Perform independent audit and assurance assessments according to risk-based plans and policies.
Independent audit and assurance assessments should be based on risk-based plans that define audit objectives, scope, resources, timeline and deliverables, documentation and reporting requirements, use of relevant technology and data analysis techniques, costs, communication, and escalation protocols. Both cloud service providers (CSPs) and cloud service customers (CSCs) may take guidance from industry standards such as the Committee of Sponsoring Organizations (COSO) framework or the International Organization for Standardization (ISO) 31000 standard for risk management and risk-based planning.
- Examine the process for determining the risks applicable to the organization's systems and environments.
- Determine if a list of such risks is maintained and reviewed.
- Determine if senior management exercises oversight over the applicable risks.
- Determine if the audit plan is risk-based and is scheduled on an annual basis.
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.