK) or cloud-managed keys. For most UK regulated environments, we recommend using a cloud key management service (KMS) with your own key material, stored in a hardware security module (HSM) if your risk assessment demands it.

Define key rotation policies and enable access logging for every use of your keys. Do not forget backup encryption. Cross-region replication for disaster recovery must also be encrypted, and your key management policy must cover the second region. The ISO 27001 cloud migration checklist must include a full encryption inventory covering all data flows, databases, object storage, and virtual machine disks.

Continuous Monitoring and Incident Response

Your on-premise incident detection capabilities do not automatically extend to the cloud. Set up cloud-native logging (AWS CloudTrail, Azure Monitor, GCP Cloud Logging) and centralise those logs in a SIEM tool. Define detection rules for cloud-specific scenarios: anonymous bucket access, unusual API calls, cryptojacking activity, or credential misuse.
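The detection rules listed above can be expressed directly as logic over the log records the provider emits. The following is an added example, not code from the original article: it runs a small rule set over constructed CloudTrail-style events (the field names `userIdentity.type`, `additionalEventData.MFAUsed`, `userIdentity.accessKeyId` and `errorCode` follow the real record format; every ID, user name, bucket name and IP address is made up). The sensitive-API list and the `AccessDenied` threshold are assumptions to be tuned against your own baseline, and the anonymous-access check assumes the `accountId` value `anonymous` that CloudTrail uses for unauthenticated S3 requests.

```python
"""Detection rules over CloudTrail-style events (added example, constructed data)."""
from collections import defaultdict

# Constructed sample events modelled on the CloudTrail JSON record format.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.11"},
    {"eventID": "e3", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.12"},
    {"eventID": "e4", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AWSAccount", "accountId": "anonymous"},
     "requestParameters": {"bucketName": "finance-exports"},
     "sourceIPAddress": "198.51.100.5"},
    {"eventID": "e5", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY00001"},
     "sourceIPAddress": "203.0.113.20"},
]
# Three AccessDenied errors from the same access key: the shape of credential
# misuse or permission enumeration (constructed).
for i in range(3):
    SAMPLE_EVENTS.append({
        "eventID": f"e{6 + i}", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "ci-runner",
                         "accessKeyId": "AKIAEXAMPLEKEY00002"},
        "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.30"})

# API calls that weaken logging or key availability (assumed list; extend for your estate).
SENSITIVE_API_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs", "DisableKey"}
ACCESS_DENIED_THRESHOLD = 3  # constructed threshold; tune to your own baseline


def detect(events):
    """Return (rule, subject) findings; subject is an eventID, or an access key
    for the aggregated repeated_access_denied rule."""
    findings = []
    denied_by_key = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName")
        # Console login that bypassed MFA contradicts the "MFA for all" control.
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", ev["eventID"]))
        # Any root-account activity is a policy breach for day-to-day operations.
        if ident.get("type") == "Root":
            findings.append(("root_account_usage", ev["eventID"]))
        # Unauthenticated S3 request means a bucket is reachable anonymously.
        if ev.get("eventSource") == "s3.amazonaws.com" and ident.get("accountId") == "anonymous":
            findings.append(("anonymous_bucket_access", ev["eventID"]))
        # Calls that turn off or alter audit logging.
        if name in SENSITIVE_API_CALLS:
            findings.append(("sensitive_api_call", ev["eventID"]))
        # Collect AccessDenied errors per key for the threshold rule below.
        if ev.get("errorCode") == "AccessDenied" and ident.get("accessKeyId"):
            denied_by_key[ident["accessKeyId"]].append(ev["eventID"])
    for key, ids in denied_by_key.items():
        if len(ids) >= ACCESS_DENIED_THRESHOLD:
            findings.append(("repeated_access_denied", key))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {subject}")
```

In a SIEM each rule becomes one saved search or analytic; the point of keeping them as plain predicates here is that the same logic can be unit-tested against recorded events before it is deployed, which is also the evidence an auditor accepts that the detection control exists and works.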

Incident response playbooks must be updated for cloud environments. For example, if a storage bucket is compromised, do you isolate the bucket or copy the data first? Document these steps. Schedule periodic penetration testing and vulnerability scanning of your cloud infrastructure. Be aware that penetration testing in shared cloud environments has specific rules; you may need pre-approval from the provider.

Post-Migration ISMS Update and Audit

Once migration is complete, update your Statement of Applicability (SoA) to reflect the new cloud controls and the controls you inherit from the provider. Document all changes in your risk treatment plan. Every new service, API, or data store must be captured.

Run an internal audit of the cloud environment before your next external surveillance audit. Check that your evidence aligns with the SoA. For example, if you claim to have MFA enabled for all console users, verify that no exceptions exist. If you claim encryption at rest, confirm it is active on every volume. This post-migration audit is the final step in any rigorous ISO 27001 cloud migration checklist, and it is where we see most organisations slip. Our cloud build and architecture service can help you design an environment that stays compliant from day one.
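The two evidence checks named above (no exceptions to MFA for console users, encryption at rest on every volume) are exactly the kind of test worth scripting so the internal audit repeats the same way every time; this also covers the access-control requirements set out earlier in the article. The following is an added example, not code from the original article or any provider's tooling. It reads a constructed excerpt of an IAM credential report (the real report has many more columns; `password_enabled` and `mfa_active` are real column names, and the root row really reports `not_supported` for its password) and a constructed volume inventory in the shape of an EBS `describe_volumes` response. The key ARNs, volume IDs and user names are placeholders, and the approved-CMK set is an assumption standing in for your own key inventory.

```python
"""Post-migration SoA evidence checks (added example, constructed inventory data)."""
import csv
import io

# Constructed excerpt of an IAM credential report (three of its columns).
CREDENTIAL_REPORT_CSV = """user,password_enabled,mfa_active
<root_account>,not_supported,true
alice,true,true
bob,true,false
deploy-svc,false,false
"""

# Constructed volume inventory in the shape of an EBS describe_volumes response.
# Placeholder ARNs: the third volume uses a key outside the approved CMK set.
VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-2:111122223333:key/cmk-placeholder-1"},
    {"VolumeId": "vol-0b2", "Encrypted": False, "KmsKeyId": None},
    {"VolumeId": "vol-0c3", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-2:111122223333:key/other-key-placeholder"},
]
# Assumed set of customer-managed keys that the key management policy approves.
APPROVED_CMKS = {"arn:aws:kms:eu-west-2:111122223333:key/cmk-placeholder-1"}


def mfa_exceptions(report_csv):
    """Users who can log in to the console with a password but have no MFA device.
    Service users with no password are out of scope; the root account reports
    'not_supported' for password_enabled and is checked separately."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def encryption_exceptions(volumes, approved_keys=None):
    """Volumes that are unencrypted or, when approved_keys is given, encrypted
    with a key outside the approved customer-managed set."""
    findings = []
    for v in volumes:
        if not v.get("Encrypted"):
            findings.append((v["VolumeId"], "unencrypted"))
        elif approved_keys is not None and v.get("KmsKeyId") not in approved_keys:
            findings.append((v["VolumeId"], "key_not_in_approved_cmk_set"))
    return findings


def soa_evidence_check(report_csv, volumes, approved_keys=None):
    """Map each SoA claim to (claim_holds, exceptions) so the audit record shows
    both the verdict and the evidence behind it."""
    mfa = mfa_exceptions(report_csv)
    enc = encryption_exceptions(volumes, approved_keys)
    return {
        "mfa_for_all_console_users": (not mfa, mfa),
        "encryption_at_rest_on_every_volume": (not enc, enc),
    }


if __name__ == "__main__":
    for claim, (holds, exceptions) in soa_evidence_check(
            CREDENTIAL_REPORT_CSV, VOLUMES, APPROVED_CMKS).items():
        print(f"{claim}: {'PASS' if holds else 'FAIL'} {exceptions}")
```

Feed the script the real credential report and the real volume listing from each region in scope (including the disaster-recovery region the encryption section calls out) and keep the output with the internal audit working papers; a claim that fails here is one to fix before the surveillance visit rather than explain during it.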

Frequently asked questions

What is an ISO 27001 cloud migration checklist?

It is a structured list of tasks and controls you must address when migrating business systems to the cloud while maintaining ISO 27001 certification. The checklist covers pre-migration risk assessment, vendor due diligence, access control, encryption, monitoring, and post-migration ISMS updates.

How does ISO 27001 apply to cloud migration?

ISO 27001's 114 controls apply whether your systems are on-premise or in the cloud. During migration, you must re-map those controls to the shared responsibility model, update your risk assessment, and ensure that the cloud provider's controls cover your obligations.

Which cloud providers are ISO 27001 certified?

AWS, Microsoft Azure, and Google Cloud all hold ISO 27001 certification for their core infrastructure services. Smaller providers may also be certified. Always check the scope of the certificate: it should cover the specific services and regions you intend to use.

Do I need to re-certify ISO 27001 after cloud migration?

No, you do not need to re-certify. Your existing certification remains valid, provided you update your ISMS to reflect the new cloud environment and can show the auditor that your controls are still effective. Plan an internal audit before your next surveillance visit.

How do I manage data residency for ISO 27001 in the cloud?

Choose a cloud region that physically hosts your data within the UK or in a jurisdiction that your risk assessment approves. Use data classification tags and cloud provider tools (geofencing, region-specific buckets) to enforce residency. Document your residency decisions as part of the risk treatment plan.

---

Moving to the cloud while holding ISO 27001 certification is a detailed process, but it is manageable with the right plan. If your team needs support with any step of the migration, from pre-migration gap analysis to post-migration audit, talk to us. Our engineers work on fixed price contracts, and we know the UK regulatory environment inside out. Contact our team to discuss your project.

For further reading on UK-specific cloud compliance, see our guide on the NHS cloud migration framework.