Expert Advice Community

Cloud Service Provider assessment considerations

Guest user. Created: Oct 13, 2016. Last commented: Oct 13, 2016.

When writing a Cloud Service Provider Assessment Guideline based on CSA 3.0, what aspects should be considered?
Expert
Rhand Leal Oct 13, 2016

Answer:

One of CSA's most useful resources is the Cloud Controls Matrix, currently at version 3.0.1. It is a mapping of CSA recommended practices to the best-known standards and regulations regarding information protection. Considering ISO standards, this matrix maps CSA practices to:

ISO/IEC 27001:2013 (information security management)
ISO/IEC 27002:2013 (information security practices)
ISO/IEC 27017:2015 (information security in cloud environments)
ISO/IEC 27018:2015 (protection of PII)

So, if someone wishes to create a vendor assessment guideline aligned with CSA practices, he can use the Cloud Controls Matrix to identify which CSA recommendations are mapped to supplier management practices from ISO 27001 (items marked with A.15.x.x) and ISO 27002 (items marked with 15.x.x), and choose those that best fit his organization. He can also use the same method to align his guideline to ISO 27017 (security in cloud services) and ISO 27018 (protection of PII).

The Cloud Controls Matrix can be found at this link: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
