Domain 1 of 6 · Chapter 5 of 5

Cloud Service Provider Evaluation

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • What CSP evaluation actually asks
  • Organizational attestations: SOC, ISO, and CSA STAR
  • Assurance depth: self-attestation versus third-party audit
  • Product certifications: Common Criteria and FIPS 140-2/3
  • Exam-pattern recognition

Which assurance artifact answers which question

ArtifactAssurance layerWhat it provesWho verifies it
SOC 2 (Type I / II)Organizational attestationTrust Services Criteria controls designed (I) or operating over a period (II)Licensed CPA firm (AICPA SSAE 18)
ISO/IEC 27001Organizational attestationA certified information security management system (ISMS) exists and is maintainedAccredited certification body
ISO/IEC 27017 / 27018Organizational attestationCloud-specific controls (27017) and cloud PII protection (27018) on top of 27001Accredited certification body
CSA STAR (L1 / L2)Organizational attestationCCM/CAIQ-mapped controls: self-assessed (L1) or third-party audited (L2)Provider (L1) or accredited assessor (L2)
Common Criteria (EAL)Product / system certificationA product meets a security target at an Evaluation Assurance LevelAccredited evaluation lab under a CC scheme
FIPS 140-2 / 140-3Product / system certificationA cryptographic module is validated at a security level (1-4)NIST CMVP accredited lab
PCI DSSRegulatory / industry mandateControls protecting cardholder data are in place for the assessed scopeQSA (or self-assessment via SAQ for small merchants)

Decision tree

A component, or thewhole provider?One componentCrypto module / HSM?vs general productCryptoProductFIPS 140-2/3L3 for HSMCommon CriteriaEAL 1-7Whole providerRegulated data?cardholder / PHI / PIIYesPCI / HIPAA / 27018match to mandateNoScreen manyor assess one?Screen manyCSA STAR / CAIQCCM common control setAssess onePoint in timeor over a period?Over a periodSOC 2 Type IIcontrols operated, auditedPoint in timeSOC 2 Type Idesign only

Cheat sheet

  • Evaluate a provider on independent evidence, not its own claims
  • Match the assurance artifact to the layer your question lives in
  • Who verified the claim is the sharpest axis on any artifact
  • SOC 2 is the security report; SOC 1 is for financial reporting
  • SOC 2 Type II beats Type I because it tests controls over time
  • SOC 3 is a public summary with no detailed test results
  • ISO/IEC 27001 certifies a managed ISMS, not a single control
  • ISO/IEC 27017 is cloud controls; 27018 is cloud PII protection
  • CSA STAR has two levels: self-assessment, then third-party audit
  • CCM is the control framework, CAIQ the questionnaire, STAR the registry
  • Use CSA STAR and CAIQ to screen many providers against one control set
  • Common Criteria's EAL measures evaluation rigor, not absolute security
  • FIPS 140-2/3 validates cryptographic modules at four security levels
  • An HSM for high-value keys typically targets FIPS 140-2/3 Level 3
  • FIPS 140-3 is the current standard, superseding 140-2
  • Confirm a crypto module runs in its validated FIPS-approved mode
  • Match a regulated workload to its specific mandate, then check scope
  • PCI DSS allows a self-assessment path or a QSA audit by volume
  • An attestation covers a fixed scope and a past window, not forever
  • A provider's attestation never discharges the customer's own duty
  • SLA service credits are usually the sole, capped remedy, not damages
  • Judge an SLA by actual historical uptime, not just the stated percentage
  • FedRAMP High is for severe-or-catastrophic-impact data and is continuously monitored
  • ISO/IEC 27036 is the supplier-relationship and supply-chain security standard
  • Under GDPR Article 28 a CSP needs controller consent for subprocessors and stays liable

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://www.isc2.org/certifications/ccsp/ccsp-certification-exam-outline
  2. https://cloudsecurityalliance.org/star
  3. https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
  4. https://cloudsecurityalliance.org/research/cloud-controls-matrix
  5. https://csrc.nist.gov/projects/cryptographic-module-validation-program