Cloud Controls Matrix

Auditing Guidelines dev. Team Call - April 2nd [Meeting Minutes]


    Posted Apr 05, 2021 10:18:00 AM
    Edited by Lefteris Skoutaris Apr 05, 2021 10:19:00 AM

    Hi everyone,

    please find below the minutes from our recent call session on 2/4 about the CCMv4 AGs development (including latest updates).

    Relevant documentation:
    • CCMv4.0 Auditing Guidelines worksheet (Input document)
    • CCAK extract: module 7 CCM Auditing Guidelines (supportive documentation)
    • CCAK extract: CCM Audit Workbook (supportive documentation)


    Agenda Items (AIs):

    1. Teams to touch base on the progress status of Auditing Guidelines (AGs) development
    2. Discussion on 'Control Audit Frequency' (column H) and its purpose
    3. Call for professionals to sign up to CCMv4.0 AGs development (call for participation)
    4. AoB


    Participants (8):
    Madhav Chablani
    Brian Dorsey
    Sanjeev Gupta
    Max Pritikin
    Agnidipta Sarkar
    Steve Sparkes
    Lefteris Skoutaris (PM)
    Ashish Vashishtha


    Meeting Minutes (MMs)

    1. Teams to touch base on the progress status of Auditing Guidelines (AGs) development
    • Renu and Ashish have delivered a first draft of the AGs for the domains CCC, GRC and TVM (special thanks!),
    • Sanjeev has drafted the AGs for A&A domain. Ashish is kindly invited to perform the 2nd review and provide his feedback (AP1),
    • Steve has completed the AGs for DSP, but also drafted the 'audit objectives and criteria' under columns F & G. Brian (or alternatively Gokhan - please let me know) is kindly invited to review DSP AGs objectives and criteria (AP2),
    • Agni has drafted the 'audit objectives and criteria' under columns F & G for the BCR domain and is kindly invited to begin the development of the AGs (AP3),
    • Parminder has begun drafting the AGs for the DCS domain, and sent a reminder to carry on,
    • Renu has started working on the LOG domain, and sent a reminder to carry on,
    • All professionals are kindly invited to consult the 'Progress Status' tab (column H) for any pending actions on their end (AP4),
    • Hard Deadline is set on 30/4 for delivering a first draft of all CCMv4.0 AGs (next step is that AGs will be set for open peer review in May).

    Snapshot taken from 'progress status' tab of the AG workbook

    2. Discussion on 'Control Audit Frequency' (column H) and its purpose
    • Sanjeev asked the group whether the 'control audit frequency' (column H) refers to the frequency of assessments an organization has to conduct internally based on the identified risk or in the context of an external 3rd party audit,
    • Max rephrased the question by asking whether the frequency and AGs are to be used as guidance to the auditor or to the organization. If it is guidance to the organization, then the organization should conduct a control's assessment in alignment with the control's assessment requirement (if such a frequency is specified within the control itself), and in the case of an annual 3rd party audit, conformance is to be examined based on that control's required assessment frequency.
    • But what happens when the assessment frequency for a control specification is not stipulated within the control specification itself?
    • The panel aligned in that the 'control audit frequency' column should reflect an organization's frequency of internal assessments (for a given CCM control that is implemented) based on applicable requirements (business, contractual, legal) and standard (see 'Reference' tab, 6-B), unless such a frequency is stipulated by the control specification itself.

    3. Call for professionals to sign up to CCMv4.0 AGs development (call for participation)
    • Would like to kindly invite Auditors to help us out with the AGs development for HRS, IPY, UEM (see red '?' in progress status tab above)

    4. AoB
    • Next CCMv4.0 AG dev. call is scheduled on April 9th, 5 pm EEST (7am PST / 10am EST / 4pm CET).

    Action Points (APs)

    AP1: Ashish is kindly invited to perform the 2nd review on the AGs of A&A and provide his feedback
    AP2: Brian (or alternatively Gokhan - please let me know) is kindly invited to review the DSP's AGs objectives and criteria
    AP3: Agni has drafted the 'audit objectives and criteria' under columns F & G for the BCR domain and is kindly invited to begin the development of the AGs (as part of the Pilot)
    AP4: All professionals are kindly invited to consult the 'Progress Status' tab (column H) for any pending actions on their end



    Please let me know if anything important is missed above.

    Thank you all for your attendance and support.
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------