Cloud Controls Matrix and CAIQ v4

Release Date: 06/07/2021

Working Group: Cloud Controls Matrix

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, aligned to CSA best practices and considered the de facto standard for cloud security and privacy. The accompanying questionnaire, CAIQ, provides a set of “yes or no” questions based on the security controls in the CCM. You can now download the CCM and CAIQ together.

What’s included in this download:
  • CCM v4
  • Mappings
  • CAIQ v4 
  • Implementation Guidelines (coming soon)
  • Auditing Guidelines (coming soon)
  • CCM Metrics (coming soon)
This zip file contains two versions of CAIQ:
  • CCM + CAIQ v4: Includes only the questionnaire and is folded into the CCM file. (This version cannot be used to submit to STAR and is just for reference.) 
  • STAR Level 1: Security Questionnaire (CAIQ v4): Used to submit to the STAR Registry and includes all the necessary features. Please note that this version won’t be accepted to the STAR Registry until July 2021. You can read more about the updates made to CAIQ v4 in this blog here.
Mappings and components currently available in version 4:
  • Mappings to the following: ISO/IEC 27001/27002/27017/27018, CCM V3.0.1 and CIS Controls V8. These mappings identify the equivalence, gaps and misalignment between the control specifications of the CCM V4 and other standards. Additional mappings for AICPA TSC, PCI-DSS and NIST 800-53 Rev. 5 are under development, and other new mappings will be added in the future.
  • Controls Applicability Matrix: This matrix acts as a guide to help organizations determine the shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs) when implementing a CCM control. For each control, it also identifies which layers of the cloud architectural and organizational stack and which cloud service models are applicable.
You can learn about the transition timeline for v3.0.1 to v4, and how that will affect submission to the STAR Registry in this blog. You can read about the updates in CAIQ v4 in this blog here.
