Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Download Publication

Cloud Controls Matrix and CAIQ v4
Cloud Controls Matrix and CAIQ v4

Cloud Controls Matrix and CAIQ v4

Release Date: 06/03/2024

Working Group: Cloud Controls Matrix

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing aligned to the CSA best practices, that is considered the de-facto standard for cloud security and privacy. The accompanying questionnaire, CAIQ, provides a set of “yes or no” questions based on the security controls in the CCM. You can now download the CCM and CAIQ together. 

What’s included in this download:
  • CCM v4
  • Mappings
  • CAIQ v4 
  • STAR Level 1: Security Questionnaire (CAIQ v4)
  • Implementation Guidelines
  • Auditing Guidelines
This zip file contains two versions of CAIQ:
  • CCM + CAIQ v4: This version cannot be used to submit to STAR and is just for reference.
  • STAR Level 1: Security Questionnaire (CAIQ v4): Used to submit to the STAR Registry and includes all the necessary features. This version can also be downloaded on its own here
Mappings and components currently available in version 4:
  • Mappings to the following: ISO/IEC 27001/27002/27017/27018, CCM v3.0.1, AICPA TSC (2017), CIS Controls v8, NIST CSF v1.1 and CSF v2.0, NIST 800-53r5, PCI DSS v3.2.1 and PCI DSS v4, ISF SOGP 2022, and ENX ISAv6. These mappings identify the equivalence, gaps, and misalignment between the control specifications of the CCM V4 and other standards. Additional mappings are under development and will also be added in the future.
  • Controls Applicability Matrix: This matrix acts as a guide to help organizations determine the shared responsibilities between the CSPs and CSCs when implementing a CCM control. For each control, it also identifies which cloud architectural and organizational stack and cloud service models are applicable. 
  • CCM Metrics: This is the first catalog of security metrics for the cloud. These metrics aim to support internal CSP governance, risk, and compliance (GRC) activities and provide a helpful baseline for service-level agreement transparency.
Frequently asked questions:
Have improvements or feedback for the CCM?
Download this Resource

Bookmark
Share
Related resources
Map the Transaction Flows for Zero Trust
Map the Transaction Flows for Zero Trust
Top Concerns With Vulnerability Data
Top Concerns With Vulnerability Data
Using Asymmetric Cryptography to Help Achieve Zero Trust Objectives
Using Asymmetric Cryptography to Help Achieve Z...
CSA Community Spotlight: Creating Globally-Recognized Cybersecurity Assessments with Willy Fabritius
CSA Community Spotlight: Creating Globally-Recognized Cybersecurity...
Published: 11/27/2024
A Wednesday in the Life of a Threat Hunter
A Wednesday in the Life of a Threat Hunter
Published: 11/27/2024
Bringing the Security vs. Usability Pendulum to a Stop
Bringing the Security vs. Usability Pendulum to a Stop
Published: 11/26/2024
Cyber Essentials vs. Cyber Essentials Plus: Key Differences
Cyber Essentials vs. Cyber Essentials Plus: Key Differences
Published: 11/26/2024

Acknowledgements

Rajat Dubey
Rajat Dubey
Cybersecurity Expert, Allianz Commercial

Rajat Dubey

Cybersecurity Expert, Allianz Commercial

Rajat is an accomplished cybersecurity expert with over 13 years of experience safeguarding critical systems and data for global enterprises. His expertise spans cyber risk assessment, compliance, threat modeling, incident response, Penetration testing, Ethical hacking, Digital Forensic, Cloud Security and emerging technologies (AI, Blockchain, IoT, Quantum computing) for enhanced security.

Read more

Daniele Catteddu
Daniele Catteddu
Chief Technology Officer, CSA

Daniele Catteddu

Chief Technology Officer, CSA

Daniele Catteddu is an information security and risk management practitioner, technologies expert and privacy evangelist with over 15 of experience. He worked in several senior roles both in the private and public sector. He is member of various national and international security expert groups and committees on cyber-security and privacy, keynote speaker at several conferences and author of numerous studies and papers on risk management, ...

Read more

Aradhna Chetal
Aradhna Chetal
Senior Director Executive- Cloud Security

Aradhna Chetal

Senior Director Executive- Cloud Security

Aradhna serves as a Senior Director Executive- Cloud Security at TIAA, a financial services company. She is responsible for the cloud security vision, strategy, standards, security patterns for a multi-cloud hybrid enterprise and engineer security solutions, to support the vision. Aradhna has worked in various Cybersecurity leadership roles at JP Morgan Chase, Boeing Company, Microsoft & T-Mobile.

Aradhna is an active member in the cy...

Read more

Renu Bedi
Renu Bedi
Manager-IT Security

Renu Bedi

Manager-IT Security

Robin Basham
Robin Basham
CISO at AdaptHealth

Robin Basham

CISO at AdaptHealth

Robin Basham recently lead the Cloud Security Alliance CCM 4 to NIST 800-53 R5 Working Group. This effort began as a proposed commitment in April, involving the collaboration of some of our biggest and most well respected East Bay Enterprises. Leveraging the talent of 20 volunteers and mappings as designed in three major companies, the CCM WG produced a refined mapping t...

Read more

Jon-Michael Brook
Jon-Michael Brook

Jon-Michael Brook

Jon-Michael C. Brook is a certified, 25-year practitioner of cybersecurity, cloud, and privacy. He is the principal contributor to certification sites for privacy and cloud security, and has published books on privacy. Jon-Michael received numerous awards and recognition during his time with Raytheon, Northrop Grumman, Symantec, and Starbucks. He holds patents and trade secrets in intrusion detection, GUI design, and semantic data redaction...

Read more

Sean Cordero
Sean Cordero

Sean Cordero

Sean Cordero brings more than 15 years of information security and IT experience to his current role as director, information security at Optiv. Cordero provides executive level advisement for the company’s Fortune 50 clients. Cordero’s prior leadership roles included: President of Cloud Watchmen, CSO for EdFund, CSO for ECMC West, Director of Security and Compliance for Charlotte Russe.

Cordero is a thought-leader and serves as chair...

Read more

Michael Roza
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC

Michael Roza

Risk, Audit, Control and Compliance Professional at EVC

Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.

Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. His lea...

Read more

Paul Rich
Paul Rich
Executive Director, Data Management & Protection

Paul Rich

Executive Director, Data Management & Protection

Paul Rich is the executive director, data management and protection for JPMorgan Chase & Co., where he leads the strategy and implementation within the company for unstructured data protection both in the cloud and on-premises. He is the co-chair of the CSA Cloud Key Management Working Group, which he envisions as a means of hearing diverse perspectives on the use of cloud services and expectations for both data privacy and secu...

Read more

Sean Estrada
Sean Estrada
Head of Industry Standards Engagement for AWS

Sean Estrada

Head of Industry Standards Engagement for AWS

Sean Estrada is Head of Industry Standards Engagement for AWS, where he is responsible for driving engagement with industry standards organizations and alliances. Building on over 15 years of experience in information security, audit and compliance, Sean is Amazon's internal subject matter expert on security standards design, strategy and implementation, and is Amazon's representative to the PCI Board of Advisors and the Vice President of t...

Read more

Shawn Harris
Shawn Harris
Director of Information Security

Shawn Harris

Director of Information Security

With more than 25 years of information security experience, Shawn Harris is currently the Director of Information Security at Starbucks Coffee Company. His background includes engineering, architecture, and executive responsibilities. Shawn is currently co-chair of the CSA Cloud Controls Matrix working group, where he led efforts to develop the Cloud Control Matrix 4.0. Additionally, he has served on CSA’s Consensus Assessments ...

Read more

Harry Lu
Harry Lu
Manager, PwC Cybersecurity

Harry Lu

Manager, PwC Cybersecurity

Harry Lu brings perspectives of Cloud Security from the professional services industry. He is currently an Associate Director with Protiviti’s Cloud Security team. Harry’s background includes security strategy planning, security operations development and security executive consulting roles. He has also had years of hands-on experience implementing cloud security technologies across SaaS, IaaS and hybrid cloud environments. From his experie...

Read more

Jens Laundrup
Jens Laundrup
Chief Security Engineer and Executive Consultant, Emagined Security Inc.

Jens Laundrup

Chief Security Engineer and Executive Consultant, Emagined Security Inc.

Jens Laundrup, Chief Security Engineer and Executive Consultant, Emagined Security Inc., has spent over 30 years in the Information Security space to include numerous security engineering disciplines including Military, Government and Corporate Information Security, Compliance Program Design, Architecture Design, and Network & Physical Security. Mr. Laundrup has led the development and design of cutting-edge risk-based security programs and...

Read more

Vani Murthy
Vani Murthy
Sr. Information Security Compliance Advisor, Akamai Technologies

Vani Murthy

Sr. Information Security Compliance Advisor, Akamai Technologies

Vani has 20+ years of IT experience in the areas such as Security, Risk, Compliance, Cloud services (IaaS/PaaS/SaaS) architecture

Read more

Johan Olivier
Johan Olivier
Security and Compliance Director

Johan Olivier

Security and Compliance Director

I am a Security and Compliance Director at QorusDocs where I am responsible for the company-wide information security posture and SOC 2 Type 2 compliance.

My career in the compliance space is backed by 20 years’ experience as a Software Solutions Architect and 2.5 years in an executive leadership position as SVP of Engineering.

Having worked in seven countries across four continents I have developed a special interest in behav...

Read more

Geoff Bird
Geoff Bird
Chief Information Security Officer

Geoff Bird

Chief Information Security Officer

Chris Shull
Chris Shull
Chief Information Security Officer

Chris Shull

Chief Information Security Officer

Ashish Vashishtha
Ashish Vashishtha
Security Compliance Leader

Ashish Vashishtha

Security Compliance Leader

Analytical, results-oriented IS/IT Audit, Governance, Risk, and Compliance (GRC) leader over 19 years of experience managing enterprise-wide IT/IS security risk approach for large healthcare and IT services organizations. Passionate design thinker with an ability to harness innovation by facilitating collaboration to develop enterprise-wide security risk assessments (onsite as well as remote) for high-risk Third-Parties leveraging NIST 800-...

Read more

Erik Johnson
Erik Johnson
Cloud Security Specialist & Senior Research Analyst, CSA

Erik Johnson

Cloud Security Specialist & Senior Research Analyst, CSA

Worked for the Federal Reserve for many years and volunteered with the CSA with a focus on CCM/CAIQ V4, specifically the STA domain, and developing a comprehensive framework and guidance for defining and managing the cloud shared security responsibility model (SSRM).

I recently retired from the Federal Reserve and am now consulting with the CSA as a Senior Research Analyst with a focus on Zero Trust and Financial Services.

Linke...

Read more

Debjyoti Mukherjee
Debjyoti Mukherjee
Associate Director for RBC

Debjyoti Mukherjee

Associate Director for RBC

Christian Banse
Christian Banse
Head of Department "Service & Application Security"

Christian Banse

Head of Department "Service & Application Security"

Phil Garrelhas
Phil Garrelhas
Senior Manager - Fusion, Risk and Governance

Phil Garrelhas

Senior Manager - Fusion, Risk and Governance

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Related Certificates & Training