CSA Integrates Cloud Controls Matrix with SOC 2 Reports for Cloud Providers

By: Peter Clarke, Senior Consultant at A-LIGN

The AICPA recently released an Illustrative Type 2 SOC 2 Report to assist auditors in reporting on the suitability of design and operating effectiveness of controls at cloud security providers. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) builds upon the AICPA’s Trust Services Principles (TSP) as the attest standard. It was designed to provide complementary controls to review in conjunction with the security principles, guiding cloud vendors and customers in assessing the risk of a cloud provider. With the CCM integrated into the AICPA SOC 2 report, cloud providers can now receive a SOC 2 attestation report that incorporates the CCM security principles.

This new report will allow cloud service providers to provide better insight into their controls as they relate to the thirteen cloud-specific domains of the CCM. The clarity of the reporting will demonstrate the cloud service provider’s efforts to comply with the SOC 2 TSP as well as the CSA CCM.