STA-01: SSRM Policy and Procedures

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.

Implementation Guidance

Cloud service implementations involve a shared security responsibility model (SSRM) between the cloud service provider (CSP) and the cloud service customer (CSC). Although the specific split of responsibilities varies from service to service (e.g., depending on the cloud service model and the particular implementation), both CSPs and CSCs should have organizational policies and procedures that delineate how the SSRM is to be documented, implemented, managed, communicated, enforced, and audited.

Auditing Guidance

  1. Examine policy for adequacy, approval, communication, currency, and effectiveness.
  2. Examine policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.