CCMv4.0 Auditing Guidelines
Purpose and Scope of AGs
The document contains a set of auditing guidelines that are tailored to the control specifications for each of the 17 cloud security domains of the Cloud Controls Matrix version 4 (CCMv4.0). The guidelines represent a new component for CCMv4.0 and did not exist previously in CCMv3.0.1. The Auditing Guidelines (AGs) are intended to facilitate and guide a CCM audit. To achieve that, auditors are provided with a set of assessment guidelines per CCMv4.0 control specification, with the objective of improving the controls' auditability and helping organizations meet compliance more efficiently (whether by conducting internal or external third-party cloud security audits). The auditing guidelines are neither exhaustive nor prescriptive in nature, but rather represent a generic guide in the form of recommendations for assessment. Auditors will need to customize the descriptions, procedures, risks, controls and documentation, and tailor these to the audit work programs for the organization and service(s) in scope of the assessment, in order to address the specific objectives of an audit.

Relevance to the CCAK
The CCMv4.0 Auditing Guidelines found in this document constitute a future extension to the work that appears in the CCAK guide, in its Chapter 7: CCM Auditing Guidelines, and specifically in subsection 7.5: CCM Audit Workbook. CCAK section 7.5 presents the CCM Audit Workbook, that is, a baseline audit template that auditors may wish to adopt in order to facilitate and guide a CCM audit. A major step (among others) when filling out the workbook is for auditors to document how they will test whether the organization meets a given CCM control (that is, to develop an audit test plan per CCM control). With the CCMv4.0 Auditing Guidelines, the CCM WG has taken that Workbook template and applied it to CCMv4.0, developing auditing guidelines that correspond to such a test plan for each and every CCMv4.0 domain and underlying control specification. To summarize, we took the audit workbook template and, based on it, developed auditing guidelines for all CCMv4.0 controls, something that is currently missing from the CCAK and that significantly extends the relevant section.

Peer Review Objective
The objective of the peer review is to collect feedback from auditing firms, auditors and cloud security professionals that will help CSA to refine and improve the guidelines.

