STA-02: SSRM Supply Chain

Control is new to this version of the control set.

Control Statement

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.

Implementation Guidance

The SSRM must explicitly detail each specific service based on the cloud service model and implementation specifics. Accordingly, each party in the supply chain must document, implement and manage its SSRM responsibilities for its specific service. This includes supporting service providers such as infrastructure as a service (IaaS) providers engaged by primary software as a service (SaaS) CSPs, and specialized CSPs (e.g., IDaaS, CASB, DDoS/CDN/DNS services) employed by the CSP and/or the CSC.

Auditing Guidance

  1. Examine the policy for provisions related to service delivery.
  2. Evaluate the process for communication of requirements and service levels to vendors and other third parties.
  3. Determine if a review of effectiveness is in place, especially with respect to contractual requirements.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.