The Emerald project includes four pilots, each representing a different type of cloud infrastructure. Preparations for the actual audits are currently underway. This phase involves finalizing the audit scope, which covers the following elements:
- List of controls (requirements): A selected subset of controls drawn from one or more certification frameworks. These are implemented in the Emerald tool as a custom scheme. A custom scheme can also consist of one's own set of controls imported into Emerald.
- Control‑to‑metric mapping: Each control is linked to one or more metrics that automatically collect and assess evidence showing whether the requirements are met. The key to successful automated assessment is selecting the right metrics and ensuring they provide sufficient evidence that the criteria are met.
- Definition of the target of evaluation: This includes both the cloud technical resources and the relevant organizational documents.
Preparing for the audit essentially means implementing the defined audit scope in Emerald so that evidence can be automatically gathered from cloud resources and documentation via the defined metrics.
To ensure readiness, the preparation work is reviewed in a series of stage gates. Stagegate #3, known as “Ready for Audit,” serves as the final checkpoint before the audit can begin. The main readiness criteria for Stagegate #3 are:
- All elements of the audit scope have been fully implemented in Emerald.
- Evidence collection and analysis have been running continuously for at least one week.
- Practical arrangements for audit execution have been agreed upon and documented in an audit plan.
At present, the design teams are finalizing Emerald’s UI functionality and metric implementation. Once these are completed, the final setup for each pilot environment can be configured in Emerald.
During the actual audit, auditors will evaluate the provided evidence and judge whether the required controls are correctly documented, communicated, and implemented.
