The more complex systems become, the less secure they become, even though security technologies improve. With the proliferation of security certifications, industry standards and regulations it is becoming increasingly challenging to keep up with the requirements to stay secure and compliant in the cloud.
Why was the CCM created?
To respond to simplify the process of assessing the overall security risk of a cloud provider, CSA created the Cloud Control Matrix (CCM). The CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the best practices outlined in the CSA Security Guidance for Cloud Computing.
The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.
Along with releasing updated versions of the CCM, this working group provides addendums, control mappings and gap analysis between the CCM and other research releases, industry standards, and regulations to keep it continually up to date.
No Meetings Currently Scheduled
Working Group Leadership
Cloud Controls Matrix
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Cloud Controls Matrix v4
The Cloud Controls Matrix (CCM) is a cybersecurity control framework and is considered the de-facto standard for cloud security and privacy. Version 4 of the CCM constitutes a significant upgrade to the previous version (v3.0.1) by introducing changes in structure of the framework with a new domain dedicated to Log and Monitoring (LOG), and a significant increase in requirements. Additional features of the version 3 update are: ensured coverage of requirements deriving from new cloud technologies, new controls and security responsibility matrix, improved auditability of the controls, and enhanced interoperability and compatibility
CCM Translation in 10 Languages
CSA in the context of an agreement with OneTrust has translated the Cloud Control Matrix (CCM) v3.0.1 in 10 languages in order to facilitate their easier adoption by organizations in the corresponding countries. Provided translations are in: Spanish (ES), German (DE), French (FR), Italian (IT), Japanese (JA), Danish (DA), Dutch (NL), Portuguese (PT), Romanian (RO) and Swedish (SV).
Cloud Controls Matrix v3.01
The CCM, the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.
|7 free GRC tools every compliance professional should know about||Search Compiance||November 30, 2020|
|A Growing Digital Economy Means More Cybersecurity Challenges||Forbes||November 30, 2020|
|Cloud Security Alliance’s New Cloud Controls Matrix V4 Adds New Log and Monitoring Domain and More Than 60 New Cloud Security Controls||AIthority||January 22, 2021|
|Cloud Controls Matrix v4 adds 60+ new cloud security controls||Help Net Security||January 22, 2021|
|Whose job is it anyway? Cloud Security Alliance updates controls matrix to include logging and monitoring||DevClass||January 25, 2021|