Cloud Controls Matrix

Maintaining cloud governance, risk and compliance is becoming increasingly difficult.
The more complex systems become, the less secure they become, even though security technologies improve. With the proliferation of security certifications, industry standards and regulations, it is becoming increasingly challenging to keep up with the requirements to stay secure and compliant in the cloud.

Why was the CCM created?
To simplify the process of assessing the overall security risk of a cloud provider, CSA created the Cloud Controls Matrix (CCM). The CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the best practices outlined in the CSA Security Guidance for Cloud Computing.

The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. The CCM will augment or provide internal control direction for the service organization control report attestations provided by cloud providers.

Along with releasing updated versions of the CCM, this working group provides addendums, control mappings and gap analysis between the CCM and other research releases, industry standards, and regulations to keep it continually up to date.

Next Meeting

Jan 21, 2021, 08:00AM PST



Working Group Leadership

Sean Cordero

Shawn Harris

Harry Lu

Sean Estrada

Daniele Catteddu

Eleftherios Skoutaris

Cloud Controls Matrix

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Cloud Controls Matrix v4 (Coming Soon)

The Cloud Controls Matrix (CCM) is a cybersecurity control framework and is considered the de-facto standard for cloud security and privacy. Version 4 of the CCM constitutes a significant upgrade to the previous version (v3.0.1) by introducing changes in the structure of the framework, with a new domain dedicated to Log and Monitoring (LOG), and a significant increase in requirements. Additional features of the version 3 update are: ensured coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility.

Cloud Controls Matrix v3.0.1

The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.

CCM Translation in 10 Languages

CSA, in the context of an agreement with OneTrust, has translated the Cloud Controls Matrix (CCM) v3.0.1 into 10 languages to facilitate its adoption by organizations in the corresponding countries. Translations are provided in: Spanish (ES), German (DE), French (FR), Italian (IT), Japanese (JA), Danish (DA), Dutch (NL), Portuguese (PT), Romanian (RO) and Swedish (SV).

Blog Posts

What is the Cloud Controls Matrix (CCM)?
CCM Addendum for Associated Banks of Singapore
What is a Cloud Service Provider?
