Methodology for the Mapping of the Cloud Controls Matrix
Blog Article Published: 07/09/2018
By Victor Chin, Research Analyst, Cloud Security Alliance

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. To reduce compliance fatigue in the cloud services industry, the CCM program also includes controls mappings to other key industry frameworks such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, National Institute of Standards and Technology (NIST) 800-53, and American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).

Historically, these mappings come from two main sources: third-party organizations and CCM Working Group volunteers. Over time, processes to incorporate these mappings have evolved organically but were not formally documented.

The Methodology for the Mapping of the Cloud Controls Matrix document aims to formally document and enhance these processes. They include a controls mapping methodology, the identification of gaps between two frameworks, the creation of a mapping work package, naming references, and project management guidelines. By documenting these processes, we aim to fulfill four primary functions:
- Provide clarity and transparency regarding the CSA CCM Working Group’s mapping approach, guidelines and naming conventions;
- Encourage process review and improvement suggestions by the CSA community;
- Yield a valuable reference for organizations—especially those seeking to benefit from and contribute to interoperable efforts by mapping their frameworks to the CCM; and
- Improve assessor criteria understanding and interpretation of all mapping processes through criteria mapping exercises.
- Sean Cordero
- Ai-Ping Foo
- Kimberley Laris
- Ahmed Maaloul
- Michael Roza
- Eric Tierling