Auditing Preparedness for a Data Breach in the Cloud

Date: 15 February 2022


All organisations with an online presence are vulnerable to a variety of cyber threats. Data breaches are one of the most prominent of these threats today.

It’s a vulnerability that the public is particularly concerned about, especially in light of high-profile data breaches like the one that hit British Airways in 2021.

There is no way to completely eradicate cyber hazards such as data breaches, but there are a number of auditing strategies that firms may use to manage and reduce these risks.

What are the major causes of cloud data breaches?

  • Data leakage
  • Insufficient data breach responses
  • Insufficient deletion of personal data and data remanence
  • Sharing of data with third parties
  • Insecure data transfers


Data breach management procedures and playbooks

To audit data security concerns in the cloud, an auditor would expect some form of documented procedures or breach management playbooks to be established.

Incident Response Playbooks should be as precise and easy to follow as possible, and should set out the roles and responsibilities of both the data controller and the Cloud Service Provider (CSP). They typically cover:

  • Description of the identified and tested communication channels.
  • Data breach evaluation and escalation criteria that enable the data controller to remain in charge.
  • Forensic investigation and measures to ensure electronic evidence’s chain of custody.
  • Content and format of the data the CSP will provide to the data controller in case of a suspected data breach.
  • The description of the data sources required to manage data breaches.
  • Protocols and procedures for shutting down a compromised system and restricting future access to it.
  • Procedures for attempting to retrieve lost data and restarting compromised systems.
  • Evaluating the success of the response and measures to prevent future breaches.
  • The integrated roles played by the data controller, the incident response team and the cloud service provider.



An auditor would also expect these procedures and playbooks to be tested regularly, improved, and kept up to date. For cloud consumers, coordinating this with the Cloud Service Provider can be challenging, but it is a mandatory consideration.

Playbook tests can take the form of real simulations or tabletop exercises.

Real simulations are recommended for higher-risk scenarios, whereas tabletop testing can be used as a validity check and to rehearse the entire incident response procedure. The data controller's public relations function, as well as the CSP's personnel, should be involved in the identification, evaluation, assessment, and disclosure of data breaches to supervisory authorities or affected data subjects.


Conclusion

Cloud computing is becoming increasingly popular. Before shifting to the cloud, the relevant business users acting as data controllers must assess compliance with data protection requirements. They must evaluate their personal data breach management and notice obligations. They also need to check whether the chosen provider has acceptable procedures for managing data breaches in the cloud.

As an auditor, it is important to appreciate that there is no single solution that fits all scenarios. This exercise requires an understanding of integrated response, communication, escalation and technical procedures and, most importantly, regular testing of cybersecurity procedures.

If you are interested in building a career as an IT auditor, holding the CISA certification can be of great help. ISACA's Certified Information Systems Auditor (CISA) is the gold standard of achievement for those who wish to build a career in IT auditing. You can check out our CISA course to learn more and to kickstart your journey into the world of IT auditing.

You may also be interested in our CRISC course.



Author: Abhinav Goyal

Abhinav Goyal is a professional CISSP trainer within Cyber Management Alliance’s training pool. He is CM-Alliance’s CISSP/CISA/ISO 27001/SOX/Information Risk Management/SAP Cyber security trainer. He has an MBA (Finance), along with qualifications in Computer Engineering, CISSP, CISA, ITIL (expert), COBIT (foundations), and SAP security.
