You can find certifications for cloud provider products in the STAR Program / Registry at the Cloud Security Alliance (CSA). The cloud providers share self-assessments including controls under STAR Level 1, and under STAR Level 2 they document their ISO 27001:2013 certification dates and Cloud Controls Matrix verification.
https://cloudsecurityalliance.org/
Even if you are not a federal agency or using a federal cloud, you can also find cloud products that have been authorized at FedRAMP.gov.
------------------------------
Jeanne Ozenne
------------------------------
Original Message:
Sent: 04-21-2023 09:25 AM
From: Beth Robinson
Subject: SOC Reports for commonly used Subservice Organizations
It has been our experience that if we do not have a direct relationship with the subservice orgs you mentioned, they won't provide anything other than a SOC 3, and it's not very helpful. If you can actually get a SOC 1 or 2, go for it, but that has not been our experience.
Original Message:
Sent: 04-20-2023 01:55 PM
From: Matthew Mauldin
Subject: SOC Reports for commonly used Subservice Organizations
Going through vendor SOC reports, I often see the same data service providers noted as subservice organizations. These include, but are not limited to, Amazon Web Services, Microsoft Azure, Rackspace and Google Cloud Platform. Due to the frequency of these fourth-party relationships, I was planning to obtain these SOC reports independently and perform reviews on each one for our file. I'm not quite sure that I would be able to follow up on any concerns noted, but I thought a documented review may prove useful. Is anyone else doing something similar with these large data service providers, or are there any other recommendations?
Thank you,
Matt Mauldin ARM, CRVPM II