Philip Cao


Book of the Month: Controls and Assurance in the Cloud: Using COBIT® 5



Cloud computing has probably been the most debated technological subject of the past 5-6 years. Throughout this period, cloud has evolved to become the top priority subject on organizations’ agendas, both in terms of governance (strategic decisions) and as the unknown factor affecting the business.

The book, Controls and Assurance in the Cloud: Using COBIT 5, is a guide that addresses both issues.

More specifically, the book starts with a section outlining all of the business factors that make the transition to cloud an attractive business strategy. It then goes a step further by laying out cloud service and delivery (or deployment) models alongside the associated benefits and risks to an organization, whilst detailing cloud computing challenges that organizations need to address.

Having a deep understanding of the fact that any strategic decision needs to be accompanied by the relevant risk management approach, ISACA provides in the book a thorough risk assessment, coupling the impact of cloud migration with the associated cloud service model and deployment model being considered.

What makes this publication unique though is that it not only directly addresses major concerns regarding cloud migration and, more specifically, information security, it also provides a guide on the exact questions organizations need to ask before deciding on cloud service and deployment models.

As a cloud security officer, I have come across questions like “Are cloud infrastructures secure?” or “Will my data remain confidential in the cloud?” And what I have always tried to explain to organizations is that these questions cannot be answered without a point of reference. So, for example, the question “Are cloud infrastructures secure?” must be prefaced by, “In relation to my governance mandates, security strategy and security program currently in place,” for a chief information security officer (CISO) and upper management to obtain a clear view regarding what cloud migration entails. And this is exactly where the book succeeds and stands out from similar publications.

In a comprehensive section on governance and management in the cloud, the book puts into perspective and addresses major questions related to governance and the responsibilities of upper management. It then provides an overview of how the COBIT 5 framework can be leveraged to manage the migration to cloud in strategic, as well as tactical and operational, terms. And, taking it even further, the book then proceeds to outline the path to a cloud decision and beyond, through practical guidance. A stepped approach, decision-making models, considerations through the preparation phase, cloud provider selection, and details of the assurance functions are just a few of the factors that are analyzed in an easy-to-read and easy-to-follow manner.

Understanding that information security is the top consideration faced by organizations, the book then delivers an across-the-board threat matrix alongside mitigating actions and mapping to COBIT 5. It delivers an up-to-date list of cloud assurance frameworks and a detailed responsibility matrix for cloud service providers and potential customers.

The book could have concluded with mere notes and summaries of the issues addressed in its chapters. The uniqueness, however, of this publication is that it stands as practical guidance, and as such it features seven appendices, full of ready-to-use information for organizations either wishing to migrate to the cloud or evaluating the offering they already have. The appendices provide COBIT 5 governance and management practices, a template for a cloud computing assurance program, a process capability assessment, cloud risk scenarios, contractual provisions that need to be taken into account, a cloud enterprise risk management governance checklist, and a practical approach to measuring cloud return on investment (ROI).

All in all, Controls and Assurance in the Cloud: Using COBIT 5 is the most definitive guide addressing all aspects of cloud computing migration and evaluation.

The book was recently featured as the Book of the Month in ISACA’s Bookstore.

Editor’s Note: Dr. Stergiou, CISM, was an expert reviewer of Controls and Assurance in the Cloud: Using COBIT 5.

Dr. Theodoros Stergiou, security solutions product manager & cloud security officer, Intracom Telecom

[ISACA Now Blog]


Copyright © 2006-2022 Philip Hung Cao. All rights reserved