CCM Compliance Audits for Cloud Service Providers (CSPs)
Whereas Secura's CBC assessment services focus on directly helping customers of cloud service providers, Secura also assists Cloud Service Providers (CSPs) in providing assurance and guidance to their customers. While the large vendors have already earned the trust of their industries and markets, smaller vendors and CSPs that offer cloud-based SaaS and PaaS services are frequently asked by their customers to demonstrate that they are in control of data security.
An ISO 27001 certification is of course a good starting point, but it does not cover cloud-specific controls and compliance aspects. For this reason there is an extension to the ISO 27002 control set specifically for cloud services (ISO 27017), as well as an extension for the protection of personally identifiable information (PII) in the cloud (ISO 27018).
Furthermore, the Cloud Security Alliance (CSA) specifically developed the Cloud Controls Matrix (CCM) framework as a stand-alone framework addressing a full gamut of controls with regards to cloud security.
Although the CCM is positioned to be used by cloud consumers, it is clear from the framework that a significant number of its controls cannot be directly verified by the consumer, since they concern the internal operation of the CSP. What is needed instead is for an independent auditor to audit the CSP against the framework, for instance under the International Standard on Assurance Engagements 3000 (ISAE 3000). The resulting assurance report enables the CSP to demonstrate to (prospective) customers that an independent auditor has verified its adherence to the CCM.
Secura provides such ISAE 3000 assurance audits for CSPs and their customers. Our certified and registered IT auditors (Register EDP-auditors, RE in Dutch) are qualified for this work, and Secura's audit process is efficient and modern, supported by a range of tools and fully compliant with current audit standards. What is more, our auditors can draw on the knowledge and experience of the technical experts who perform cloud security assessments for our customers.