The most important factor when scoping assessments of cloud-based third parties that access, process, and retain personal data is to identify the type of cloud hosting deployment or service model. This is because different cloud models have different implications for the allocation of security responsibilities between the third party and the cloud hosting provider. For example, in a Software as a Service (SaaS) model, the cloud provider is responsible for most of the security controls, while in an Infrastructure as a Service (IaaS) model, the third party is responsible for securing its own data and applications. Therefore, it is essential to understand the type of cloud model and the corresponding security roles and responsibilities before conducting an assessment. This will help to avoid gaps, overlaps, or conflicts in security controls and expectations. References:

Guidance on Cloud Security Assessment and Authorization - ITSP.50.105, Canadian Centre for Cyber Security, May 2020, Section 2.1.1

The Importance of Properly Scoping Cloud Environments, PCI Security Standards Council and Cloud Security Alliance, August 2021

Third party and cloud: Regulatory challenges, KPMG, 2022, Section 2.1

Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2021, Section 4.2.2