Cloud shared responsibility — CSC/CSP RACI

Primary statement

Cloud shared responsibility per CSA GRC-06 (governance responsibility model) + CSA HRS-05 (cloud awareness training) + CSA IAM-11 (CSC privileged access compliance) + ISO 27017 + SOC 2 CC1.2/CC1.3 (organisational structure) + SEBI cloud framework. The CSC must document clearly which controls are the CSP's responsibility and which are its own, and must verify the CSP's side rather than assume it.

Audit-fatigue payoff

A unified CSP/CSC RACI per cloud service + verification of CSP-side controls + CSC-side enforcement satisfies shared responsibility requirements across all 5 contributing frameworks.

Strictness matrix

Scope: information security responsibility model identifying the accountable, responsible, consulted and informed parties for each cloud control area.
  Ceiling source: csa_ccm:CSA.GRC-06
  Rationale: CSA GRC-06 RACI scope is the broadest for cloud responsibility.

Threshold: documented RACI per cloud service + CSC verification of CSP-side controls (not assumption).
  Ceiling source: csa_ccm:CSA.GRC-06
  Rationale: CSA GRC-06 verification threshold is uniquely strict.

Method: RACI per cloud service + CSP-side verification (SOC 2 Type 2 reports, certifications) + CSC-side controls implementation + cloud awareness training (HRS-05) + CSC privileged access compliance (IAM-11) + Board accountability (SOC 2 CC1.2/CC1.3).
  Ceiling source: csa_ccm:CSA.GRC-06
  Rationale: CSA GRC-06 + HRS-05 + IAM-11 + SOC 2 CC1.x combined are the most prescriptive.

Frequency: RACI review annual + on CSP service change. CSP verification annual (SOC 2 Type 2). Cloud awareness training at induction + annual refresher.
  Ceiling source: csa_ccm:CSA.GRC-06
  Rationale: Annual RACI + annual CSP verification is the cadence.

Evidence: RACI per cloud service + CSP attestations + CSC-side control evidence + awareness training records + privileged access compliance evidence.
  Ceiling source: csa_ccm:CSA.GRC-06
  Rationale: CSA GRC-06 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect the RACI per cloud service.
Step 2: Verify CSP-side verification (SOC 2 Type 2 report, not vendor claims).
Step 3: Verify CSC-side controls implementation.
Step 4: Inspect cloud awareness training records.

Common findings

(1) RACI absent; the CSC assumes the CSP handles controls the CSP does not.
(2) CSP-side verification limited to marketing materials.
(3) Cloud awareness training absent.
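As an added illustration of the threshold (documented RACI per cloud service + CSC verification of CSP-side controls, not assumption), the auditor test pattern and the common findings above, the following Python checker is not part of the original page or of any CSA/SOC 2 material; the RACI structure, role codes, accepted evidence types and sample data are constructed assumptions.

```python
from datetime import date, timedelta

# Assumption: only these evidence types count as verification of a CSP-side
# control; anything else (e.g. a vendor brochure) is treated as an assumption.
VERIFYING_EVIDENCE = {"SOC 2 Type 2", "ISO 27017 certificate"}
MAX_AGE = timedelta(days=365)  # annual CSP verification cadence (Frequency row)


def check_service(service, raci, evidence, today):
    """Apply the audit steps to one cloud service; return a list of findings."""
    if not raci:
        return [f"{service}: RACI absent"]  # common finding (1)
    findings = []
    for area, roles in raci.items():
        # Exactly one party must be Accountable for each control area.
        accountable = [party for party, role in roles.items() if "A" in role]
        if len(accountable) != 1:
            findings.append(f"{service}/{area}: need exactly one Accountable party, got {accountable}")
        # Any control the CSP is Accountable or Responsible for must be verified.
        if any(c in roles.get("CSP", "") for c in "AR"):
            ev = evidence.get(area)
            if ev is None or ev["type"] not in VERIFYING_EVIDENCE:
                kind = ev["type"] if ev else "none"  # common finding (2)
                findings.append(f"{service}/{area}: CSP-side control assumed, not verified (evidence: {kind})")
            elif today - ev["date"] > MAX_AGE:
                findings.append(f"{service}/{area}: CSP verification stale ({ev['date'].isoformat()})")
    return findings


# Constructed sample data for a hypothetical "object-storage" service.
TODAY = date(2025, 6, 1)
SAMPLE_RACI = {
    "physical security": {"CSP": "AR", "CSC": "I"},
    "data encryption at rest": {"CSP": "R", "CSC": "A"},
    "IAM privileged access": {"CSP": "C", "CSC": "AR"},
    "backup": {"CSP": "R", "CSC": "R"},  # nobody Accountable
}
SAMPLE_EVIDENCE = {
    "physical security": {"type": "SOC 2 Type 2", "date": date(2024, 9, 30)},
    "data encryption at rest": {"type": "vendor brochure", "date": date(2025, 1, 1)},
    "backup": {"type": "SOC 2 Type 2", "date": date(2023, 3, 1)},  # older than a year
}

if __name__ == "__main__":
    for finding in check_service("object-storage", SAMPLE_RACI, SAMPLE_EVIDENCE, TODAY):
        print(finding)
```

Running the block reports three findings for the sample: encryption at rest is only backed by a brochure, backup has no Accountable party, and backup's SOC 2 evidence is stale.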