Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level

Home
Industry Insights
The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level

Blog Article Published: 01/21/2021

Written by: Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance and Lefteris Skoutaris, CCM Program Manager, Cloud Security Alliance

Over the course of the last decade since its first appearance in 2010, the Cloud Controls Matrix (CCM) has become a reference for any organization seeking to define and improve its cloud security and compliance posture. CCM is by now a de facto standard in the cloud market and constitutes the very foundation of CSA’s STAR Program.

Now in 2021, after a long creation period, CSA has released the initial version 4 of the CCM.

The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.

Since CCM V3.0.1 was initially released six years ago, the cloud market has substantially evolved and matured.

Cloud native approaches have passed from being the exception to being the rule, multi-cloud, DevOps, microservices and micro-segmentation, serverless, and automation are the new norm. GDPR, LGPD, CCPA, and other privacy regulations, together the recent rulings of the European Court of Justice have redesigned the rules of compliance in the cloud. One of the only things that doesn’t appear to have changed significantly is the bad habits from cloud customers due to the poor understanding of the cloud security shared responsibility model and the difference between cloud security responsibility and accountability. Both of those were important drivers for the creation of CCM v4.

CCM v4 is meant to provide the community with the best vendor-neutral security and privacy control framework.

CSA’s main goal was to create a new reference in the cloud security market. We wanted to offer to the community the best vendor agnostic security and privacy control framework in market. We built on the experience and the feedback collected from the tens of thousands of CCM users, and created a better standard, a framework that was easier to implement and audit and that would offer the much needed level of assurance for any category of cloud customers, from small and medium companies to large enterprises in the highly regulated business sectors.

The objectives that drove CCM v4 development were:

Ensure coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and new legal and regulatory requirements especially in the privacy realm.

Improve the auditability of the controls and providing better implementation and assessment guidance to organizations.

Clarify the allocation of cloud security responsibilities within the share responsibility model.

Improve interoperability and compatibility with other standards.

Changes in CCM v4

The new version 4 of the CCM includes a number of changes that are summarized below alongside the various complementary components that are currently under development and will be released during the course of 2021.

CCM v4.0 includes new additional controls, so as to better reflect the changes and evolution described above. It is comprised of 17 domains, compared to 16 in v3.0.1, and about 50% more control specifications, from 133 to 197 controls.

The V4 controls will eventually be accompanied by mappings with the following standards:

  • ISO/IEC 27001-2013
  • ISO/IEC 27017-2015
  • ISO/OEC 27018-2019
  • AICPA TSC v2017
  • CCM V3.0.1

Beside the set of core controls, CCM V4 will eventually include the following additional components:

CCM Implementation Guidelines: a guidance to support the implementation of CCM controls. Expected to be released at the beginning of Q2 2021 (tentative date April).

CAIQ: the new CCM Questionnaire. Expected to be released at the beginning of Q2 2021 (tentative date April).

Control Applicability Matrix: a support to define the attribution of the responsibilities between cloud service providers (CSPs) and customers (CSCs). Expected to be released in Q2 2021 (tentative date April).

Organizational Relevance: a support to define the organizational relevance of each control based on the work done by the CSA Enterprise Architecture Working Group. Expected to be released in Q2 2021 (tentative date April).

CCM Auditing Guidelines: a guidance to support the auditing and assessment of CCM controls. Expected to be released at the beginning of Q3 2021 (tentative date July).

CCM Lite: a lightweight version of CCM, including a subset of the CCM Controls which represent the CCM foundational controls, i.e., those that any organization should implement ‘no matter what’. Expected to be released at the beginning of Q4 2021 (tentative date October).

In addition to the above, CSA will be working over the course of 2021 to translate the CCM in other languages and provide additional mapping to relevant standards, best practices, laws and regulations. In our current pipeline, priority will be given, in no particular order, to: NIST 800-53 Rev 5, ENISA Security Controls for Cloud Services, CIS Controls, PCI-DSS.

CCM v4 is just the beginning.

With all that being said, we are conscious that the CCM v4 is not the conclusion of our work, but rather the beginning of journey towards the excellence. We want work with the community and give the best possible solution for cloud security and privacy assurance and compliance.

Download CCM v4 →

Should you be interested in knowing more, or participating and contributing to the CCMv4 and working group activities, please join us here: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix .

Join the CCM v4 User Group

CSA is looking for feedback on version 4 of the CCM. If you would like to help provide feedback, please join our community on Circle. (You will need to create an account on Circle to join this community.)

https://circle.cloudsecurityalliance.org/community-home1?CommunityKey=a8cb68d1-4d5c-499a-b28d-3f95b63aea27

Cloud Controls MatrixComplianceTransitioning to the cloud

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How to Audit Your Outdated Security Processes

Published: 04/16/2024

Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’

Published: 04/15/2024

Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024

Building a SOC for Compliance

Published: 04/11/2024