Cloud Security Alliance Releases New Cloud Controls Matrix v3.0.1 and Consensus Assessments Initiative Questionnaire v3.0.1
Two De Facto Industry Standards Now Aligned with One-to-One Mapping to Allow for Smarter Decisions by Cloud Consumers and More Transparency for Cloud Providers
Seattle, WA – July 16, 2014 – The Cloud Security Alliance (CSA) today announced the release of significant updates to two de facto industry standards, the Cloud Controls Matrix (CCM) Version v3.0.1 and the Consensus Assessments Initiative Questionnaire (CAIQ) v3.0.1. With the updates, the CSA has completed a major milestone in the alignment between the Security Guidance for Critical Areas of Focus in Cloud Computing v3, CCM, and CAIQ.
“With the release of the new CAIQ and CCM, alongside a strong migration path to CSA’s Security, Trust & Assurance Registry, we have intentionally created a much needed one-stop-shop in the cloud provider assessment process,” says Jim Reavis, CEO of the CSA. “This will allow cloud providers to be more transparent in the baseline assessment process, helping accelerate the implementation process where cloud consumers will be able to make smart, efficient decisions. We expect the new versions to have an enormous and positive impact on the cloud industry.”
Together the CCM v3.0.1 and CAIQ v3.0.1 allow for greater efficiencies and transparency in the cloud assessment and implementation process. Additionally, the new guidance documents will serve as a seamless transition point to those providers wishing to submit to the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
Specifically, CAIQ v3.0.1 realigns CAIQ questions to CCM v3.0.1 control domains and the CSA’s Guidance for Critical Areas of Focus in Cloud Computing v3.0. It also maps the CAIQ questions to the latest compliance requirements found in the CCM v3.0.1. In both documents, redundancies have been reduced and language rewritten for clarity of intent, STAR enablement, and Standards Development Organization alignment. Additionally, CCM v3.0.1 contains new or updated mappings in all 16 domain control areas.
“With the release of the new CCM and CAIQ, we are creating an incredibly efficient and effective process for cloud providers to better demonstrate transparency and improve trust in the cloud, which is the ultimate mission of the CSA,” said Daniele Catteddu, Managing Director, CSA EMEA. “Now we also have a streamlined path for these providers to become part of the CSA STAR program, giving further assurance to cloud consumers by allowing them to review the security practices of providers. This will help accelerate their due diligence and lead to a higher quality procurement experience.”
The CSA CAIQ is an initial exploratory document between a cloud customer and provider. By providing a series of “yes or no” control assertion questions, the CSA CAIQ helps organizations build the necessary assessment processes when engaging with cloud providers. This question set is a simplified distillation of the issues, best practices, and control specifications from the CSA CCM and is intended to quickly identify areas for additional discussion between consumer and provider.
The CSA CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that is aligned across 16 security domains. The foundation of the Cloud Controls Matrix rests on its customized relationship to other industry standards, regulations, and controls frameworks such as ISO 27001:2013, COBIT 5.0, PCI:DSS v3, and AICPA 2014 Trust Service Principles and Criteria, and it augments internal control direction for service organization control reports attestations.
The CSA CCM strengthens existing information security control environments by enabling the reduction of security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
CAIQ v3.0.1 is a result of the work of the Consensus Assessments Initiative Working Group led by Laura Posey of Motorola Mobility, Inc. CCM v3.0.1 is the product of the work of the CSA Cloud Controls Matrix Working Group led by Evelyn De Souza of Cisco and industry expert Sean Cordero. Individuals interested in becoming part of either working group can visit https://cloudsecurityalliance.org/research/cai/ or https://cloudsecurityalliance.org/research/ccm/
For more information or to download the new CAIQ v3.0.1 and CCM v3.0.1 visit
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Kari Walker for the CSA