Cloud Usage Policy - SME

The P27S Cloud Usage Policy establishes comprehensive yet practical requirements for managing cloud services in small and medium enterprise (SME) environments. Recognizing that SMEs often lack full-scale IT departments, this policy is designed with clear and streamlined responsibilities, such as assigning key decisions to the General Manager and IT provider or technical support, rather than specialized CISO or SOC roles, while still ensuring strong alignment with ISO/IEC 27001:2022, GDPR, NIS2, and DORA frameworks. The policy applies to all cloud-based services, whether free or paid, covering common business applications like document sharing platforms, SaaS tools, video conferencing, email, backup, and customer platforms. Anyone accessing company data, even via mobile or tablet, must follow these rules, which insist on prior approval for all cloud services and outright prohibit the use of personal cloud accounts for business data, preventing the risks of shadow IT. A clearly defined Cloud Service Register must be maintained to track every authorized platform, responsible individual, location of data, access permissions, and support information. Security controls are mandatory: all cloud platforms must enforce multi-factor authentication (MFA) for users and administrators; use strong, complex passwords; provide activity logging and access restriction (such as IP allow-listing where available); and have regular reviews of shared content. Any violation, such as forgotten user disablement or public sharing of sensitive data, is classified as a security incident and is subject to corrective action, including revocation of access, user retraining, or, if necessary, legal response. The policy sets strict requirements for data retention and backup, instructing that business-critical or regulated data must be regularly backed up, retained to satisfy legal or customer obligations, and export capability from cloud platforms should be confirmed to avoid vendor lock-in. Contracts for paid cloud services must specify data protection, breach notifications, data ownership, and defined escalation. Compliance is monitored with at least twice-annual checks on access, password, and admin status, and all policy exceptions must be formally justified and approved by the General Manager, with compensating measures and deadlines for resolution. Review and continuous improvement are embedded: the policy requires an annual review, as well as updates after incidents, introduction of new platforms, or regulatory changes. Archived records are retained securely as per the data retention policy, ensuring all cloud activity is auditable for internal and external (including ISO) requirements. With its focused scope, this policy provides SMEs with a robust but manageable structure for governing cloud usage, enabling regulatory compliance, risk management, and operational continuity.