
CCMv4.0 Auditing Guidelines
Who it's for:
  • auditors
  • cloud service providers
  • cloud customers

Release Date: 12/08/2021

Working Group: Cloud Controls Matrix

This document contains auditing guidelines for each of the control specifications within CCM version 4. The CCM is a detailed controls framework aligned with CSA's Security Guidance for Critical Areas of Focus in Cloud Computing. Version 4, published in 2021, adds new components such as the CCM v4.0 Implementation Guidelines and these auditing guidelines.

Within this document you will find step-by-step instructions for auditing each CCM v4.0 control. Auditors are given a set of assessment guidelines per CCM v4.0 control specification, with the objective of improving the controls' auditability and helping organizations meet their compliance obligations more efficiently, whether through internal audits or external third-party cloud security audits.

Key Takeaways:
  • What the different CCM audit areas are
  • How to perform a CCM-related audit and assessment of organizations of any size, business, cloud deployment complexity, or maturity

Relevance to the Certificate of Cloud Auditing Knowledge (CCAK)
The CCMv4.0 Auditing Guidelines in this document are an extension of the CCM Audit Workbook that appears in the CCAK guide. The workbook is a baseline audit template that auditors may adopt to structure and guide a CCM audit. One of its main features is that, when filling it out, auditors document how they will test whether the organization meets a given CCM control, that is, they develop an audit test plan per CCM control. We took the audit workbook template as the starting point and developed auditing guidelines for all CCMv4.0 controls, something currently missing from the CCAK, which significantly extends that section of it.


Acknowledgements

Vani Murthy
Sr. Information Security Compliance Advisor, Akamai Technologies

Vani has 20+ years of IT experience in areas such as Security, Risk, Compliance, and Cloud services (IaaS/PaaS/SaaS) architecture.

Tanya Tipper-Luster
Director, Cloud Security

Renu Bedi
Manager-IT Security

Erik Johnson
Cloud Security Specialist & Senior Research Analyst, CSA

Worked for the Federal Reserve for many years and volunteered with the CSA with a focus on CCM/CAIQ V4, specifically the STA domain, and developing a comprehensive framework and guidance for defining and managing the cloud shared security responsibility model (SSRM).

I recently retired from the Federal Reserve and am now consulting with the CSA as a Senior Research Analyst with a focus on Zero Trust and Financial Services.

Robin Basham
CEO

Robin Basham recently led the Cloud Security Alliance CCM 4 to NIST 800-53 R5 Working Group. This effort began as a proposed commitment in April, involving the collaboration of some of our biggest and most well-respected East Bay enterprises. Leveraging the talent of 20 volunteers and mappings as designed in three major companies, the CCM WG produced a refined mapping t...

Agnidipta Sarkar
Group CISO, Biocon

Agnidipta Sarkar has been evangelizing Cybersecurity, Privacy, Business Continuity, Digital Resilience, and Standardization through speaking at industry forums like Gartner, IDC, EC-Council, ISMG, BCI Global, CORE Resilience, etc. and through his contributions to standards bodies like the ISO, Cloud Security Alliance, and the Business Continuity Institute. He is a member of ISO panels for security & privacy, continuity & resilience, and ris...

Michael Roza
Head of Risk, Audit, Control and Compliance

Since 2012 Michael has contributed to over 100 CSA projects completed by CSA's Internet of Things, Zero Trust/Software-Defined Perimeter, Top Threats, Cloud Control Matrix, Containers/Microservices, DevSecOps, and other working groups. He has also served as co-chair of CSA's Enterprise Architecture, Top Threats, and Security-as-a-Service working groups while also serving as the Standards Liaison Officer for IoT, ICS, EA, SECaaS, and Cloud K...

Ashish Vashishtha
Security Compliance Leader

Analytical, results-oriented IS/IT Audit, Governance, Risk, and Compliance (GRC) leader with over 19 years of experience managing an enterprise-wide IT/IS security risk approach for large healthcare and IT services organizations. Passionate design thinker with an ability to harness innovation by facilitating collaboration to develop enterprise-wide security risk assessments (onsite as well as remote) for high-risk third parties leveraging NIST 800-...

John DiMaria
Director of Operations Excellence, CSA

Angell Duran

Harry Lu
Manager, PwC Cybersecurity

Harry Lu brings perspectives of Cloud Security from the professional services industry. He is currently an Associate Director with Protiviti's Cloud Security team. Harry's background includes security strategy planning, security operations development and security executive consulting roles. He has also had years of hands-on experience implementing cloud security technologies across SaaS, IaaS and hybrid cloud environments. From his experie...

Claus Matzke

Parminder Bawa

Bilal Khattak

Daniele Catteddu
Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 years of experience. He has worked in several senior roles in both the private and public sector. He is a member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, ...

Joel John
IT Security and Risk Professional for Aneja Associates

I work with Eleftherios in CSA working groups for mapping CCM v4 with various industry standards.

Damian Heal

Shawn Harris
Director of Information Security

With more than 25 years of information security experience, Shawn Harris is currently the Director of Information Security at Starbucks Coffee Company. His background includes engineering, architecture, and executive responsibilities. Shawn is currently co-chair of the CSA Cloud Controls Matrix working group, where he led efforts to develop the Cloud Control Matrix 4.0. Additionally, he has served on CSA's Consensus Assessments ...

Sean Cordero

Sean Cordero brings more than 15 years of information security and IT experience to his current role as director, information security at Optiv. Cordero provides executive-level advisement for the company's Fortune 50 clients. Cordero's prior leadership roles included: President of Cloud Watchmen, CSO for EdFund, CSO for ECMC West, Director of Security and Compliance for Charlotte Russe.

Cordero is a thought-leader and serves as chair...

David Nickles
AWS

David Nickles is a Global Audit Program Manager for FSIs at Amazon Web Services (AWS). His work focuses on enabling financial services institutions to move their workloads to the cloud by providing sound guidance for building programs that ensure regulatory, governance, risk, compliance, audit, and security control requirements are met, align to industry best practices, and appropriate due diligence activity is completed. Prior to AWS, David...

Sanjeev Gupta
Director - Cloud Assurance Programs at CPG Singapore

Jan Jacobsen

Steve Sparkes

Brian Dorsey

Krishna das Manghat

Contributed to CCM V.4.06, including the ISO 27001:2022 mapping with CCM. My area of contribution was Application Security. I worked closely with Lefteris from CSA on this exercise.
