{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:52Z","timestamp":1754158792812,"version":"3.41.2"},"reference-count":47,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2017,3,13]],"date-time":"2017-03-13T00:00:00Z","timestamp":1489363200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,3,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to provide guidance on cloud computing assurance from an IT governance point of view. The board and executive management are tasked with ensuring proper governance of organizations, which should in the end contribute to a sense of assurance. Assurance is understood to be a part of corporate governance which provides stakeholders with confidence in a subject matter by evaluating evidence about that subject matter. Evidence will include proof that proper controls and structures are in place, that risks are managed and that compliance with internal and external requirements is demonstrated with regard to the subject matter. 
Decisions regarding the use of cloud computing in organizations bring these responsibilities to the fore.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The design of this paper is based on an extensive review of literature, predominantly best practices and standards, from the fields covering IT governance, cloud computing and assurance.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results from this paper can be used to formulate cloud computing assurance evidence statements, as part of IT governance mandates.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper aims to add value by highlighting the responsibility of managers to ensure assurance when exploiting opportunities presented through IT advances, such as cloud computing; serving to inform management about the advances that have and are being made in the field of cloud computing guidelines; and motivating that these guidelines be used for assurance on behalf of organizations adopting and using cloud computing.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-09-2015-0037","type":"journal-article","created":{"date-parts":[[2017,3,1]],"date-time":"2017-03-01T08:28:36Z","timestamp":1488356916000},"page":"26-46","source":"Crossref","is-referenced-by-count":4,"title":["Cloud computing assurance \u2013 a review of literature guidance"],"prefix":"10.1108","volume":"25","author":[{"given":"Rossouw","family":"von Solms","sequence":"first","affiliation":[]},{"given":"Melanie","family":"Willett","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"3","key":"key2020120812065334200_ref002","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1109\/MIC.2011.58","article-title":"Cloud computing standards: where\u2019s the 
beef?","volume":"15","year":"2011","journal-title":"IEEE Internet Computing"},{"key":"key2020120812065334200_ref003","unstructured":"Cattedu, D. (2011), \u201cSecurity and resilience in governmental clouds\u201d, available at: www.enisa.europa.eu\/activities\/risk-management\/emerging-and-future-risk\/deliverables\/security-and-resilience-in-governmental-clouds"},{"key":"key2020120812065334200_ref004","unstructured":"Chung, M. and Hermans, J. (2010), From Hype to Future: KPMG\u2019s 2010 Cloud Computing Survey, KPMG, Rotterdam, available at: www.kpmg.com\/ES\/es\/ActualidadyNovedades\/ArticulosyPublicaciones\/Documents\/2010-Cloud-Computing-Survey.pdf"},{"key":"key2020120812065334200_ref005","unstructured":"CIO Council, Chief Acquisition Officers Council (2012), \u201cCreating effective cloud computing contracts for the federal government\u201d, Best Practices for Acquiring IT as a Service, available at: https:\/\/cio.gov\/wp-content\/uploads\/downloads\/2012\/09\/cloudbestpractices.pdf"},{"key":"key2020120812065334200_ref006","unstructured":"Cloud Industry Forum (2011), \u201cCloud adoption and trends for 2012\u201d, available at: www.fasthosts.co.uk\/downloads\/white-papers\/4692406_assoc.pdf"},{"key":"key2020120812065334200_ref007","unstructured":"COSO (2013), \u201cWelcome to COSO\u201d, available at: www.coso.org\/ (accessed 21 January 2013)."},{"article-title":"Security guidance for critical areas of focus in cloud Computing V2.1","year":"2009","author":"CSA","key":"key2020120812065334200_ref008"},{"key":"key2020120812065334200_ref009","unstructured":"CSA (2011a), \u201cQuick guide to the reference architecture\u201d, available at: https:\/\/cloudsecurityalliance.org\/wp-content\/uploads\/2011\/10\/TCI_Whitepaper.pdf"},{"key":"key2020120812065334200_ref010","unstructured":"CSA (2011b), \u201cSecurity guidance for critical areas of mobile computing version 3\u201d, available at: https:\/\/cloudsecurityalliance.org\/research\/security-guidance\/#_overview 
(accessed 13 January 2013)."},{"key":"key2020120812065334200_ref011","unstructured":"CSA (2011c), \u201cTrusted Cloud reference architecture\u201d, available at: https:\/\/cloudsecurityalliance.org\/research\/tci\/"},{"key":"key2020120812065334200_ref012","unstructured":"CSA (2012), \u201cCloud control matrix\u201d, available at: https:\/\/cloudsecurityalliance.org\/research\/ccm\/"},{"key":"key2020120812065334200_ref013","unstructured":"ENISA (2009a), \u201cCloud computing information assurance framework\u201d, available at: www.enisa.europa.eu\/ (accessed 22 February 2010)."},{"key":"key2020120812065334200_ref014","unstructured":"ENISA (2009b), \u201cCloud computing: benefits, risks and recommendations for information security\u201d, available at: www.ifap.ru\/library\/book451.pdf (accessed 10 June 2010)."},{"key":"key2020120812065334200_ref015","unstructured":"ENISA (2011), \u201cProcure secure: a guide to monitoring of security service levels in cloud contracts\u201d, available at: www.enisa.europa.eu\/activities\/Resilience-and-CIIP\/cloud-computing\/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts"},{"key":"key2020120812065334200_ref016","unstructured":"European Commission (2012), \u201cA roadmap for advanced cloud technologies under H2020\u201d, available at: http:\/\/cordis.europa.eu\/fp7\/ict\/ssai\/docs\/cloud-expert-group\/roadmap-dec2012-vfinal.pdf (accessed 3 January 2013)."},{"key":"key2020120812065334200_ref017","unstructured":"Horwath, C., Chan, W., Leung, E. and Pili, H. 
(2012), \u201cEnterprise risk manage for cloud computing\u201d, available at: www.coso.org\/-erm.htm (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref018","unstructured":"International Auditing and Assurance Standards Board (2004), \u201cInternational framework for assurance engagements\u201d, available at: www.ifac.org\/sites\/default\/files\/downloads\/b003-2010-iaasb-handbook-framework.pdf"},{"volume-title":"The King report on corporate governance for South Africa (The Institute of Directors in Southern Africa) September 2009","year":"2009","author":"IoDSA","key":"key2020120812065334200_ref019"},{"volume-title":"IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud","year":"2011","author":"ISACA","key":"key2020120812065334200_ref022"},{"key":"key2020120812065334200_ref023","unstructured":"ISACA (2012a), \u201cCalculating cloud ROI: from the customer perspective\u201d, available at: www.isaca.org\/Knowledge-Center\/Research\/ResearchDeliverables\/Pages\/Calculating-Cloud-ROI-From-the-Customer-Perspective.aspx"},{"volume-title":"COBIT 5: A Business Framework for the Governance and Management of Enterprise IT","year":"2012","author":"ISACA","key":"key2020120812065334200_ref024"},{"volume-title":"Security Considerations for Cloud Computing","year":"2012","author":"ISACA","key":"key2020120812065334200_ref025"},{"key":"key2020120812065334200_ref026","unstructured":"ISACA (2013), \u201cWhat we offer & whom we serve\u201d, available at: www.isaca.org\/About-ISACA\/What-We-Offer-Whom-We-Serve\/Pages\/default.aspx (accessed 21 January 2013)."},{"volume-title":"ISO\/IEC 38500:2008 Corporate Governance of Information Technology","year":"2008","author":"ISO","key":"key2020120812065334200_ref027"},{"key":"key2020120812065334200_ref028","unstructured":"ISO (2012a), \u201cISO\/IEC WD 27018\u201d, available at: 
www.iso.org\/iso\/home\/store\/catalogue_tc\/catalogue_detail.htm?csnumber=61498"},{"key":"key2020120812065334200_ref029","unstructured":"ISO (2012b), \u201cISO\/IEC WD TS 27017\u201d, available at: www.iso.org\/iso\/home\/store\/catalogue_tc\/catalogue_detail.htm?csnumber=43757"},{"key":"key2020120812065334200_ref030","unstructured":"ISO (2013), \u201cAbout ISO\u201d, available at: www.iso.org\/iso\/home\/about.htm (accessed 21 January 2013)."},{"key":"key2020120812065334200_ref032","volume-title":"Board Briefing on IT Governance","author":"ITGI","year":"2003","edition":"2nd ed."},{"key":"key2020120812065334200_ref035","unstructured":"Kundra, V. (2011), \u201cFederal cloud computing strategy\u201d, available at: www.dhs.gov\/sites\/default\/files\/publications\/digital-strategy\/federal-cloud-computing-strategy.pdf (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref037","unstructured":"NIST (2011a), \u201cGuidelines on security and privacy in public cloud computing (NIST Special Publication 800-144)\u201d, available at: www.nist.gov\/manuscript-publication-search.cfm?pub_id=909494 (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref039","unstructured":"NIST (2011c), \u201cNIST US government cloud computing technology roadmap volume III (NIST Special Publication 500-293)\u201d, available at: www.nist.gov\/itl\/cloud\/upload\/NIST_cloud_roadmap_VIII_draft_110111-v3_rbb.pdf (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref040","unstructured":"NIST (2011d), \u201cThe NIST definition of cloud computing (NIST Special Publication 800-145)\u201d, available at: http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-145\/SP800-145.pdf (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref041","unstructured":"NIST (2011e), \u201cUS government cloud computing technology roadmap volume II Release 1.0 (NIST Special Publication 500-293)\u201d, available at: www.nist.gov\/itl\/cloud\/upload\/SP_500_293_volumeII.pdf (accessed 13 
January 2012)."},{"key":"key2020120812065334200_ref042","unstructured":"NIST (2012a), \u201cCloud computing synopsis and recommendations (NIST Special Publication 800-146)\u201d, available at: www.nist.gov\/manuscript-publication-search.cfm?pub_id=911075 (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref043","unstructured":"NIST (2012b), \u201cNIST general information\u201d, available at: www.nist.gov\/public_affairs\/general_information.cfm (accessed 21 January 2013)."},{"key":"key2020120812065334200_ref045","doi-asserted-by":"crossref","DOI":"10.1787\/9789264106079-en","volume-title":"OECD Principles of Corporate Governance","author":"OECD","year":"2004"},{"key":"key2020120812065334200_ref046","unstructured":"Pricewaterhouse Coopers (2012), \u201cThe future of IT outsourcing and cloud computing\u201d, available at: www.pwc.tw\/en_TW\/tw\/publications\/events-and-trends\/assets\/e255.pdf (accessed 3 January 2013)."},{"issue":"4","key":"key2020120812065334200_ref047","doi-asserted-by":"crossref","first-page":"73","DOI":"10.4102\/sajbm.v43i4.483","article-title":"Cloud computing service value: a message to the board","volume":"43","year":"2012","journal-title":"South African Journal of Business Management"},{"key":"key2020120812065334200_ref048","unstructured":"Assurance (2017), \u201cBusiness dictionary\u201d, available at: www.businessdictionary.com\/definition\/assurance.html"},{"volume-title":"Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives","year":"2009","author":"ISACA","key":"key2020120812065334200_ref050"},{"key":"key2020120812065334200_ref049","unstructured":"ISACA & CSA (2012), \u201cCloud computing market maturity study results\u201d, available at: www.isaca.org\/Knowledge-Center\/Research\/ResearchDeliverables\/Pages\/2012-Cloud-Computing-Market-Maturity-Study-Results.aspx (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref051","unstructured":"IT Governance Institute (2007), \u201cCOBIT 
4.1\u201d, available at: www.isaca.org\/Knowledge-Center\/cobit\/Pages\/Downloads.aspx (accessed 23 October 2010)."},{"key":"key2020120812065334200_ref052","unstructured":"ITGI; PricewaterhouseCoopers LLP (2009), \u201cAn executive view of IT governance\u201d, available at: www.isaca.org\/Knowledge-Center\/Research\/Documents\/An-Executive-View-of-IT-Gov-Research.pdf (accessed 2 February 2011)."},{"key":"key2020120812065334200_ref053","unstructured":"Jericho Forum (2009), \u201cCloud cube model: selecting cloud formations for secure collaboration\u201d, available at: www.jerichoforum.org (accessed 22 February 2010)."},{"key":"key2020120812065334200_ref054","unstructured":"NIST (2009), \u201cCloud computing\u201d, available at: http:\/\/csrc.nist.gov\/groups\/SNS\/cloud-computing\/ (accessed 13 April 2010)."},{"key":"key2020120812065334200_ref055","unstructured":"NIST (2011b), \u201cNIST cloud computing reference architecture (NIST Special Publication 500-292)\u201d, available at: www.nist.gov\/manuscript-publication-search.cfm?pub_id=909505 (accessed 13 January 2013)."},{"key":"key2020120812065334200_ref056","unstructured":"NIST (2013), \u201cInventory of standards relevant to cloud computing\u201d, available at: http:\/\/collaborate.nist.gov\/twiki-cloud-computing\/bin\/view\/CloudComputing\/StandardsInventory (accessed 13 January 2013)."}],"container-title":["Information &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2015-0037\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-09-2015-0037\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:10Z","timestamp":1753406590000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/1\/26-46\/109736"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,13]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3,13]]}},"alternative-id":["10.1108\/ICS-09-2015-0037"],"URL":"https:\/\/doi.org\/10.1108\/ics-09-2015-0037","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,3,13]]}}}