New ISACA Resource Illuminates Best Practices and Strategies for Continuous Oversight in the Cloud


More and more, the latest technologies are being intertwined with cloud services. As organisations deploy artificial intelligence (AI), big data analytics, or Internet of Things (IoT) technologies, it is essential to be aware that these technologies are, directly or indirectly, dependent on a web of cloud computing services.

The new white paper from ISACA and SecurityScorecard, Continuous Oversight in the Cloud: How to Improve Cloud Security, Privacy and Compliance, explores the elements that information assurance practitioners should factor into their continuous oversight of these cloud services in order to address key areas of risk.

Continuous Oversight in the Cloud walks these practitioners through the current digital business landscape—including cloud computing, Bring Your Own Device (BYOD), big data analytics, IoT and AI—noting that organisations not only need to address these emerging technologies but also to ensure that legacy systems and old stored data are protected.

“Information security management has long been a challenge for practitioners to effectively implement,” says Fouad Khalil, CISA, ITIL, Vice President of Compliance, SecurityScorecard. “With evolving regulations, emerging technologies and the increased use of cloud services, enterprises need to exercise even more care and diligence in ensuring security and privacy compliance—with continuous oversight as part of that equation.”

The white paper makes the case for continuous oversight as a means to monitor for and mitigate risk, outlining the many benefits of implementing continuous internal monitoring, continuous cloud assurance, continuous supply chain management and continuous improvement, including:

  • Identifying risk early to help anticipate incidents, prevent breaches and avoid potential costs, fines and damage to business reputation;
  • Providing senior leaders and executives with information to make timely, cost-effective risk management decisions; and
  • Supporting proactive responsibility and accountability for controls and risk management throughout the enterprise and its third parties.

Additionally, Continuous Oversight in the Cloud provides practitioners with strategies they can use to identify and mitigate risk in the cloud, starting with the fundamental components of information security and privacy programs and then drilling down into the responsibilities and action items that each key stakeholder should take throughout the process. The white paper also details the specific steps that practitioners should take to maintain a continuous cloud service assurance and oversight program—incorporating the continual improvement tasks outlined in ISACA’s COBIT 2019 Design Guide.

“Engaging in continuous oversight of cloud services can seem like a massive undertaking at first glance,” says Rebecca Herold, CISA, CISM, CIPP/US, CIPT, CISSP, FIP, FLMI; CEO, The Privacy Professor and Founder, SIMBUS, LLC, and the lead developer for the white paper. “However, by taking a clear, organised approach and by utilising a wealth of existing resources, such as guidance and frameworks from COBIT 2019 and the National Institute of Standards and Technology (NIST), practitioners can meet any challenges head on and effectively mitigate risk.”

The white paper then provides an overview of some key metrics that organisations should consider in order to most effectively engage in continuous monitoring, based on the type of cloud services being used—including those related to supply chain, incidents and breaches, and other common challenges.

Now in its 50th anniversary year, ISACA® is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips practitioners with the knowledge, credentials, education and community to advance their careers and transform their organisations. ISACA leverages the expertise of its 460,000 engaged practitioners—including its 140,000 members—in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.