As actioned (by myself!) during the most recent IAWG mtg, herewith a first stab at how the CO_SAC could/should be reviewed for potential revisions to accomplish at least the following objectives:

1)       Aligning requirements between CO and 63x, where there is overlap and non-uniformity (col. Q)*;

2)       How a ‘free pass’ might be given for CSPs whose service(s) fall within scope of some InfoSec Management scheme (col. R);

3)       And any other ideas which occurred to me whilst making this initial pass … (col. S).

Hopefully any notes will be sufficiently helpful, but you can badger me next Thursday if that isn’t so.  This is a first stab, so chip in if you can.

* Just a minor caveat.  Potentially, 63A/B criteria may need to change to ensure uniformity, of terms at least, though I think the real changes need to be in the CO_SAC (e.g. remove ‘Service Defn’, stick to ‘CrP’).


Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942