Build Your Shared Responsibility Matrix: A Step-by-Step Guide and Template for Businesses
A Practical Template for Mapping Controls with Your CSP, MSP, and SaaS Vendors
Shared Responsibility Matrix (SRM) Research and Development Blueprint
This template provides a structured approach for identifying your service providers, understanding the division of responsibilities, and documenting them in a formal Shared Responsibility Matrix (SRM). This process is critical for effective risk management, compliance, and audit readiness.
Step 1: Inventory All External Service Providers
Before you can assign responsibilities, you must identify every third party that handles your data or performs security-critical functions. This inventory is the foundation of your SRM.
Step 2: Gather Provider Documentation
For each provider identified, collect all relevant security and compliance documentation. This is where you will find the provider’s stated responsibilities. Key documents include:
Service Level Agreements (SLAs)
Master Service Agreements (MSAs)
Provider-published Shared Responsibility Model documentation
Third-party audit reports and certifications (e.g., SOC 2, ISO 27001, FedRAMP)
Customer Responsibility Matrix (CRM), if provided
Step 3: Select a Control Framework
Choose a well-established framework that fits your industry and the regulations you are subject to. A framework gives you a complete, structured set of controls to enumerate in the matrix, so every control ends up with an owner, not only the ones someone happened to think of. Tailor the set to your environment, but record why each control you drop does not apply.
Some widely recognized frameworks include:
NIST SP 800-171: The requirement set for protecting Controlled Unclassified Information (CUI) in non-federal systems and the basis for CMMC Level 2, which makes it the natural choice for defense contractors that handle CUI. Revision 2 groups its requirements into 14 families (Revision 3, published in 2024, expands this to 17); either way it gives you a control-by-control list to assign to a responsible party.
ISO/IEC 27001: As an international standard, ISO 27001 offers a systematic approach to managing sensitive company information, ensuring that it remains secure. It helps organizations establish, implement, maintain, and continually improve an information security management system (ISMS) while also providing guidelines for assessing risk and enforcing controls.
CIS Controls: Developed by the Center for Internet Security, the CIS Controls are a set of best practices designed to mitigate the most common cyber threats. They encompass a prioritized and actionable set of cyber defense measures, making them suitable for organizations of all sizes looking to bolster their cybersecurity efforts.
By carefully selecting and implementing one of these frameworks, you can enhance your organization’s security landscape and fulfill applicable compliance obligations.
Step 4: Build the Shared Responsibility Matrix
Using your chosen framework, create a matrix with one row per applicable control. For each row record, at minimum: the control identifier and title; the responsible party (Provider, Customer, or Shared); which provider implements it, where one does; a short description of how it is implemented; and the evidence an assessor can be shown. "Shared" is where most gaps hide, so write down which part each party performs rather than just the label.
Step 5: Review, Align, and Approve
The completed SRM must be a formal, approved document with an owner and a review cadence, not a working spreadsheet that anyone can edit.
Align with Contracts: Ensure the responsibilities documented in the SRM match the legal obligations in your SLAs and contracts. Any discrepancies must be resolved.
Internal Review: Get formal sign-off from internal leadership, including IT, security, and compliance teams, to ensure organizational accountability.
Provider Confirmation: Where possible, have your MSP or MSSP review and confirm their responsibilities as documented in the matrix.
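To make Steps 4 and 5 concrete, here is an added example (not part of the original post or its template) that holds a small SRM as CSV, checks each row for the problems an assessor would flag, and reconciles the matrix against what each provider's own responsibility documentation claims. The control identifiers are from NIST SP 800-171 Rev. 2 with paraphrased titles; the rows, the two providers ("CSP" and "MSP") and the PROVIDER_CLAIMS sets are constructed sample data, not real vendor documents.

```python
import csv
import io
from collections import Counter

VALID_OWNERS = {"Provider", "Customer", "Shared"}

# Constructed sample rows (not from the article): NIST SP 800-171 Rev. 2
# identifiers with paraphrased titles, mapped across a CSP and an MSP.
SAMPLE_SRM_CSV = """control_id,title,owner,provider,implementation_note,evidence
3.1.1,Limit system access to authorized users,Shared,MSP,MSP administers the IdP; customer approves access requests,Quarterly access review tickets; MSP SOC 2 Type 2 report
3.3.1,Create and retain system audit logs,Customer,,Customer forwards logs to its SIEM,Log retention policy; SIEM retention configuration export
3.4.1,Establish configuration baselines,Provider,MSP,MSP maintains golden images,MSP change tickets
3.10.1,Limit physical access to systems,Provider,CSP,Data-center physical controls,CSP SOC 2 Type 2 report (physical and environmental section)
3.13.11,Employ FIPS-validated cryptography for CUI,Shared,CSP,CSP supplies the KMS; customer enables encryption on each store,
3.14.1,Identify and correct system flaws,Provider,,,
"""

# Constructed stand-in for provider-published responsibility documents (the
# CRM or SRM sheet from each vendor): the control IDs each provider claims.
PROVIDER_CLAIMS = {
    "CSP": {"3.10.1", "3.13.11"},
    "MSP": {"3.1.1", "3.3.1"},
}


def load_srm(csv_text):
    """Parse the matrix into a list of dict rows, stripping whitespace."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def find_gaps(rows):
    """Return {control_id: [problems]} for rows that would not survive an audit."""
    gaps = {}
    for r in rows:
        problems = []
        if r["owner"] not in VALID_OWNERS:
            problems.append(f"owner must be one of {sorted(VALID_OWNERS)}")
        if r["owner"] in {"Provider", "Shared"} and not r["provider"]:
            problems.append("provider-owned control names no provider")
        if not r["implementation_note"]:
            problems.append("no implementation note")
        if not r["evidence"]:
            problems.append("no evidence recorded")
        if problems:
            gaps[r["control_id"]] = problems
    return gaps


def reconcile_with_providers(rows, claims):
    """Compare SRM assignments against what each provider's documentation claims.

    Returns (unsupported, uninherited):
      unsupported: (control_id, provider) assigned to a provider that does not claim it;
      uninherited: (control_id, provider) claimed by a provider but marked Customer,
                   i.e. work you are doing that you could inherit instead.
    """
    unsupported, uninherited = [], []
    for r in rows:
        cid, owner, prov = r["control_id"], r["owner"], r["provider"]
        if owner in {"Provider", "Shared"} and prov and cid not in claims.get(prov, set()):
            unsupported.append((cid, prov))
        if owner == "Customer":
            for p, ids in claims.items():
                if cid in ids:
                    uninherited.append((cid, p))
    return unsupported, uninherited


def missing_controls(rows, required_ids):
    """Framework controls that do not appear in the matrix at all."""
    present = {r["control_id"] for r in rows}
    return sorted(set(required_ids) - present)


def owner_summary(rows):
    """How many controls fall to each party; a sanity check on the split."""
    return Counter(r["owner"] for r in rows)


if __name__ == "__main__":
    rows = load_srm(SAMPLE_SRM_CSV)
    print("owners:", dict(owner_summary(rows)))
    for cid, problems in find_gaps(rows).items():
        print(f"gap {cid}: {'; '.join(problems)}")
    unsupported, uninherited = reconcile_with_providers(rows, PROVIDER_CLAIMS)
    print("assigned to provider but not in its documentation:", unsupported)
    print("provider claims it but SRM says Customer:", uninherited)
    print("not in matrix:", missing_controls(rows, ["3.1.1", "3.3.1", "3.4.1",
                                                    "3.10.1", "3.13.11", "3.14.1", "3.14.2"]))
```

Run it and the two reconciliation lists are the items to take into the contract-alignment and provider-confirmation meetings: an "unsupported" entry means you are relying on a provider for something its own documentation never promised, and an "uninherited" entry means you are carrying evidence burden the provider would cover. The missing-controls check is what keeps the matrix tied to the framework you chose in Step 3.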
The Advantage of Third-Party Validated Service Partners
Choosing service partners—whether they are CSPs, MSSPs, or SaaS vendors—who have undergone rigorous, independent third-party assessments significantly streamlines the process of creating and maintaining your SRM. It simplifies how you document and inherit the controls they are responsible for, providing a high level of validated assurance.
Here’s how it makes the process easier:
Reduces the Burden of Verification: When a provider holds a certification like ISO 27001 or a compliance attestation like a SOC 2 report, an independent auditor has already evaluated and tested their security controls. That lets you "inherit" a portion of your compliance from the provider instead of assessing those controls yourself. Two caveats a practitioner should apply: confirm the report's scope (services, regions, reporting period) actually covers what you use, and read the complementary user entity controls (CUECs) in a SOC 2 report, because those are the things the auditor assumed you, the customer, would do; they belong in your SRM as Customer responsibilities.
Provides Clear Documentation: Leading cloud providers offer detailed compliance artifacts and reports through online portals. These documents, such as a FedRAMP Customer Responsibility Matrix (CRM) or a PCI DSS Responsibility Matrix, explicitly state which controls the provider manages. This gives you a clear, pre-documented starting point for the “Provider Responsibility” column in your own SRM.
Simplifies Audits and Assessments: During a compliance audit (such as for CMMC or ISO 27001), you can present your provider's third-party attestation as evidence that their portion of the shared responsibility model is being met. For example, instead of needing to prove how your CSP secures its data centers, you can provide its SOC 2 report, which covers physical and environmental controls. Expect the assessor to check that the report's scope and period cover the services and regions you use and to note any exceptions it lists, so review those points before the audit. Done that way, the report is clear evidence to assessors and demonstrates your due diligence in vendor risk management.
Establishes a Foundation of Trust: A third-party validation demonstrates a provider’s formal commitment to security and compliance. This is far more reliable than relying on marketing claims or verbal assurances. It gives you confidence that the provider has mature processes in place for everything from incident response to change management, which are critical components of the shared responsibility model.
In practice, when filling out your SRM for a control managed by a validated provider, your entry can be direct and defensible. For the “Evidence” column, you can simply reference the provider’s official compliance documentation, such as “Covered by AWS SOC 2 Type 2 Report, Section X” or “Inherited control per Microsoft Azure FedRAMP High ATO.” This makes the entire process more efficient, accurate, and easier to defend during an audit.
Here is a sample SRM that you can use with your own MSPs.
https://docs.google.com/spreadsheets/d/e/2PACX-1vRFXoAGcVj8QqO4Ad1DQEaIVVJCi89IsPSQSVBEngDmG9Ngs4nE7Cs6w0-tg81nuJzS4OyV7654KH0V/pubhtml
If you would like some recommendations on CSP, MSP, and MSSPs, based on your use cases, I would be happy to offer some recommendations.
Another option is to gift a subscription to this newsletter to a team member or a mentor. Subscription fees help fund the blog’s operating costs and cover the coffee that fuels the late nights and early mornings I spend researching these topics for you.
Some security tools you can consider for improving your business security posture:
CrowdStrike Falcon: An AI-driven platform for securing your infrastructure at scale and keeping up with AI advancements. https://crowdstrike2001.partnerlinks.io/Cpf-coaching
INE Security Awareness and Training is essential for your team to stay updated with the evolving threat landscape, enhancing the effectiveness of the teams supporting your organization. https://get.ine.com/cpf-coaching
Tenable helps identify weaknesses in your infrastructure, whether on-premises, in the cloud, or in your software, providing your vulnerability management with the visibility it needs. https://shop.tenable.com/cpf-coaching
Cyvatar.AI: Managed endpoint protection for SMBs and cloud environments. https://cyvataraif5706.referralrock.com/l/CHRISTOPHE77/
Omnistruct helps you with privacy, GRC, and security programs. They can serve as your BISO to help scale your team and security program. https://omnistruct.com/partners/influencers-meet-omnistruct/
Guidde helps you turn your tribal, undocumented processes into easy-to-follow documented videos and instructions. https://affiliate.guidde.com/cpf-coaching
Cyberupgrade simplifies the process of enhancing your cyber and digital risk management, allowing you to grow your business without having to be a compliance expert. We take care of the complexities associated with frameworks like DORA, ISO 27001, and NIS2, enabling your team to concentrate on building, scaling, and serving your customers. https://join.cyberupgrade.net/cpf-coaching
1Password secures your secrets, tokens, passwords, documents, and more, whether you’re at home, work, or school. They offer programs suited for everyone. https://1password.partnerlinks.io/cpf-coaching