Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:
A . regulatory guidelines impacting the cloud customer.
B . audits, assessments, and independent verification of compliance certifications with agreement terms.
C . the organizational chart of the provider.
D . policies and procedures of the cloud customer

View Answer

Answer: B

Explanation:

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include audits, assessments, and independent verification of compliance certifications with agreement terms. This is because cloud services involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is important for the cloud customers to have visibility and assurance of the performance and compliance of the cloud providers and their sub-providers. Audits, assessments, and independent verification of compliance certifications are methods to evaluate the effectiveness of the controls and processes implemented by the cloud providers and their sub-providers to meet the agreement terms. These methods can help the cloud customers to identify any gaps or risks in the supply chain and to take corrective actions if needed. This is part of the Cloud Control Matrix (CCM) domain COM-04: Audit Assurance & Compliance, which states that "The organization should have a policy and procedures to conduct audits and assessments of cloud services and data to verify compliance with applicable regulatory frameworks, contractual obligations, and industry standards."12

Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 551; Practical Guide to Cloud Service Agreements Version 2.02