Cloud Computing

Cloud users remain responsible for information security

Regardless, Cloud users remain responsible for the proper operation of the outsourced parts of their IT. Since for Cloud users auditing Cloud providers is rarely practical, they need to rely on other measures to fulfil their responsibility for the operation of the outsourced part of their IT as well as the security of the data being transferred.

Audit reports are an essential building block, especially because they are issued by reliable and independent third parties. Auditors issue corresponding reports, also known as Third Party Assurance reports, which provide a better understanding of the Cloud provider’s operations and the effectiveness of the implemented safeguards.

PwC offers customised services for Cloud providers and Cloud users

For Cloud providers

We have extensive experience with Cloud compliance projects and have a strong focus in the compliance schemes of BSI C5, SOC 1 (ISAE 3402), SOC 2 (AICPA TSC), and SOC 3. Additionally, we conduct projects regarding ISO/IEC 2700x, ISO 9001, ISO/IEC 20000, and ISO 22301 for large, international cloud providers as well as smaller and medium-sized Cloud providers. In doing so, we often combine audit projects to keep the effort and the impact on the Cloud provider’s daily business as low as possible.

While projects for larger Cloud providers tend to focus multi-dimensional, integrated compliance programs, we evenly support smaller and mid-sized providers with determining the suitable compliance scheme and assessing the readiness of their control system (e.g., with regards to BSI C5) as well as setting up the corresponding consulting or audit project.

Focus: Data Protection for Cloud Service Providers

Until now, it has been particularly difficult for Cloud Providers to obtain certification from independent bodies that their individual Cloud Services meet the data protection requirements in accordance with the General Data Protection Regulation (GDPR). This is where the research project "AUDITOR" (European Cloud Service Data Protection Certification) comes in. The goal is the conceptual design, sample implementation and testing of a sustainably applicable EU-wide data protection certification of Cloud Services in accordance with Art. 42 GDPR, which carries out data processing within the scope of Art. 28 GDPR.

Find out more

For Cloud users

When planning to use Cloud services, it is essential to thoroughly steer the selection as well as the operation processes and to understand the compliance-related aspects of the Cloud service. Among other things, this creates the challenge of aligning and adapting IT-related control and monitoring systems to cover changes in the IT risk profile. These changes are specific and depend on the Cloud user’s individual situation such as the type of service and the deployment scenario.

With our extensive experience in IT-related control systems and Cloud-specific risks, we can help Cloud users to select appropriate Cloud providers, plan and conduct audits at Cloud providers, as well as review and update existing Cloud governance processes. Furthermore, we support with Risk Management and Compliance.