Compliance Risk & Information Security Partners

24-W: Cloud Services

This section evaluates how your organization selects, configures, and governs cloud services used to deliver or support your offerings.

The questions focus on how you assess cloud providers, define and manage shared responsibility for security, protect data in transit and at rest, control access and administration, and monitor cloud environments for misuse or misconfiguration.

Overall, this section confirms that cloud services are used in a secure, well-managed way rather than as unmanaged “shadow IT.”

Explanation: Defining roles and responsibilities ensures clear accountability for securing data and services in the cloud. It reduces misunderstandings regarding who manages specific security tasks (e.g., encryption, monitoring, compliance).

Risks of Incorrect Answer:
Misaligned responsibilities could lead to unaddressed security vulnerabilities.
Lack of clarity could result in non-compliance with industry standards.

Applicable Frameworks:
NIST CSF (ID.GV-1): Governance and roles definition.
ISO 27001 (A.15.1.1): Information security policy for supplier relationships.
SOC 2 (CC3.0): Responsibility and accountability for risk management.

Explanation: Encrypting data at rest ensures that sensitive information is protected even if unauthorized access to storage systems occurs.

Risks of Incorrect Answer:
Unencrypted data could be accessed in the event of a breach or physical theft of storage media.
Non-compliance with privacy regulations that mandate encryption.

Applicable Frameworks:
NIST CSF (PR.DS-1): Protection of data at rest.
ISO 27001 (A.10.1): Cryptographic controls.
HIPAA (164.312(a)(2)(iv)): Encryption for electronic protected health information.

Explanation: Documentation of audit programs verifies the cloud provider’s compliance with security standards and ensures their controls meet industry requirements.

Risks of Incorrect Answer:
Lack of transparency about the provider’s security posture increases risk.
Potential use of non-compliant cloud services could jeopardize regulatory adherence.

Applicable Frameworks:
NIST CSF (ID.AM-5): Resource audits and management.
ISO 27001 (A.15.2.2): Monitoring and review of third-party services.
GDPR (Article 28): Requirements for processors to demonstrate compliance.

Explanation: Data segmentation prevents one client’s data from being accessed or affected by another, ensuring tenant isolation in multi-tenant environments.

Risks of Incorrect Answer:
Lack of segmentation could lead to unauthorized access or accidental data leakage.
Increased vulnerability to cross-tenant attacks.

Applicable Frameworks:
NIST CSF (PR.DS-5): Segregation of data.
ISO 27001 (A.13.1.1): Network segregation controls.
PCI DSS (Requirement 1.2.1): Segmentation of cardholder data environments.

Explanation: A defined schedule ensures compliance with legal requirements and prevents unnecessary retention of data that could pose security risks.

Risks of Incorrect Answer:
Retaining unnecessary data increases the attack surface and liability.
Non-compliance with regulations such as GDPR and CCPA, which mandate timely data deletion.

Applicable Frameworks:
NIST CSF (PR.IP-7): Retention policy management.
ISO 27001 (A.8.3.2): Secure disposal of media.
GDPR (Article 17): Right to erasure and data retention policies.

Explanation: Continuous monitoring detects and responds to threats in real time, reducing the likelihood of successful attacks. Third-party monitoring ensures unbiased and expert oversight.

Risks of Incorrect Answer:
Lack of monitoring increases the time to detect and respond to security incidents.
Internal-only monitoring may lack the expertise or independence needed for thorough analysis.

Applicable Frameworks:
NIST CSF (DE.CM-1): Monitoring network and physical environments.
ISO 27001 (A.12.4.1): Event logging and monitoring.
SOC 2 (CC6.0): Monitoring and threat detection capabilities.

Thank you. You have completed the Cloud Services portion of the vendor assessment.
Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.