Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
CSA Startup Showcase
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Education
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Strategic Initiatives
Explore CSA's Strategic Initiatives
AI Safety Initiative
Compliance Automation Revolution
Zero Trust Advancement Center
CxO Trust
FinCloud Security
Trusted Cloud Consultant
ChaptersCircleEventsBlog
CSA Day is coming soon on May 7, 2025. Secure the cloud. Strengthen your future - at half the cost →

What is the Cloud Controls Matrix (CCM)?

Published 10/16/2020

Home
Industry Insights
What is the Cloud Controls Matrix (CCM)?
Written by Eleftherios Skoutaris, Program Manager / Research Analyst, CSA EMEA.

What is the Cloud Controls Matrix?

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is a spreadsheet that lists 16 domains covering all key aspects of cloud technology. Each domain is broken up into 133 control objectives. It can be used as a tool to systematically assess cloud implementation, by providing guidance on which security controls should be implemented by which actor within the cloud supply chain.The controls framework is aligned to the Security Guidance v4 and is currently considered a de-facto standard for cloud security assurance and compliance. The translated versions of CCM v3 are available here.


Map to Standards, Regulations and Controls Frameworks

The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks.

The CCM v4 is currently mapped to the following:

  • ISO/IEC 27001/27002/27017/27018
  • CCM V3.0.1
  • CIS Controls V8.
  • Additional mappings for AICPA TSC, PCI-DSS and NIST 8-53 Rev.5 are under development and other new mappings will also be added in the future.

The previous version of the CCM v3.0.1 is mapped to the following standards:

  • ISO 27001/27002/27017/27018
  • NIST SP 800-53
  • AICPA TSC
  • German BSI C5
  • PCI DSS
  • ISACA COBIT
  • NERC CIP
  • FedRamp
  • CIS
  • And many others...


How does it work?

The Cloud Controls Matrix is a baseline control framework specifically designed for managing risk in the cloud. Organizations (CSPs and CSCs) can use the CCM to build a detailed list of requirements and controls that they want to implement in order to mitigate risk for a given cloud service that falls within the security and compliance assessment scope.

Each CCM control and underlying requirements map onto multiple industry-accepted security standards and regulations, thus allowing organizations to better understand and track along what are similar, equivalent, or additional requirements found in those frameworks. It reduces the need to use multiple frameworks and simplifies cloud security, risk management, and compliance by bringing greater efficiency, effectiveness, and transparency towards the broader landscape of cloud security and certification.

In this context, CSA and the CCM Working Group perform mappings and gap analysis exercises between CCM and widely-used standards, giving organizations the opportunity to assess their cloud services security posture through the lens of the CCM in comparison to other standards.

Furthermore, the CCM provides a control’s applicability and responsibility matrix. The matrix indicates the cloud service model type (IaaS, PaaS, SaaS) each CCM control applies to, and acts as a guide to help organizations determine which of the two cloud parties (CSP or CSC) is responsible for the implementation of the control. It also identifies which cloud architectural and organizational stack and cloud service models are applicable.


For Cloud Customers

Use the CCM to assess cloud vendors or in place of an RFP

The Consensus Assessments Initiative Questionnaire (CAIQ) is a companion to the CCM that provides a set of “yes or no” questions a cloud consumer or auditor may wish to ask a cloud provider. Based on the security controls in the CCM, the questions can be used to document which security controls exist in a provider’s IaaS, PaaS, and SaaS offerings. Organizations often use the CAIQ to get additional protection by building a request for proposal (RFP) with the information from CAIQ. Organizations can then verify the validity of a vendor’s answers during the RFP interview. Over 500 organizations currently use the CAIQ to submit self-assessments on the STAR registry.


For Cloud Solution Providers (CSPs)

Use the CCM to submit to CSA’s public registry.

The CCM is used as the standard to assess the security posture of organizations on the Security, Trust, Assurance and Risk (STAR) registry. The STAR program promotes flexible, incremental and multi-layered certifications that integrate with popular third-party assessments to avoid duplication of effort and cost. Security providers can fill out the extended question set that aligns with the CCM and send it to potential and current clients to demonstrate compliance to industry standards, frameworks and regulations. It is recommended that providers submit the completed CAIQ to the STAR Registry so it is publicly available to all clients.


Security Domains Covered by the CCM

CSA is currently working on releasing the fourth iteration of the Cloud Controls Matrix. The CCM v.4 constitutes a significant upgrade to the previous version (v3.0.1) by introducing changes in structure of the framework with a new domain dedicated to Log and Monitoring (LOG), and modifications in the existing ones (GRC, A&A, UEM, CEK). This update will also deliver a significant increase of requirements as a result of developing additional controls and updating existing ones.

Additional features of the CCM v.4 update are:

  • Ensured coverage of requirements deriving from new cloud technologies
  • New controls and security responsibility matrix
  • Improved auditability of the controls, and enhanced interoperability and compatibility with other standards.

The domains covered in the Cloud Controls Matrix (CCM) v4 are:

  1. Application & Interface Security
  2. Audit and Assurance
  3. Business Continuity Mgmt & Op Resilience
  4. Change Control & Configuration Management
  5. Data Security & Privacy Lifecycle Management
  6. Datacenter Security
  7. Cryptography, Encryption and Key Management
  8. Governance, Risk Management and Compliance
  9. Human Resources Security
  10. Identity & Access Management
  11. Security Infrastructure & Virtualization
  12. Interoperability & Portability
  13. Universal EndPoint Management
  14. Security Incident Management, E-Discovery & Cloud Forensics
  15. Supply Chain Management, Transparency & Accountability
  16. Threat & Vulnerability Management
  17. Logging and Monitoring


What if there is a regulation or industry framework not covered in the current version of CCM?

In the case where there is a region-specific regulation or new framework that organizations need to map to, CSA will release a CCM mapping. You can find a list of all available mappings to the Cloud Controls Matrix (CCM) here.

Most Recent CCM Mappings:


Can I get certified against the CCM? How do I become CCM certified?

Organizations looking to get certified against the CCM can obtain an Attestation or Certification through the CSA STAR Registry.


Help CSA develop future versions of the CCM by joining the working group!

We are always looking for new experts to join the Cloud Controls Matrix Working Group to help make the CCM the most effective tool it can be for people actually using it in the industry. You can learn more and join the working group here.

Cloud Controls MatrixCAIQComplianceEnhancing cloud security strategyTransitioning to the cloud

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Be the First to Explore CSA’s AI Safety Certification
New: Top Threats to Cloud Computing 2025
CSA Announces Partnership with Industry Leaders
Unlock Cloud Security Insights

Unlock Cloud Security Insights

Choose the CSA newsletters that match your interests:

Subscribe to our newsletter for the latest expert trends and updates

Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Ethical and Responsible AI in Business: Finding the Right Balance

Published: 05/02/2025

Knowing the Difference Between the Two Types of Technical Challenges is the Key to Smarter Decisions

Published: 04/30/2025

Breaking the Cloud Security Illusion: Putting the App Back in CNAPP

Published: 04/30/2025

Cloud Security Alliance Issues Top Threats to Cloud Computing Deep Dive 2025

Published: 04/29/2025