The more complex systems become, the less secure they become, even though security technologies improve. With the proliferation of security certifications, industry standards and regulations it is becoming increasingly challenging to keep up with the requirements to stay secure and compliant in the cloud.
Why was the CCM created?
To respond to simplify the process of assessing the overall security risk of a cloud provider, CSA created the Cloud Control Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ). The CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the best practices outlined in the CSA Security Guidance for Cloud Computing. The CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the CCM.
Help Integrate the CCM with CRI’s Financial Services Cybersecurity Profile
CSA is partnering with the Cyber Risk Institute (CRI) to provide the financial community with new resources to map and integrate CSA’s Cloud Controls Matrix (CCM) and CRI’s Financial Services Cybersecurity Profile. The goal is to define the scope, objectives and technical specifications of the Cloud Security Framework for Financial Services. To learn more, download our group charter.
Along with releasing updated versions of the CCM and CAIQ, this working group provides addendums, control mappings and gap analysis between the CCM and other research releases, industry standards, and regulations to keep it continually up to date.
Sep 29, 2021, 08:00AM PDT
Join the Meeting
Working Group Leadership
Cloud Controls Matrix v4 and CAIQ v4
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Cloud Controls Matrix v4 and CAIQ v4
The Cloud Controls Matrix (CCM) is a cybersecurity control framework and is considered the de-facto standard for cloud security and privacy. Version 4 of the Cloud Controls Matrix (CCM) has been combined with the Consensus Assessment Initiative Questionnaire (CAIQ). Version 4 introduces changes in the structure of the framework with a new domain dedicated to Log and Monitoring (LOG), and a significant increase in requirements. Additional features are: ensured coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility.
CCM Translation in 10 Languages
CSA in the context of an agreement with OneTrust has translated the Cloud Control Matrix (CCM) v3.0.1 in 10 languages in order to facilitate their easier adoption by organizations in the corresponding countries. Provided translations are in: Spanish (ES), German (DE), French (FR), Italian (IT), Japanese (JA), Danish (DA), Dutch (NL), Portuguese (PT), Romanian (RO) and Swedish (SV).
Cloud Controls Matrix v3.01
The CCM, the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.
Cloud Security Initiative for the Financial Sector Working Group
|7 free GRC tools every compliance professional should know about||Search Compiance||November 30, 2020|
|A Growing Digital Economy Means More Cybersecurity Challenges||Forbes||November 30, 2020|
|Cloud Security Alliance’s New Cloud Controls Matrix V4 Adds New Log and Monitoring Domain and More Than 60 New Cloud Security Controls||AIthority||January 22, 2021|
|Cloud Controls Matrix v4 adds 60+ new cloud security controls||Help Net Security||January 22, 2021|
|Whose job is it anyway? Cloud Security Alliance updates controls matrix to include logging and monitoring||DevClass||January 25, 2021|