Methodology for the Mapping of the Cloud Controls Matrix
By Victor Chin, Research Analyst, Cloud Security Alliance
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. To reduce compliance fatigue in the cloud services industry, the CCM program also includes controls mappings to other key industry frameworks such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, National Institute of Standards and Technology (NIST) 800-53, and American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).
Historically, these mappings come from two main sources: third-party organizations and CCM Working Group volunteers. Over time, processes to incorporate these mappings have evolved organically but were not formally documented.
The Methodology for the Mapping of the Cloud Controls Matrix document aims to formally document and enhance these processes. They include a controls mapping methodology, the identification of gaps between two frameworks, the creation of a mapping work package, naming references, and project management guidelines.
By documenting these processes, we aim to fulfill four primary functions:
- Provide clarity and transparency regarding the CSA CCM Working Group’s mapping approach, guidelines and naming conventions;
- Encourage process review and improvement suggestions by the CSA community;
- Yield a valuable reference for organizations—especially those seeking to benefit from and contribute to interoperable efforts by mapping their frameworks to the CCM; and
- Improve assessor criteria understanding and interpretation of all mapping processes through criteria mapping exercises.
Moving forward, we hope that this document will be a valuable reference to all key stakeholders in the CCM ecosystem, as well as contribute to the maturity of the CCM program.
The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This document would not have been possible without the expertise, focus, and collaboration of the following working group members:
- Sean Cordero
- Ai-Ping Foo
- Kimberley Laris
- Ahmed Maaloul
- Michael Roza
- Eric Tierling
Download the Methodology for the Mapping of the Cloud Controls Matrix.