Cloud Controls Matrix (CCM)

Version 4 of the CCM now available!

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de facto standard for cloud security assurance and compliance. Version 4 of the CCM has been updated to ensure coverage of requirements deriving from new cloud technologies, and it brings new controls and a security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility with other standards.

Maps to Industry Standards, Regulations & Controls Frameworks

The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks including but not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS and many others.

Leverage the CCM to...

Strengthen information security control environments. The CCM delineates control guidance by service provider and consumer. It also differentiates according to cloud model type and environment.

Reduce audit complexity. Controls map onto multiple industry-accepted security standards, regulations, and controls frameworks. Fulfilling a CCM control also fulfills the corresponding requirements of the standards and regulations it maps onto.

Normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Integrations with the STAR Registry

The CCM is used as the standard to assess the security posture of organizations on the Security, Trust, Assurance and Risk (STAR) registry. The STAR program promotes flexible, incremental and multi-layered certifications that integrate with popular third-party assessments to avoid duplication of effort and cost.

Use the CAIQ Questionnaire to Assess Cloud Providers

The CAIQ provides a set of “yes or no” questions based on the security controls in the CCM that a cloud consumer or auditor may wish to ask a cloud provider. Over 1000 organizations currently use the CAIQ to submit self-assessments on the STAR registry.

Certificate of Cloud Auditing Knowledge

Certify your team in cloud governance, risk and compliance best practices by having them earn the Certificate of Cloud Auditing Knowledge. The body of knowledge for this exam explains how to operationalize tools like the Cloud Controls Matrix (CCM) to improve security within your organization.

Join the Working Group

Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews, surveys, or join the working group. Learn more about the current initiatives in development here.

Licensing the Cloud Controls Matrix

CSA offers licensing opportunities for organizations interested in leveraging the CCM and CAIQ for commercial exploitation. CSA Executive and Corporate members receive a discount on 1-year, 2-year, 5-year, and 10-year licensing contracts. Non-members can also license the CCM or CAIQ at an increased price.

When Do I Need a License?

You will need a license if you plan to use the CCM or CAIQ in products and services that are sold to the public. Examples of products and services are:

  • Software-based products, such as 3rd-party risk assessment solutions and other tools.
  • Services, such as consultancy assessment methodologies, audits and evaluation approaches, etc.