Pilot 2 – Workflow overview

In the previous posts, we introduced the high-level concept of Pilot 2 (https://www.emerald-he.eu/pilot-2-description-cloudferros-role-in-emerald/) and shared an overview of our environments (https://www.emerald-he.eu/pilot-2-test-environments-preparation/). Now, we would like to take a closer look at the workflow of Pilot 2: how the different participants will interact with the selected EMERALD components throughout the pilot.

So, let’s start by revisiting the high-level architecture as a foundation for what comes next.

As shown in the diagram above, CloudFerro hosts two dedicated projects within its cloud environment—one representing IaaS and the other PaaS. The EMERALD architecture presented here is a simplified version, focused on the key components essential for Pilot 2.

Within the Pilot 2 workflow, three key roles will be involved:

  • Compliance Manager – responsible for overseeing the entire certification and compliance process.
  • Control Owner – accountable for implementing specific controls within the environment or preparing the necessary documentation (in some cases, the Compliance Manager may also take on this role).
  • Auditor – responsible for conducting the audit of the company.


At the beginning of the process, the Compliance Manager must select the certification scheme they aim to comply with using EMERALD. Then, with the support of EMERALD, they review the relevant controls associated with the selected scheme. Thanks to the Repository of Controls and Metrics (RCM) component, these controls are displayed to the user in a clear and structured way. The Compliance Manager can also review the metrics associated with each control.


Next, the Control Owner responsible for technical controls implements the necessary changes within the cloud environment, while the Control Owner in charge of organizational controls prepares the required documentation—such as policies, procedures, and other supporting materials.

These roles may be held by the same individual or different people, and in some cases, the Compliance Manager may also act as the Control Owner.


After the implementation is completed, the Compliance Manager initiates the evidence collection phase. The first step is to select the appropriate evidence collectors.

In this case, Clouditor-Discovery will be used to gather evidence from the cloud environment and verify technical controls, while Assessment and Management of Organisational Evidence (AMOE) will be used for collecting documents and supporting evidence related to organizational controls.


The Mapping Assistant for Regulations with Intelligence (MARI) component allows mapping metrics to individual controls within a selected certification scheme. These metrics are verified against the evidence gathered by the evidence collectors, and based on this verification, the controls are marked as compliant. Once all controls are compliant, a self-assessment is achieved.


Finally, the Auditor can review the entire assessment result, including the collected evidence. Additionally, the Trustworthiness System (TWS) component ensures that all actions and data within the certification process are tamper-proof and verifiable.
