The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.
It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.
The CCM now includes the following:
- CCM v4 Controls
- Mappings
- CAIQ v4
- Implementation Guidelines
- Auditing Guidelines
- CCM Metrics
- CCM Machine Readable (JSON/YAML/OSCAL)
The download file also contains the following:
Download CCM and CAIQLearn more about the transition to CCM v4 in this blog.
How can you use the CCM and CAIQ?
Document controls for multiple standards & regulations in one place
The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks including but not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRamp, CIS and many others.
Fulfilling the CCM controls also fulfills it for the accompanying standards and regulations it maps onto.
Assess cloud providers by having them fill out the CAIQ questionnaire
Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ) in the same document. CAIQ provides a set of “yes or no” questions that can be used to assess a cloud service provider and eliminates the need for multiple questionnaires from individual cloud consumers.
Clarify the shared responsibility model
The CCM defines the attribution of the responsibilities between cloud service providers (CSPs) and customers (CSCs). It also helps define the organizational relevance of each control based on the work done by the CSA Enterprise Architecture Working Group.
Submit to the STAR Registry
CSPs can use the STAR Level 1: Security Submission Form to submit a self-assessment to the STAR Registry. This submission form is based on the CAIQ v4. In addition, the CCM is also used as the standard to assess organizations interested in earning a STAR Level 2 Certification or Attestation.
Learn how to use the CCM
Implementation Guidelines
Included when you download the latest version of the CCM.
The CCM v4 Implementation Guidelines provides structured guidance on how to use the CCM and provides support to users on how to implement the CCM controls. For each control it includes more detailed instructions around what the cloud provider should do. In certain cases, the guidelines also provides assistance to the cloud customer.
Auditing Guidelines
Included when you download the latest version of the CCM.
The CCM Auditing Guidelines provides a baseline understanding of the CCM audit areas and provides tools and resources to auditors when performing a CCM related assessment. The guidelines are an extension to the work that appears in the CCAK guide and its Chapter 7: CCM Auditing Guidelines, and specifically of subsection 7.5: CCM Audit Workbook.
CCM Machine Readable Version
CSA provides in a machine-readable format the CCM Controls, CAIQ Security Questionnaire, Implementation Guidelines (both JSON/YAML and OSCAL) and Mappings (JSON/YAML) to support organizations that would like to foster CCM automation.
Certificate of Cloud Auditing Knowledge
Improve the security and compliance posture of your organization by having your team trained and certified in best practices for the evaluation and auditing of cloud services. The Certificate of Cloud Auditing Knowledge (CCAK) includes guidance on cloud governance, risk management and compliance, while also explaining how to leverage and operationalize CSA's best practices (such as the Cloud Controls Matrix (CCM) and STAR Program).
Which security domains are covered by the CCM?
A&AAudit & Assurance
AISApplication & Interface Security
BCRBusiness Continuity Mgmt & Op Resilience
CCCChange Control & Configuration Management
CEKCryptography, Encryption, & Key Management
DCSDatacenter Security
DSPData Security & Privacy
GRCGovernance, Risk Management, & Compliance
HRSHuman Resources Security
IAMIdentity & Access Management
IPYInteroperability & Portability
IVSInfrastructure & Virtualization Security
LOGLogging & Monitoring
SEFSec. Incident Mgmt, E-Disc & Cloud Forensics
STASupply Chain Mgmt, Transparency, & Accountability
TVMThreat & Vulnerability Management
UEMUniversal Endpoint Management
Join the Working Group
Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews, surveys, or join the working group. Learn more about the current initiatives in development here.
Licensing the CCM
A CCM license allows organizations to customize the CCM or use it for commercial purposes. With a license, you can:
- Customize the CCM: Tailor the controls to suit the unique demands of your organization.
- Use the CCM for commercial purposes: Leverage the CCM within your products.
- Utilize the CCM in Consulting Projects: Provide your clients with industry-leading solutions.
*CSA Corporate Members receive a discount on CCSK and CCM licensing.
STAR Enabled Solutions
STAR Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services that are sold to the public. Examples of STAR Enabled products and services are software based products (such as 3rd party risk assessment solutions) or services, such as consultancy assessment methodologies, audits and evaluation approaches, etc. Please contact us to learn more about becoming a STAR Enabled Solution.