| Scope and covered activity | CSP covers the cloud service provider side of the split: the infrastructure, platform, and service operations the provider controls and documents as provider responsibility, including the boundary where customer-managed workloads begin. | CSC Role Split covers the customer side of the split: the workloads, data, identities, configurations, and customer decisions that remain customer responsibility after the provider boundary is fixed. | Write the scope memo so teams can see when the provider owns the control, when the customer owns it, and when the same control is shared across both sides. |
|---|
| Who must act | CSP ownership should sit with the cloud provider team that can operate the shared service, maintain logs and assurance evidence, and answer customer questions about the provider-controlled environment. | CSC Role Split ownership should sit with the customer team that can configure the workload, approve data and access choices, and produce customer-side evidence for its own part of the split. | Do not copy owners from one side to the other; map the provider owner, customer owner, reviewer, and approver separately. |
|---|
| Trigger or threshold | CSP work is triggered when the provider changes the service, introduces a new shared control, updates assurance evidence, or revises the service boundary that customers rely on. | CSC Role Split work is triggered when the customer changes a workload, changes data handling or access decisions, or needs to re-map its own duties against the provider boundary. | Use the trigger to route intake: provider change, customer change, assurance refresh, contract update, or operational incident. |
|---|
| Core obligations | CSP requires the provider to maintain the cloud service controls it advertises: defined scope, accountable roles, current logs or reports, and a repeatable review cycle that shows the provider side still works as designed. | CSC Role Split requires the customer to carry out its own duties on top of the provider service: workload configuration, access decisions, data handling choices, and customer-side evidence that its responsibilities were met. | Translate both sides into a single task register only after labeling which requirement or guidance source each task satisfies. |
|---|
| Evidence and records | CSP evidence should show the provider-side process operating: service descriptions, shared responsibility matrices, support tickets, control operation records, test results, review minutes, and assurance reports. | CSC Role Split evidence should show the customer-side process operating: configuration records, access approvals, workload change records, local review minutes, and customer approvals tied to the shared responsibility matrix. | Build an evidence matrix with one row per claim and columns for source, owner, artifact, date, review trigger, and reuse permission. |
|---|
| Timing and cadence | CSP timing follows provider release cycles, scheduled assurance reviews, incident response, supplier review, and service changes rather than a single universal deadline. | CSC Role Split timing follows the customer's configuration changes, access reviews, contract milestones, risk reviews, or the date on which a shared control must be revalidated. | Track dates separately so a provider review cycle does not get mistaken for the customer's own revalidation date. |
|---|
| Enforcement or assurance route | CSP is usually tested through provider audits, customer assurance, management review, or contractual assurance requests that ask the provider to prove its service controls. | CSC Role Split may be enforced through the customer's own audits, internal reviews, attestations, or customer assurance checks on the customer-managed side of the service. | Separate audit readiness from legal compliance and from voluntary framework maturity so executives see the actual consequence of gaps. |
|---|
| Overlap and reuse | CSP can supply reusable provider evidence such as reports, logs, service descriptions, and review outputs when the customer is asking the provider to prove the shared service side. | CSC Role Split can reuse that evidence only when the customer requirement truly matches the provider artifact and the customer still has a separate record for its own obligations. | Reuse evidence only after checking scope, actor, date, data type, service, supplier, and acceptance criteria; otherwise keep separate records. |
|---|
| Practical decision rule | Use CSP when the main work is proving the provider-side service, control, or assurance model. | Use CSC Role Split when the main work is proving the customer-side configuration, data handling, access, or local approvals that sit on top of the provider service. | If both apply, keep the provider obligation visible and use the customer record as supporting structure, not as a substitute source. |
|---|