
Cloud Controls Matrix (CCM)

Version 4 of the CCM and CAIQ are now combined!

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

It is composed of 197 control objectives structured in 17 domains that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Learn more about the transition to CCM v4 in this blog.

How can you use the CCM and CAIQ?

Document controls for multiple standards & regulations in one place

The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks, including but not limited to ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS, and many others.

Because of these mappings, fulfilling a CCM control also fulfills the corresponding requirements of the standards and regulations that control maps onto.

Assess cloud providers by having them fill out the CAIQ questionnaire

Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ) in the same document. CAIQ provides a set of “yes or no” questions that can be used to assess a cloud service provider and eliminates the need for multiple questionnaires from individual cloud consumers.

Clarify the shared responsibility model

The CCM defines how responsibilities are attributed between cloud service providers (CSPs) and cloud service customers (CSCs). It also helps define the organizational relevance of each control, based on the work done by the CSA Enterprise Architecture Working Group.

Submit to the STAR Registry

CSPs can use the STAR Level 1: Security Submission Form to submit a self-assessment to the STAR Registry. This submission form is based on the CAIQ v4. In addition, the CCM is also used as the standard to assess organizations interested in earning a STAR Level 2 Certification or Attestation.

Learn how to use the CCM

Implementation Guidelines

Included when you download the latest version of the CCM.

The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support users in implementing the CCM controls. For each control they include more detailed instructions on what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.

Auditing Guidelines

Included when you download the latest version of the CCM.

The CCM Auditing Guidelines provide a baseline understanding of the CCM audit areas and offer tools and resources to auditors performing a CCM-related assessment. The guidelines are an extension of the work that appears in the CCAK guide, Chapter 7: CCM Auditing Guidelines, and specifically of subsection 7.5: CCM Audit Workbook.

CCM Machine Readable Version

CSA provides the CCM Controls, the CAIQ Security Questionnaire, the Implementation Guidelines (in both JSON/YAML and OSCAL) and the Mappings (JSON/YAML) in machine-readable formats, to support organizations that want to automate their use of the CCM.

Certificate of Cloud Auditing Knowledge

Improve the security and compliance posture of your organization by having your team trained and certified in best practices for the evaluation and auditing of cloud services. The Certificate of Cloud Auditing Knowledge (CCAK) includes guidance on cloud governance, risk management and compliance, while also explaining how to leverage and operationalize CSA's best practices (such as the Cloud Controls Matrix (CCM) and STAR Program).


Which security domains are covered by the CCM?

Join the Working Group

Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews, surveys, or join the working group. Learn more about the current initiatives in development here.


Licensing the CCM or CAIQ

CSA offers licensing opportunities for organizations interested in leveraging the CCM and CAIQ for commercial use. CSA Executive and Corporate members receive a discount on 1-year, 2-year, 5-year, and 10-year licensing contracts. Non-members can also license the CCM or CAIQ at an increased price.

When Do I Need a License?

You will need a license if you plan to use the CCM or CAIQ in products and services that are sold to the public. Examples of products and services are:

  • Software-based products, such as third-party risk assessment solutions and other tools.
  • Services, such as consultancy assessment methodologies, audits and evaluation approaches, etc.

You don’t need a license if you are only using the CCM for internal purposes.

STAR Enabled Solutions

STAR Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services that are sold to the public. Examples of STAR Enabled products and services are software-based products (such as third-party risk assessment solutions) and services such as consultancy assessment methodologies, audits and evaluation approaches. Please contact us to learn more about becoming a STAR Enabled Solution.