In the past few weeks I was quite often involved in discussions about cloud security frameworks, proper attestation of security controls, and what criteria should apply when selecting a cloud service provider.
The lack of a widely agreed cloud risk or cloud security standard (and of an acknowledged certification process for it) makes it difficult for organisations to evaluate and select cloud service providers from a risk perspective, in addition to the business and cost benefit angle that the cloud service would provide.
Therefore many organisations fall back on already established in-house expertise in vendor selection, which is likely not fully adaptable to the selection of cloud service providers, or simply mirror what other organisations do, even though those organisations likely have a different risk and maturity profile.
Hence the title of this blog article - One Size Fits None. That is usually my first answer to a lot of questions I have been asked around this topic...