Documentation of the responsibility for organizing CSA CCM controls for provided digital service

In its internal auditing procedures and in conducting internal audits, the organization shall take into account that, with respect to the digital services provided, the audits seek to assess the implementation of security responsibilities from a supply chain perspective. If necessary, the audit must also take into account e.g. customer service level promises.

The organization shall ensure that, in its provision / use of cloud services, it meets the areas of shared responsibility for which it is responsible for each service / system.

When providing digital services to customers as a cloud service, the responsibility for the safe use of the service lies with both the service provider and the customer. For example, the service provider may be responsible for the technical security of the service, but the customer is responsible for managing access and instructing the correct use of the service.

For each digital service provided, the organization must review the CSA CCM controls and document who is responsible for implementing each control. Relevant responsibility choices include:

• service provider is fully responsible
• customer is fully responsible
• service provider is responsible, but has outsourced the implementation
• responsibility is shared between the service provider and customer
• shared implementation between the service provider and the third party, but the service provider is responsible

In addition, based on the choice of responsibilities, the service provider must describe either:

• how the service provider has implemented the control
• which part of the control is the customer's responsibility
• why the control is not suitable

To accomplish this, use Cyberday's CSA CCM Compliance Report (to illustrate implementation) and the Consensus Assessments Initiative Questionnaire (CAIQ) template provided by CSA.

The organization must inform and guide the customer using the digital service about the distribution of security responsibilities between the various organizations in the supply chain.

When providing digital services to customers as a cloud service, the responsibility for the secure use of the service lies with both the service provider and the customer. For example, the service provider may be responsible for the technical security of the service, but the customer is responsible for managing access and instructing the proper use of the service.

The organization must define how the implementation of the "Shared Security Responsibility Model" (SSRM) for the digital services provided will be implemented. Content related to the Shared Security model must be reviewed at least annually.

The organization must review and verify Shared Security Responsibility Model (SSRM) documentation with critical systems used by the organization. System supplier must review issues that come up.