
Cloud Controls Matrix (CCM)

Version 4 of the CCM and CAIQ are now combined!

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

It is composed of 197 control objectives structured in 17 domains that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned with the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Benefits of Using the CCM and CAIQ

Map Controls for Multiple Standards & Regulations

The CCM helps you align with industry-accepted security standards (including, but not limited to, ISO, NIST and PCI DSS), fulfilling multiple requirements in one streamlined process.

Assess Cloud Providers with the CAIQ

The CAIQ, built into the CCM, offers a simple set of "yes/no" questions to assess cloud providers, saving you from repetitive evaluations.

Clarify the Shared Responsibility Model

The CCM defines the security roles of CSPs and customers, helping you clearly understand and assign responsibilities.

Submit to the STAR Registry

CSPs can use the STAR Level 1 form to self-assess and submit to the STAR Registry, with options to pursue higher certifications or attestations.

Learn how to use the CCM

Implementation Guidelines

Included when you download the latest version of the CCM.

The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support users in implementing the CCM controls. For each control they include more detailed instructions on what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.


Auditing Guidelines

Included when you download the latest version of the CCM.

The CCM Auditing Guidelines provide a baseline understanding of the CCM audit areas and give auditors tools and resources for performing a CCM-related assessment. The guidelines are an extension of the work that appears in the CCAK guide, specifically Chapter 7: CCM Auditing Guidelines and its subsection 7.5: CCM Audit Workbook.


CCM Machine Readable Version

CSA provides the CCM Controls, the CAIQ Security Questionnaire and the Implementation Guidelines in machine-readable form (both JSON/YAML and OSCAL), together with the Mappings (JSON/YAML), to support organizations that want to automate their use of the CCM.


Licensing the CCM

A CCM license allows organizations to customize the CCM or use it for commercial purposes. With a license, you can:

  • Customize the CCM: Tailor the controls to suit the unique demands of your organization.
  • Use the CCM for commercial purposes: Leverage the CCM within your products.
  • Utilize the CCM in consulting projects: Provide your clients with industry-leading solutions.

*You do not need a license if you are using the CCM for internal purposes.
*CSA Corporate Members receive a discount on CCSK and CCM licensing.

STAR Enabled Solutions

STAR Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services sold to the public. Examples of STAR Enabled products and services are software-based products (such as third-party risk assessment solutions) and services such as consultancy assessment methodologies, audits and evaluation approaches. Please contact us to learn more about becoming a STAR Enabled Solution.