Cloud Controls Matrix (CCM) FAQ


Frequently Asked Questions

What is the CCM?

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 133 control objectives structured in 16 domains that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

The controls framework is aligned to the Security Guidance v4 and is currently considered a de-facto standard for cloud security assurance and compliance.

Is the CCM more than a framework?

Yes, the Open Certification Framework program and STAR Program use it as the basis for security assessments, certifications and attestations.


How does the CCM compare to other standards?

The CCM is not a “standard”; it is a framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. The CCM gives organizations the structure, detail and clarity they need on information security tailored to cloud computing, so it is used as an extended control set alongside other standards such as ISO/IEC 27001 and SOC 2. It is not meant to replace those standards.

Can the CCM be used as an RFP?

Yes. The CCM has an extended set of questions called the CAIQ. Organizations often use the CAIQ to gain additional protection by building a request for proposal (RFP) from the information in the CAIQ. Organizations can then verify the validity of a vendor’s answers during the RFP interview.
How do I use the CCM to compare cloud security providers?

By having each cloud security provider fill out the CAIQ, you will be able to compare which controls different providers are fulfilling in the CCM.

How do I use the CCM to demonstrate my security posture to clients?

Security providers can fill out the extended question set that aligns with the Cloud Controls Matrix, the Consensus Assessments Initiative Questionnaire (CAIQ), and send it to potential and current clients to demonstrate compliance with industry standards, frameworks and regulations. Providers are encouraged to submit the completed CAIQ to the STAR Registry so that it is publicly available to all clients.

Is the CCM fully aligned with the CAIQ?

Yes, the CAIQ is essentially a questionnaire version of the CCM.

Can I submit a self-assessment using the CCM instead of the CAIQ to the STAR Registry?

No. The CCM is a set of controls that is used as the basis for security assessments, certifications and attestations. The CAIQ is the extended questionnaire that is designed to drill down into the details of the CCM control set. The CAIQ is the required document that must be submitted to the registry.

Can I get certified against the CCM? How do I become CCM certified?

Organizations looking to get certified against the CCM can obtain an attestation or certification through the CSA STAR Registry.

Can I send out the CCM to my suppliers as part of my third-party risk management system without having to obtain a license?

Yes, organizations can use the CCM for third-party risk management systems without a license. The only case where a license is required is if your company plans to use it for products or systems for commercial exploitation.

What background do I need to join the CCM working group?

An understanding of security concepts and principles related to the cloud, along with the foundations of the Cloud Security Alliance Controls Matrix. We also welcome those who can contribute to mapping the CCM to other industry-accepted security standards, regulations, and controls frameworks.