Cloud Controls Matrix

Auditing Guidelines dev. Team Call - May 7th [Meeting Minutes]

    Posted May 11, 2021 06:22:00 AM

    Hi everyone,
    please find below a status update for the CCM AGs dev. exercise and the minutes from our recent call session.

    The activity is currently missing an auditor to help us out on the development of auditing guidelines for the IAM domain (contact the PM, Lefteris, if interested).

    Relevant documentation:
    • CCMv4.0 Auditing Guidelines worksheet (Input document)
    • CCAK extract: module 7 CCM Auditing Guidelines (supportive documentation)
    • CCAK extract: CCM Audit Workbook (supportive documentation)


    Agenda Items (AIs):

    1. Touch base on the progress status of Auditing Guidelines (AGs) development
    2. Other topics of discussion during the session
    3. AoB


    Participants (7):
    Parminder Bawa
    Renu Bedi
    Angell Duran
    Sanjeev Gupta
    Vani Murthy
    Agnidipta Sarkar
    Lefteris Skoutaris (PM)


    Meeting Minutes (MMs)

    1. Touch base on the progress status of Auditing Guidelines (AGs) development
    • AGs are drafted for a total of 12/17 CCMv4.0 domains.
    • 9 CCMv4.0 domains have their AGs completed and reviewed by a 2nd reviewer.
    • 3 domains have their AGs drafted and pending a 2nd review, while in 2 domains (CEK, UEM) work is in progress.
    • Renu and Agni have delivered the first draft of AGs for the LOG and SEF domains respectively.
    • Professionals participating in the exercise are kindly invited to consult the 'Progress Status' tab (column H) for any pending actions on their end (AP1).
    • Hard deadline is set on 31/5 for delivering a first draft of auditing guidelines for all CCMv4.0 domains.

    Snapshot taken from 'progress status' tab of the AG workbook



    2. Other topics of discussion during the session

    • Agni suggested that an auditor include requirements that are in the Control Area (or Domain) but not in the particular Control.
    • An example is where a Control specifies "review", but an earlier (or other) Control specifies "annual review".
    • The language proposed is: 'Auditors should look at CCM controls as a whole, and not at each individual control in itself. Although a Finding can be made only on a specific Control, they are encouraged to consider the impact of other Controls on the one under review.'

    3. AoB
    • Next CCMv4.0 AG dev. call is scheduled on May 14th, 4 pm EEST (6am PST / 9am EST / 3pm CET).

    Action Points (APs)

    AP1: Professionals participating in the exercise are kindly invited to consult the 'Progress Status' tab (column H) for any pending actions on their end.



    Please let me know if anything important is missed above. 

    Thank you all for your attendance and support.
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------