The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, aligned to CSA best practices, that is widely considered the de facto standard for cloud security and privacy. The accompanying questionnaire, the Consensus Assessments Initiative Questionnaire (CAIQ), provides a set of "yes or no" questions based on the security controls in the CCM. The CCM and CAIQ can now be downloaded together.
What’s included in this download:
- CCM v4
- Mappings
- CAIQ v4
- STAR Level 1: Security Questionnaire (CAIQ v4)
- Implementation Guidelines
- Auditing Guidelines
This zip file contains two versions of CAIQ:
- CCM + CAIQ v4: This version is for reference only and cannot be used for a STAR submission.
- STAR Level 1: Security Questionnaire (CAIQ v4): Used to submit to the STAR Registry and includes all the necessary features. This version is also available as a separate download.
Mappings and components currently available in version 4:
- Mappings to the following: ISO/IEC 27001/27002/27017/27018, CCM v3.0.1, AICPA TSC (2017), CIS Controls v8, NIST CSF v1.1 and CSF v2.0, NIST SP 800-53r5, PCI DSS v3.2.1 and PCI DSS v4, and ISF SOGP 2022. These mappings identify the equivalence, gaps, and misalignment between the control specifications of CCM v4 and those of the other standards. Additional mappings are under development and will be added in the future.
- Controls Applicability Matrix: This matrix acts as a guide to help organizations determine the shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs) when implementing a CCM control. For each control, it also identifies which cloud architectural and organizational stack layers and which cloud service models are applicable.
- CCM Metrics: A catalog of security metrics for the cloud. These metrics aim to support internal CSP governance, risk, and compliance (GRC) activities and provide a baseline for service-level agreement transparency.
Frequently asked questions:
- How will the transition to v4 affect submission to the STAR Registry?
- What updates were made to CAIQ v4? Why was it combined with the CCM?
Have improvements or feedback for the CCM?
- Please submit suggestions through the feedback form.