Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

Working Group

Enterprise Authority to Operate (EATO)

This working group’s mission is to achieve and maintain certification for small and mid-sized vendors and service providers to be accepted by larger corporate clients.
Enterprise Authority to Operate Working Group Charter 2023
Enterprise Authority to Operate Working Group Charter 2023


Enterprise Authority to Operate (EATO)
Enterprise Authority to Operate (EATO) targets risks inherent in Anything as a Service (XaaS) products, underlying cloud based infrastructure or platforms, information security and privacy, and the topics of Business Continuity, Data Retention, Archiving, and vendor/service provider controls and risks.

The EATO Working Group defines and sets auditing requirements and minimum standards required to be achieved to pass the EATO assessment and certification. The EATO Working Group defines requirements towards consultancy companies to support small and mid-sized vendors/service providers, with the aim of enabling them to derive architectures and designs compliant with the EATO certification schemes.

What do we discuss?

The objective of the program will be to harmonize with existing third-party certifications and audit standards to avoid duplication of effort and cost.
The EATO Working Group will define the control and assessment framework, assessment guidance and auditing principles and requirements.

The EATO is based on the technical best practices and control frameworks defined within relevant CSA’s Working Groups, such as for instance the Cloud Control Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), the Level Agreement research initiatives, as well as the IoT Control Framework.

Working Group Leadership

Rolf Becker
Rolf Becker

Rolf Becker

Co-Founder and Chair at UBS

Rolf A. Becker is Head Service Control Governance at UBS, globally responsible for Cloud Governance regarding Risk and Control over the UBS Group Cloud adoption and for outsourcing to external cloud-based 3rd party services. Previous roles have been the management of the Cyber and Information Security Portfolio reporting to the UBS CISO at a global level, and the management of the Client Data Confidentiality Program Unstructured Data Protec...

Read more

Working Group Co-Chairs

Sébastien Contreras
Sébastien Contreras

Sébastien Contreras

Sébastien Contreras is responsible for Pictet Group Outsourcing Framework, as well as for Cloud Security Governance. Prior to that, he was responsible for Group Confidentiality & Information Management at Tetra Laval Group and for Information Security Strategy & Architecture at Merck and Merck Serono.

20 years of experience in Information Security across highly regulated industries such as Banking, Pharmaceutical & BioTech, Manufactur...

Read more

Publications in ReviewOpen Until
Guidelines for Auditing AIJul 31, 2024
Data Privacy Engineering Working Group Charter 2024Aug 08, 2024
Using Asymmetric Cryptography to Help Achieve Zero Trust ObjectivesAug 12, 2024
View all
Who can join?

Anyone can join a working group, whether you have years of experience or want to just participate as a fly on the wall.

What is the time commitment?

The time commitment for this group varies depending on the project. You can spend a 15 minutes helping review a publication that's nearly finished or help author a publication from start to finish.

Open Peer Reviews

Peer reviews allow security professionals from around the world to provide feedback on CSA research before it is published.

Learn how to participate in a peer review here.

Guidelines for Auditing AI

Open Until: 07/31/2024

Guidelines for Auditing AI presents a comprehensive framework for auditing AI systems, emphasizing the need for tr...

Data Privacy Engineering Working Group Charter 2024

Open Until: 08/08/2024

The Data Privacy Engineering Working Group (DPE WG) is chartered with the mission to integrate privacy-centric methodologie...

Using Asymmetric Cryptography to Help Achieve Zero Trust Objectives

Open Until: 08/12/2024

This paper investigates the convergence of asymmetric cryptography and Zero Trust architecture, exploring the utilization o...