Cloud Security Alliance Releases Additional Mappings, Update to Cloud Controls Matrix (CCM) v4

Updates allow for streamlined transition to, compliance with CCM v4 and ISO standards

SEATTLE – March 15, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced a series of updates to Cloud Controls Matrix (CCM) v4, CSA’s flagship cybersecurity framework for cloud computing. The updates provide additional features and support in transitioning from CCM v3, as well as identifies the areas of misalignment between CCM v4 and the ISO/IEC 27k family of standards.

“As we prepare to transition to the more robust CCM v4, we are pleased to be able to offer additional guidance to those who have begun the process, as well as provide further functionality for those using CCM v4,” said Eleftherios Skoutaris, CCM Program Manager, Cloud Security Alliance. “With these updates, we continue to lead the security industry and market as the cloud provider and user-centric control framework of choice.”

CCM is a cybersecurity control framework for cloud computing that aligns to the CSA Best Practices and is considered the de-facto standard for cloud security and privacy. CCM v4 constituted a significant upgrade to the previous version (v3.0.1) by introducing changes in the framework structure with a new domain dedicated to Logging and Monitoring (LOG), and modifications in the existing ones including governance, risk and compliance (GRC); auditing and assurance (A&A); unified endpoint management (UEM); and cryptography, encryption and key management (CEK). Updates to CCM v4 provide:

• Mapping to help existing users of CCM v3.0.1 transition to the CCM v4 requirements. This mapping identifies the equivalence between the control specifications of the two versions of CCM and highlights gaps and misalignments.
• Mapping with ISO/IEC 27001/02/17/18 standards, giving organizations a better understanding of how to streamline CCM compliance and relevant ISO standards and reduce the transition cost between ISO certification and the CSA STAR Program.
• The Controls Applicability Matrix (CAM), which acts as a guide to help organizations determine the shared responsibilities between cloud service providers and customers when implementing a CCM control.

CSA also invites interested parties to an open peer review (comment period ends April 15) for the final draft of the CCM v4 Implementation Guidelines (IGs) and the Consensus Assessments Initiative Questionnaire (CAIQ) v4, including an SSRM-based add on. Commenters are encouraged to provide their feedback on refining, improving, and possibly extending the implementation of the IGs, which provide organizations with a how-to guidance for the implementation of each CCM v4 security and privacy control specification, and CAIQ, which helps cloud customers gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably fulfilling fundamental security and privacy requirements.

The CCMv4 is a free resource and is available for download now.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloud security alliance.org, and follow us on Twitter @cloudsa.