When providing digital services to customers as a cloud service, the responsibility for the safe use of the service lies with both the service provider and the customer. For example, the service provider may be responsible for the technical security of the service, while the customer is responsible for managing access and for providing instruction on the correct use of the service.
For each digital service provided, the organization must review the CSA CCM controls and document who is responsible for implementing each control. Relevant responsibility choices include:
- service provider is fully responsible
- customer is fully responsible
- service provider is responsible, but has outsourced the implementation
- responsibility is shared between the service provider and customer
- implementation is shared between the service provider and a third party, but the service provider is responsible
In addition, based on the choice of responsibilities, the service provider must describe one of the following:
- how the service provider has implemented the control
- which part of the control is the customer's responsibility
- why the control is not suitable
To accomplish this, use Cyberday's CSA CCM Compliance Report (to illustrate implementation) and the Consensus Assessments Initiative Questionnaire (CAIQ) template provided by CSA.