Exam CCAK topic 1 question 186 discussion

C. Audit the effectiveness of the cloud provider’s supplier management program. When auditing a cloud service provider, it's important to ensure that the provider's suppliers (often referred to as "subservice organizations") are also effectively managed and compliant with relevant standards and requirements. By auditing the effectiveness of the cloud provider's supplier management program, the auditor can assess how well the cloud provider manages its relationships with suppliers, including how it ensures that those suppliers meet necessary compliance and security standards. This approach allows the auditor to evaluate the risks associated with the supply chain without needing to directly audit each individual supplier.

P# 63 If the CSP outsources parts of its infrastructure, operations or maintenance, these third parties may not satisfy or support the requirements that the CSP is contracted to provide to cloud customers. An organization needs to evaluate how the CSP enforces compliance and check if the CSP flows its own requirements down to third parties. Having regular discussions with the CSPs on supply chain contractual requirements and activities through risk/KPI reports helps to identify risks that need mitigation. If the requirements are not being levied on the supply chain, then the threat to the customer increases. This threat increases as an organization uses more CSP services, and it is dependent on individual CSPs and their supply chain policies.