The assessment follows dedicated procedures and uses templates. Both shall guarantee consistently high quality and comparability.
To ensure traceability and accountability, both of CSPs towards the Monitoring Body and of the Monitoring Body towards supervisory authorities, information relevant to the assessment and its administration will be exchanged with the support of a ticket system. This also enhances the security of potentially confidential information, as such information does not need to be exchanged by email.
Unlike in other mechanisms, it is important to note that it is not the Monitoring Body that will investigate and determine the relevant and applicable information. It is the CSP that needs to provide satisfactory responses that enable the Monitoring Body to form a convincing picture of your Cloud Services and the related measures implemented.
CSPs will have to convincingly explain how the requirements of the Code are met. The Monitoring Body will refer to questionnaires. The first set of questions is derived from the Controls Catalogue. Depending on the information provided, there will be follow-up questions or requests: questions mostly serve to better understand the actual measures; requests mostly relate to further evidence and samples. Where the information provided leaves doubts about a CSP's compliance, requests may also relate to particular remedies and/or confirmations.