Skip to main content
Image coming soon

SaaS Security Shared Responsibility for Enterprise Deals

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

SaaS Security Shared Responsibility for Enterprise Deals

Build the control-mapping evidence package that stops stalled customer security reviews and shortens deal cycles.

Every enterprise deal touches the same moment: a customer security team sends a shared responsibility questionnaire, and the SaaS vendor's security team scrambles to assemble an answer from trust documentation, SOC 2 extracts, and a spreadsheet built for the last deal. The answer is always late, always inconsistent, and always incomplete in the place the customer CISO cares most about.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security practitioners at enterprise SaaS vendors are accountable for two things that pull in opposite directions: keeping the platform genuinely secure, and convincing enterprise customers it is secure in the exact terms their procurement and legal teams require. The second job consumes weeks per deal cycle. The artefacts that would accelerate it, a layered control inventory, a tiered inheritance narrative, a reusable evidence package mapped to the frameworks the customer actually runs, do not exist in most vendor security teams because building them has never been scoped as a deliverable. It is treated as ad-hoc sales support. The result is a recurring drag: deals that pause at security review, customers who run parallel pen tests because the documentation was insufficient, and a security team that cannot scale its deal-support capacity without headcount.

What you walk away with

  • Build a reusable shared responsibility matrix that maps platform-managed, customer-configured, and customer-owned controls across the frameworks your enterprise customers require.
  • Write the control inheritance narrative that satisfies a customer CISO's questionnaire without disclosing internal platform architecture.
  • Structure a SOC 2 bridge letter and supplementary evidence package that reduces back-and-forth with customer procurement teams.
  • Develop the FedRAMP inheritance summary your federal prospects need before they can place the platform on their approved list.
  • Create the ISO 27001 Annex A mapping document that closes the gap between your certification scope and what the customer's auditor wants to see.
  • Stand up a lightweight evidence-management process so the next deal cycle does not start from scratch.

The 12 modules

Module 1. The Shared Responsibility Audit
Before building any documentation, map what you actually own versus what the customer configures versus what the customer is fully responsible for. This module walks through a structured control inventory method that produces a three-column accountability register across compute, data, identity, network, and application layers. The output is the foundation every subsequent artefact draws from, and the first deliverable a customer CISO will ask to see.
Module 2. Reading the Customer Questionnaire as a Document Request
Most shared responsibility questionnaires are not security assessments. They are evidence requests in disguise. This module teaches you to parse a customer questionnaire by evidence type, separating certification-based assertions from configuration-state claims from architecture-disclosure requests. You will build a question-to-artefact mapping template that lets your team answer a new questionnaire in hours rather than days by routing each question to the right existing document.
Module 3. The Control Inheritance Narrative for SOC 2
SOC 2 reports describe what the platform does. Customers need to understand what that means for their own control obligations. This module covers the inheritance narrative format: how to describe each SOC 2 Trust Services Criterion in terms of what customer configuration is required to make the control effective, what monitoring responsibility the customer retains, and what evidence of their own implementation a customer auditor will require. Output is a customer-ready SOC 2 supplement.
Module 4. Building the SOC 2 Bridge Letter Process
When a customer's audit period does not align with your report period, they ask for a bridge letter. Most vendor security teams write these ad hoc. This module builds a repeatable bridge letter process: the template language that satisfies a Big 4 auditor, the internal sign-off workflow, the version-control discipline that prevents stale letters from circulating after a system change, and the limit-of-scope language that protects the vendor without alarming the customer.
Module 5. FedRAMP Inheritance for Non-FedRAMP Customers
Federal prospects and contractors ask about FedRAMP even when the platform is not yet authorized. This module covers how to write a FedRAMP-readiness summary that accurately describes which NIST 800-53 controls the platform satisfies at the infrastructure layer, which controls the customer agency must implement, and which are shared. It also covers the language to use when the platform holds a FedRAMP Moderate or High authorization and how to frame the inheritance for an agency customer's system security plan.
Module 6. ISO 27001 Annex A Mapping for Customer Auditors
When a customer's own ISO 27001 auditor reviews their use of the platform, they will ask for an Annex A control mapping. This module builds the mapping document from your existing ISO 27001 scope, identifying which Annex A controls are satisfied by platform architecture, which require customer configuration, and which are out of scope for the platform entirely. Includes the explanatory language that helps a customer auditor understand the scope boundary without a live call.
Module 7. Encryption Evidence Packages
Encryption is the most frequently questioned area in customer security reviews, and the questions are almost always the same: encryption at rest, encryption in transit, key management ownership, and key rotation evidence. This module builds the encryption evidence package for enterprise deals, covering the artefact structure, the language that describes key management responsibility without exposing architecture, and the answer patterns for the three most common encryption edge cases in multi-tenant SaaS: customer-managed keys, field-level encryption requests, and backup encryption attestation.
Module 8. Identity and Access Control Documentation
Enterprise customers want to know who at the vendor can access their data, under what circumstances, and with what audit trail. This module covers the access control attestation package: the privileged access policy summary, the break-glass procedure description, the access review cadence attestation, and the SCIM and SSO integration documentation that satisfies a customer's identity governance team. Includes the language for describing multi-tenant isolation in terms a non-technical customer CISO can present to their board.
Module 9. Vulnerability Management Disclosure for Enterprise Accounts
Customers increasingly ask for evidence of vulnerability management practice, not just penetration test results. This module covers the disclosure artefact for enterprise accounts: how to describe your CVSS-based prioritisation process, your patching SLA by severity tier, your responsible disclosure policy, and your customer notification process for critical vulnerabilities. Includes the boundary language that differentiates disclosure of process from disclosure of findings, which protects both parties.
Module 10. Incident Response Evidence for Enterprise Contracts
Enterprise contracts increasingly require vendor incident response obligations: notification timelines, forensic preservation commitments, and post-incident report delivery. This module builds the incident response evidence package that supports contract negotiation and renewal: the IRP summary for customer distribution, the notification SLA attestation, the tabletop exercise record that demonstrates programme maturity, and the post-incident report template that meets both contractual and regulatory notification requirements across the US, EU, and APAC.
Module 11. The Scalable Evidence-Management Process
Most vendor security teams rebuild their evidence packages for every deal because nothing is maintained between cycles. This module stands up a lightweight evidence-management process: the artefact inventory register, the quarterly review cadence, the version-control discipline, the internal owner assignment for each document, and the intake workflow that routes new customer questionnaire questions back into the artefact library rather than into ad-hoc email threads. The goal is a security assurance function that scales deal support without scaling headcount.
Module 12. The Trust Page and the Living Shared Responsibility Document
The final module builds the two public-facing artefacts that reduce inbound questionnaire volume: the trust page narrative that pre-answers the most common enterprise security questions, and the living shared responsibility document that customers can reference directly. Covers the content architecture, the update workflow, the legal review gate, and the customer communication process when the shared responsibility model changes after a major product update. Produces a trust page brief ready for publication and a shared responsibility document ready for customer distribution.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-2: Audit what you own and what every questionnaire is actually asking for.
Modules 3-6: Build the framework-specific inheritance narratives for SOC 2, FedRAMP, and ISO 27001.
Modules 7-10: Build the domain evidence packages for encryption, identity, vulnerability management, and incident response.
Modules 11-12: Stand up the process and the public artefacts that make the next deal cycle faster than this one.

What you get with this course

  • Twelve written modules in the Art of Service learning environment, each focused on a specific deliverable in the shared responsibility evidence stack.
  • Downloadable templates for every module: the three-column control inventory register, the SOC 2 inheritance narrative template, the bridge letter template, the FedRAMP inheritance summary, the ISO 27001 Annex A mapping template, the encryption evidence package outline, the access control attestation template, and the evidence-management register.
  • The hand-built implementation playbook, delivered alongside course access, tailored to the specific compliance frameworks and customer profiles relevant to enterprise SaaS security assurance.

What you will have in hand by Day 1, Week 1, Month 1

Course access and the hand-built implementation playbook are provisioned within 24 hours of purchase.

The twelve modules are structured to be worked through in parallel with an active deal cycle, not as a prerequisite. Most practitioners complete the first six modules in the first week and begin producing artefacts from module one before they finish the course.

Before and after

Before

Each enterprise deal triggers a manual scramble to assemble security documentation from prior deals, trust page exports, and SOC 2 extracts. The process takes days, the output is inconsistent, and the customer CISO still asks follow-up questions.

After

A structured evidence library covers the five most common customer security frameworks. New questionnaires route to existing artefacts. The security team closes the assurance loop in hours, not days, and the documentation holds up in customer audits.

What happens if you do not address this

Without a reusable shared responsibility package, every enterprise deal requires the same manual documentation effort. The cost is not just the hours. It is the deals that stall permanently at security review, the renewals that trigger renegotiation because the documentation was insufficient the first time, and the inability to scale deal support without adding headcount.

Who it is for

Security professionals at enterprise SaaS vendors, typically at the level of Security Engineer, Security Program Manager, or Director of Cloud Security, who are responsible for customer-facing security assurance, compliance certification maintenance, and the documentation that supports the sales and renewal cycle. The course is built for the person who owns the trust page and the shared responsibility artefacts, not the person who manages the firewall.

Who this is NOT for. Internal IT security teams at end-user organisations. Compliance consultants who advise clients but do not own a SaaS product's trust posture. Security engineers focused exclusively on detection and response rather than assurance documentation.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 4-6 hours across the twelve modules, plus time to adapt the templates to your platform's specific control inventory. Most practitioners find the template work produces the first reusable artefact within the first two modules.

Why $199 is the right number

Hiring a compliance consultant to build your shared responsibility documentation typically takes 6-12 weeks and costs significantly more than $199. Adapting a generic CAIQ or SIG questionnaire response produces artefacts that are technically accurate but not written for the specific frameworks your enterprise customers run. This course builds the artefacts your team owns and can maintain, in the exact format a customer CISO's team expects to receive.

FAQ

Does this course cover CAIQ and CSA Star?
The modules cover SOC 2, FedRAMP, and ISO 27001 as the three primary frameworks enterprise customers reference in shared responsibility reviews. The control inventory method in Module 1 produces a register that maps directly to CAIQ domains, so the CAIQ response becomes a retrieval exercise rather than a drafting exercise once the register exists.
Is this course relevant if the platform is not yet FedRAMP authorized?
Yes. Module 5 specifically covers the FedRAMP-readiness summary for platforms that are not yet authorized, which is the document federal prospects and contractors ask for before a formal authorization engagement begins.
How is the implementation playbook tailored?
The implementation playbook is hand-built by Gerard after purchase, based on the compliance frameworks, customer profiles, and deal context you describe. It is not a generic template. Reply with your specific situation after purchase and the playbook will be built for your context.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.