
Cloud supply chain transparency — STA control family

Primary statement

Cloud supply chain per CSA CCM v4 STA-01 (CSP transparency review: subprocessors, locations, certifications) + STA-02 (multi-tenant isolation verification) + STA-03 (third-party cloud security compliance) + STA-04 (audit rights) + STA-05 (supply chain risk assessment), plus the processor obligations of GDPR Art 28 and the CCPA service provider / contractor contract obligations. The parenthetical labels are this synthesis's summary of each control's intent; evidence should cite the control IDs, not the labels.

Audit-fatigue payoff

A unified cloud supply chain transparency programme (CSP review + tenant isolation verification + third-party compliance + audit rights + risk assessment) satisfies the cloud supply chain requirements of all three contributing frameworks: CSA CCM v4, GDPR and CCPA. One evidence set is produced and reused rather than three overlapping ones.

Strictness matrix

Scope
CSP selection includes a supply chain transparency review: subprocessors used (the GDPR Art 28(2) sub-processor list, including the CSP's commitment to notify changes), geographic locations where data is processed and stored, and independently assessed security certifications (SOC 2 Type II report, ISO/IEC 27001 certificate). Public marketing pages and self-declared compliance statements do not satisfy the scope.
Ceiling source: csa_ccm:CSA.STA-01
Rationale: CSA STA-01 comprehensive supply chain scope.
Threshold
Multi-tenant isolation is VERIFIED, not assumed: CSP attestation (an audit report whose scope covers the provider's isolation controls) + customer-side controls (for example IAM policy, network segmentation, encryption key ownership) + verification testing of the customer's own deployment. Verification is the binary threshold. A provider attestation alone covers only the provider's side of the shared responsibility model and says nothing about whether the customer's configuration actually isolates its tenancy.
Ceiling source: csa_ccm:CSA.STA-02
Rationale: CSA STA-02 verification threshold is uniquely strict.
Method
Supply chain risk assessment (STA-05) + CSP transparency review (STA-01) + tenant isolation verification (STA-02) + third-party compliance (STA-03) + audit rights (STA-04), integrated with GDPR Art 28 processor contracts and CCPA service provider / contractor contracts so that one contract review covers all three frameworks.
Ceiling source: csa_ccm:CSA.STA-05
Rationale: CSA STA-01 through STA-05 combined are most prescriptive.
Frequency
Risk assessment: pre-onboarding, at least annually, and on material change (new subprocessor, new processing location, change of CSP ownership, security incident at the CSP). Audit rights: exercised at least once per assessment cycle for each critical CSP, either directly or by obtaining the independent audit reports that the contract substitutes for on-site inspection (GDPR Art 28(3)(h) requires the processor to allow and contribute to audits).
Ceiling source: csa_ccm:CSA.STA-05
Rationale: Annual risk assessment is the audit-defensible cadence.
Evidence
Dated supply chain risk assessment per CSP + CSP transparency review record (subprocessor list, locations, certifications, with retrieval dates) + tenant isolation verification results (test scope, method, findings, remediation) + third-party compliance attestations current for the assessment period (including any bridge letter covering the gap after the report period) + audit rights records (request, response, report obtained, findings tracked to closure).
Ceiling source: csa_ccm:CSA.STA-05
Rationale: CSA STA-05 evidence with risk assessment is comprehensive.

Auditor test pattern

Step 1: Inspect the supply chain risk assessment for each critical CSP and confirm it is dated within the cadence and specific to that CSP.
Step 2: Verify the CSP transparency review: subprocessor list, processing locations and certifications are recorded from CSP documentation, not from marketing material.
Step 3: Verify tenant isolation testing: test evidence exists for the customer's own deployment, not only a provider attestation.
Step 4: Inspect third-party compliance attestations for scope and period coverage.
Step 5: Verify audit rights records: the right exists in the contract and has been exercised, or an audit report has been obtained under it, within the cycle.

Common findings

(1) CSP transparency limited to public marketing: no subprocessor list or location inventory on file.
(2) Tenant isolation assumed, not verified: a provider attestation is held but no customer-side testing was performed.
(3) Audit rights present but never exercised: the contract clause exists, with no audit request or report obtained under it.
(4) Supply chain risk assessment generic: a single template reused across CSPs with no CSP-specific threats, data types or locations.