The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.
It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.
Version 4 of the Cloud Controls Matrix (CCM) has been combined with the Consensus Assessment Initiative Questionnaire (CAIQ). You can read about the updates in CAIQ v4 here.
The CCM now includes the following:
- CCM v4 Controls
- CAIQ v4
- Implementation Guidelines
- Auditing Guidelines (coming soon)
- CCM Metrics (coming soon)
The download file also contains the following:
- STAR Level 1: Security Questionnaire (CAIQ v4)
You can learn about the transition timeline to v4, and how that will affect STAR Registry submissions in this blog. To learn more about CAIQ v4, read this blog.
How can you use the CCM and CAIQ?
Document controls for multiple standards & regulations in one place
The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks. Fulfilling the CCM controls therefore also fulfills the corresponding controls in the standards and regulations they map onto.
The CCM v4 is currently mapped to the following: ISO/IEC 27001/27002/27017/27018, CCM v3.0.1 and CIS Controls v8. Additional mappings for AICPA TSC, PCI DSS and NIST SP 800-53 Rev. 5 are under development, and other new mappings will also be added in the future.
The previous version, CCM v3.0.1, is mapped to the following standards: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS and many others.
Assess cloud providers by having them fill out the CAIQ questionnaire
Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ) in the same document. The CAIQ provides a set of “yes or no” questions that can be used to assess a cloud service provider, eliminating the need for separate questionnaires from individual cloud consumers.
Clarify the shared responsibility model
The CCM defines the attribution of the responsibilities between cloud service providers (CSPs) and customers (CSCs). It also helps define the organizational relevance of each control based on the work done by the CSA Enterprise Architecture Working Group.
Submit to the STAR Registry
CSPs can use the STAR Level 1: Security Submission Form to submit a self-assessment to the STAR Registry. This submission form is based on the CAIQ v4. The CCM is also used as the standard for assessing organizations interested in earning a STAR Level 2 Certification or Attestation.
Learn how to use the CCM
The Implementation Guidelines are included when you download the latest version of the CCM.
The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support users in implementing the CCM controls. For each control, they include more detailed instructions on what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.
Auditing Guidelines (coming soon)
The Auditing Guidelines will eventually be included when you download the latest version of the CCM.
The CCM Auditing Guidelines provide a baseline understanding of the CCM audit areas and offer tools and resources to auditors performing a CCM-related assessment.
Certificate of Cloud Auditing Knowledge
Improve the security and compliance posture of your organization by having your team trained and certified in best practices for the evaluation and auditing of cloud services. The Certificate of Cloud Auditing Knowledge (CCAK) includes guidance on cloud governance, risk management and compliance, and explains how to leverage and operationalize CSA's best practices (such as the Cloud Controls Matrix (CCM) and the STAR Program).
Which security domains are covered by the CCM?
Join the Working Group
Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews, surveys, or join the working group. Learn more about the current initiatives in development here.
Licensing the CCM or CAIQ
CSA offers licensing opportunities for organizations interested in leveraging the CCM and CAIQ for commercial use. CSA Executive and Corporate members receive a discount on 1-, 2-, 5- and 10-year licensing contracts. Non-members can also license the CCM or CAIQ at an increased price.
When Do I Need a License?
You will need a license if you plan to use the CCM or CAIQ in products and services that are sold to the public. Examples of products and services are:
- Software-based products, such as third-party risk assessment solutions and other tools.
- Services, such as consultancy assessment methodologies, audits and evaluation approaches.