
Implementing CCM: Assurance & Audit Controls

Published 02/04/2025

CSA’s Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology. You can use CCM to systematically assess a cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls.

CCM Domains

(Figure: list of the 17 CCM domains)


Today we’re taking a closer look at implementing the first domain of CCM: Audit and Assurance (A&A). The A&A domain consists of six control specifications:

  • Audit and Assurance Policy and Procedures
  • Independent Assessments
  • Risk-Based Planning Assessment
  • Requirements Compliance
  • Audit Management Process
  • Remediation

The A&A domain plays a pivotal role in guiding both cloud service providers (CSPs) and cloud service customers (CSCs). It helps them with critical decision-making, communication, and reporting. This domain focuses on key processes, including those embedded in the CCM, and ensures stakeholders evaluate them through rigorous assessment, verification, and validation activities.

The A&A domain facilitates audit planning, risk analysis, security control assessments, and remediation. It further enables effective reporting and evaluation of attestations and supporting evidence, ensuring transparent and reliable oversight.

In this blog, learn more about the A&A domain and its underlying control activities. Get ready to effectively implement and manage audit and assurance practices in your own cloud environments.


Audit and Assurance Controls

CCM has six control specifications for audit and assurance.


Audit and Assurance Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

First, you must establish basic policies and procedures and decide how you will communicate them. For example, you could set up an Information Security Management System (ISMS) along the lines of ISO 27001. Whatever form they take, make sure you establish formal policies and procedures and that you base them on industry best practices.

If you don't implement this control, you could face legal fines and reputational damage.


Independent Assessments

Conduct independent audit and assurance assessments according to relevant standards at least annually.

You need a methodology for conducting an annual independent assessment against the standards that are relevant to you. A competent, independent auditor, whether internal or external, should conduct these activities. Independence means that the auditor examining a given area must not have been involved in its original implementation. This applies to both internal and external audits.


Risk-Based Planning Assessment

Perform independent audit and assurance assessments according to risk-based plans and policies.

This control calls for a risk-based approach to your policies and your assurance mechanism. Critical (high) risks receive more emphasis than medium risks, which in turn receive more emphasis than low risks, and so on.

If you don't implement this control, you will have an ambiguous risk scope and an inaccurate audit opinion. Before you start your audit, you need to ensure that you have correctly identified the risk scope.


Requirements Compliance

Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.

This control takes into account the many security and privacy standards in force around the world, such as GDPR. You need to determine which of them apply to your specific company and what your contractual and legal requirements are. Then, map those requirements to your policies, procedures, and other overarching cloud security requirements.

If you don't implement this control, both the CSP and the CSC could be in noncompliance with regulatory requirements. This in turn leads to other risks, such as legal fines and reputational damage.


Audit Management Process

Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

Next, you need to have a process for managing the previous four controls.

You need your own internal procedures for auditing and for day-to-day management, scheduling, and reporting. Audit team members should be available and competent, and they should follow the audit plan in sequence. Your audit should have an opening meeting and a closing meeting at which you discuss the findings.

If you don’t implement these processes, your control implementation and your risk management implementation will both be ineffective.


Remediation

Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.

Every process will have gaps; unfortunately, 100% cybersecurity does not exist. So the final control says that you need a remediation process. How are you going to communicate, apply, evaluate, and maintain corrective action plans for your audit findings?

Give due care and attention to the findings of audit and assurance activities. If you identify a control deficiency, make sure to prioritize it. Conduct a root cause analysis and determine the proper corrective action.

If you do not implement this control, nonconformities will recur in your assessments. It also leads to ineffective mitigation controls and improper root cause analysis.


Provider and Customer Responsibilities

Next, it’s important to clarify which control implementation responsibilities fall on the CSP versus the CSC.

The key to effective cloud security is understanding the division of responsibilities in any cloud project. Knowing precisely who is responsible for what is crucial, regardless of specific security controls offered by CSPs. This understanding allows organizations to fill control gaps with their own measures or consider alternative CSPs. CSA covers these responsibilities in depth in the Shared Responsibility Model within the CCM framework.

Both the CSP and CSC share responsibility for all six controls in the A&A domain. Customers often overlook this responsibility. For instance, small startups frequently believe that the main providers like Amazon and Azure will manage everything for them. These small companies can have the misconception that they don’t need to do anything related to security assurance.

CSCs must perform their own evaluation of the risks associated with each specific CSP they use. Whether you have 10, 20, or 100 CSPs, you need to do a risk assessment for every one of them. Even with large providers, don't take it for granted that everything is secure and that using them carries no risk impact.

CSCs also need to have a mechanism to audit CSPs in some way. Don’t just leave security assurance up to the CSP and sign off on whatever they say.


Conclusion

Remember that both CSPs and CSCs are responsible for implementing audit and assurance controls. You can leverage CCM mappings (included in the CCM download) to gauge controls across multiple frameworks. Timely risk-based assurance assessments, conducted by competent independent auditors, are an essential baseline for the effective evaluation of your company’s security posture.

Over the next several months, we will be providing overviews of all 17 CCM domains. Check back soon to learn more about the second domain, Application & Interface Security.

Also check out the CCM v4 Implementation Guidelines to get an in-depth understanding of all 197 control specifications.