Cloud Security Alliance GRC Stack

Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements. The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.

The Cloud Security Alliance GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire, and is available now for free download at

Cloud Audit


The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

Visit the CloudAudit site

Download the Cloud Controls Matrix V1

Cloud Controls Matrix (CCM)

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.

The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardize security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Visit the Cloud Controls Matrix (CCM) page

Download the Initiative

Consensus Assessments Initiative Questionnaire (CAIQ)

The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.

The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is available in spreadsheet format, and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of "yes or no" control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements.

Visit the Consensus Assessments Initiative Questionnaire (CAIQ) page

CSA GRC Stack Training

Outsourcing critical business functions into the Cloud can result in challenges of maintaining assurance and control over legal and regulatory obligations for data management and protection. The Cloud Security Alliance is offering a training session to show you how to leverage the CSA GRC (Governance, Risk Management & Compliance) Stack, a toolkit designed for peeling back and revealing those layers of accountability and responsibility between Cloud Service Providers and their Tenants, applying measurable risk-based decision making for both assessing and attesting to governance, risk and compliance best practices. Download the: original CSA GRC Stack Training Documents or the updated (Feb. 2011) CSA GRC Stack Training Documents

CSA GRC Stack Integration & Implementation

The three initiatives have been developed through a collaborative effort and contain out-of-the-box integration. CloudAudit includes the Cloud Controls Matrix as an included namespace, while the Consensus Assessments Initiative Questionnaire was specifically designed to identify the presence or lack of CCM controls and other key practices identified in the CSA guidance. Some of the uses of the GRC stack include the following:

Cloud Providers – Assess your own systems with CAIQ to measure alignment with CCM. Implement CloudAudit to automate CCM assertions, enabling third parties to independently analyze your GRC capabilities against their needs. This generates significant cost savings in audit response, reduces customer sales cycles and leads to increased trust of provider’s solutions.

Enterprise Organizations – Use CCM to align your information security program with emerging cloud security requirements. Use CAIQ and CCM together to assess your cloud providers against industry supported criteria. Use CloudAudit to instrument your own private cloud to simplify IT audits.

Solution Providers – Integrate the CSA GRC stack into your own products and services, including management consoles, reporting systems and system agents to provide “out-of-the-box” compatibility and relevance to the leading cloud security guidance.

Consultants and Independent Auditors – Integrate the CSA GRC stack into your own processes and tool sets to provide cloud assurance services aligned with customer and provider requirements.


Download GRC Stack: