Cloud Security Alliance Cloud Controls Matrix (CCM)
The Ultimate Guide to

Cloud Security Alliance Cloud Controls Matrix (CCM)

What Is Cloud Security Alliance Cloud Controls Matrix

Your cloud solution company’s prospective customers need assurance that your information security control environment is managed in a way that meets their security requirements. The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It is cross-walked to several other industry-accepted standards, regulations, and control frameworks to simplify audits. 

According to the Cloud Security Alliance, the Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and assist potential cloud customers in assessing the overall security risk of a cloud provider. Organizations implement the CCM as a way to strengthen their existing information security control environments. It delineates control guidance by service provider and consumer and by differentiating according to the specific cloud model type and environment. 

The CCM contains 16 control domains that are cross-walked to other industry-accepted standards, regulations, and control frameworks to simplify audits. The crosswalks include but are not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, ENISA Information Assurance Framework, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, and many others.

The latest version of CCM (v3.0) contains the following domains:

  • Application and Interface Security 
  • Audit Assurance and Compliance 
  • Business Continuity Management and Op Resilience 
  • Chance Control and Configuration Management 
  • Data Security and Information Lifecycle Management
  • Datacenter Security 
  • Encryption and Key Management 
  • Governance and Risk Management 
  • Human Resources Security 
  • Identity and Access Management 
  • Infrastructure and Virtualization 
  • Interoperability and Portability 
  • Mobile Security 
  • Threat and Vulnerability Management 
  • Supply Chain Management, Transparency, and Access
  • Security Incident Management, E-discovery, and Cloud Forensics

The Cloud Security Alliance has developed a certification program called STAR. The value-added CSA STAR certification verifies an above and beyond cloud security stance that carries weight with customers. This overachiever’s set of standards may be the best asset for customers looking to assess a vendor’s commitment to security, and it is a must for all organizations looking to cement customer trust. Further, the STAR registry documents the security and privacy controls provided by popular cloud computing offerings so cloud customers can assess their security providers to make good purchasing decisions.

Who needs to implement CSA CCM?

If you are a cloud vendor and your organization wants to conduct business with the government or any security-conscious enterprise, achieving cloud security certifications is the procurement gate. Cloud compliance frameworks like the CSA CCM provide the guidelines and structure necessary for maintaining the level of security your customers demand. 

Additionally, these frameworks will help you navigate a regulatory minefield and avoid the steep financial and reputational cost of non-compliance. Most importantly, implementing a compliance framework will allow your organization to showcase your commitment to privacy and data protection. This will keep you out of trouble with regulators and boost credibility and trust with your customers.

Hyperproof for CSA CCM Compliance

Hyperproof is a continuous compliance software solution that helps organizations implement security standards, regulations, and control frameworks efficiently and monitor their control environment on an ongoing basis. We support implementation of CSA CCM by allowing you to:


Utilize a program template that helps you put controls in place for each CCM control domain

Quickly collect evidence to document your security policies and procedures

Collaborate easily with other participants in the compliance program

Assign monitoring and remediation tasks to program participants and keep team members on track

Use dashboards to gauge progress and audit preparedness posture

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CSA CCM ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader