ISACA Outlines Steps for Controls, Assurance in the Cloud

ISACA has issued a new guide of practical steps for assurance and control in the cloud, Controls and Assurance in the Cloud: Using COBIT 5.

The guide, meant to help companies find value in and adopt cloud solutions, also focuses on avoiding information security challenges.

According to ISACA (formerly known as the Information Systems Audit and Control Association), these 13 items often lead to cloud challenges:

1.    Location of data
2.    Commingled data
3.    Security policy/procedure transparency (or lack thereof)
4.    Cloud data ownership
5.    Lock-in with cloud service provider’s proprietary application program interfaces
6.    Record protection for forensic audits
7.    Identity and access management
8.    Screening of other cloud computing clients
9.    Compliance requirements
10.    Data disposal
11.    Portability
12.    Service provider viability
13.    Backup and rollout capabilities

The publication provides the following tools to meet these challenges and provide effective governance and management of cloud initiatives:

•    Cloud risk scenarios
•    Contractual provisions
•    A cloud governance checklist
•    A practical approach to measuring cloud ROI
•    A cloud computing assurance program
•    A process capability assessment
•    Questions boards of directors need to consider

“Cloud initiatives transform business and need to be treated holistically, including addressing governance, risk management, operational, assurance and security considerations,” stated Phil Lageschulte, partner at KPMG and chair of ISACA’s guidance and practices committee. “This guide looks at all of those areas and helps companies ensure that their cloud initiatives are not only delivering value and meeting business goals—but also managing the new and potentially elevated risks.”

Controls and Assurance in the Cloud is a complete update to ISACA’s earlier IT Control Objectives for Cloud Computing. The book, which ISACA members can download free of charge, is available at www.isaca.org/controls-and-assurance-in-the-cloud.
