Cloud Security Alliance 2020 Initiatives Changing the Face of IT Audit and Cloud Assurance

February 24, 2020, by David

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced a call for subject-matter experts to support the ongoing review of its flagship document, the Cloud Controls Matrix (CCM), Version 4 of which will be released later this year. CCM v4 will reflect the current cloud technology landscape, providing cloud users with a better, more comprehensive security framework and guidelines to facilitate both implementation and audit.

Additionally, CSA is pleased to announce that the Certificate of Cloud Auditing Knowledge (CCAK) subject-matter expert working group has held initial program development meetings and that the CCAK credential and courseware will be previewed at CSA’s SECtember conference (Seattle, Sept. 14-18). The CCAK is a new credential for industry professionals that demonstrates expertise in the essential principles of assessing and auditing cloud computing systems and will be released in the second half of 2020. The CCAK will provide a common baseline of knowledge and shared nomenclature to ensure that IT and security professionals, as well as auditors, have the right expertise and tools to appropriately and accurately understand and measure the effectiveness of cloud security controls.

“For 11 years, the Cloud Security Alliance has led the industry in delivering the necessary innovations to build the trusted cloud ecosystem on a global basis. In 2020, CSA will focus on supporting the cloud community in acquiring the necessary tools, skills, and expertise to ensure that the many iterations of cloud meet robust security and privacy objectives,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance. “As organizations adopt DevOps, CI/CD, and related innovations, the audit function must keep pace. With the release of CCM and CCAK, we continue to support the community in their cloud journeys.”

The Cloud Controls Matrix is the de facto standard in the market. Its latest iteration will include new control objectives in areas such as containers and microservices, cryptography, and identity and access management, along with implementation guidance, and will improve upon the auditability of existing controls.

Cloud auditing skills are becoming a mandatory requirement for IT auditors and will become fundamental expertise for any IT manager and professional, especially in the areas of governance, risk management, compliance, and vendor/supply chain management. Traditional IT audit education and certification do not adequately prepare professionals for the challenges cloud provides. Recent breaches demonstrate the knowledge and responsibility gap that comprehensive cloud auditing frameworks such as the CCAK will solve.

Those interested in contributing to the development of the CCAK are encouraged to join the CSA Cloud Audit Expert Group. Group members should be familiar with CSA’s best practices and control frameworks, such as the Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and CSA STAR levels of assessment, as well as have knowledge in such key areas as cloud risk management, compliance, continuous auditing, and more. Members will be tasked with reviewing and providing advice on the scope, curriculum, objectives structure, go-to-market, and value proposition for the CCAK.