STA-05: SSRM Documentation Review

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Review and validate SSRM documentation for all cloud services offerings the organization uses.

Implementation Guidance

The CSC should engage with the CSP to address any issues identified as a part of this review, and SSRM changes should be incorporated into the CSC's implementation plans. In addition, any CSC changes to the finalized SSRM documentation should be shared with the CSP as enhancement feedback, as appropriate. Following this communication and any preceding adjustments to the SSRM, CSCs should then implement the finalized SSRM controls and test the controls to validate the proper operation of CSC security controls (including CSP integration where there are dependencies). This implementation and testing should occur during production readiness assessments and transitions.

Auditing Guidance

  1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the Organization’s responsibility.
  2. Examine the process for validating the boundaries for cloud services used.
  3. Examine the process for validating the seamlessness of controls for cloud services used.

(Note: This control applies to an Organization that is in the role of a CSC.)

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.