Cloud Access Security Broker (CASB) Audit Program 

Bookstore Purchase the Download:  Member US $25 | Non-Member US $49

  Provide feedback on this document
Knowledge Center  Visit the Audit community

With increased adoption of cloud services, enterprises have shown an interest in leveraging the flexibility and agility offered by cloud platforms. Along with those advantages, however, comes the need to consider potential risks such those associated with the various deployment models, identity management, and compliance with data drive regulations to which the enterprise is subject. Cloud access security brokers (CASBs) are a solution being employed by enterprises to manage these risks.

Audit Objectives

To assist IT auditors as they assess the effectiveness of CASB solutions, ISACA has created a Cloud Access Security Broker (CASB) Audit Program. This audit program takes into consideration assurance around:

  • Data security, particularly as related to expectations of regulated data
  • Identity management of users, inclusive of privileged users and enhanced access groups
  • Mitigation of risks associated with different deployment models
  • Asset management and protection through security initiatives such as physical security and though program management (key management and incident response as examples)

CASB solutions may vary as enterprises design solutions that best fit their needs. The audit program, however, provides a solid basis for all enterprises to assess whether operational and compliance expectations can be met given its CASB deployment.

As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.