Module 12: Evaluating Cloud Service Providers
CSP evaluation questions test whether you can distinguish between marketing claims and verifiable assurance. The exam expects you to evaluate providers using audits, certifications, and contractual guarantees — not trust.
Why CSP Evaluation Matters
Selecting a cloud service provider is a risk management decision, not a technology decision. The exam treats CSP evaluation as a governance function that should consider security controls, compliance capabilities, financial stability, data governance, and exit strategy. Getting this wrong means inheriting all of the provider's risks.
Audit Reports and Certifications
SOC Reports
The exam expects you to distinguish between SOC report types:
- SOC 1: Controls relevant to the customer's financial reporting (ICFR). Not directly relevant to security evaluations.
- SOC 2 Type I: Suitability of control design at a single point in time, measured against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Says nothing about whether the controls actually operated.
- SOC 2 Type II: The same criteria tested over a period (typically 6-12 months) for both design and operating effectiveness. This is the most valuable report for CSP evaluation. It covers only the systems and locations the CSP chose to put in scope, so read the system description, the auditor's noted exceptions, and the complementary user entity controls (CUECs) that remain the customer's responsibility.
- SOC 3: General-use public summary of a SOC 2 Type II opinion without the detailed control testing. Suitable for marketing-level assurance, not for due diligence.
Exam trap: SOC 2 Type I tells you controls existed on a specific date. SOC 2 Type II tells you controls worked over time. If a question asks for ongoing assurance of a CSP's security controls, Type II is the correct answer. Type I is insufficient for operational assurance.
ISO 27001/27017/27018
ISO/IEC 27001 certifies an information security management system (ISMS). ISO/IEC 27017 is a code of practice that adds cloud-specific controls on top of ISO/IEC 27002, for both cloud providers and cloud customers. ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds when the provider acts as a PII processor. Neither 27017 nor 27018 is certified on its own; a CSP is assessed against them as part of its 27001 certification, so check that the certificate scope actually names them. The exam may ask which ISO standard specifically addresses cloud security controls (27017) versus PII protection (27018).
CSA STAR
The Cloud Security Alliance's Security, Trust, Assurance, and Risk (STAR) registry provides transparency into CSP security controls. STAR Level 1 is a published self-assessment (a completed Consensus Assessments Initiative Questionnaire, CAIQ), which is the provider's own claim; Level 2 is third-party assurance (STAR Attestation builds on a SOC 2 engagement, STAR Certification on ISO/IEC 27001). The exam recognizes CSA STAR as a cloud-specific assurance framework complementing SOC and ISO certifications.
Due Diligence Factors
The exam expects you to evaluate CSPs across multiple dimensions:
- Security posture: Encryption capabilities, IAM features, network isolation, incident response processes
- Compliance certifications: SOC 2 Type II, ISO 27001/27017, FedRAMP, HIPAA BAAs, PCI DSS
- Data governance: Data residency options, data sovereignty controls, jurisdictional considerations
- Financial stability: A CSP going bankrupt creates massive data and operational risk
- Vendor lock-in risk: Proprietary services, data portability, standard API support
- Exit strategy: Data return format, deletion verification, transition support
The CSA Cloud Controls Matrix (CCM)
The CCM is a cybersecurity control framework specifically for cloud computing. It maps controls to multiple standards (ISO, NIST, COBIT). The exam may present the CCM as a tool for evaluating CSP controls against organizational requirements and mapping compliance across regulatory frameworks.
Ongoing Monitoring vs. Point-in-Time Assessment
Selecting a CSP is not a one-time event. The exam tests whether you understand continuous monitoring of CSP performance, security posture, and compliance status. Right-to-audit clauses in contracts allow customers to verify ongoing compliance; in practice large providers rarely grant on-site audit rights and substitute their SOC and ISO reports, so negotiate a delivery cadence for new reports and bridge letters covering any gap between report periods. A SOC 2 Type II report covers a fixed past period, so an accepted report goes stale and has to be re-checked on a schedule. Continuous monitoring platforms can track CSP security events and configuration changes.
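The following is an added example, not code from the original page or any audit firm, of the point the SOC Reports section and this section make: a Type I report gives no operating-effectiveness evidence, and a Type II report only covers its stated period, so a review has to check the report type, the period length, and how long ago coverage ended. The 180-day minimum period, the 90-day staleness tolerance, the review date and the provider records are constructed assumptions to be tuned to your own risk appetite.

```python
"""Assess whether a CSP's SOC 2 report still provides ongoing assurance.

Added example; thresholds, review date and report records below are
constructed assumptions, not figures from any real audit report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions (tune to your risk appetite): a Type II period must cover at
# least 180 days, and its end date must be no more than 90 days in the past.
MIN_PERIOD_DAYS = 180
MAX_STALE_DAYS = 90

# Constructed review date used by the sample run below.
REVIEW_DATE = date(2025, 2, 1)


@dataclass(frozen=True)
class SocReport:
    provider: str
    report_type: str            # "SOC 2 Type I" or "SOC 2 Type II"
    period_start: Optional[date]  # None for a Type I report (single as-of date)
    period_end: date            # as-of date (Type I) or end of coverage (Type II)


def assess_report(report: SocReport, today: date) -> dict:
    """Return {'accepted': bool, 'findings': [...]} for a single report."""
    findings = []
    if report.report_type == "SOC 2 Type I":
        # Point-in-time design only: never sufficient for ongoing assurance.
        findings.append(
            f"Type I: design/implementation as of {report.period_end}; "
            "no operating effectiveness evidence, request a Type II"
        )
        return {"accepted": False, "findings": findings}
    if report.report_type != "SOC 2 Type II":
        findings.append(f"unsupported report type: {report.report_type}")
        return {"accepted": False, "findings": findings}
    if report.period_start is None or report.period_end <= report.period_start:
        findings.append("Type II report lacks a valid coverage period")
        return {"accepted": False, "findings": findings}
    if report.period_end > today:
        findings.append("coverage period ends in the future; report dates are suspect")
        return {"accepted": False, "findings": findings}

    period_days = (report.period_end - report.period_start).days
    if period_days < MIN_PERIOD_DAYS:
        findings.append(f"coverage period only {period_days} days (< {MIN_PERIOD_DAYS})")
    stale_days = (today - report.period_end).days
    if stale_days > MAX_STALE_DAYS:
        findings.append(
            f"coverage ended {stale_days} days ago (> {MAX_STALE_DAYS}); "
            "request the current report or a bridge letter for the gap"
        )
    return {"accepted": not findings, "findings": findings}


def assess_portfolio(reports, today: date) -> dict:
    """Map provider -> assessment so the check can run on a schedule, not once."""
    return {r.provider: assess_report(r, today) for r in reports}


# Constructed sample records (hypothetical providers, not real reports).
SAMPLE_REPORTS = [
    SocReport("cloud-a", "SOC 2 Type II", date(2024, 1, 1), date(2024, 12, 31)),
    SocReport("cloud-b", "SOC 2 Type II", date(2023, 7, 1), date(2023, 12, 31)),
    SocReport("cloud-c", "SOC 2 Type I", None, date(2024, 11, 30)),
]

if __name__ == "__main__":
    for provider, result in assess_portfolio(SAMPLE_REPORTS, REVIEW_DATE).items():
        verdict = "ACCEPT" if result["accepted"] else "REJECT"
        print(provider, verdict, result["findings"])
```

Run against the sample records with the constructed review date, cloud-a is accepted (a full-year period that ended 32 days earlier), cloud-b is rejected because its coverage ended more than a year ago, and cloud-c is rejected outright as a Type I report. The future-dated and short-period branches are there for the edge cases a reviewer sees in practice: a draft report sent ahead of the period end, or a provider's first Type II that covers only a few months.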
Supply Chain Risk
Your CSP likely uses sub-processors and fourth parties. The exam tests whether you evaluate the entire supply chain, not just your direct provider. A breach at a CSP's sub-processor can expose your data just as effectively as a breach at the CSP itself. Contracts should address sub-processor oversight and notification requirements.
Key Takeaways
CSP evaluation is governance, not technology. SOC 2 Type II provides the strongest third-party assurance of the report types covered here; Type I is point-in-time only. ISO/IEC 27017 is the cloud-specific control set and ISO/IEC 27018 covers PII, both assessed under a 27001 certification. The CSA CCM maps cloud controls to multiple standards. Evaluate security, compliance, data governance, financial stability, and exit strategy. Monitor continuously, not just at selection: every report covers a fixed past period and goes stale. Consider supply chain risk from sub-processors.