The NCA Cloud Cybersecurity Controls focus on in-scope cloud service providers and cloud service tenants.
Official source
What the controls are trying to do
Cloud creates shared responsibility. The organization needs to know what the cloud provider controls, what the tenant controls, where data is hosted, who has access, how logging and incident response work, and which subcontractors support the service.
What teams need to do
- Confirm cloud provider or tenant scope.
- Map cloud services, data, locations, identities, administrative access, and subcontractors.
- Review provider controls, tenant controls, logging, monitoring, vulnerability, incident, and recovery evidence.
- Track cloud changes, outages, advisories, and remediation.
Evidence to maintain
- Cloud inventory and shared-responsibility analysis.
- Provider assurance and tenant control evidence.
- Data location, access, logging, incident, and recovery records.
- Subcontractor and monitoring evidence.
Common gaps
- Shared responsibility is described but not mapped to actual controls.
- Data locations and subcontractors are not refreshed.
- Cloud incidents do not update the risk record.
How Halbarad helps
Halbarad helps map cloud providers, services, data, locations, downstream parties, evidence, incidents, monitoring, and remediation.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.