Cloud Security Principle 4: Governance framework

Created:  21 Sep 2016
Updated:  21 Sep 2016
The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

Having an effective governance framework will ensure that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments and the appearance of new threats. 


You should have sufficient confidence that the service has a governance framework and processes which are appropriate for your intended use.

Good governance will typically provide:

  • A clearly identified, and named, board representative (or a person with the direct delegated authority) who is responsible for the security of the cloud service. This is typically someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.
  • A documented framework for security governance, with policies governing key aspects of information security relevant to the service.
  • Security and information security are part of the service provider’s financial and operational risk reporting mechanisms, ensuring that the board would be kept informed of security and information risk.
  • Processes to identify and ensure compliance with applicable legal and regulatory requirements.

Implementation approaches




Assertion thatthe goals are met

The service provider asserts the 4 points above are met by the provider in relation to the service.

As with all service provider assertions, you would need to decide whether you are content with the level of confidence this gives you.

Conformance with a recognised standard

Some common security standards include controls which cover how well a governance framework manages a particular service. Examples include: 
CSA CCM v3.0 
ISO/IEC 27001

Standards differ in the level of detail applied. The scope of any supporting certification should be validated to ensure that the governance framework goals set out above are covered.



< last principle   next principle >

Was this guidance helpful?

We need your feedback to improve this content.

Yes No