Which of the following cloud environments should be a concern to an organization's cloud auditor?
Correct Answer: C
This situation poses a significant concern for a cloud auditor because it indicates a potential gap in the technical team's ability to effectively manage and secure the IaaS platform provided by the alternative vendor. Without proper training on the specific features, security practices, and operational procedures of the new platform, the organization may face increased risks of misconfiguration, security vulnerabilities, and inefficiencies in cloud operations. It is crucial for the technical team to have a comprehensive understanding of all platforms in use to ensure they can maintain the security and performance standards required for a robust cloud environment. Reference: The concern is based on common cloud auditing challenges, such as controlling and monitoring user access, and ensuring the IT team is equipped to manage the cloud environment effectively. Additionally, best practices suggest that network segmentation, user authentication, and access control are critical areas to address in a cloud audit. These principles are widely recognized in the field of cloud security and compliance.
CCAK Exam Question 42
Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?
Correct Answer: B
The Cloud Controls Matrix (CCM) by the Cloud Security Alliance provides a comprehensive control framework that aligns with industry standards, regulations, and best practices, offering a structured approach for cloud security and compliance management. This mapping capability makes it highly valuable in cloud audits as noted in the CCAK, which relies on CCM for its comprehensive applicability in regulatory compliance and security (referenced in CSA CCM V4 documentation and ISACA CCAK content).
CCAK Exam Question 43
What does "The Egregious 11" refer to?
Correct Answer: D
The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports. The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices. Reference: CCAK Study Guide, Chapter 5: Cloud Auditing, page 961; CSA Top Threats to Cloud Computing: Egregious 11
CCAK Exam Question 44
The MOST important factor to consider when implementing cloud-related controls is the:
Correct Answer: A
The most important factor to consider when implementing cloud-related controls is the shared responsibility model. The shared responsibility model is a framework that defines the roles and responsibilities of cloud service providers (CSPs) and cloud customers (CCs) in ensuring the security and compliance of cloud computing environments. The shared responsibility model helps to clarify which security tasks are handled by the CSP and which tasks are handled by the CC, depending on the type of cloud service model (IaaS, PaaS, SaaS) and the specific contractual agreements. The shared responsibility model also helps to avoid gaps or overlaps in security controls, and to allocate resources and accountability accordingly. Reference: Shared responsibility in the cloud - Microsoft Azure; Understanding the Shared Responsibilities Model in Cloud Services - ISACA
CCAK Exam Question 45
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
Correct Answer: A
To qualify for CSA STAR attestation, the SOC 2 report must cover both the Cloud Controls Matrix (CCM) and ISO/IEC 27001:2013 controls. The CSA STAR Attestation integrates SOC 2 reporting with additional cloud security criteria from the CSA CCM. This combination provides a comprehensive framework for assessing the security and privacy controls of cloud services, ensuring that they meet the rigorous standards required for STAR attestation. Reference: The information is supported by the Cloud Security Alliance's resources, which outline the STAR program's emphasis on transparency, rigorous auditing, and harmonization of standards as per the CCM. Additionally, the CSA STAR Certification process leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix.