Giving you tools to verify Google Cloud’s security
We’ve compiled resources to help answer questions we frequently receive from customers when performing vendor due diligence in the areas of risk and security. Responses fall into two categories: “Trust,” containing Google’s self-attestations and vendor security questionnaires, and “Trust but verify,” containing resources that are independently validated by third-party audits.
These resources provide:
- Familiarity: Answers are aligned to cloud-savvy and industry-standard frameworks
- Speed: On-demand reports deliver quicker knowledge of risk posture and shared responsibility without conducting an individual audit
- Standardization: Standardized reports can be used by interested parties across your entire organization
Trust: self-assessments and questionnaires
A security/risk self-assessment is a complimentary (no-cost) offering in which the provider documents its own security controls, without independent validation, to help customers assess the security of the service.
- Google Cloud's Cloud Security Alliance (CSA) STAR Self-Assessment, based on the Consensus Assessments Initiative Questionnaire (CAIQ)
- Standardized Information Gathering (SIG) Core Questionnaire (Shared Assessments) - used by organizations to perform an initial assessment of third-party vendors, collecting information to help determine how security risks are managed across 18 different risk domains
- IHS Markit KY3P due diligence questionnaire
- Google Cloud's Data Processing and Security Terms (DPST) and Google Workspace’s Data Processing Amendment (DPA)
- Google Cloud security whitepapers (encryption, data privacy, incident response, and more)
Trust but verify: third-party reports
Third-party audit reports
Third-party audit reports, such as SOC 2 and CSA STAR (SOC 2+), are generated by auditors independent of the customer-supplier relationship. They evaluate the security, availability, processing integrity, confidentiality, and privacy of an organization's information systems (the SOC 2 Trust Services Criteria). Note that these reports cover the controls Google operates on its side of the shared responsibility model; how a customer configures and uses the services is outside their scope and remains the customer's responsibility to assess.
Access our publicly available audit reports, certificates, and more in our Compliance Reports Manager.
Third-party risk management platform assessments
Third-party risk management (TPRM) platform assessments help customers gain a holistic understanding of the security posture of a specific vendor and its vendor ecosystem.
IHS Markit KY3P assessments:
- Desktop assessment: includes a thorough remote validation of evidence across a full spectrum of Google Cloud controls
- Enhanced desktop assessment: a more comprehensive review of our controls, intended to provide the same level of evidence verification that an on-site data center visit would
- CyberGRX risk assessment: CyberGRX assessments lay out the cybersecurity posture of a third-party vendor. They identify both inherent risk (before controls) and residual risk (after controls), so customers can quickly and confidently decide how to treat the remaining risk, whether by mitigating it or by accepting it.