GASP: AICF


VND-004 Cloud Service Provider Security Management

Tier 2+

Description

A documented process governs the selection, security assessment, configuration, monitoring, and exit from cloud service providers (IaaS, PaaS, SaaS). Shared responsibility boundaries are documented. CSP security configurations are reviewed against organisational baseline standards. Exit provisions and data portability requirements are addressed contractually.

Rationale

Cloud providers underpin most SaaS architectures, but confusion over the shared responsibility model is a leading cause of cloud misconfiguration breaches. Explicit CSP management is required where cloud services are the primary infrastructure.

Framework Mappings (5)

IPY-04: Data Portability Contractual Obligations (partial)
STA-11: Primary Service and Contractual Agreement (partial)
5.23: Information security for use of cloud services (full)
SR-2: Supply Chain Risk Management Plan (partial)
GOVERN 6.1: Third-Party AI Risk Policies (partial)

Evidence (2)

Type: policy (manual)

Cloud service provider management policy documenting selection criteria, shared responsibility documentation requirements, configuration baseline standards, and exit procedures.

Example: Cloud Security Policy (Confluence), approved by CISO, defining: CSP due diligence requirements, mandatory shared responsibility matrix, minimum security configuration baselines (e.g. CIS Benchmarks), contractual data portability requirements, and exit planning obligations

Test: Request the cloud security or CSP management policy. Verify: (1) mandates completion of a shared responsibility matrix for each CSP, (2) references a baseline security configuration standard (e.g. CIS Benchmarks for AWS/GCP/Azure), (3) requires contractual data portability terms, (4) includes exit planning requirements, (5) approved within 24 months.

Type: record (manual)

Completed shared responsibility matrix for the primary cloud provider documenting which controls are CSP-managed, organisation-managed, or shared.

Example: Shared Responsibility Matrix (Confluence / spreadsheet) for the primary CSP (e.g. AWS, GCP, Azure) — mapping each control domain to CSP / Organisation / Shared responsibility, with references to CSP documentation confirming CSP-owned controls and internal evidence for organisation-owned controls

Test: Request the shared responsibility matrix for the primary CSP. Verify: (1) covers all major control domains (physical security, network, platform, identity, data, application), (2) organisation-owned controls have corresponding evidence artefacts referenced, (3) matrix has been reviewed within 12 months, (4) reviewed and approved by the CISO or equivalent.

Questions (2)

Type: boolean

Does your organisation have a documented process for selecting, configuring, monitoring and exiting cloud service providers, including a documented shared responsibility matrix?

The process should include security baseline configuration standards (e.g. CIS Benchmarks), documented shared responsibility boundaries, and contractual data portability and exit provisions. Misconfiguration of cloud services is a leading cause of security incidents.

Type: multi

Which elements of cloud service provider security management are formally documented in your organisation?

- Shared responsibility matrix for the primary CSP
- Baseline security configuration standard referencing the CSP (e.g. CIS Benchmarks for AWS, GCP, Azure)
- Regular review of CSP configurations against the baseline
- Contractual data portability and exit provisions
- CSP exit planning and data migration procedure
- None of the above are formally documented

A shared responsibility matrix and documented configuration baseline are the minimum expected artefacts. Exit planning is critical to ensure data can be recovered or migrated if the CSP relationship ends.