Cloud Security Alliance Releases New Cloud Controls Matrix Auditing Guidelines

Document provides auditors a baseline understanding of the CCM audit areas, allowing them to better perform a CCM-related audit and assessment

SEATTLE–(BUSINESS WIRE)–#CCM–The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the Cloud Controls Matrix (CCM) Auditing Guidelines. Drafted by the CCM Working Group, this new addition to the Cloud Controls Matrix v4 contains a set of auditing guidelines tailored to the control specifications of each of the CCM’s 17 cloud security domains. This document provides auditors with a baseline understanding of the CCM audit areas, allowing them to better perform a CCM-related audit and assessment.

The guidelines are an extension of Chapter 7: CCM Auditing Guidelines found in the Certificate of Cloud Auditing Knowledge guide (specifically of subsection 7.5: CCM Audit Workbook) and were drafted to provide direction to:

  • auditors who plan to perform audits against the CCM on cloud service providers (CSPs)
  • cloud service customers (CSCs) using the CCM framework to evaluate their cloud service portfolio, and
  • CSPs or CSCs who intend to use the CCM framework to guide the design, development, and implementation of their cloud security controls.

“We are very excited about the work done with CCM v4. The auditing guidelines represent an additional aid for the organizations adopting CCM and will facilitate and streamline the execution of assessment based on CCM control. This document will clearly make it easier for companies to join the STAR Program,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.

“The guidelines have been drafted in such a way as to allow auditors to tailor various aspects to address their specific objectives and will support a cloud security audit or assessment, regardless of company’s size, business, cloud deployment complexity, or maturity level. It’s hoped these guidelines will make it even easier for CSPs and CSCs, who are seeking secure implementation, assessment, and management of cloud services security risks, to determine where the responsibility for various aspects of security lie,” said Sanjeev Gupta, a lead author of the paper.

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains, covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Along with releasing updated versions of the CCM and CAIQ, the Cloud Controls Matrix Working Group provides control mappings, gap analysis, and addendums between the CCM and other industry standards and regulations to keep it continually up to date. Those interested in participating in the working group or its research are invited to join.

Download the CCM Auditing Guidelines now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.


ZAG Communications for the CSA

Kristina Rundquist

error: Content is protected !!