
Cloud Controls Matrix (CCM)

Version 4 of the CCM and CAIQ are now combined!


The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

It is composed of 197 control objectives structured into 17 domains that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The control framework is aligned with the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

The CCM now includes the following:
The download file also contains the following:
Learn more about the transition to CCM v4 in this blog.

How can you use the CCM and CAIQ?

Document controls for multiple standards & regulations in one place

The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks, including but not limited to ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS, and many others.

Fulfilling the CCM controls also fulfills the corresponding requirements of the standards and regulations they map onto.

Assess cloud providers by having them fill out the CAIQ questionnaire

Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ) in the same document. CAIQ provides a set of “yes or no” questions that can be used to assess a cloud service provider and eliminates the need for multiple questionnaires from individual cloud consumers.

Clarify the shared responsibility model

The CCM defines the attribution of the responsibilities between cloud service providers (CSPs) and customers (CSCs). It also helps define the organizational relevance of each control based on the work done by the CSA Enterprise Architecture Working Group.

Submit to the STAR Registry

CSPs can use the STAR Level 1: Security Submission Form to submit a self-assessment to the STAR Registry. This submission form is based on the CAIQ v4. In addition, the CCM is also used as the standard to assess organizations interested in earning a STAR Level 2 Certification or Attestation.

Learn how to use the CCM

Implementation Guidelines

Included when you download the latest version of the CCM.

The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support users in implementing the CCM controls. For each control, they include more detailed instructions on what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.

Auditing Guidelines

Included when you download the latest version of the CCM.

The CCM Auditing Guidelines provide a baseline understanding of the CCM audit areas and give auditors tools and resources for performing a CCM-related assessment. The guidelines extend the work that appears in the CCAK guide, Chapter 7: CCM Auditing Guidelines, and specifically subsection 7.5: CCM Audit Workbook.

CCM Machine Readable Version

CSA provides the CCM Controls, the CAIQ Security Questionnaire, the Implementation Guidelines (in both JSON/YAML and OSCAL), and the Mappings (in JSON/YAML) in machine-readable formats to support organizations that want to automate their use of the CCM.

Certificate of Cloud Auditing Knowledge

Improve the security and compliance posture of your organization by having your team trained and certified in best practices for the evaluation and auditing of cloud services. The Certificate of Cloud Auditing Knowledge (CCAK) includes guidance on cloud governance, risk management, and compliance, and it explains how to leverage and operationalize CSA's best practices, such as the Cloud Controls Matrix (CCM) and the STAR Program.

Which security domains are covered by the CCM?

  • A&A: Audit & Assurance
  • AIS: Application & Interface Security
  • BCR: Business Continuity Management & Operational Resilience
  • CCC: Change Control & Configuration Management
  • CEK: Cryptography, Encryption, & Key Management
  • DCS: Datacenter Security
  • DSP: Data Security & Privacy
  • GRC: Governance, Risk Management, & Compliance
  • HRS: Human Resources Security
  • IAM: Identity & Access Management
  • IPY: Interoperability & Portability
  • IVS: Infrastructure & Virtualization Security
  • LOG: Logging & Monitoring
  • SEF: Security Incident Management, E-Discovery, & Cloud Forensics
  • STA: Supply Chain Management, Transparency, & Accountability
  • TVM: Threat & Vulnerability Management
  • UEM: Universal Endpoint Management

Join the Working Group

Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews and surveys, or join the working group. Learn more about the initiatives currently in development here.

Licensing the CCM

A CCM license allows organizations to customize the CCM or use it for commercial purposes. With a license, you can:

  • Customize the CCM: Tailor the controls to suit the unique demands of your organization.
  • Use the CCM for commercial purposes: Leverage the CCM within your products.
  • Utilize the CCM in consulting projects: Provide your clients with industry-leading solutions.

*You do not need a license if you are using the CCM for internal purposes.
*CSA Corporate Members receive a discount on CCSK and CCM licensing.

STAR Enabled Solutions

STAR Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services sold to the public. Examples of STAR Enabled products and services are software-based products (such as third-party risk assessment solutions) and services such as consultancy assessment methodologies, audits, and evaluation approaches. Please contact us to learn more about becoming a STAR Enabled Solution.