The Cloud Service Provider’s management and board of directors shall be responsible for the following requirements and audit procedures.
The Cloud Service Provider’s management and board of directors shall be responsible for the following requirements and audit procedures
The Cloud Service Provider’s management and board of directors shall
-
Managing information security risks related to people, process, technology and governance.
-
Oversight of the effective implementation of the technology controls.
-
Oversight of risk management practices.
-
Determine that the responsibilities of management and board of directors in managing and overseeing information security risks are documented and communicated.
-
Inspect documents such as meeting minutes and committee charter to identify the participants involved in the meeting or committee, their respective job functions and the reporting relationship.
-
Determine whether the management and board of directors meet regularly, at an appropriate and monitored frequency.
-
Determine whether the information security function is headed by a Chief Information Security Officer (CISO) or similar function.
The requirements and audit procedures are the same as those in Level 1.
The requirements are the same as those in Level 2.
The audit procedures are those in Level 1 and the following:
-
Verify risks have been reviewed, understood, and addressed (i.e. including a cost benefit analysis) by management and the board.
I recommend this.
This is the object of the recommendation:
| Object | Value |
|---|---|
Mission |
Accomplished |
As for the measurement targets,
The measurement target shall be measured as:
-
We take a measurement
-
The measurement is consistent with the formula above
-
If the measurement is not consistent with the formula above, then the verification has failed
-