Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Get 50% off the Cloud Infrastructure Security training bundle with code 'unlock50advantage'

CCM Lite

A streamlined edition of CCM V4 is now available!

Download Now
CCM Home
CCM Lite
Working Group
Feedback Form
FAQ
Home
Research
CCM Lite

The Cloud Security Alliance and the CCM Working Group have developed CCM Lite, a streamlined version of the Cloud Controls Matrix (CCM) v4. It consists of 91 controls, a subset of the 197 of the CCM, and it includes foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile.

CCM Lite was primarily developed to address the needs of Small and Medium-sized Businesses (SMBs), with limited resources providing them with a streamlined solution for cloud security.

Download Now

The CCM Lite includes:

  • Implementation Guidelines
  • Auditing Guidelines
  • Machine Readable (JSON/ YAML/OSCAL)

*CCM Lite submissions are accepted into the STAR Registry.

Learn more about the CCM Lite in this FAQ

Who should use the CCM Lite?

The CCM Lite is designed as a cost-effective solution for low-risk profile cloud organizations, particularly Small and Medium Enterprises (SMEs) and Startups with limited IT and cybersecurity resources. It offers streamlined controls that prioritize essential cloud security measures, enabling SMEs to establish basic security hygiene and protect their infrastructure from common cloud security attacks.

While not a replacement for the CCMv4, the CCM Lite is a valuable resource for SMEs looking to improve their security posture within their resource constraints.

Which security domains are covered by the CCM Lite?

A&A
Audit & Assurance
AIS
Application & Interface Security
BCR
Business Continuity Mgmt & Op Resilience
CCC
Change Control & Configuration Management
CEK
Cryptography, Encryption, & Key Management
DCS
Datacenter Security
DSP
Data Security & Privacy
GRC
Governance, Risk Management, & Compliance
HRS
Human Resources Security
IAM
Identity & Access Management
IPY
Interoperability & Portability
IVS
Infrastructure & Virtualization Security
LOG
Logging & Monitoring
SEF
Sec. Incident Mgmt, E-Disc & Cloud Forensics
STA
Supply Chain Mgmt, Transparency, & Accountability
TVM
Threat & Vulnerability Management
UEM
Universal Endpoint Management
Want to learn about best practices for each of these domains?

Read the CSA Security Guidance first.

CAIQ Lite

The CAIQ Lite is a simplified version of the Consensus Assessments Initiative Questionnaire (CAIQ), developed through extensive research, testing and a review process. CAIQ Lite streamlines the assessment process, empowering cybersecurity professionals to engage cloud vendors more efficiently.

It features 124 questions across 17 control domains of the CCM v4.

Download CAIQ Lite

STAR and CCM Lite

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) . Publishing to the registry allows organizations to show current and potential customers their security and compliance posture.

As of October 9, 2024, CCM Lite submissions are accepted into the STAR Registry.

Learn More

Join the Working Group

Interested in contributing to future versions of the Cloud Controls Matrix or CAIQ? You can volunteer for the working group to stay up to date on the latest projects related to the CCM and participate in future initiatives.

View the working group