Cloud Controls
Matrix (CCM)

Cloud Control Matrix (CCM)

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 133 control objectives that are structured in 16 domains covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

The controls framework is aligned to the Security Guidance v4 and is currently considered a de-facto standard for cloud security assurance and compliance.

Map to Standards, Regulations & Controls Frameworks

The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks including but not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, ENISA Information Assurance Framework, German BSI C5, PCI DSS,, ISACA COBIT, NERC CIP, and many others.

Contribute to the CCM Working Group
Learn how to use the CCM.
Enroll in Training

Leverage the CCM to...

Strengthen information security control environments. The CCM delineates control guidance by service provider and consumer. It also differentiates according to cloud model type and environment.

Reduce audit complexity. Controls map onto multiple industry-accepted security standards, regulations, and controls frameworks. Fulfilling the CCM controls also fulfills it for the accompanying standards and regulations it maps onto.

Normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud

Integrations with the STAR Registry

The CCM is used as the standard to assess the security posture of organizations on the Security, Trust, Assurance and Risk (STAR) registry. The STAR program promotes flexible, incremental and multi-layered certifications that integrate with popular third-party assessments to avoid duplication of effort and cost.

Use the CCM Questionnaire to Assess Cloud Providers

The Consensus Assessments Initiative Questionnaire (CAIQ) is a companion to the CCM that provides a set of “yes or no” questions a cloud consumer or auditor may wish to ask a cloud provider. Based off of the security controls in the CCM, the questions can be used to document which security controls exist in a provider’s IaaS, PaaS, and SaaS offerings. Over 500 organizations currently use the CCM & CAIQ to submit self-assessments on the STAR registry.

Train Your Team to Use the Cloud Controls Matrix

Enroll your team in CSA’s Cloud Governance and Compliance (CGC) course to learn how to operationalize the Cloud Controls Matrix (CCM). Students will also be introduced to the Consensus Assessments Initiative Questionnaire (CAIQ), and the CSA STAR Program.

Contact Us >

Join the Working Group

Interested in contributing to future versions of the Cloud Controls Matrix? Participate in peer reviews, surveys, or join the working group. Learn more about the current initiatives in development here.

View Initiatives >

Licensing the Cloud Controls Matrix

CSA offers licensing opportunities for organizations interested in leveraging the CCM and CAIQ for commercial exploitation. CSA Executive and Corporate members receive a discount on 1 year, 2 year, 5 year, and 10 year licensing contracts. Non members can also license the CCM or CAIQ at an increased price.

When Do I Need a License?

You will need a license if you plan to use the CCM or CAIQ in products and services that are sold to the public. Examples of products and services are:

  • Software based products such as 3rd party risk assessment solution and other tools.
  • Services, such as consultancy assessment methodologies, audits and evaluation approaches, etc.