CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v4.0.3
Skillable INTERNAL

Introduction

Consensus Assessments Initiative Questionnaire (CAIQ):
This tab includes the questionnaire associated with the Cloud Control Matrix (CCM) controls, commonly known as the CAIQ.

The Consensus Assessments Initiative Questionnaire version 4 (or CAIQv4) aligns with the CCMv4 control specifications. The CAIQv4’s purpose is to help organizations conduct self-assessments to test their compliance against the CCM V4. It is developed under CSA’s STAR-Level 1 program umbrella, allowing organizations to complete and submit self-assessments to CSA’s STAR Registry.

CAIQv4 features 261 questions structured and formulated based on the 17 domains and underlying control specifications of the CCM.

Each question is described using the following attributes:

Question ID
The question identifiers.

Assessment Question
The description of the question.

In addition, this tab includes the following sections (groups of columns).

CSP CAIQ Answer
The Cloud Service Provider (CSP) must respond with “Yes”/“No”/“NA” next to the corresponding assessment question, and for the portion(s) of the CCM control specification they are responsible and accountable for implementing.

Meaning of possible replies:
• “Yes”: The portion(s) of the CCM control requirement corresponding to the assessment question is met.
• “No”: The portion(s) of the CCM control requirement corresponding to the assessment question is not met.
• “N/A”: The question is not in scope and does not apply to the cloud service under assessment.

NOTES:
A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.

A “No” answer indicates that the portion of the control in question is not implemented, while in scope of the assessment. The CSP has to assign the implementation responsibility of the control to the relevant party under column “SSRM control ownership”, and optionally elaborate on the “why” (has not been implemented), and “what” has to be done for its implementation by that party.

A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).

Shared Security Responsibility Model (SSRM) control ownership
The CSP control responses shall identify control applicability and ownership for their specific service.
• CSP-owned: The CSP is entirely responsible and accountable for the CCM control implementation.
• CSC-owned: The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
• Third-party outsourced: The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
• Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability.
• Shared CSP and third party: Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Note: The CAIQv4 SSRM schema is tailored to CCMv4’s Supply Chain Management, Transparency, and Accountability (STA) domain, controls 1-6, and their corresponding implementation guidelines.

CSP implementation description (optional/recommended)
A description (with references) of how the cloud service provider meets (or does not meet) the portion(s) of the SSRM control they are responsible for. If “NA,” explain why.

CSC responsibilities (optional/recommended)
A summary description of the cloud service customer security responsibilities for the portion(s) of the SSRM control that it is responsible for, with corresponding guidance and references.

End of Introduction

© Copyright 2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Consensus Assessments Initiative Questionnaire (CAIQ) Version 4.0.3” at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus Assessments Initiative Questionnaire v4.0.3 may be used solely for your personal, informational, non-commercial use; (b) the Consensus Assessments Initiative Questionnaire v4.0.3 may not be modified or altered in any way; (c) the Consensus Assessments Initiative Questionnaire v4.0.3 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative Questionnaire v4.0.3 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Consensus Assessments Initiative Questionnaire Version 4.0.3. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact [email protected].
Questionnaire

Question ID | Assessment Question | CSP CAIQ Answer
A&A-01.1 | Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
A&A-01.2 | Are audit and assurance policies, procedures, and standards reviewed and updated at least annually? | Yes
A&A-02.1 | Are independent audit and assurance assessments conducted according to relevant standards at least annually? | Yes
A&A-03.1 | Are independent audit and assurance assessments performed according to risk-based plans and policies? | Yes
A&A-04.1 | Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit? | Yes
A&A-05.1 | Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence? | Yes
A&A-06.1 | Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
A&A-06.2 | Is the remediation status of audit findings reviewed and reported to relevant stakeholders? | Yes
AIS-01.1 | Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities? | Yes
AIS-01.2 | Are application security policies and procedures reviewed and updated at least annually? | Yes
AIS-02.1 | Are baseline requirements to secure different applications established, documented, and maintained? | Yes
AIS-03.1 | Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations? | Yes
AIS-04.1 | Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements? | Yes
AIS-05.1 | Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals? | Yes
AIS-05.2 | Is testing automated when applicable and possible? | Yes
AIS-06.1 | Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner? | Yes
AIS-06.2 | Is the deployment and integration of application code automated where possible? | Yes
AIS-07.1 | Are application security vulnerabilities remediated following defined processes? | Yes
AIS-07.2 | Is the remediation of application security vulnerabilities automated when possible? | Yes
BCR-01.1 | Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
BCR-01.2 | Are the policies and procedures reviewed and updated at least annually? | Yes
BCR-02.1 | Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts? | Yes
BCR-03.1 | Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite? | Yes
BCR-04.1 | Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan? | Yes
BCR-05.1 | Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans? | Yes
BCR-05.2 | Is business continuity and operational resilience documentation available to authorized stakeholders? | Yes
BCR-05.3 | Is business continuity and operational resilience documentation reviewed periodically? | Yes
BCR-06.1 | Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur? | Yes
BCR-07.1 | Do business continuity and resilience procedures establish communication with stakeholders and participants? | Yes
BCR-08.1 | Is cloud data periodically backed up? | Yes
BCR-08.2 | Is the confidentiality, integrity, and availability of backup data ensured? | Yes
BCR-08.3 | Can backups be restored appropriately for resiliency? | Yes
BCR-09.1 | Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters? | Yes
BCR-09.2 | Is the disaster response plan updated at least annually, and when significant changes occur? | Yes
BCR-10.1 | Is the disaster response plan exercised annually or when significant changes occur? | Yes
BCR-10.2 | Are local emergency authorities included, if possible, in the exercise? | No
BCR-11.1 | Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards? | Yes
CCC-01.1 | Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)? | Yes
CCC-01.2 | Are the policies and procedures reviewed and updated at least annually? | Yes
CCC-02.1 | Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed? | Yes
CCC-03.1 | Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)? | Yes
CCC-04.1 | Is the unauthorized addition, removal, update, and management of organization assets restricted? | Yes
CCC-05.1 | Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs? | Yes
CCC-06.1 | Are change management baselines established for all relevant authorized changes on organizational assets? | Yes
CCC-07.1 | Are detection measures implemented with proactive notification if changes deviate from established baselines? | Yes
CCC-08.1 | Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process? | Yes
CCC-08.2 | Is the procedure aligned with the requirements of the GRC-04: Policy Exception Process? | Yes
CCC-09.1 | Is a process to proactively roll back changes to a previously known "good state" defined and implemented in case of errors or security concerns? | Yes
CEK-01.1 | Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
CEK-01.2 | Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually? | Yes
CEK-02.1 | Are cryptography, encryption, and key management roles and responsibilities defined and implemented? | Yes
CEK-03.1 | Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards? | Yes
CEK-04.1 | Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability? | Yes
CEK-05.1 | Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources? | Yes
CEK-06.1 | Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis? | Yes
CEK-07.1 | Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions? | Yes
CEK-08.1 | Are CSPs providing CSCs with the capacity to manage their own data encryption keys? | No
CEK-09.1 | Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system's risk exposure, and after any security event? | Yes
CEK-09.2 | Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)? | Yes
CEK-10.1 | Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications? | Yes
CEK-11.1 | Are private keys provisioned for a unique purpose managed, and is cryptography secret? | Yes
CEK-12.1 | Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements? | Yes
CEK-13.1 | Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions? | Yes
CEK-14.1 | Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments, revocation of keys stored in hardware security modules (HSMs), and include applicable legal and regulatory requirement provisions? | Yes
CEK-15.1 | Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-16.1 | Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-17.1 | Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-18.1 | Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-19.1 | Are processes, procedures, and technical measures to use compromised keys to encrypt information in specific scenarios (e.g., only in controlled circumstances and thereafter only for data decryption and never for encryption) defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-20.1 | Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes
CEK-21.1 | Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirements provisions? | Yes
DCS-01.1 | Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained? | Yes
DCS-01.2 | Is a data destruction procedure applied that renders information recovery impossible if equipment is not physically destroyed? | Yes
DCS-01.3 | Are policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually? | Yes
DCS-02.1 | Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, and maintained? | Yes
DCS-02.2 | Does a relocation or transfer request require written or cryptographically verifiable authorization? | Yes
DCS-02.3 | Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually? | Yes
DCS-03.1 | Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained? | NA
DCS-03.2 | Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually? | NA
DCS-04.1 | Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained? | NA
DCS-04.2 | Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually? | Yes
DCS-05.1 | Is the classification and documentation of physical and logical assets based on the organizational business risk? | Yes
DCS-06.1 | Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system? | Yes
DCS-07.1 | Are physical security perimeters implemented to safeguard personnel, data, and information systems? | Yes
DCS-07.2 | Are physical security perimeters established between administrative and business areas, data storage, and processing facilities? | NA
DCS-08.1 | Is equipment identification used as a method for connection authentication? | Yes
DCS-09.1 | Are solely authorized personnel able to access secure areas, with all ingress and egress areas restricted, documented, and monitored by physical access control mechanisms? | Yes
DCS-09.2 | Are access control records retained periodically, as deemed appropriate by the organization? | Yes
DCS-10.1 | Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated? | Yes
DCS-11.1 | Are datacenter personnel trained to respond to unauthorized access or egress attempts? | Yes
DCS-12.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms? | Yes
DCS-13.1 | Are data center environmental control systems designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards effectively implemented and maintained? | Yes
DCS-14.1 | Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness? | Yes
DCS-15.1 | Is business-critical equipment segregated from locations subject to a high probability of environmental risk events? | Yes
DSP-01.1 | Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level? | Yes
DSP-01.2 | Are data security and privacy policies and procedures reviewed and updated at least annually? | Yes
DSP-02.1 | Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means? | Yes
DSP-03.1 | Is a data inventory created and maintained for sensitive and personal information (at a minimum)? | Yes
DSP-04.1 | Is data classified according to type and sensitivity levels? | Yes
DSP-05.1 | Is data flow documentation created to identify what data is processed and where it is stored and transmitted? | Yes
DSP-05.2 | Is data flow documentation reviewed at defined intervals, at least annually, and after any change? | Yes
DSP-06.1 | Is the ownership and stewardship of all relevant personal and sensitive data documented? | Yes
DSP-06.2 | Is data ownership and stewardship documentation reviewed at least annually? | Yes
DSP-07.1 | Are systems, products, and business practices based on security principles by design and per industry best practices? | Yes
DSP-08.1 | Are systems, products, and business practices based on privacy principles by design and according to industry best practices? | Yes
DSP-08.2 | Are systems' privacy settings configured by default and according to all applicable laws and regulations? | Yes
DSP-09.1 | Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices? | Yes
DSP-10.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)? | Yes
DSP-11.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)? | Yes
DSP-12.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)? | Yes
DSP-13.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)? | Yes
DSP-14.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation? | Yes
DSP-15.1 | Is authorization from data owners obtained, and the associated risk managed, before replicating or using production data in non-production environments? | Yes
DSP-16.1 | Do data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations? | Yes
DSP-17.1 | Are processes, procedures, and technical measures defined and implemented to protect sensitive data throughout its lifecycle? | Yes
DSP-18.1 | Does the CSP have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations? | Yes
DSP-18.2 | Does the CSP give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation? | Yes
DSP-19.1 | Are processes, procedures, and technical measures defined and implemented to specify and document physical data locations, including locales where data is processed or backed up? | Yes
GRC-01.1 | Are information governance program policies and procedures sponsored by organizational leadership established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
GRC-01.2 | Are the policies and procedures reviewed and updated at least annually? | Yes
GRC-02.1 | Is there an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks? | Yes
GRC-03.1 | Are all relevant organizational policies and associated procedures reviewed at least annually, or when a substantial organizational change occurs? | Yes
GRC-04.1 | Is an approved exception process mandated by the governance program established and followed whenever a deviation from an established policy occurs? | Yes
GRC-05.1 | Has an information security program (including programs of all relevant CCM domains) been developed and implemented? | Yes
GRC-06.1 | Are roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs defined and documented? | Yes
GRC-07.1 | Are all relevant standards, regulations, legal/contractual, and statutory requirements applicable to your organization identified and documented? | Yes
GRC-08.1 | Is contact established and maintained with cloud-related special interest groups and other relevant entities? | Yes
HRS-01.1 | Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
HRS-01.2 | Are background verification policies and procedures designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk? | Yes
HRS-01.3 | Are background verification policies and procedures reviewed and updated at least annually? | Yes
HRS-02.1 | Are policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
HRS-02.2 | Are the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets reviewed and updated at least annually? | Yes
Are policies and procedures requiring unattended workspaces to conceal confidential Yes
data established, documented, approved, communicated, applied, evaluated, and
maintained?
HRS-03.1
Are policies and procedures requiring unattended workspaces to conceal confidential Yes
data reviewed and updated at least annually?
HRS-03.2
Are policies and procedures to protect information accessed, processed, or Yes
stored at remote sites and locations established, documented, approved, communicated,
applied, evaluated, and maintained?
HRS-04.1
Are policies and procedures to protect information accessed, processed, or Yes
stored at remote sites and locations reviewed and updated at least annually?
HRS-04.2
Are return procedures of organizationally-owned assets by terminated employees Yes
established and documented?
HRS-05.1
_x005F_x000D_ Skillable INTERNAL
#
Are procedures outlining the roles and responsibilities concerning changes Yes
in employment established, documented, and communicated to all personnel?
HRS-06.1
Are employees required to sign an employment agreement before gaining access Yes
to organizational information systems, resources, and assets?
HRS-07.1
Are provisions and/or terms for adherence to established information governance Yes
and security policies included within employment agreements?
HRS-08.1
Are employee roles and responsibilities relating to information assets and Yes
security documented and communicated?
HRS-09.1
Are requirements for non-disclosure/confidentiality agreements reflecting Yes
organizational data protection needs and operational details identified, documented,
and reviewed at planned intervals?
HRS-10.1
Is a security awareness training program for all employees of the organization Yes
established, documented, approved, communicated, applied, evaluated and maintained?
HRS-11.1
_x005F_x000D_ Skillable INTERNAL
#
HRS-11.2 | Are regular security awareness training updates provided? | Yes
HRS-12.1 | Are all employees granted access to sensitive organizational and personal data provided with appropriate security awareness training? | Yes
HRS-12.2 | Are all employees granted access to sensitive organizational and personal data provided with regular updates in procedures, processes, and policies relating to their professional function? | Yes
HRS-13.1 | Are employees notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations? | Yes
IAM-01.1 | Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained? | Yes
IAM-01.2 | Are identity and access management policies and procedures reviewed and updated at least annually? | Yes
IAM-02.1 | Are strong password policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained? | Yes
IAM-02.2 | Are strong password policies and procedures reviewed and updated at least annually? | Yes
IAM-03.1 | Is system identity information and levels of access managed, stored, and reviewed? | Yes
IAM-04.1 | Is the separation of duties principle employed when implementing information system access? | Yes
IAM-05.1 | Is the least privilege principle employed when implementing information system access? | Yes
IAM-06.1 | Is a user access provisioning process defined and implemented which authorizes, records, and communicates data and assets access changes? | Yes
IAM-07.1 | Is a process in place to de-provision or modify the access, in a timely manner, of movers / leavers or system identity changes, to effectively adopt and communicate identity and access management policies? | Yes
IAM-08.1 | Are reviews and revalidation of user access for least privilege and separation of duties completed with a frequency commensurate with organizational risk tolerance? | Yes
IAM-09.1 | Are processes, procedures, and technical measures for the segregation of privileged access roles defined, implemented, and evaluated such that administrative data access, encryption, key management capabilities, and logging capabilities are distinct and separate? | Yes
IAM-10.1 | Is an access process defined and implemented to ensure privileged access roles and rights are granted for a limited period? | Yes
IAM-10.2 | Are procedures implemented to prevent the culmination of segregated privileged access? | Yes
IAM-11.1 | Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high-risk (as defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated? | NA
IAM-12.1 | Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated? | Yes
IAM-12.2 | Is the ability to disable the "read-only" configuration of logging infrastructure controlled through a procedure that ensures the segregation of duties and break glass procedures? | Yes
IAM-13.1 | Are processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) defined, implemented, and evaluated? | Yes
IAM-14.1 | Are processes, procedures, and technical measures for authenticating access to systems, application, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated? | Yes
IAM-14.2 | Are digital certificates or alternatives that achieve an equivalent security level for system identities adopted? | Yes
IAM-15.1 | Are processes, procedures, and technical measures for the secure management of passwords defined, implemented, and evaluated? | Yes
IAM-16.1 | Are processes, procedures, and technical measures to verify access to data and system functions authorized, defined, implemented, and evaluated? | Yes
IPY-01.1 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs)? | Yes
IPY-01.2 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information processing interoperability? | NA
IPY-01.3 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for application development portability? | NA
IPY-01.4 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information/data exchange, usage, portability, integrity, and persistence? | NA
IPY-01.5 | Are interoperability and portability policies and procedures reviewed and updated at least annually? | NA
IPY-02.1 | Are CSCs able to programmatically retrieve their data via an application interface(s) to enable interoperability and portability? | No
IPY-03.1 | Are cryptographically secure and standardized network protocols implemented for the management, import, and export of data? | Yes
IPY-04.1 | Do agreements include provisions specifying CSC data access upon contract termination, and have the following? | Yes
    a. Data format
    b. Duration data will be stored
    c. Scope of the data retained and made available to the CSCs
    d. Data deletion policy
IVS-01.1 | Are infrastructure and virtualization security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
IVS-01.2 | Are infrastructure and virtualization security policies and procedures reviewed and updated at least annually? | Yes
IVS-02.1 | Is resource availability, quality, and capacity planned and monitored in a way that delivers required system performance, as determined by the business? | Yes
IVS-03.1 | Are communications between environments monitored? | Yes
IVS-03.2 | Are communications between environments encrypted? | Yes
IVS-03.3 | Are communications between environments restricted to only authenticated and authorized connections, as justified by the business? | Yes
IVS-03.4 | Are network configurations reviewed at least annually? | Yes
IVS-03.5 | Are network configurations supported by the documented justification of all allowed services, protocols, ports, and compensating controls? | Yes
IVS-04.1 | Is every host and guest OS, hypervisor, or infrastructure control plane hardened (according to their respective best practices) and supported by technical controls as part of a security baseline? | Yes
IVS-05.1 | Are production and non-production environments separated? | Yes
IVS-06.1 | Are applications and infrastructures designed, developed, deployed, and configured such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented, segregated, monitored, and restricted from other tenants? | Yes
IVS-07.1 | Are secure and encrypted communication channels including only up-to-date and approved protocols used when migrating servers, services, applications, or data to cloud environments? | Yes
IVS-08.1 | Are high-risk environments identified and documented? | Yes
IVS-09.1 | Are processes, procedures, and defense-in-depth techniques defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks? | Yes
LOG-01.1 | Are logging and monitoring policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
LOG-01.2 | Are policies and procedures reviewed and updated at least annually? | Yes
LOG-02.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure audit log security and retention? | Yes
LOG-03.1 | Are security-related events identified and monitored within applications and the underlying infrastructure? | Yes
LOG-03.2 | Is a system defined and implemented to generate alerts to responsible stakeholders based on security events and their corresponding metrics? | Yes
LOG-04.1 | Is access to audit logs restricted to authorized personnel, and are records maintained to provide unique access accountability? | Yes
LOG-05.1 | Are security audit logs monitored to detect activity outside of typical or expected patterns? | Yes
LOG-05.2 | Is a process established and followed to review and take appropriate and timely actions on detected anomalies? | Yes
LOG-06.1 | Is a reliable time source being used across all relevant information processing systems? | Yes
LOG-07.1 | Are logging requirements for information meta/data system events established, documented, and implemented? | Yes
LOG-07.2 | Is the scope reviewed and updated at least annually, or whenever there is a change in the threat environment? | Yes
LOG-08.1 | Are audit records generated, and do they contain relevant security information? | Yes
LOG-09.1 | Does the information system protect audit records from unauthorized access, modification, and deletion? | Yes
LOG-10.1 | Are monitoring and internal reporting capabilities established to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls? | Yes
LOG-11.1 | Are key lifecycle management events logged and monitored to enable auditing and reporting on cryptographic keys' usage? | Yes
LOG-12.1 | Is physical access logged and monitored using an auditable access control system? | Yes
LOG-13.1 | Are processes and technical measures for reporting monitoring system anomalies and failures defined, implemented, and evaluated? | Yes
LOG-13.2 | Are accountable parties immediately notified about anomalies and failures? | Yes
SEF-01.1 | Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
SEF-01.2 | Are policies and procedures reviewed and updated annually? | Yes
SEF-02.1 | Are policies and procedures for timely management of security incidents established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
SEF-02.2 | Are policies and procedures for timely management of security incidents reviewed and updated at least annually? | Yes
SEF-03.1 | Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
SEF-04.1 | Is the security incident response plan tested and updated for effectiveness, as necessary, at planned intervals or upon significant organizational or environmental changes? | Yes
SEF-05.1 | Are information security incident metrics established and monitored? | Yes
SEF-06.1 | Are processes, procedures, and technical measures supporting business processes to triage security-related events defined, implemented, and evaluated? | Yes
SEF-07.1 | Are processes, procedures, and technical measures for security breach notifications defined and implemented? | Yes
SEF-07.2 | Are security breaches and assumed security breaches reported (including any relevant supply chain breaches) as per applicable SLAs, laws, and regulations? | Yes
SEF-08.1 | Are points of contact maintained for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities? | Yes
STA-01.1 | Are policies and procedures implementing the shared security responsibility model (SSRM) within the organization established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
STA-01.2 | Are the policies and procedures that apply the SSRM reviewed and updated annually? | Yes
STA-02.1 | Is the SSRM applied, documented, implemented, and managed throughout the supply chain for the cloud service offering? | Yes
STA-03.1 | Is the CSC given SSRM guidance detailing information about SSRM applicability throughout the supply chain? | Yes
STA-04.1 | Is the shared ownership and applicability of all CSA CCM controls delineated according to the SSRM for the cloud service offering? | Yes
STA-05.1 | Is SSRM documentation for all cloud services the organization uses reviewed and validated? | Yes
STA-06.1 | Are the portions of the SSRM the organization is responsible for implemented, operated, audited, or assessed? | Yes
STA-07.1 | Is an inventory of all supply chain relationships developed and maintained? | Yes
STA-08.1 | Are risk factors associated with all organizations within the supply chain periodically reviewed by CSPs? | Yes
STA-09.1 | Do service agreements between CSPs and CSCs (tenants) incorporate at least the following mutually agreed upon provisions and/or terms? | Yes
    • Scope, characteristics, and location of business relationship and services offered
    • Information security requirements (including SSRM)
    • Change management process
    • Logging and monitoring capability
    • Incident management and communication procedures
    • Right to audit and third-party assessment
    • Service termination
    • Interoperability and portability requirements
    • Data privacy
STA-10.1 | Are supply chain agreements between CSPs and CSCs reviewed at least annually? | Yes
STA-11.1 | Is there a process for conducting internal assessments at least annually to confirm the conformance and effectiveness of standards, policies, procedures, and SLA activities? | Yes
STA-12.1 | Are policies that require all supply chain CSPs to comply with information security, confidentiality, access control, privacy, audit, personnel policy, and service level requirements and standards implemented? | Yes
STA-13.1 | Are supply chain partner IT governance policies and procedures reviewed periodically? | Yes
STA-14.1 | Is a process to conduct periodic security assessments for all supply chain organizations defined and implemented? | Yes
TVM-01.1 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation? | Yes
TVM-01.2 | Are threat and vulnerability management policies and procedures reviewed and updated at least annually? | Yes
TVM-02.1 | Are policies and procedures to protect against malware on managed assets established, documented, approved, communicated, applied, evaluated, and maintained? | Yes
TVM-02.2 | Are asset management and malware protection policies and procedures reviewed and updated at least annually? | Yes
TVM-03.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to enable scheduled and emergency responses to vulnerability identifications (based on the identified risk)? | Yes
TVM-04.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to update detection tools, threat signatures, and compromise indicators on a weekly (or more frequent) basis? | Yes
TVM-05.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to identify updates for applications that use third-party or open-source libraries (according to the organization's vulnerability management policy)? | Yes
TVM-06.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing? | Yes
TVM-07.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated for vulnerability detection on organizationally managed assets at least monthly? | Yes
TVM-08.1 | Is vulnerability remediation prioritized using a risk-based model from an industry-recognized framework? | Yes
TVM-09.1 | Is a process defined and implemented to track and report vulnerability identification and remediation activities that include stakeholder notification? | Yes
TVM-10.1 | Are metrics for vulnerability identification and remediation established, monitored, and reported at defined intervals? | Yes
UEM-01.1 | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints? | Yes
UEM-01.2 | Are universal endpoint management policies and procedures reviewed and updated at least annually? | Yes
UEM-02.1 | Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data? | Yes
UEM-03.1 | Is a process defined and implemented to validate endpoint device compatibility with operating systems and applications? | Yes
UEM-04.1 | Is an inventory of all endpoints used and maintained to store and access company data? | Yes
UEM-05.1 | Are processes, procedures, and technical measures defined, implemented and evaluated, to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data? | Yes
UEM-06.1 | Are all relevant interactive-use endpoints configured to require an automatic lock screen? | Yes
UEM-07.1 | Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process? | Yes
UEM-08.1 | Is information protected from unauthorized disclosure on managed endpoints with storage encryption? | Yes
UEM-09.1 | Are anti-malware detection and prevention technology services configured on managed endpoints? | Yes
UEM-10.1 | Are software firewalls configured on managed endpoints? | Yes
UEM-11.1 | Are managed endpoints configured with data loss prevention (DLP) technologies and rules per a risk assessment? | No
UEM-12.1 | Are remote geolocation capabilities enabled for all managed mobile endpoints? | Yes
UEM-13.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices? | Yes
UEM-14.1 | Are processes, procedures, and technical and/or contractual measures defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets? | Yes
End of Standard
© Copyright 2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Consensus Assessments Initiative Questionnaire (CAIQ) Version 4.0.3” at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus Assessments Initiative Questionnaire v4.0.3 may be used solely for your personal, informational, non-commercial use; (b) the Consensus Assessments Initiative Questionnaire v4.0.3 may not be modified or altered in any way; (c) the Consensus Assessments Initiative Questionnaire v4.0.3 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative Questionnaire v4.0.3 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Consensus Assessments Initiative Questionnaire Version 4.0.3. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact [email protected].
SSRM Control Ownership | CSP Implementation Description (Optional/Recommended) | CSC Responsibilities (Optional/Recommended) | CCM Control ID
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | Skillable provides a SaaS virtual environment for customers to develop custom learning and testing experiences (referred to as “labs”). | A&A-01
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | A&A-02
3rd-party outsourced | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | A&A-03
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | A&A-04
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | A&A-05
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | A&A-06
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-01
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-02
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-03
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-04
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-05
CSP-owned | | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-06
CSP-owned | | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | AIS-07
CSP-owned | | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-01
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-02
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-03
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-04
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-05
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-05
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-06
CSP-owned | Skillable’s “Yes” to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-07
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-08
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-08
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-09
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | BCR-10
CSP-owned | Local emergency authorities are included in Skillable planning for data security, but are not included for man-made disasters (Skillable is an all-remote company) or exercises. | |
CSP-owned | | | BCR-11
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-01
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | | | CCC-02
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-03
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-04
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-05
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-06
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-07
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CCC-08
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | | | CCC-09
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-01
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-02
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-03
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-04
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-05
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-06
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-07
CSP-owned | | | CEK-08
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-09
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-10
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-11
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-12
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-13
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-14
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-15
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-16
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-17
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-18
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-19
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-20
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | CEK-21
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | DCS-01
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | DCS-02
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable is an all-remote company. | | DCS-03
CSP-owned | Skillable is an all-remote company. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | DCS-04
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | |
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | DCS-05
CSP-owned | Skillable’s “Yes” answer to a CSP CAIQ Answer is part of its execution of a well-defined ISMS that is certified under SOC and ISO-27001. | | DCS-06
3rd-party outsourced | Skillable datacenters in Seattle, WA; Ashburn, VA; London, UK; and Singapore are managed by certified third parties. | | DCS-07
_x005F_x000D_ Skillable INTERNAL
#
DCS-07
CSP-owned Skillable is an all-remote company.
CSP-owned
DCS-08
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties.
DCS-09
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties. DCS-10
_x005F_x000D_ Skillable INTERNAL
#
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified DCS-11
third parties.
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties.
DCS-12
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties. DCS-13
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified DCS-14
third parties.
Shared CSP and 3rd-party Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified DCS-15
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified DSP-02
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-03
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of DSP-04
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-05
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified DSP-07
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-08
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned
DSP-09
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-10
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-11
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-12
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-13
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-14
CSP-owned
DSP-15
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-16
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified DSP-17
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
DSP-18
CSP-owned
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. DSP-19
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
GRC-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
GRC-02
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified GRC-03
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. GRC-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified GRC-05
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. GRC-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified GRC-07
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified GRC-08
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-01
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-03
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
3rd-party outsourced Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties.
HRS-04
Shared CSP and 3rd-party Skillable datacenters in Seattle, WA;
Ashburn, VA; London, UK; and
Singapore are managed by certified
third parties.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified HRS-05
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified HRS-06
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified HRS-07
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. HRS-08
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified HRS-09
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. HRS-10
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-11
_x005F_x000D_ Skillable INTERNAL
#
HRS-11
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-12
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
HRS-13
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IAM-03
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IAM-04
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IAM-05
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. IAM-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-07
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. IAM-08
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-09
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-10
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSC-owned Skillable solely manages the SaaS
platform and does not grant access
outside of Skillable. The access
management to cloud virtual IAM-11
environments provided customers is
customer responsibility.
CSP-owned
IAM-12
_x005F_x000D_ Skillable INTERNAL
#
IAM-12
CSP-owned
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-13
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IAM-14
_x005F_x000D_ Skillable INTERNAL
#
IAM-14
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IAM-15
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IAM-16
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable SaaS platform is offered as a
turnkey solution that does not require
code or product interoperability, with
the exception of identity and access
management (IAM) via Azure Entra ID
and the execution of utilities within the
provided Microsoft cloud vm
environment.
CSP-owned Skillable SaaS platform is offered as a
turnkey solution that does not require
code or product interoperability, with
the exception of identity and access
management (IAM) via Azure Entra ID
and the execution of utilities within the
provided Microsoft cloud vm IPY-01
environment.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable SaaS platform is offered as a
turnkey solution that does not require
code or product interoperability, with
the exception of identity and access
management (IAM) via Azure Entra ID
and the execution of utilities within the
provided Microsoft cloud vm
environment.
CSP-owned Skillable SaaS platform is offered as a
turnkey solution that does not require
code or product interoperability, with
the exception of identity and access
management (IAM) via Azure Entra ID
and the execution of utilities within the
provided Microsoft cloud vm
environment.
CSP-owned CSCs use functionality within the TMS
and Insights products for data
management and export.
IPY-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified IPY-03
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned
IPY-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IVS-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. IVS-02
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IVS-03
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
IVS-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of IVS-05
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned
IVS-06
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. IVS-07
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of IVS-08
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. IVS-09
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
LOG-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-02
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
LOG-03
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-04
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
LOG-05
_x005F_x000D_ Skillable INTERNAL
#
LOG-05
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. LOG-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
LOG-07
CSP-owned
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-08
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-09
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. LOG-10
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-11
under SOC and ISO-27001.
Shared CSP and 3rd-party Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified LOG-12
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
LOG-13
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
SEF-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
SEF-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
SEF-03
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. SEF-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of SEF-05
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. SEF-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
SEF-07
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. SEF-08
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
STA-01
CSP-owned
CSP-owned
STA-02
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned
STA-03
CSP-owned
STA-04
CSP-owned
STA-05
CSP-owned
STA-06
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of STA-07
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified STA-08
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned
STA-09
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of STA-10
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. STA-11
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. STA-12
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified STA-13
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified STA-14
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
TVM-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
TVM-02
_x005F_x000D_ Skillable INTERNAL
#
TVM-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-03
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-05
Shared CSP and 3rd-party Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-06
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-07
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified TVM-08
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. TVM-09
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified TVM-10
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
UEM-01
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001.
UEM-02
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified UEM-03
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. UEM-04
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. UEM-05
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified UEM-06
under SOC and ISO-27001.
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified UEM-07
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified UEM-08
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified UEM-09
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of UEM-10
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable currently implements DLP
technologies on centralized
organization services, such as Outlook, UEM-11
etc. The use of DLP on endpoint
devices is under consideration.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of UEM-12
a well-defined ISMS that is certified
under SOC and ISO-27001.
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. UEM-13
_x005F_x000D_ Skillable INTERNAL
#
CSP-owned Skillable’s “Yes” answer to a CSP
CAIQ Answer is part of its execution of
a well-defined ISMS that is certified
under SOC and ISO-27001. UEM-14
[Cloud Security Alliance copyright and usage notice for the Consensus Assessments Initiative Questionnaire v4.0.3; only fragments survived extraction, among them that the Questionnaire v4.0.3 may not be redistributed.]
CCM Control Specification CCM Control Title
Establish, document, approve, communicate, apply, evaluate and maintain
audit and assurance policies and procedures and standards. Review and update
the policies and procedures at least annually.
Audit and Assurance Policy
and Procedures
Conduct independent audit and assurance assessments according to
relevant standards at least annually.
Independent Assessments
Perform independent audit and assurance assessments according to
risk-based plans and policies.
Risk Based Planning
Assessment
_x005F_x000D_ Skillable INTERNAL
#
Verify compliance with all relevant standards, regulations, legal/contractual,
and statutory requirements applicable to the audit.
Requirements Compliance
Define and implement an Audit Management process to support audit
planning, risk analysis, security control assessment, conclusion, remediation
schedules, report generation, and review of past reports and supporting evidence.
Audit Management Process
Establish, document, approve, communicate, apply, evaluate and maintain
a risk-based corrective action plan to remediate audit findings, review and
report remediation status to relevant stakeholders.
Remediation
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for application security to provide guidance to the
appropriate planning, delivery and support of the organization's application
security capabilities. Review and update the policies and procedures at least
annually.
Application and Interface
Security Policy and
Procedures
_x005F_x000D_ Skillable INTERNAL
#
security capabilities. Review and update the policies and procedures at least
annually.
Application and Interface
Security Policy and
Procedures
Establish, document and maintain baseline requirements for securing
different applications.
Application Security Baseline
Requirements
Define and implement technical and operational metrics in alignment
with business objectives, security requirements, and compliance obligations.
Application Security Metrics
Define and implement a SDLC process for application design, development,
deployment, and operation in accordance with security requirements defined by
the organization. Secure Application Design
and Development
Implement a testing strategy, including criteria for acceptance of
new information systems, upgrades and new versions, which provides application
security assurance and maintains compliance while enabling organizational speed
of delivery goals. Automate when applicable and possible.
Automated Application
Security Testing
_x005F_x000D_ Skillable INTERNAL
#
new information systems, upgrades and new versions, which provides application
security assurance and maintains compliance while enabling organizational speed
of delivery goals. Automate when applicable and possible.
Automated Application
Security Testing
Establish and implement strategies and capabilities for secure, standardized,
and compliant application deployment. Automate where possible.
Automated Secure
Application Deployment
Define and implement a process to remediate application security
vulnerabilities, automating remediation when possible.
Application Vulnerability
Remediation
Establish, document, approve, communicate, apply, evaluate and maintain
business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
Business Continuity
Management Policy and
Procedures
_x005F_x000D_ Skillable INTERNAL
#
business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
Business Continuity
Management Policy and
Procedures
Determine the impact of business disruptions and risks to establish
criteria for developing business continuity and operational resilience strategies
and capabilities.
Risk Assessment and Impact
Analysis
Establish strategies to reduce the impact of, withstand, and recover
from business disruptions within risk appetite.
Business Continuity Strategy
Establish, document, approve, communicate, apply, evaluate and maintain
a business continuity plan based on the results of the operational resilience
strategies and capabilities. Business Continuity Planning
Develop, identify, and acquire documentation that is relevant to
support the business continuity and operational resilience programs. Make the
documentation available to authorized stakeholders and review periodically.
Documentation
_x005F_x000D_ Skillable INTERNAL
#
Develop, identify, and acquire documentation that is relevant to
support the business continuity and operational resilience programs. Make the
documentation available to authorized stakeholders and review periodically.
Documentation
Exercise and test business continuity and operational resilience
plans at least annually or upon significant changes.
Business Continuity Exercises
Establish communication with stakeholders and participants in the
course of business continuity and resilience procedures.
Communication
Periodically backup data stored in the cloud. Ensure the confidentiality,
integrity and availability of the backup, and verify data restoration from backup
for resiliency.
Backup
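The "verify data restoration from backup" part of this control is the piece most often skipped in practice: backups that were never restored are assumptions, not evidence. The Python below is an added illustration, not CSA/CCM material and not any provider's questionnaire response, of a backup job that writes an authenticated manifest and a restore test that replays the archive into an empty directory and compares every restored file against that manifest. The source tree, file names and the MAC key are constructed for the example; confidentiality of the archive at rest (encryption) is assumed to be provided by the storage layer and is not modelled here.

```python
"""Backup integrity manifest plus a restore test (added example, not CSA/CCM code)."""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(files: dict, mac_key: bytes) -> str:
    canon = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, canon, hashlib.sha256).hexdigest()


def create_backup(src: Path, archive: Path, mac_key: bytes) -> dict:
    """Archive src and return {"files": {relpath: sha256}, "mac": hex}.

    The manifest is authenticated with a key the backup operator holds, so a
    tampered manifest, or archive content that no longer matches it, is
    detected at restore time rather than during an incident.
    """
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            files[rel] = _sha256_file(path)
            tar.add(str(path), arcname=rel)
    return {"files": files, "mac": _manifest_mac(files, mac_key)}


def verify_restore(archive: Path, manifest: dict, mac_key: bytes, restore_dir: Path) -> list:
    """Restore into restore_dir and return a list of problems; [] means the restore is verified."""
    if not hmac.compare_digest(_manifest_mac(manifest["files"], mac_key), manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        # Only plain files with safe relative names are restored (no '..', no absolute paths).
        safe = [m for m in tar.getmembers()
                if m.isfile() and not Path(m.name).is_absolute() and ".." not in Path(m.name).parts]
        tar.extractall(str(restore_dir), members=safe)
    for rel, expected in manifest["files"].items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing after restore: {rel}")
        elif _sha256_file(target) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    restored = {p.relative_to(restore_dir).as_posix() for p in restore_dir.rglob("*") if p.is_file()}
    for extra in sorted(restored - set(manifest["files"])):
        problems.append(f"unexpected file in restore: {extra}")
    return problems


def demo() -> dict:
    """Build a constructed source tree, back it up, then run clean, forged and incomplete restore tests."""
    mac_key = b"constructed-example-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")
        (src / "data.db").write_bytes(b"\x00\x01\x02" * 1000)
        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive, mac_key)

        clean = verify_restore(archive, manifest, mac_key, root / "restore1")

        # Someone who can edit the manifest but lacks the MAC key cannot hide a swapped file.
        forged_manifest = json.loads(json.dumps(manifest))
        forged_manifest["files"]["data.db"] = "0" * 64
        forged = verify_restore(archive, forged_manifest, mac_key, root / "restore2")

        # A backup job that silently skipped a file shows up as a missing entry at restore time.
        incomplete = json.loads(json.dumps(manifest))
        incomplete["files"]["logs/audit.log"] = hashlib.sha256(b"never archived").hexdigest()
        incomplete["mac"] = _manifest_mac(incomplete["files"], mac_key)
        partial = verify_restore(archive, incomplete, mac_key, root / "restore3")
    return {"clean": clean, "forged_manifest": forged, "incomplete_backup": partial}
```

Running `demo()` exercises all three outcomes. The restore test deliberately extracts into a fresh directory and compares against the manifest rather than trusting the archive's own listing, which is what turns "we take backups" into "we have restored them and they matched".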
Establish, document, approve, communicate, apply, evaluate and maintain
a disaster response plan to recover from natural and man-made disasters. Update
the plan at least annually or upon significant changes.
Disaster Response Plan
Exercise the disaster response plan annually or upon significant
changes, including if possible local emergency authorities.
Response Plan Exercise
Supplement business-critical equipment with redundant equipment independently
located at a reasonable minimum distance in accordance with applicable industry
standards.
Equipment Redundancy
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for managing the risks associated with applying changes
to organization assets, including application, systems, infrastructure, configuration,
etc., regardless of whether the assets are managed internally or externally
(i.e., outsourced). Review and update the policies and procedures at least annually.
Change Management Policy
and Procedures
Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards.
Quality Testing
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced).
Change Management Technology
Restrict the unauthorized addition, removal, update, and management
of organization assets.
Unauthorized Change Protection
Include provisions limiting changes directly impacting CSCs owned
environments/tenants to explicitly authorized requests within service level
agreements between CSPs and CSCs.
Change Agreements
Establish change management baselines for all relevant authorized
changes on organization assets.
Change Management
Baseline
Implement detection measures with proactive notification in case
of changes deviating from the established baseline.
Detection of Baseline Deviation
Implement a procedure for the management of exceptions, including
emergencies, in the change and configuration process. Align the procedure with
the requirements of GRC-04: Policy Exception Process.
Exception Management
Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns.
Change Restoration
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for Cryptography, Encryption and Key Management. Review
and update the policies and procedures at least annually.
Encryption and Key
Management Policy and
Procedures
Define and implement cryptographic, encryption and key management
roles and responsibilities.
CEK Roles and Responsibilities
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards.
Data Encryption
Use encryption algorithms that are appropriate for data protection,
considering the classification of data, associated risks, and usability of the
encryption technology.
Encryption Algorithm
Establish a standard change management procedure, to accommodate
changes from internal and external sources, for review, approval, implementation
and communication of cryptographic, encryption and key management technology
changes.
Encryption Change Management
Manage and adopt changes to cryptography-, encryption-, and key management-related
systems (including policies and procedures) that fully account for downstream
effects of proposed changes, including residual risk, cost, and benefits analysis.
Encryption Change Cost
Benefit Analysis
Establish and maintain an encryption and key management risk program
that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback.
Encryption Risk Management
CSPs must provide the capability for CSCs to manage their own data
encryption keys.
CSC Key Management Capability
Audit encryption and key management systems, policies, and processes
with a frequency that is proportional to the risk exposure of the system with
audit occurring preferably continuously but at least annually and after any
security event(s).
Encryption and Key
Management Audit
Generate Cryptographic keys using industry accepted cryptographic
libraries specifying the algorithm strength and the random number generator
used.
Key Generation
Manage cryptographic secret and private keys that are provisioned
for a unique purpose.
Key Purpose
Rotate cryptographic keys in accordance with the calculated cryptoperiod,
which includes provisions for considering the risk of information disclosure
and legal and regulatory requirements.
Key Rotation
Define, implement and evaluate processes, procedures and technical
measures to revoke and remove cryptographic keys prior to the end of their established
cryptoperiod, when a key is compromised, or when an entity is no longer part of the
organization, which include provisions for legal and regulatory requirements.
Key Revocation
Define, implement and evaluate processes, procedures and technical
measures to destroy keys stored outside a secure environment and revoke keys
stored in Hardware Security Modules (HSMs) when they are no longer needed, which
include provisions for legal and regulatory requirements.
Key Destruction
Define, implement and evaluate processes, procedures and technical
measures to create keys in a pre-activated state when they have been generated
but not authorized for use, which include provisions for legal and regulatory
requirements.
Key Activation
Define, implement and evaluate processes, procedures and technical
measures to monitor, review and approve key transitions from any state to/from
suspension, which include provisions for legal and regulatory requirements.
Key Suspension
Define, implement and evaluate processes, procedures and technical
measures to deactivate keys at the time of their expiration date, which include
provisions for legal and regulatory requirements.
Key Deactivation
Define, implement and evaluate processes, procedures and technical
measures to manage archived keys in a secure repository requiring least privilege
access, which include provisions for legal and regulatory requirements.
Key Archival
Define, implement and evaluate processes, procedures and technical
measures to use compromised keys to encrypt information only in controlled
circumstances, and thereafter exclusively for decrypting data and never for
encrypting data, which include provisions for legal and regulatory requirements.
Key Compromise
Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements.
Key Recovery
Define, implement and evaluate processes, procedures and technical
measures in order for the key management system to track and report all cryptographic
materials and changes in status, which include provisions for legal and regulatory
requirements.
Key Inventory Management
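The CEK controls from Key Generation through Key Inventory Management describe one key lifecycle: a key is generated with a recorded algorithm strength and RNG, bound to a single purpose, starts pre-activated, may be suspended only with review and approval, deactivates when its cryptoperiod ends and then only decrypts, never encrypts again once compromised, and is archived or destroyed, with every status change tracked. The Python below is an added illustration, not CSA/CCM material, that enforces those rules as a state machine and keeps the status-change history the inventory control asks for. The state names, the transition table, the "distinct approver" rule for suspension and the in-memory store are this example's assumptions; a real deployment would sit in front of an HSM or KMS rather than a dictionary.

```python
"""Key lifecycle state machine with a status-change inventory (added example, not CSA/CCM code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # generated, not yet authorised for use
    ACTIVE = "active"                  # may encrypt and decrypt
    SUSPENDED = "suspended"            # no use until reviewed and re-activated
    DEACTIVATED = "deactivated"        # cryptoperiod over: decrypt only
    COMPROMISED = "compromised"        # decrypt only, never encrypt
    ARCHIVED = "archived"              # secure repository, least-privilege access
    DESTROYED = "destroyed"            # material dropped (an HSM key would be revoked instead)


# Permitted transitions (this example's assumption); anything not listed is refused.
TRANSITIONS = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.ARCHIVED, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.ARCHIVED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}


@dataclass
class ManagedKey:
    key_id: str
    purpose: str      # one key, one purpose
    spec: str         # algorithm, strength and the RNG used, recorded at generation
    created: datetime
    cryptoperiod: timedelta
    state: KeyState = KeyState.PRE_ACTIVATION
    material: bytes | None = None
    history: list = field(default_factory=list)   # (when, from_state, to_state, actor, approver)


class KeyInventory:
    def __init__(self) -> None:
        self._keys: dict[str, ManagedKey] = {}

    def generate(self, key_id, purpose, *, bits=256, cryptoperiod_days=365, now=None):
        spec = f"AES-{bits}-GCM, material from secrets.token_bytes (OS CSPRNG)"
        key = ManagedKey(key_id, purpose, spec, now or datetime.now(timezone.utc),
                         timedelta(days=cryptoperiod_days), material=secrets.token_bytes(bits // 8))
        self._keys[key_id] = key
        return key

    def check_transition(self, key_id, new_state, actor, approver=None):
        """None if allowed, otherwise the reason the transition is refused."""
        key = self._keys[key_id]
        if new_state not in TRANSITIONS[key.state]:
            return f"{key.state.value} -> {new_state.value} is not a permitted transition"
        # Every move into or out of suspension is reviewed by someone other than the actor.
        if KeyState.SUSPENDED in (key.state, new_state) and (approver is None or approver == actor):
            return "suspension transitions need a distinct approver"
        return None

    def transition(self, key_id, new_state, actor, *, approver=None, now=None):
        reason = self.check_transition(key_id, new_state, actor, approver)
        if reason:
            raise ValueError(f"{key_id}: {reason}")
        key = self._keys[key_id]
        if new_state is KeyState.DESTROYED:
            key.material = None
        key.history.append((now or datetime.now(timezone.utc), key.state, new_state, actor, approver))
        key.state = new_state
        return key

    def may_encrypt(self, key_id):
        return self._keys[key_id].state is KeyState.ACTIVE

    def may_decrypt(self, key_id):
        key = self._keys[key_id]
        return key.state in {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED} and key.material is not None

    def expire_due(self, now):
        """Deactivate every active key whose cryptoperiod has elapsed; returns their ids."""
        due = [k.key_id for k in self._keys.values() if k.state is KeyState.ACTIVE and now >= k.created + k.cryptoperiod]
        for key_id in due:
            self.transition(key_id, KeyState.DEACTIVATED, "scheduler", now=now)
        return due

    def report(self):
        """Inventory view: every key, its spec, status and number of status changes."""
        return [{"key_id": k.key_id, "purpose": k.purpose, "spec": k.spec, "state": k.state.value,
                 "changes": len(k.history)} for k in self._keys.values()]


def demo():
    """Walk one constructed key through its lifecycle and return what was observed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inv = KeyInventory()
    inv.generate("k1", "db-at-rest", cryptoperiod_days=30, now=t0)
    out = {"fresh_can_encrypt": inv.may_encrypt("k1")}
    inv.transition("k1", KeyState.ACTIVE, "alice", now=t0)
    out["self_approved_suspend"] = inv.check_transition("k1", KeyState.SUSPENDED, "alice", approver="alice")
    inv.transition("k1", KeyState.SUSPENDED, "alice", approver="bob", now=t0)
    out["suspended_can_decrypt"] = inv.may_decrypt("k1")
    inv.transition("k1", KeyState.ACTIVE, "alice", approver="bob", now=t0)
    out["expired"] = (inv.expire_due(t0 + timedelta(days=29)), inv.expire_due(t0 + timedelta(days=30)))
    out["deactivated"] = (inv.may_encrypt("k1"), inv.may_decrypt("k1"))
    inv.transition("k1", KeyState.COMPROMISED, "ir-team", now=t0)
    out["compromised_reactivate"] = inv.check_transition("k1", KeyState.ACTIVE, "alice")
    inv.transition("k1", KeyState.DESTROYED, "alice", now=t0)
    out["destroyed_can_decrypt"] = inv.may_decrypt("k1")
    out["report"] = inv.report()
    return out
```

The transition table is where the policy lives: there is deliberately no edge back to `ACTIVE` from `COMPROMISED` or `DEACTIVATED`, so an operator cannot "un-compromise" a key, and `report()` is the evidence an auditor would ask for under Key Inventory Management.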
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the secure disposal of equipment used outside the
organization's premises. If the equipment is not physically destroyed a data
destruction procedure that renders recovery of information impossible must be
applied. Review and update the policies and procedures at least annually.
Off-Site Equipment Disposal
Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually.
Off-Site Transfer
Authorization Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for maintaining a safe and secure working environment
in offices, rooms, and facilities. Review and update the policies and procedures
at least annually.
Secure Area Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the secure transportation of physical media. Review
and update the policies and procedures at least annually.
Secure Media Transportation
Policy and Procedures
Classify and document the physical and logical assets (e.g., applications)
based on the organizational business risk.
Assets Classification
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
Assets Cataloguing and Tracking
Implement physical security perimeters to safeguard personnel, data,
and information systems. Establish physical security perimeters between the
administrative and business areas and the data storage and processing facilities
areas.
Controlled Access Points
Use equipment identification as a method for connection authentication.
Equipment Identification
Allow only authorized personnel access to secure areas, with all
ingress and egress points restricted, documented, and monitored by physical
access control mechanisms. Retain access control records on a periodic basis
as deemed appropriate by the organization.
Secure Area Authorization
Implement, maintain, and operate datacenter surveillance systems
at the external perimeter and at all the ingress and egress points to detect
unauthorized ingress and egress attempts.
Surveillance System
Train datacenter personnel to respond to unauthorized ingress or
egress attempts.
Unauthorized Access Response Training
Define, implement and evaluate processes, procedures and technical
measures that ensure a risk-based protection of power and telecommunication
cables from a threat of interception, interference or damage at all facilities,
offices and rooms.
Cabling Security
Implement and maintain data center environmental control systems
that monitor, maintain and test for continual effectiveness the temperature
and humidity conditions within accepted industry standards.
Environmental Systems
Secure, monitor, maintain, and test utilities services for continual
effectiveness at planned intervals.
Secure Utilities
Keep business-critical equipment away from locations subject to high
probability for environmental risk events.
Equipment Location
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the classification, protection and handling of data
throughout its lifecycle, and according to all applicable laws and regulations,
standards, and risk level. Review and update the policies and procedures at
least annually.
Security and Privacy Policy
and Procedures
Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
Secure Disposal
Create and maintain a data inventory, at least for any sensitive
data and personal data.
Data Inventory
Classify data according to its type and sensitivity level.
Data Classification
Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change.
Data Flow Documentation
Document ownership and stewardship of all relevant documented personal
and sensitive data. Perform review at least annually.
Data Ownership and
Stewardship
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices.
Data Protection by Design and Default
Develop systems, products, and business practices based upon a principle
of privacy by design and industry best practices. Ensure that systems' privacy
settings are configured by default, according to all applicable laws and regulations.
Data Privacy by Design and
Default
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the
origin, nature, particularity and severity of the risks upon the processing
of personal data, according to any applicable laws, regulations and industry
best practices.
Data Protection Impact Assessment
Define, implement and evaluate processes, procedures and technical
measures that ensure any transfer of personal or sensitive data is protected
from unauthorized access and only processed within scope as permitted by the
respective laws and regulations.
Sensitive Data Transfer
Define and implement processes, procedures and technical measures
to enable data subjects to request access to, modification, or deletion of their
personal data, according to any applicable laws and regulations.
Personal Data Access, Reversal, Rectification and Deletion
Define, implement and evaluate processes, procedures and technical
measures to ensure that personal data is processed according to any applicable
laws and regulations and for the purposes declared to the data subject.
Limitation of Purpose in
Personal Data Processing
Define, implement and evaluate processes, procedures and technical
measures for the transfer and sub-processing of personal data within the service
supply chain, according to any applicable laws and regulations.
Personal Data Sub-processing
Define, implement and evaluate processes, procedures and technical
measures to disclose the details of any personal or sensitive data access by
sub-processors to the data owner prior to initiation of that processing.
Disclosure of Data Sub-processors
Obtain authorization from data owners, and manage associated risk
before replicating or using production data in non-production environments.
Limitation of Production Data Use
Manage data retention, archiving and deletion in accordance with
business requirements and applicable laws and regulations.
Data Retention and Deletion
Define and implement processes, procedures and technical measures
to protect sensitive data throughout its lifecycle.
Sensitive Data Protection
The CSP must have in place, and describe to CSCs the procedure to
manage and respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations. The CSP must give
special attention to the notification procedure to interested CSCs, unless otherwise
prohibited, such as a prohibition under criminal law to preserve confidentiality
of a law enforcement investigation.
Disclosure Notification
Define and implement processes, procedures and technical measures
to specify and document the physical locations of data, including any locations
in which data is processed or backed up.
Data Location
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for an information governance program, which is sponsored
by the leadership of the organization. Review and update the policies and procedures
at least annually.
Governance Program Policy
and Procedures
Establish a formal, documented, and leadership-sponsored Enterprise
Risk Management (ERM) program that includes policies and procedures for
identification, evaluation, ownership, treatment, and acceptance of cloud
security and privacy risks.
Risk Management Program
Review all relevant organizational policies and associated procedures
at least annually or when a substantial change occurs within the organization.
Organizational Policy Reviews
Establish and follow an approved exception process as mandated by
the governance program whenever a deviation from an established policy occurs.
Policy Exception Process
Develop and implement an Information Security Program, which includes
programs for all the relevant domains of the CCM.
Information Security Program
Define and document roles and responsibilities for planning, implementing,
operating, assessing, and improving governance programs.
Governance Responsibility
Model
Identify and document all relevant standards, regulations, legal/contractual,
and statutory requirements, which are applicable to your organization.
Information System Regulatory Mapping
Establish and maintain contact with cloud-related special interest
groups and other relevant entities in line with business context.
Special Interest Groups
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for background verification of all new employees (including
but not limited to remote employees, contractors, and third parties) according
to local laws, regulations, ethics, and contractual constraints and proportional
to the data classification to be accessed, the business requirements, and acceptable
risk. Review and update the policies and procedures at least annually.
Background Screening Policy
and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for defining allowances and conditions for the acceptable
use of organizationally-owned or managed assets. Review and update the policies
and procedures at least annually.
Acceptable Use of
Technology Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures that require unattended workspaces to not have openly
visible confidential data. Review and update the policies and procedures at
least annually.
Clean Desk Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to protect information accessed, processed or stored
at remote sites and locations. Review and update the policies and procedures
at least annually.
Remote and Home Working
Policy and Procedures
Establish and document procedures for the return of organization-owned
assets by terminated employees.
Asset returns
Establish, document, and communicate to all personnel the procedures
outlining the roles and responsibilities concerning changes in employment.
Employment Termination
Employees sign the employee agreement prior to being granted access
to organizational information systems, resources and assets.
Employment Agreement Process
The organization includes within the employment agreements provisions
and/or terms for adherence to established information governance and security
policies.
Employment Agreement Content
Document and communicate roles and responsibilities of employees,
as they relate to information assets and security.
Personnel Roles and Responsibilities
Identify, document, and review, at planned intervals, requirements
for non-disclosure/confidentiality agreements reflecting the organization's
needs for the protection of data and operational details.
Non-Disclosure Agreements
Establish, document, approve, communicate, apply, evaluate and maintain
a security awareness training program for all employees of the organization
and provide regular training updates.
Security Awareness Training
Provide all employees who have access to sensitive organizational and
personal data with appropriate security awareness training and regular updates
on the organizational procedures, processes, and policies relating to their professional
function within the organization.
Personal and Sensitive Data Awareness and Training
Make employees aware of their roles and responsibilities for maintaining
awareness and compliance with established policies and procedures and applicable
legal, statutory, or regulatory compliance obligations.
Compliance User
Responsibility
Establish, document, approve, communicate, implement, apply, evaluate
and maintain policies and procedures for identity and access management. Review
and update the policies and procedures at least annually.
Identity and Access
Management Policy and
Procedures
Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually.
Strong Password Policy and
Procedures
Manage, store, and review the information of system identities, and
level of access.
Identity Inventory
Employ the separation of duties principle when implementing information
system access.
Separation of Duties
Employ the least privilege principle when implementing information
system access.
Least Privilege
Define and implement a user access provisioning process which authorizes,
records, and communicates access changes to data and assets.
User Access Provisioning
De-provision, or modify as appropriate, the access of movers and leavers
and of changed system identities in a timely manner, in order to effectively apply and
communicate identity and access management policies.
User Access Changes and Revocation
Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
User Access Review
Define, implement and evaluate processes, procedures and technical
measures for the segregation of privileged access roles such that administrative
access to data, encryption and key management capabilities and logging capabilities
are distinct and separated.
Segregation of Privileged Access Roles
Define and implement an access process to ensure privileged access
roles and rights are granted for a time-limited period, and implement procedures
to prevent the accumulation of segregated privileged access roles in a single identity.
Management of Privileged Access Roles
Define, implement and evaluate processes and procedures for customers
to participate, where applicable, in the granting of access for agreed, high
risk (as defined by the organizational risk assessment) privileged access roles.
CSCs Approval for Agreed
Privileged Access Roles
Define, implement and evaluate processes, procedures and technical
measures to ensure the logging infrastructure is read-only for all identities with write
access to it (records can be appended but not altered or deleted), including privileged
access roles, and that the ability to disable it is controlled through a procedure that
ensures the segregation of duties and break-glass procedures.
Safeguard Logs Integrity
Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs.
Uniquely Identifiable Users
Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities.
Strong Authentication
Define, implement and evaluate processes, procedures and technical
measures for the secure management of passwords.
Passwords Management
Define, implement and evaluate processes, procedures and technical
measures to verify access to data and system functions is authorized.
Authorization Mechanisms
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for interoperability and portability including
requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
Interoperability and
Portability Policy and
Procedures
Provide application interface(s) to CSCs so that they can programmatically
retrieve their data to enable interoperability and portability.
Application Interface Availability
Implement cryptographically secure and standardized network protocols
for the management, import and export of data.
Secure Interoperability and Portability Management
Agreements must include provisions specifying CSCs access to data
upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
Data Portability Contractual Obligations
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for infrastructure and virtualization security. Review
and update the policies and procedures at least annually.
Infrastructure and
Virtualization Security Policy
and Procedures
Plan and monitor the availability, quality, and adequate capacity
of resources in order to deliver the required system performance as determined
by the business.
Capacity and Resource Planning
Monitor, encrypt and restrict communications between environments
to only authenticated and authorized connections, as justified by the business.
Review these configurations at least annually, and support them by a documented
justification of all allowed services, protocols, ports, and compensating controls.
Network Security
Harden host and guest OS, hypervisor or infrastructure control plane
according to their respective best practices, and supported by technical controls,
as part of a security baseline.
OS Hardening and Base
Controls
Separate production and non-production environments.
Production and Non-Production Environments
Design, develop, deploy and configure applications and infrastructures
such that CSP and CSC (tenant) user access and intra-tenant access is appropriately
segmented and segregated, monitored and restricted from other tenants.
Segmentation and
Segregation
Use secure and encrypted communication channels when migrating servers,
services, applications, or data to cloud environments. Such channels must include
only up-to-date and approved protocols.
Migration to Cloud
Environments
Identify and document high-risk environments.
Network Architecture
Documentation
Define, implement and evaluate processes, procedures and defense-in-depth
techniques for protection, detection, and timely response to network-based attacks.
Network Defense
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for logging and monitoring. Review and update the policies
and procedures at least annually.
Logging and Monitoring
Policy and Procedures
Define, implement and evaluate processes, procedures and technical
measures to ensure the security and retention of audit logs.
Audit Logs Protection
Identify and monitor security-related events within applications
and the underlying infrastructure. Define and implement a system to generate
alerts to responsible stakeholders based on such events and corresponding metrics.
Security Monitoring and
Alerting
Restrict audit logs access to authorized personnel and maintain records
that provide unique access accountability.
Audit Logs Access and Accountability
Monitor security audit logs to detect activity outside of typical
or expected patterns. Establish and follow a defined process to review and take
appropriate and timely actions on detected anomalies.
Audit Logs Monitoring and
Response
Use a reliable time source across all relevant information processing
systems.
Clock Synchronization
Establish, document and implement which information meta/data system
events should be logged. Review and update the scope at least annually or whenever
there is a change in the threat environment.
Logging Scope
Generate audit records containing relevant security information.
Log Records
The information system protects audit records from unauthorized access,
modification, and deletion.
Log Protection
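This control, together with the IAM "Safeguard Logs Integrity" control earlier on the page, asks for two things: writers must be unable to alter what has already been written, and switching logging off must be a controlled, two-person act. The Python below is an added illustration, not CSA/CCM material, of one way to make that verifiable rather than merely declared. Records are hash-chained, the head hash is anchored out of band (here, simply a value the verifier keeps), and the check shows that an insider with write access who edits a record and recomputes the whole chain is still caught by the anchor. The record layout, the anchoring step and the sample events are constructed for the example.

```python
"""Hash-chained append-only audit log with an anchored head (added example, not CSA/CCM code)."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash: str, body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + canon).hexdigest()


def _body(record: dict) -> dict:
    return {k: v for k, v in record.items() if k not in ("prev", "hash")}


class AppendOnlyLog:
    def __init__(self) -> None:
        self._records: list[dict] = []
        self.enabled = True

    @property
    def head(self) -> str:
        return self._records[-1]["hash"] if self._records else GENESIS

    def append(self, actor: str, event: str, ts: str, **details) -> dict:
        """The only write path: each record commits to the hash of the one before it."""
        if not self.enabled:
            raise RuntimeError("logging is disabled; see the break-glass record")
        body = {"seq": len(self._records), "ts": ts, "actor": actor, "event": event, "details": details}
        record = {**body, "prev": self.head, "hash": _digest(self.head, body)}
        self._records.append(record)
        return record

    def disable(self, requester: str, approver: str, reason: str, ts: str) -> None:
        """Break-glass: two distinct identities, and the act is logged before it takes effect."""
        if requester == approver:
            raise PermissionError("disabling the log needs a second, distinct identity")
        self.append("system", "logging-disabled", ts, requester=requester, approver=approver, reason=reason)
        self.enabled = False

    def records(self) -> list[dict]:
        # Deep copies: readers get the data, never a handle on the store.
        return [json.loads(json.dumps(r)) for r in self._records]


def verify_chain(records: list[dict], anchored_head: str | None = None) -> tuple:
    """(True, None) if intact; otherwise (False, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev or rec.get("hash") != _digest(prev, _body(rec)):
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(records)  # self-consistent, but not the chain whose head was anchored
    return True, None


def rechain(records: list[dict]) -> list[dict]:
    """What an insider with write access does after editing a record: recompute every hash."""
    out, prev = [], GENESIS
    for rec in records:
        body = _body(rec)
        out.append({**body, "prev": prev, "hash": _digest(prev, body)})
        prev = out[-1]["hash"]
    return out
```

The chain alone only detects clumsy edits; `rechain()` shows why. The control is the anchor: as long as the head hash is periodically copied somewhere the log writers cannot reach (a separate account, a signed timestamp, a WORM bucket), a rewritten history no longer ends in the anchored value, and `verify_chain` reports the mismatch at the end of the chain.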
Establish and maintain a monitoring and internal reporting capability
over the operations of cryptographic, encryption and key management policies,
processes, procedures, and controls.
Encryption Monitoring and Reporting
Log and monitor key lifecycle management events to enable auditing
and reporting on usage of cryptographic keys.
Transaction/Activity Logging
Monitor and log physical access using an auditable access control
system.
Access Control Logs
Define, implement and evaluate processes, procedures and technical
measures for the reporting of anomalies and failures of the monitoring system
and provide immediate notification to the accountable party.
Failures and Anomalies
Reporting
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for Security Incident Management, E-Discovery, and Cloud
Forensics. Review and update the policies and procedures at least annually.
Security Incident
Management Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the timely management of security incidents. Review
and update the policies and procedures at least annually.
Service Management Policy
and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
a security incident response plan, which includes but is not limited to: relevant
internal departments, impacted CSCs, and other business critical relationships
(such as supply-chain) that may be impacted.
Incident Response Plans
Test and update as necessary incident response plans at planned intervals
or upon significant organizational or environmental changes for effectiveness.
Incident Response Testing
Establish and monitor information security incident metrics.
Incident Response Metrics
Define, implement and evaluate processes, procedures and technical
measures supporting business processes to triage security-related events.
Event Triage Processes
Define and implement processes, procedures and technical measures
for security breach notifications. Report security breaches and assumed security
breaches, including any relevant supply chain breaches, as per applicable SLAs,
laws and regulations.
Security Breach Notification
Maintain points of contact for applicable regulation authorities,
national and local law enforcement, and other legal jurisdictional authorities.
Points of Contact
Maintenance
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the application of the Shared Security Responsibility
Model (SSRM) within the organization. Review and update the policies and procedures
at least annually.
SSRM Policy and Procedures
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
SSRM Supply Chain
Provide SSRM Guidance to the CSC detailing information about the
SSRM applicability throughout the supply chain.
SSRM Guidance
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
SSRM Control Ownership
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
SSRM Documentation Review
Implement, operate, and audit or assess the portions of the SSRM
which the organization is responsible for.
SSRM Control Implementation
Develop and maintain an inventory of all supply chain relationships.
Supply Chain Inventory
CSPs periodically review risk factors associated with all organizations
within their supply chain.
Supply Chain Risk Management
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Primary Service and Contractual Agreement
Review supply chain agreements between CSPs and CSCs at least annually.
Supply Chain Agreement
Review
Define and implement a process for conducting internal assessments
to confirm conformance and effectiveness of standards, policies, procedures,
and service level agreement activities at least annually.
Internal Compliance Testing
Implement policies requiring all CSPs throughout the supply chain
to comply with information security, confidentiality, access control, privacy,
audit, personnel policy and service level requirements and standards.
Supply Chain Service
Agreement Compliance
Periodically review the organization's supply chain partners' IT
governance policies and procedures.
Supply Chain Governance Review
Define and implement a process for conducting security assessments
periodically for all organizations within the supply chain.
Supply Chain Data Security Assessment
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to identify, report and prioritize the remediation of
vulnerabilities, in order to protect systems against vulnerability exploitation.
Review and update the policies and procedures at least annually.
Threat and Vulnerability
Management Policy and
Procedures
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to protect against malware on managed assets. Review
and update the policies and procedures at least annually.
Malware Protection Policy
and Procedures
Define, implement and evaluate processes, procedures and technical
measures to enable both scheduled and emergency responses to vulnerability
identifications, based on the identified risk.
Vulnerability Remediation Schedule
Define, implement and evaluate processes, procedures and technical
measures to update detection tools, threat signatures, and indicators of compromise
on a weekly, or more frequent basis.
Detection Updates
Define, implement and evaluate processes, procedures and technical
measures to identify updates for applications which use third party or open
source libraries according to the organization's vulnerability management policy.
External Library
Vulnerabilities
Define, implement and evaluate processes, procedures and technical
measures for the periodic performance of penetration testing by independent
third parties.
Penetration Testing
Define, implement and evaluate processes, procedures and technical
measures for the detection of vulnerabilities on organizationally managed assets
at least monthly.
Vulnerability Identification
Use a risk-based model for effective prioritization of vulnerability
remediation using an industry recognized framework.
Vulnerability Prioritization
Define and implement a process for tracking and reporting vulnerability
identification and remediation activities that includes stakeholder notification.
Vulnerability Management
Reporting
Establish, monitor and report metrics for vulnerability identification
and remediation at defined intervals.
Vulnerability Management Metrics
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for all endpoints. Review and update the policies and
procedures at least annually.
Endpoint Devices Policy and
Procedures
Define, document, apply and evaluate a list of approved services,
applications and sources of applications (stores) acceptable for use by endpoints
when accessing or storing organization-managed data.
Application and Service
Approval
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications.
Compatibility
Maintain an inventory of all endpoints used to store and access company
data.
Endpoint Inventory
Define, implement and evaluate processes, procedures and technical
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data.
Endpoint Management
Configure all relevant interactive-use endpoints to require an automatic
lock screen.
Automatic Lock Screen
_x005F_x000D_ Skillable INTERNAL
#
Manage changes to endpoint operating systems, patch levels, and/or
applications through the company's change management processes.
Operating Systems
Protect information from unauthorized disclosure on managed endpoint
devices with storage encryption.
Storage Encryption
Configure managed endpoints with anti-malware detection and prevention
technology and services.
Anti-Malware Detection and Prevention
Configure managed endpoints with properly configured software firewalls.
Software Firewall
Configure managed endpoints with Data Loss Prevention (DLP) technologies
and rules in accordance with a risk assessment.
Data Loss Prevention
Enable remote geo-location capabilities for all managed mobile endpoints.
Remote Locate
Define, implement and evaluate processes, procedures and technical
measures to enable the deletion of company data remotely on managed endpoint
devices.
Remote Wipe
Define, implement and evaluate processes, procedures and technical
and/or contractual measures to maintain proper security of third-party endpoints
with access to organizational assets.
Third-Party Endpoint
Security Posture
CCM Domain Title
Audit & Assurance
Application & Interface Security
Business Continuity Management and Operational Resilience
Change Control and Configuration Management
Cryptography, Encryption & Key Management
Datacenter Security
Data Security and Privacy Lifecycle Management
Governance, Risk and Compliance
Human Resources
Identity & Access Management
Interoperability & Portability
Infrastructure & Virtualization Security
Logging and Monitoring
Security Incident Management, E-Discovery, & Cloud Forensics
Supply Chain Management, Transparency, and Accountability
Threat & Vulnerability Management
Universal Endpoint Management