As actioned (by myself!) during the most recent IAWG mtg, herewith a first stab at how the CO_SAC could/should be reviewed for potential revisions to accomplish at least the following objectives: 1) Aligning requirements between CO and 63x, where there is overlap and non-uniformity (col. Q)*; 2) How a 'free pass' might be given for CSPs whose service(s) fall within scope of some InfoSec Management scheme (col. R); 3) And any other ideas which occurred to me whilst making this initial pass . (col.S). Hopefully any notes will be sufficiently helpful, but you can badger me next Thursday if that isn't so. This is a first stab, so chip in if you can. * Just a minor caveat. Potentially, 63A/B criteria may need to change to ensure uniformity, of terms at least, though I think the real changes need to be in the CO_SAC (e.g. remove 'Service Defn', stick to 'CrP'). Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942