CAMM presentation for Cyber Security Gas and Oil june 2011

Date post: 31-Jan-2015
Upload: vladimir-jirasek
Description:
Let's talk about Cloud security, its challenges and how CAMM can help in managing supply chain assurance.
Transcript
Page 1: CAMM presentation for Cyber Security Gas and Oil june 2011

10 April 2023 Common Assurance Maturity Model Common-Assurance.com

Managing risks in the supply chain

Vladimir Jirasek, CAMM Steering Group

Twitter @vjirasek

Page 2: CAMM presentation for Cyber Security Gas and Oil june 2011

People say that they are concerned that their information is not secure in The Cloud

People do not fully trust The Cloud

Page 3: CAMM presentation for Cyber Security Gas and Oil june 2011

Is the Cloud Secure?

• Can be as secure as any other IT system

• Depends on the model chosen

• Understand the responsibilities

• All eggs in one basket is the real question

• Implicit trust on provider

• Exit and lock-in

Page 4: CAMM presentation for Cyber Security Gas and Oil june 2011

Problem to be solved – trust in the supply chain

Your business

Your cloud provider

Suppliers for the cloud provider

End to end assurance

Page 5: CAMM presentation for Cyber Security Gas and Oil june 2011

What a CIO wants

Maturity score by domain:

Domain                 Provider A   Provider B
Governance             3            4
HR                     3            4
Physical               4            4
IT                     4            3
Business Continuity    3            3
Incident management    2            4

Maturity levels feed into a supplier selection process

Page 6: CAMM presentation for Cyber Security Gas and Oil june 2011

CAMM MISSION

Provide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain

Page 7: CAMM presentation for Cyber Security Gas and Oil june 2011

Overall structure of CAMM components

Controls framework

WorkBench App

Weighting framework

Scoring model

Auditors

Final maturity scores

Audited controls

Maturity scores

Non CAMM audit results

Mapping to other standards

TPAC

Free GRC app

Page 8: CAMM presentation for Cyber Security Gas and Oil june 2011

Utilize your current investment in another standard, e.g. ISO

• The Statement Of Applicability (SOA) of source standard is used as a baseline for translation

• CAMM Guidance documents will help auditors with "yellow" area interpretations

e.g. ISO 2700x SOA CAMM

1=1 applicable, no need of interpretation

Auditor interpretation of applicability

Not implemented > to be CAMM audited

Translate

Source standard Target standard

Page 9: CAMM presentation for Cyber Security Gas and Oil june 2011

Stakeholders

1. Consumers – Can form trust relationship based on understandable facts

2. Companies – Can form trustworthy supply chains to provide real trustworthiness to consumers & other customers

3. Governments – Can have more confidence in corporate governance to remove barriers from global single e-markets

4. Service Providers & Consultancies – Can build competences to achieve the target

5. Industry Associations – Can excel in defining harmonized model implementations

CAM Committee

Government

Consumer

Page 10: CAMM presentation for Cyber Security Gas and Oil june 2011

Progress

It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q4 2011. The following details the key milestones:

• Major client, standards and service provider organisations engaged

• Development of framework and appropriate weighting mechanism underway

• Development of the framework: Control framework created and reviewed; Scoring model created

• Development of the guidance: Guidance material to be completed by end of October 2011

• Pilot: Pilot with major organisation planned for summer 2011

• Development of Free GRC tool: Major GRC vendor engaged to add CAMM module

Dougie Rowlinson
It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q2 2010.
