
Cloud Controls Matrix and CAIQ v4

Release Date: 06/07/2021

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, aligned to CSA best practices and widely considered the de facto standard for cloud security and privacy. The accompanying questionnaire, CAIQ, provides a set of "yes or no" questions based on the security controls in the CCM. You can now download the CCM and CAIQ together.

What’s included in this download:
  • CCM v4
  • Mappings
  • CAIQ v4 
  • STAR Level 1: Security Questionnaire (CAIQ v4)
  • Implementation Guidelines
  • Auditing Guidelines (coming soon)
  • CCM Metrics
This zip file contains two versions of CAIQ:
  • CCM + CAIQ v4: This version cannot be used to submit to STAR and is for reference only.
  • STAR Level 1: Security Questionnaire (CAIQ v4): Used to submit to the STAR Registry and includes all the necessary features. This version can also be downloaded on its own.
Mappings and components currently available in version 4:
  • Mappings to the following: ISO/IEC 27001/27002/27017/27018, CCM V3.0.1, AICPA TSC (2017) and CIS Controls V8. These mappings identify the equivalence, gaps and misalignment between the control specifications of the CCM V4 and other standards. Additional mappings for PCI-DSS and NIST 800-53 Rev.5 are under development, and other new mappings will be added in the future.
  • Controls Applicability Matrix: This matrix acts as a guide to help organizations determine the shared responsibilities between CSPs and CSCs when implementing a CCM control. For each control it also identifies which cloud architectural and organizational stack layers and which cloud service models are applicable.
  • CCM Metrics: This is the first catalog of security metrics for the cloud. These metrics aim to support internal CSP governance, risk, and compliance (GRC) activities and provide a helpful baseline for service-level agreement transparency.

Acknowledgements

Jon-Michael Brook

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in Information Security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. Mr. Brook's work traverses the government, financial, healthcare, gaming, oil and gas and pharmaceutical industries. Mr. Brook obtained a number of industry certifications, including CISSP and CCSK, has patents and trade secrets in...


Sean Cordero

Sean Cordero brings more than 15 years of information security and IT experience to his current role as director, information security at Optiv. Cordero provides executive level advisement for the company’s Fortune 50 clients. Cordero’s prior leadership roles included: President of Cloud Watchmen, CSO for EdFund, CSO for ECMC West, Director of Security and Compliance for Charlotte Russe.

Cordero is a thought-leader and serves as chair...


Michael Roza

Risk, Audit, Control and Compliance Professional

Michael Roza is a risk, audit, control and compliance professional with 20-plus years of experience with organizations such as Bridgestone EMEA, Komatsu International, Mitsui Novus International, Johnson and Johnson Inc., and Baxter, Inc. Within CSA, he has served as lead author/contributor for 11 projects completed by CSA’s Internet of Things, Blockchain/Distributed Ledger, Top Threats, Cloud Control Matrix, and Software-Defined P...


Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 years of experience. He has worked in several senior roles in both the private and public sector. He is a member of various national and international security expert groups and committees on cyber-security and privacy, a keynote speaker at several conferences and the author of numerous studies and papers on risk management, ...


Aradhna Chetal

Aradhna Chetal is a Senior Director Executive - Cloud Security at TIAA. She has worked for a number of enterprises like JP Morgan Chase, HSBC, Merck, Boeing Company, T-Mobile and Microsoft where she was responsible for defining cloud security strategies, cloud security architecture, digital transformation and migration of applications to the cloud.

Aradhna is a Cloud Security Alliance Research Fellow and has been a key contributor...


Paul Rich

Executive Director, Data Management & Protection

Paul Rich is the executive director, data management and protection for JPMorgan Chase & Co., where he leads the strategy and implementation within the company for unstructured data protection both in the cloud and on-premises. He is the co-chair of the CSA Cloud Key Management Working Group, which he envisions as a means of hearing diverse perspectives on the use of cloud services and expectations for both data privacy and secu...


Sean Estrada

Head of Industry Standards Engagement for AWS

Sean Estrada is Head of Industry Standards Engagement for AWS, where he is responsible for driving engagement with industry standards organizations and alliances. Building on over 15 years of experience in information security, audit and compliance, Sean is Amazon's internal subject matter expert on security standards design, strategy and implementation, and is Amazon's representative to the PCI Board of Advisors and the Vice President of t...


Shawn Harris

Director of Information Security

With more than 25 years of information security experience, Shawn Harris is currently the Director of Information Security at Starbucks Coffee Company. His background includes engineering, architecture, and executive responsibilities. Shawn is currently co-chair of the CSA Cloud Controls Matrix working group, where he led efforts to develop the Cloud Control Matrix 4.0. Additionally, he has served on CSA’s Consensus Assessments ...


Harry Lu

Manager, PwC Cybersecurity

Harry Lu brings perspectives of Cloud Security from the professional services industry. He is currently a manager with the PwC Cybersecurity practice. Being part of the PwC Cloud Security Team, Harry’s background includes security strategy planning, security operations development and security executive consulting roles. He has also had years of hands-on experience implementing cloud security technologies across SaaS, IaaS and hybrid cloud ...


Jens Laundrup

Chief Security Engineer and Executive Consultant, Emagined Security Inc.

Jens Laundrup, Chief Security Engineer and Executive Consultant, Emagined Security Inc., has spent over 30 years in the Information Security space across numerous security engineering disciplines, including Military, Government and Corporate Information Security, Compliance Program Design, Architecture Design, and Network & Physical Security. Mr. Laundrup has led the development and design of cutting-edge risk-based security programs and...


Vani Murthy

Senior advisor Security & Compliance at Akamai Technologies

Vani is an active contributor to several Cloud Security Alliance working groups, including Application Containers and Microservices, Serverless, Top threats, Cloud Control Matrix (CCMv4), SDP Expert Group (Advisory Group to the Office of the CTO), Cloud Key Management etc. Vani has co-authored publications such as "How to Design a Secure Serverless Architecture", "CCM v4.0 Implementation Guidelines", "Cloud Top Threats". She has...


Johan Olivier

Security and Compliance Director

I am the Security and Compliance Director at Qorus Software where I am responsible for driving security and privacy compliance across the business. My career in the compliance space is backed by 22 years of experience as a Software Solutions Architect. Having worked in seven countries across four continents I have developed a special interest in behavioral sciences, psychology, diversity, and inclusion in the workplace. I am a motivational ...


Geoff Bird

Chief Information Security Officer

This person does not have a biography listed with CSA.
