CCM Addendum - ISO/IEC 27002, 27017, 27018

This document is an addendum to the CCM V3.0.1 controls. It contains the additional controls that serve to bridge the gap between CCM and ISO/IEC 27002:2013, ISO/IEC 27017:2015 and ISO/IEC 27018:2014.

The document includes:
• A controls mapping between the mentioned standards and CCM (e.g. which control(s) in CCM map to each given control in ISO 27017).
• A gap analysis.
• Compensating controls (i.e. the actual “addendum”).

The purpose of the document is to help organisations assess and bridge compliance gaps between these standards.

The document is structured as follows: Columns A, B and C contain details of the ISO standards, Column D provides the gap identification, Column E contains the controls mapping, Column F provides the gap analysis details and finally Column G provides the compensating controls.

The CSA and the CCM working group hope that organizations will find this document useful for their cloud security compliance programs. In the execution of this project, the CCM WG and the CSA recognize that this is a mapping of ISO 27002, ISO 27017 and ISO 27018, which are recommendation/guideline ('should') standards, to the CCM, which is a mandatory requirements ('shall') standard. The contents of this document could contain technical inaccuracies, typographical errors and out-of-date information.

The work was completed on May 18th, 2018 by volunteers in the CSA's CCM Working Group who are acknowledged below. If you would like to volunteer in the working group, please sign up here:

