Cloud Security Alliance Announces Implementation Guidelines v2.0 for Cloud Controls Matrix (CCM) in Alignment with Shared Security Responsibility Model

Update strengthens CCM’s position as the cloud security industry’s preferred control framework

SEATTLE–(BUSINESS WIRE)–The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, has issued Cloud Controls Matrix (CCM) Implementation Guidelines v2.0: Securing the Cloud with the Shared Security Responsibility Model, an update to its flagship cybersecurity framework for cloud computing, CCM v4.0.12. Drafted by the CCM Working Group, the CCM Implementation Guidelines v2.0 provide security best practices for cloud organizations looking to implement CCM v4.0 control specifications in alignment with the Shared Security Responsibility Model (SSRM).

“It’s important that both cloud service providers (CSPs) and their customers understand their respective roles in implementing the CCM controls. Fostering a collaborative environment that enhances the overall security posture of the cloud ecosystem benefits everyone,” said Lefteris Skoutaris, Program Manager, Cloud Security Alliance, EMEA.

The CCM Implementation Guidelines v2.0 address the critical need to establish clearly demarcated lines of security responsibility between CSPs and cloud service customers (CSCs), bringing greater clarity and accountability to the implementation process. The guidelines are rooted in the collected experiences of CCM Working Group members, based on shared CSP and CSC experiences in implementing and securing cloud services and using CCM controls.

The insight covers myriad topics and queries, including how organizations can:

  • Implement controls for the first time or improve an existing implementation
  • Guide the implementation of controls across multiple frameworks via CCM mappings
  • Delineate and understand the security responsibilities of CSPs and CSCs in cloud implementations
  • Conduct implementation assessments of their CSPs and answer a CAIQ question
  • Identify the most-effective best practices to include as provisions within their organizational security policy
  • Translate cloud security best practices into contractual provisions with their CSPs
  • Leverage and implement CCM controls within a specific cloud platform or architecture

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains, covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Along with releasing updated versions of the CCM and CAIQ, the Cloud Controls Matrix Working Group provides control mappings, gap analysis, and addendums between the CCM and other industry standards and regulations to keep it continually up-to-date. Those interested in participating in the working group or its research are invited to join.

Download the CCM Implementation Guidelines v2.0: Securing the Cloud with the SSRM, or learn more about the Shared Responsibility Model here.

Those looking to learn more about the CCM Implementation Guidelines v2.0 are encouraged to register for CSA’s free, virtual Cloud Trust Summit on June 6, which will feature the session CCM Implementation Guidelines version 2.0: Securing the Cloud with the Shared Security Responsibility. Register now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.


Kristina Rundquist

ZAG Communications for the CSA
