Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

CSA and the Cyber Risk Institute: CCM Addendum for the Financial Sector

Published 06/28/2022

CSA and the Cyber Risk Institute: CCM Addendum for the Financial Sector
Written by Daniele Catteddu, Chief Technology Officer, CSA.


The CSA Cloud Controls Matrix (CCM) is 11 years old. Almost a teenager! Over time it has evolved and matured and has been a fundamental piece of the cloud journey for several thousands of organizations worldwide. Virtually any organization willing to implement cloud computing in a secure way has made use of our framework. The reasons are several, the CCM is:

  • Cloud relevant
  • Connected to all the most important security standards, laws and regulations that are important in the cloud space
  • Agile, and therefore able to reflect the technical and compliance changes of the cloud landscape
  • Technology-agnostic
  • The standard of reference of the STAR Program
  • Open source and free for users to adopt

The characteristics and qualities of the CCM are a coherent reflection of the vision that we always had for our framework at CSA. This vision now represents the lingua franca for cloud security, a de facto standard representing the center of gravity for any cloud governance, risk and compliance effort. It is a tool kit with several components that each of the cloud actors (CSPs, customers and assurance providers) can use to guide their actions and support their approach to the cloud, regardless of the size of the organization, its risk profile and the business sector in which it operates.

Does this mean that the CCM in its current version is sufficient to satisfy all the security and compliance requirements for every business sector? No, otherwise, we’d probably close the shop, call mission accomplished and go on permanent vacation.

The CCM is not perfect and the CCM has not yet accomplished its long-term vision. That has been one of the reasons why we decided to partner with the Cyber Risk Institute (CRI) to develop a CCM addendum for the financial sector.

Financial institutions have been looking at extending their cloud adoption rate over the course of the last few years. For a long time, cloud was to financial institutions as the apple was to Adam and Eve: a very tempting and forbidden fruit. That had to do with several things, mainly related to compliance and regulatory supervision, which I won’t elaborate on in this blog. The bottom line is that the financial institutions were from one side pressured to move to the cloud for effectiveness and efficiency reasons, but they couldn’t, or they were limited in the scope of what they could do, given some compliance constrains.

In the meantime, cloud has matured, providers have been able to accommodate most, if not all, the needs and requirements of financial institutions, and finally cloud is ready in highly regulated sectors. This doesn’t mean that the compliance and regulatory requirements have magically disappeared and/or evaporated somewhere in the stratosphere, it just means that there are technologies, procedures and best practices able to satisfy them.

CSA has moved strategically along the path of accommodating sector-specific requirements within our CCM framework. The way we’ve gone about this is coherent with our motto of applying common sense and not reinventing the wheel. For this reason, rather than creating ex novo a new set of controls to layer on top of the CCM core controls, we simply partnered with a like-minded organization, CRI. CRI has already created a framework, the CRI Profile for the Financial Sector, that covers most of the cybersecurity-relevant requirements of financial institutes at the global level.

Similarly to the CCM, CRI’s Profile had a limitation. It didn’t sufficiently cover the specificity of cloud computing security. As you can imagine, it didn’t take too long for both organizations to realize how powerful and fruitful a collaborative effort could be. In this collaboration, we would map the controls within the two respective frameworks, perform a gap analysis, and create addenda to add cloud-specific controls into the CRI Profile and to add financial sector-specific requirements into the CCM.

Today, we are glad to release the results of such a collaboration. You can download the addendum here.

This is only the first step in a process that will eventually lead to the creation of the dedicated version of CSA STAR Level 2 for financial institutions. We are now starting to look for financial institutions willing to work in a pilot program. Please get in contact with us to join this new initiative.

Share this content on your favorite social network today!