Definition

cloud audit

Paul Kirvan

By

Paul Kirvan

What is a cloud audit?

A cloud audit is a periodic examination an organization does to assess and document its cloud vendor's performance. The goal of such an audit is to see how well a cloud vendor is doing in meeting a set of established controls and best practices.

The Cloud Security Alliance (CSA) provides audit documents, guidance and controls that an IT organization can use to examine its cloud vendors. Third-party auditors can also use CSA audit materials. CSA resources are considered the primary audit tools to perform and optimize a comprehensive cloud audit.

The term CloudAudit refers to a specification the CSA developed in 2019 for the presentation of information about how a cloud service provider addresses control frameworks. The goal of CloudAudit was to provide cloud service providers with a way to make their performance and security data readily available for potential customers.

How do you conduct a cloud audit?

An audit of a cloud environment is similar to an IT audit. Both examine a variety of operational, administrative, security and performance controls. Cloud audit controls are also similar to IT audit controls but with a focus on the nuances of cloud environments.

Cloud vendors offer several on-demand, as-a-service resources, such as software as a service and platform as a service. Audits help assure these offerings are delivered with the appropriate attention to specific controls, especially those involving security policies and risk management. Audits of cloud computing services look for evidence that a cloud vendor is using best practices, complies with appropriate standards and meets certain benchmarks in delivering its services.

cloud audit steps — Find out the seven steps involved in an effective cloud audit.

When performing a cloud audit, take the following basic steps:

Gather evidence. Collect relevant documents and other evidence, such as screenshots.
Interview. Ask cloud vendor personnel how the provider operates and delivers its services. CSA has cloud audit questions and checklists that can be useful to both external and internal auditors. CSA has partnered with ISACA to define what constitutes relevant cloud audit knowledge and provide accreditation resources for cloud audit professionals.
Analyze. Look at how well the vendor's processes align with CSA and ISACA controls.
Compile results. Combine analysis with the evidence from documentation and interviews into work papers that are used to prepare a final report and recommendations.
Prepare final report. Submit it to the organization's management, usually during a formal audit briefing.
Take action. Management sets dates for responses to the recommended actions and assigns a team to respond to the audit report.

Cloud audit tools

CSA provides tools and guidance auditors need to perform a cloud audit. The table below lists these items and their availability.

Resource	Description	Link
Cloud Controls Matrix (CCM) v4	Cybersecurity control framework for cloud computing aligned to CSA best practices	CCM and Consensus Assessment Initiative Questionnaire (CAIQ) v4 (downloadable document)
Security, Trust, Assurance and Risk (STAR) security questionnaire	Checklist tool to ask cloud vendors about security controls	STAR Level 1 Security Questionnaire (downloadable document)
STAR Registry	List of cloud vendors' security and regulatory compliance postures	STAR Registry listing
CSA best practices	Guidance on cloud security, performance and auditing	CSA Security Guidance (downloadable document)
Mapping to other standards	Mapping CCM v4 to other industry standards, such as the International Organization for Standardization 27000 series and Payment Card Industry Data Security Standard	Included in CCM and CAIQ v4
Controls Applicability Matrix	Help for auditors to decide the most appropriate controls to use for a specific vendor	Included in CCM and CAIQ v4
CCM Metrics	Compendium of security metrics for clouds to support governance, risk and compliance activities	Included in CCM and CAIQ v4
CCM v4 Implementation Guidelines	Guidelines for using the CCM v4 audit standards	Included in CCM and CAIQ
Continuous Audit Metrics Catalog	Guidance to plan and implement continuous cloud audit activities	Continuous Audit Metrics (downloadable document)
CCM v4 Auditing Guidelines	Guidance for planning, organizing and conducting a cloud audit engagement using CCM v4	Available Q4 2021

Cloud audit professional credentials

The CSA and ISACA jointly offer the following cloud audit credentials:

Certificate of Cloud Security Knowledge is a body of knowledge in cloud technology areas, including cloud processing and security. It is a first step in preparation for the companion certification in cloud auditing knowledge.
Certificate of Cloud Auditing Knowledge trains candidates in how to audit cloud platforms and security.

Both certificates complement ISACA credentials. They provide evidence of an auditor's knowledge of cloud infrastructure and systems, security and vulnerabilities, and they show that the auditor knows how to conduct a cloud audit.

Find out what to include in a cloud audit checklist to optimize your organization's cloud compliance strategy.

This was last updated in November 2021

Continue Reading About cloud audit

7 tips to manage cloud sprawl in your enterprise

The benefits of an IT management response

Optimize business continuity with 6 ITGC audit controls

What does your backup and recovery audit checklist need?

Backup audit: What is a backup audit and why do we need them?

Dig Deeper on Cloud provider platforms and tools

SearchDataCenter

How to implement file classification in file servers
File classification with File Server Resource Manager enables admins to classify and organize data. This tutorial shows how to ...
Semiconductor companies face a long road back to growth
Even with government money soon headed their way, top-tier semiconductor companies will still have to deal with a range of ...
The implications of blockchain in the chip shortage
Blockchain has been a significant contributor to the global chip shortage. Explore the role this rising technology has played.

SearchITOperations

Kubernetes security reaches maturity milestone with v1.25
Kubernetes Pod Security Admission has reached stable status, replacing Pod Security Policies, as the core Kubernetes framework ...
Emerging approaches to HCI for IT services
Hyper-converged infrastructure's increased support for containers, composability and hybrid cloud deployments has attracted IT ...
Compare running Kubernetes on VMs vs. bare-metal servers
Planning to run a cloud-native application with Kubernetes? Compare the advantages and drawbacks of deployments on VMs and ...

SearchAWS

AWS Control Tower aims to simplify multi-account management
Many organizations struggle to manage their vast collection of AWS accounts, but Control Tower can help. The service automates ...
Break down the Amazon EKS pricing model
There are several important variables within the Amazon EKS pricing model. Dig into the numbers to ensure you deploy the service ...
Compare EKS vs. self-managed Kubernetes on AWS
AWS users face a choice when deploying Kubernetes: run it themselves on EC2 or let Amazon do the heavy lifting with EKS. See ...

SearchVMware

VMware Explore 2022 news and conference coverage
This year's VMware conference runs from Aug. 29 to Sept. 1. Read the latest news and announcements about and from the event, ...
Learn how to use VMware's OS Optimization Tool
Background features and processes can often take up precious OS resources. With VMware's OS Optimization Tool, you can run ...
Tanzu vs. OpenShift vs. Ezmeral: 3 rivals' Kubernetes offerings
Learn how container management products from VMware, Red Hat and Hewlett Packard Enterprise compare when it comes to their ...

Close