Cloud Service Provider Evaluation
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- What CSP evaluation actually asks
- Organizational attestations: SOC, ISO, and CSA STAR
- Assurance depth: self-attestation versus third-party audit
- Product certifications: Common Criteria and FIPS 140-2/3
- Exam-pattern recognition
Which assurance artifact answers which question
| Artifact | Assurance layer | What it proves | Who verifies it |
|---|---|---|---|
| SOC 2 (Type I / II) | Organizational attestation | Trust Services Criteria controls designed (I) or operating over a period (II) | Licensed CPA firm (AICPA SSAE 18) |
| ISO/IEC 27001 | Organizational attestation | A certified information security management system (ISMS) exists and is maintained | Accredited certification body |
| ISO/IEC 27017 / 27018 | Organizational attestation | Cloud-specific controls (27017) and cloud PII protection (27018) on top of 27001 | Accredited certification body |
| CSA STAR (L1 / L2) | Organizational attestation | CCM/CAIQ-mapped controls: self-assessed (L1) or third-party audited (L2) | Provider (L1) or accredited assessor (L2) |
| Common Criteria (EAL) | Product / system certification | A product meets a security target at an Evaluation Assurance Level | Accredited evaluation lab under a CC scheme |
| FIPS 140-2 / 140-3 | Product / system certification | A cryptographic module is validated at a security level (1-4) | NIST CMVP accredited lab |
| PCI DSS | Regulatory / industry mandate | Controls protecting cardholder data are in place for the assessed scope | QSA (or self-assessment via SAQ for small merchants) |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- https://www.isc2.org/certifications/ccsp/ccsp-certification-exam-outline
- https://cloudsecurityalliance.org/star
- https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
- https://cloudsecurityalliance.org/research/cloud-controls-matrix
- https://csrc.nist.gov/projects/cryptographic-module-validation-program