
What Are Cloud Controls?

Blog Article Published: 03/19/2022

Written by Nicole Krenz, Web Marketing Specialist, CSA.

There are many risks associated with cloud computing. Therefore, it’s critical to understand cloud security before attempting to migrate your organization to the cloud.

Cloud controls are safeguards or countermeasures that help organizations manage risk in the cloud. Cloud controls can be policies, procedures, guidelines, practices, or organizational structures that prevent misconfigurations, vulnerabilities, attacks, and more. They can be of an administrative, technical, management, or legal nature.

The Cloud Controls Matrix

CSA’s Cloud Controls Matrix (CCM) is a framework of cloud controls. It’s a spreadsheet that lists 16 topics covering all key aspects of cloud technology, which are broken down into a total of 133 control objectives. By allowing you to see all the common cloud standards in one place, the CCM reduces the need to use multiple frameworks and simplifies cloud security.

For example, the CCM Business Continuity Management and Operational Resilience (BCR) Domain includes these controls:

| Control Title | Control ID | Description |
| --- | --- | --- |
| Business Continuity Management Policy and Procedures | | Establish, evaluate, and maintain business continuity management and operational policies. |
| Risk Assessment and Impact Analysis | | Determine the impact of business disruptions and risks. |
| Business Continuity Strategy | | Establish strategies to reduce the impact of business disruptions. |
| Business Continuity Planning | | Maintain a business continuity plan based on operational resilience strategies. |
| | | Acquire documentation relevant to support business continuity. |
| Business Continuity Exercises | | Exercise business continuity and operational resilience plans annually. |
| | | Establish communication with stakeholders and participants. |
| | | Periodically backup data stored in the cloud. |
| Disaster Response Plan | | Maintain a disaster response plan to recover from natural and man-made disasters. |
| Response Plan Exercise | | Exercise the disaster response plan annually or upon significant changes. |
| Equipment Redundancy | | Supplement business-critical equipment with redundant equipment. |

The CCM also provides guidance on who should fulfill each control (the cloud service provider or the cloud customer) and on which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) the control applies to. This clarifies the roles and responsibilities between a cloud service provider and a cloud customer. Learn more about the CCM in this blog.