Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Save the date for CSA's 2024 Cyber Monday Sale: Get 50% off the exam token bundle!

What Are Cloud Controls?

Published 03/19/2022

Home
Industry Insights
What Are Cloud Controls?
Written by Nicole Krenz, Web Marketing Specialist, CSA.


There are many risks associated with cloud computing. Therefore, it’s critical to understand cloud security before attempting to migrate your organization to the cloud.

Cloud controls are safeguards or countermeasures that help organizations manage risk in the cloud. Cloud controls can be policies, procedures, guidelines, practices, or organizational structures that prevent misconfigurations, vulnerabilities, attacks, and more. They can be of an administrative, technical, management, or legal nature.

The Cloud Controls Matrix

CSA’s Cloud Controls Matrix (CCM) is a framework of cloud controls. It’s a spreadsheet that lists 16 topics covering all key aspects of cloud technology, each topic broken down into a total of 133 control objectives. By allowing you to see all the common cloud standards in one place, the CCM reduces the need to use multiple frameworks and simplifies cloud security.

For example, the CCM Business Continuity Management and Operational Resilience (BCR) Domain includes these controls:

Control Title

Control ID

Specification

Business Continuity Management Policy and Procedures

BCR-01

Establish, evaluate, and maintain business continuity management and operational policies.

Risk Assessment and Impact Analysis

BCR-02

Determine the impact of business disruptions and risks.

Business Continuity Strategy

BCR-03

Establish strategies to reduce the impact of business disruptions.

Business Continuity Planning

BCR-04

Maintain a business continuity plan based on operational resilience strategies.

Documentation

BCR-05

Acquire documentation relevant to support business continuity.

Business Continuity Exercises

BCR-06

Exercise business continuity and operational resilience plans annually.

Communication

BCR-07

Establish communication with stakeholders and participants.

Backup

BCR-08

Periodically backup data stored in the cloud.

Disaster Response Plan

BCR-09

Maintain a disaster response plan to recover from natural and man-made disasters.

Response Plan Exercise

BCR-10

Exercise the disaster response plan annually or upon significant changes.

Equipment Redundancy

BCR-11

Supplement business-critical equipment with redundant equipment.

By allowing you to see all the common cloud standards in one place, the CCM reduces the need to use multiple frameworks and simplifies cloud security. The CCM also provides guidance on who should fill the control (the cloud service provider or cloud customer) and on which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) the control applies to. This clarifies the roles and responsibilities between a cloud service provider and cloud customer CCM. Learn more about the CCM in this blog.

Cloud Controls MatrixTransitioning to the cloud

Share this content on your favorite social network today!

Latest from CSA
Register for the Virtual Zero Trust Summit!
Explore Top Concerns With Vulnerability Data
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
What is Cloud Workload in Cloud Computing?

Published: 11/13/2024

The Future of Compliance: Adapting to Digital Acceleration and Ephemeral Technologies

Published: 11/07/2024

Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation

Published: 11/04/2024

Streamlining Cloud Security: Integrating CSA CCM Controls into Your ISO/IEC 27001 Framework

Published: 10/29/2024