When developing a cloud compliance program, the primary reason for a cloud customer to
determine how those services will fit within its policies and procedures is to ensure that the cloud
services are aligned with the customer’s business objectives, risk appetite, and compliance
obligations. Cloud services may have different characteristics, features, and capabilities than
traditional on-premises services, and may require different or additional controls to meet the
customer’s security and compliance requirements. Therefore, the customer needs to assess how the
cloud services will fit within its existing policies and procedures, such as data classification, data
protection, access management, incident response, audit, and reporting. The customer also needs to
identify any gaps or conflicts between the cloud services and its policies and procedures, and
implement appropriate measures to address them. By doing so, the customer can ensure that the
cloud services are used in a secure, compliant, and effective manner [1][2].
References:
[1] ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, pp. 19-20.
[2] Cloud Compliance Frameworks: What You Need to Know