Cloud Controls Matrix (CCM)

Download the Cloud Controls Matrix

Document Version Release Date Download
Cloud Controls Matrix 3 09/26/2013 Download

About the CSA Cloud Controls Matrix

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for service organization control report attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, identifies and reduces consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

The Cloud Controls Matrix is part of the CSA GRC Stack.

Cloud Controls Matrix Leadership

Co-Chairs:
Sean Cordero, Cloud Watchmen
Evelyn DeSouza, Cisco


Download the Cloud Controls Matrix Version 3

Document Version Release Date Download
Cloud Controls Matrix 3 09/26/2013 Download

About CCM v3

The CSA Cloud Controls Matrix (CCM) Version 3.0 is a comprehensive update to the industry’s gold standard for assessing cloud-centric information security risks. The CCM Version 3.0 expands its control domains to address changes in cloud security risks since the release of the CSA’s seminal guidance domain, “Security Guidance for Critical Areas of Focus in Cloud Computing version 3.0,” while making strides towards closer harmonization of the two.

Having drawn from industry-accepted security standards, regulations, and control frameworks such as ISO 27001/2, the European Union Agency for Network and Information Security (ENISA) Information Assurance Framework, ISACA’s Control Objectives for Information and Related Technology, the American Institute of CPAs Trust Service Principles, the Payment Card Industry Data Security Standard, and the Federal Risk and Authorization Management Program, the updated CSA CCM control domain provides organizations with the cohesiveness of controls needed to manage cloud-centric information security risks. This major restructuring of the CCM also captures the needs of cloud security governance in the near future, where it will serve as an annual check in updating future controls, further ensuring CCM remains in line with future technology and policy changes.

CCM Version 3.0 includes the following updates:

  • Five new control domains that address information security risks over the access of, transfer to, and securing of cloud data: Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management
  • Improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3
  • Improved control auditability throughout the control domains and an expanded control identification naming convention

Cloud Controls Matrix v3 Contributors

Working Group (WG) Co-Chair(s)

  • Sean Cordero
  • Evelyn DeSouza

CSA Global Support

  • Daniele Catteddu
  • Alexander Ginsburg
  • Frank Guanco
  • JR Santos
  • Evan Scoboria
  • Kendall Scoboria
  • Becky Swain
  • John Yeoh

Contributors

  • Assaf Afek-Levy
  • Kelvin J Arcelay
  • Anant Bardhan
  • Bernard Bossuyt
  • Anand Choksi
  • John DiMaria
  • Carlo Espiritu
  • JD Hascup
  • Peter HJ van Eijk
  • Giles Hogben
  • Muhammad Imran Tariq
  • Bernd Jaeger
  • Vladimir Jirasek
  • David Johnson
  • Thomas Kenyon
  • Valdez Ladd
  • Tamba Lamin
  • Anoine Laureau
  • Felix Mohan
  • Gene Naftulyev
  • Tony Noblett
  • Heather Ouelette
  • Steve Primost
  • Richard Scott
  • Paritosh Sharma
  • Andrea Simmons
  • Vinoth Sivasubramanian
  • Mitesh Soni
  • Jakub Syta
  • Sam Wilke

Download the Cloud Controls Matrix Version 1.4

Document Version Release Date Download
Cloud Controls Matrix 1.4 03/08/2013 Download

About CCM v1.4

Version 1.4 of the Cloud Controls Matrix includes two new mapping columns relating to AICPA's SOC 2 engagement. The SOC 2 report provides cloud service organizations and cloud users more flexibility related to compliance and operational reporting controls. It addresses risk of IT-enabled systems and privacy programs beyond the controls necessary for financial reporting.

Cloud Controls Matrix V1.4 Contributors

Working Group (WG) Co-Chair(s)

  • Evelyn de Souza
  • Sean Cordero
  • Thomas Kenyon

CSA Research Global Support

  • J.R. Santos
  • John Yeoh

Control Area Mapping Leads

  • Audrey Katcher
  • Chris Halterman
  • Janis Parthun
  • Erin Mackler

About AICPA

The AICPA is the world’s largest member association representing the accounting profession, with nearly 386,000 members in 128 countries and a 125-year heritage of serving the public interest. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination and offers specialty credentials for CPAs who concentrate on personal financial planning; fraud and forensics; business valuation; and information technology. Through a joint venture with the Chartered Institute of Management Accountants, it has established the Chartered Global Management Accountant designation to elevate management accounting globally.

Download the Cloud Controls Matrix Version 1.3

Document Version Release Date Download
Cloud Controls Matrix 1.3 09/20/2012 Download

Cloud Controls Matrix V1.3 Contributors

Working Group (WG) Co-Chair(s)

  • Becky Swain
  • Evelyn de Souza
  • Sean Cordero
  • Thomas Kenyon

CSA Research Global Support

  • J.R. Santos
  • John Yeoh

Control Area Mapping Leads

  • Balaji Ramamoorthy
  • Chris Davis
  • Daniel Philpott
  • David Lingenfelter
  • Doug Barbin
  • Evelyn de Souza
  • Matthew Metheny
  • The Late Ron Knode
  • Tim Mather

About FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide mandated program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that is intended to save cost, time, and staff required to conduct redundant agency security assessments. There are no “new” controls for FedRAMP. The FedRAMP security controls are based on NIST SP 800-53 R3 controls for low and moderate impact systems and contain controls and enhancements above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing. For additional information, refer to the FedRAMP FAQ website located at: http://www.gsa.gov/portal/category/102439.

Authoritative Source:
http://www.gsa.gov/graphics/staffoffices/FedRAMP_Security_Controls_072912.zip

Download the Cloud Controls Matrix Version 1.2

Document Version Release Date Download
Cloud Controls Matrix 1.2 08/26/2011 Download

Cloud Controls Matrix V1.2 Contributors

CSA CCM Leadership Team

  • Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
  • Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
  • Kip Boyle, CISM, CISSP – CCM Project Manager
  • Jim Reavis – CSA Executive Director


Contact the CCM Leadership Team:
Email

Data Governance (DG)

  • Vijaya Kumar Teki (Lead)
  • Abhik Chaudhuri

Resiliency (RS)

  • Tim J Sandage (Lead)
  • Balaji Palanisamy
  • Keith Prabhu

Jericho Forum

  • Brad Bemis (Lead)
  • Abhik Chaudhuri
  • Kanchanna Ramasamy Balraj
  • MS Prasad
  • Tajeshwar Singh
  • Phil Agcaoili

Compliance (CO)

  • JD Hascup (Lead)
  • Abhik Chaudhuri
  • Angela Polania
  • Kanchanna Ramasamy Balraj
  • Vijaya Kumar Teki
  • Visvesvara Ravikanth Anisingaraju

Information Security (IS)

  • Visvesvara Ravikanth Anisingaraju (Lead)
  • Ted Skinner
  • Kent Zhou
  • Steve Dotson
  • Laura Kuiper
  • Adam Politsch
  • Nadeem Bukhari

Quality Assurance (QA)

  • John DiMaria (Lead)
  • Kelvin Arcelay
  • Gary Sheehan
  • Lisa Peterson
  • John Sapp
  • Henry Ojo
  • Renne’ Devasia
  • Taiye Lambo

Facility Security (FS)

  • Visvesvara Ravikanth Anisingaraju (Lead)
  • Keith Prabhu

Human Resources (HR)

  • Vijaya Kumar Teki (Lead)

Legal (LG)

  • Eric Hibbard (Lead)
  • Kenton Morneau
  • Rizwan Ahmad
  • Steve Dotson

Operations Management (OM)

  • Vijaya Kumar Teki (Lead)
  • Visvesvara Ravikanth Anisingaraju
  • Ted Skinner

Risk Management (RI)

  • Dan Cimpean (Lead)
  • Cedric Lempereur
  • Abhik Chaudhuri
  • Angela Polania
  • Kenton Morneau
  • Eduardo Haruo Kamioka
  • Devesh Bhatt
  • Eric Phifer
  • JD Hascup

Release Management (RM)

  • Visvesvara Ravikanth Anisingaraju (Lead)

Security Architecture (SA)

  • Jeff Lockwood (Lead)
  • Balaji Palanisamy
  • Deep Mallangadakalaiah
  • Kanchanna Ramasamy Balraj
  • Kenton Morneau
  • Laura Kuiper
  • Visvesvara Ravikanth Anisingaraju
  • Stefano Ciminelli
  • Steve Dotson
  • Ted Skinner
  • Usha Rajsekar
  • Vijaya Kumar Teki

NERC CIP

  • Cary Stronach (Co-Lead)
  • Donald Schleede (Co-Lead)
  • Michael Craigue, Ph.D.
  • Balaji Palanisamy
  • Nikita Reva

Download the Cloud Controls Matrix Version 1.1

Document Version Release Date Download
Cloud Controls Matrix 1.1 12/17/2010 Download (xlsx), Download (xls)

Cloud Controls Matrix V1.1 Contributors

CSA CCM Leadership Team

  • Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
  • Marlin Pohlman – CCM Co-Chair
  • Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
  • Kip Boyle, CISM, CISSP – CCM Project Manager
  • Jim Reavis – CSA Executive Director



CSA CCM R1.1 – S/P/I Ownership

  • Guy Bejerano – LivePerson CSO (Lead)
  • Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd
  • Paul Stephen – Ernst and Young LLP

CSA CCM R1.1 – COBIT 4.1

  • Georges Ataya – Solvay Brussels School of Economics and Management
  • April Battle – MITRE
  • Akira Shibata – NTT DATA Corp
  • Elizabeth Ann Wickham – L47 Consulting Limited
  • Marcelo Gonzalez – Banco Central Republica Argentina
  • Mark Lobel – PricewaterhouseCoopers LLP
  • Meenu Gupta – Mittal Technologies
  • Ramesan Ramani – Paramount Computer Systems
  • Yves Le Roux – CA Technologies

CSA CCM R1.1 – HIPAA / HITECH Act

  • Joshua Schmidt, CISA, CISM – Vertafore, Inc. (Lead)
  • Patty Williams – Symetra Financial

CSA CCM R1.1 – ISO/IEC 27001:2005

  • MS Prasad, Exec Dir CSA India (Lead)
  • Joel Cort, CISSP, ISO 27001 Lead Auditor – Xerox Corporation
  • Laura Kuiper – Cisco Systems, Inc.
  • Kyle Lai, CISSP, CSSP, CISA, CIPP/G – KLC Consulting, Inc.
  • Thomas Loczewski, CISSP, CRISC, CCSK – Ernst and Young GmbH, Germany
  • Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.

CSA CCM R1.1 – NIST SP800-53 + FedRAMP

  • Daniel Philpott – Tantus Technologies, FISMApedia.org (Lead)
  • Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.
  • Kyle Lai, CISSP, CSSP, CISA, CIPP/G – KLC Consulting, Inc.
  • MS Prasad, Exec Dir CSA India
  • Steve Primost, CISSP, CISM
  • Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd
  • Vincent Samuel, Archer Certified Consultant, Certified Application Security Specialist, Oracle Certified Associate – KPMG LLP
  • Paul Stephen – Ernst and Young LLP
  • Adalberto Afonso A Navarro F do Valle – Deloitte LLP

CSA CCM R1.1 – PCI DSS v2.0

  • Pritam Bankar, CISA, CISM – Infosys Technologies Ltd. (Lead)
  • Karthik Amrutesh, CISSP, CISA – Ernst and Young LLP
  • Chris Brenton – Dell
  • Dr. Anton Chuvakin – Security Warrior Consulting
  • Michael Craigue, Ph.D. (CISSP, CSSLP) – Dell
  • Jakob Holm Hansen, CISA, CISSP, ABCP – Neupart A/S
  • Addison Lawrence – Dell
  • Steve Primost, CISSP, CISM
  • Philip Richardson, CISSP, A.Inst.ISP, MBCS – Logicalis UK Ltd.
  • Paul Stephen – Ernst and Young LLP

CSA CCM R1.1 – BITS Shared Assessment AUP v5.0 / SIG v6.0

  • Niall Browne, CCSP, CISA, CISSP, CCSI – LiveOps
  • Henry Ojo – Kamhen Services Ltd, HISPI

CSA CCM R1.1 – GAPP

  • Thej Mehta, CISA, ITIL v3 Foundation, ISACA San Francisco Chapter: 2nd Vice President and Education Program Chair, KPMG LLP (Lead)
  • Pritam Bankar, CISA, CISM – Infosys Technologies Ltd.
  • Thomas Loczewski – Ernst and Young LLP
  • Lloyd Wilkerson – Robert Half International
  • Anna Tang, CISSP, CIPP, CIPP/IT – Cisco Systems, Inc.

CSA CCM R1.1 – QA Team

  • John DiMaria – HISPI (Lead)
  • Taiye Lambo – eFortresses, Inc., HISPI
  • Kelvin Arcelay, CISM, CISSP, CRISC, HISP, ISMS Auditor, PMP, SSGB – Arcelay & Associates, HISPI
  • Henry Ojo – Kamhen Services Ltd, HISPI
  • Lisa Peterson, CISA, CISSP – Progressive Insurance, HISPI
  • Dale Pound – SAIC, HISPI
  • John Sapp – McKesson Healthcare, HISPI
  • Gary Sheehan – Advanced Server Management Group, Inc., HISPI
  • Greg Zimmerman – Jefferson Wells, HISPI

Download the Cloud Controls Matrix Version 1.0

Document Version Release Date Download
Cloud Controls Matrix 1.0 04/27/2010 Download (xlsx), Download (xls)

Cloud Controls Matrix V1.0 Contributors

CSA CCM Leadership Team

  • Becky Swain, CIPP/IT, CISSP, CISA – CCM Co-Founder/Chair, CSA Silicon Valley Chapter Board Member, Partner, EKKO Consulting
  • Marlin Pohlman – CCM Co-Chair
  • Philip Agcaoili – CCM Co-Founder/Chair, CSA Atlanta Chapter Co-Founder/Board Member
  • Kip Boyle, CISM, CISSP – CCM Project Manager
  • Jim Reavis – CSA Executive Director



CSA CCM R1.0 Contributors

  • Philip Agcaoili (co-chair)
  • Becky Swain (co-chair)
  • Marlin Pohlman (co-chair)
  • Mike Craigue
  • Phil Genever-Watling
  • Addison Lawrence
  • Chandrasekar Umpathy
  • Andy Dancer
  • Anton Chuvakin
  • Georg Heß
  • Glen Jones
  • Larry Harvey
  • M S Prasad
  • Patrick Sullivan
  • Steve Primost
  • Tajeshwar Singh
  • Thomas Loczewski
  • Dan Philpott

Cloud Controls Matrix News

February 12, 2014

Invitation to CSA CloudBytes: CSA STAR Certification

Don’t miss your chance to join experts and learn more about the CSA STAR Certification on Thursday, February 20th at 11:00am (Pacific Time).

November 22, 2013

Cloud Security Alliance Announces Bonus Workshop Series At 2013 US Congress

The five workshops will provide participants with the opportunity to explore key topics in cloud security in an intensive daylong session led by some of the world’s most prominent cloud security practitioners.

October 07, 2013

CSA Releases CCM v3.0 Info Sheet for Updates on New Controls, Domains

The CCM v3.0 Info Sheet is designed to update users on domain changes, control additions, and alignment to other CSA and industry standards documents.

September 26, 2013

Cloud Security Alliance Releases Cloud Controls Matrix, Version 3.0

The industry standard for cloud security now includes expanded controls to assess cloud service provider information security risks.

February 12, 2013

CSA Announces Working Group Sessions at RSA in San Francisco

CSA is hosting sessions during the week for some of our active working groups. These are free events that will be held outside of the regular conference on Thursday, February 28th.

September 21, 2012

Cloud Security Alliance Releases Cloud Controls Matrix Version 1.3

Version 1.3 integrates revised mapping of FedRAMP security controls.

November 16, 2011

Major Cloud Providers to Participate In CSA STAR – CSA Security, Trust and Assurance Registry

CSA today announced that Google, Verizon, Intel, McAfee, and Microsoft plan to submit reports to the CSA Security, Trust and Assurance Registry (STAR), a newly announced, free and publicly accessible registry that documents the security controls provided by various cloud computing offerings.

August 26, 2011

Cloud Security Alliance Releases Cloud Controls Matrix v1.2

The Cloud Security Alliance (CSA) today published Version 1.2 of the Cloud Controls Matrix (CCM), which is designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

August 16, 2011

Learn About the CSA STAR Registry

The Cloud Security Alliance announces two upcoming opportunities to learn more about its CSA STAR Registry. These public webcast briefings will be held August 18th and 23rd and will cover general information about the STAR Registry and the proper use of linked documents from the GRC Stack.

July 06, 2011

CSA Announces Licensing Agreement With CSC For CloudTrust Protocol

CSA announced that it has received a no-cost license for the CloudTrust Protocol (CTP) from CSC. The CTP is being integrated as the fourth pillar of the CSA’s cloud Governance, Risk and Compliance (GRC) stack. The CSA’s GRC stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements.

Downloads relating to the Cloud Controls Matrix

CCM v3.0 Info Sheet


Release Date: October 07, 2013

Cloud Controls Matrix v3.0


Cloud Controls Matrix (CCM) Version 3.0 is a comprehensive update to the industry’s gold standard for assessing cloud-centric information security risks.

Release Date: September 26, 2013

Cloud Controls Matrix v1.4

Release Date: March 08, 2013

Cloud Controls Matrix v1.3

Release Date: September 20, 2012

Cloud Controls Matrix v1.2

Release Date: August 26, 2011

Cloud Controls Matrix V1.1

Release Date: December 17, 2010

Cloud Controls Matrix V1.01

Release Date: October 20, 2010

Cloud Controls Matrix V1.0

Release Date: April 27, 2010
