Cloud 101CircleEventsBlog
Call for Presentations: Share your expertise at 2024! Submit your proposals by June 28th.

CSA Official Press Release

Published 06/28/2022

Cloud Security Alliance, Cyber Risk Institute Partner to Create Cloud Controls Matrix (CCM) Addendum for the Financial Sector

Cloud Security Alliance, Cyber Risk Institute Partner to Create Cloud Controls Matrix (CCM) Addendum for the Financial Sector

Strategic collaboration addresses sector-specific requirements within CCM framework

SEATTLE June 28, 2022 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today announced that it has partnered with the Cyber Risk Institute (CRI), a non-profit coalition of financial institutions and trade associations, to develop an addendum to its Cloud Controls Matrix (CCM), written specifically for the financial sector.

For many years, the cloud was a tempting, albeit forbidden, fruit for financial institutions. However, as cloud service providers' (CSP) security measures have improved to accommodate most, if not all, of the financial sector's regulatory requirements, increasing numbers of financial institutions are now looking to extend their rate of cloud adoption. Unfortunately, until now there hasn’t been a framework that adequately addresses this sector’s unique regulatory security requirements within the context of cloud computing.

“Rather than layer new controls over CCM’s core set, we chose to partner with another like-minded organization that would allow us to mutually take advantage of the work each of us has done in addressing cyber and cloud security. We are excited to further build on our relationship with CRI in what we see as the first step in creating a version of CSA Security, Trust, Assurance, and Risk (STAR) Level 2 specific to financial institutions,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.

While CCM has become the de facto standard for cloud security assurance and compliance, it has not yet evolved to the point where it’s sufficient to satisfy the security and compliance requirements for every business sector. Correspondingly, the CRI Profile, the financial sector’s benchmark for cyber risk assessment, covered many of the financial sector’s unique cybersecurity requirements but lacked the specificity of cloud security. After mapping the controls within their respective frameworks, CSA and CRI performed a gap analysis to create and incorporate both cloud-specific controls into the CRI Profile, and correspondingly, financial sector-specific requirements into CCM.

“When we released the CRI Cloud Profile in March of this year, we knew it was a tremendous step forward for financial institutions looking to move to the cloud with confidence by outlining roles and responsibilities. This recent reverse mapping by CSA to the Profile is the missing piece that allows cloud service providers to speak financial sector language,” said CRI Founder and President, Josh Magri. “This is not the end, though. We are excited to continue our collaboration with CSA and look forward to building on this success.”

Financial organizations interested in learning more about the CRI Profile are encouraged to attend the session, The Cloud Profile: A Rosetta Stone for Cloud, Security, and Finance Sector Compliance, at the CxO Summit in Barcelona on June 29.

Learn more about the Cloud Controls Matrix and the financial services addendum.

About Cyber Risk Institute
The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. CRI is working to protect the global economy by enhancing cybersecurity and resiliency through assessment standardization. Its Cyber Profile tool is the benchmark for cyber security and resiliency in the financial services industry. Learn more at

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.