CCMv4.0 Auditing Guidelines
Who it's for:
  • auditors
  • cloud service providers
  • cloud customers

Release Date: 12/08/2021

This document contains auditing guidelines for each of the control specifications within the CCM version 4. The CCM is a detailed controls framework aligned with CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. Version 4, published in 2021, includes additional new components, such as the CCM v4.0 Implementation Guidelines and these auditing guidelines.

Within this document, you’ll find step-by-step instructions on how to audit each CCM v4.0 control. Auditors are provided with a set of assessment guidelines for each CCMv4.0 control specification, with the objective of improving the controls’ auditability and helping organizations meet compliance more efficiently (by conducting either internal or external third-party cloud security audits).

Key Takeaways:
  • What the different CCM audit areas are
  • How to perform a CCM-related audit and assessment of organizations of any size, business, cloud deployment complexity, or maturity

Relevance to the Certificate of Cloud Auditing Knowledge (CCAK)
The CCMv4.0 Auditing Guidelines found in this document are an extension to the CCM Audit Workbook that appears in the CCAK guide. The workbook is a baseline audit template that auditors may wish to adopt in order to facilitate and guide a CCM audit. A major feature (among others) of filling out the workbook is that auditors document how they will test whether the organization meets a given CCM control (that is, they develop an audit test plan per CCM control). We took the audit workbook template and, based on it, developed auditing guidelines for all CCMv4.0 controls, something that is currently missing from the CCAK and which significantly extends the relevant section.

Acknowledgements

Vani Murthy
Senior advisor Security & Compliance at Akamai Technologies
Vani is an active contributor to several Cloud Security Alliance working groups, including Application Containers and Microservices, Serverless, Top threats, Cloud Control Matrix (CCMv4), SDP Expert Group (Advisory Group to the Office of the CTO), Cloud Key Management etc. Vani has co-authored publications such as "How to Design a Secure Serverless Architecture", "CCM v4.0 Implementation Guidelines", "Cloud Top Threats". She has...
