CSA Swiss Chapter

How to enforce effective controls and compliance therewith:

CSA Swiss Chapter Research Topics

October 30, 2025

Use an industry standard control framework such as CSA CCM, add TPAM, for PII / CID: within jurisdiction storage & processing, Location Aware Access Controls
Demand a clean SOC2 Type 2 or CSA Star L2 with all details and controls scope, plus an independent pen test with remediation confirmation, which are renewed annually and given to you in full detail, for all Third Party Service Providers and all of their Supply Chain
Audit the controls and insist on detailed feedback with supporting evidence, raise findings, ask for remediation, for all Third Party Service Providers and all of their Supply Chain
For all findings on control or operating effectiveness failures, demand design change proposals and nail them in the contract with sanctions and exit clause
Review implementation of the design changes
Review continuously adherence to the controls and design agreed, for all Third Party Service Providers and all of their Supply Chain
Demand implementation with evidence of the 12 Golden Controls:
- Temporary Privileged Access Management
- Multi-Factor Authentication
- HSM backed key vault with Customer Specific Keys
- Unstructured data classification and encryption and DLP
- Log immutability
- Records immutability
- Jurisdiction specific storage and processing: If you process PII or CID in the SaaS: demand for and ask for proving evidence of within jurisdiction storage and processing and Location Aware Access Control for all users including support staff, including privileged / admin roles
- Data segregation by customer
Nail the above concretely in your contracts for all Third Party Service Providers and applicability for their respective contracts with all of their Supply Chain sub-service providers, with sanctions and exit clause

Unpacking the EU's New Cloud Sovereignty Framework: A Guide to Digital Autonomy?

In today'sdigital world, the cloud is essential. But with reliance comes questions ofcontrol, security, and independence. The European Commission has addressedthese concerns head-on with its new Cloud Sovereignty Framework, a pivotaldocument designed to define, measure, and enforce digital sovereignty for cloudservices within the EU.

Elevating Board-Level Accountability: Cybersecurity Duties and the New BSI Guideline

In today’s interconnected world, the NIS 2 Directive sets out unambiguous obligations for executive management: it makes clear that ultimate accountability for an organisation’s cybersecurity cannot be outsourced to IT teams alone and must remain firmly with the board. Among other things, NIS 2 requires that board members undertake regular, targeted training so they acquire the necessary knowledge and skills to fulfil these duties.

How to enforce effective controls and compliance therewith:

More like this

Unpacking the EU's New Cloud Sovereignty Framework: A Guide to Digital Autonomy?

Elevating Board-Level Accountability: Cybersecurity Duties and the New BSI Guideline

How to enforce effective controls and compliance therewith: