To properly assess risk in the cloud, organizations should apply any internal risk assessment processes to their cloud deployments.
Organizations should also consider using a risk assessment framework such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The CCM groups its controls into 16 domains that describe cloud security principles and best practices, giving organizations a structured basis for assessing the overall security risk of a cloud provider. The 16 domains are as follows:
The CCM also maps each cloud control to the relevant data protection and information security regulations and standards, such as the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 2 framework, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), International Organization for Standardization (ISO/IEC) 27001/27002/27017/27018, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and many more. This mapping lets an organization answer one set of control questions once and reuse the evidence across several compliance regimes. The Consensus Assessments Initiative Questionnaire (CAIQ) is a companion questionnaire of nearly 300 yes/no questions covering all 16 CCM domains; it is used both by cloud providers to document their controls and by customers to assess the risk of their own organization and of their cloud providers. Go to https://cloudsecurityalliance.org to download a free copy of the questionnaire.