CSA CCMv4.0 Final 031521


CLOUD CONTROLS MATRIX VERSION 4.0

Control Domain | Control Title | Control ID

Audit and Assurance - A&A

Audit & Assurance | Audit and Assurance Policy and Procedures | A&A-01
Audit & Assurance | Independent Assessments | A&A-02
Audit & Assurance | Risk Based Planning Assessment | A&A-03
Audit & Assurance | Requirements Compliance | A&A-04
Audit & Assurance | Audit Management Process | A&A-05
Audit & Assurance | Remediation | A&A-06

Application and Interface Security - AIS

Application & Interface Security | Application and Interface Security Policy and Procedures | AIS-01
Application & Interface Security | Application Security Baseline Requirements | AIS-02
Application & Interface Security | Application Security Metrics | AIS-03
Application & Interface Security | Secure Application Design and Development | AIS-04
Application & Interface Security | Automated Application Security Testing | AIS-05
Application & Interface Security | Automated Secure Application Deployment | AIS-06
Application & Interface Security | Application Vulnerability Remediation | AIS-07

Business Continuity Management and Operational Resilience - BCR

Business Continuity Management & Operational Resilience | Business Continuity Management Policy and Procedures | BCR-01
Business Continuity Management & Operational Resilience | Risk Assessment and Impact Analysis | BCR-02
Business Continuity Management & Operational Resilience | Business Continuity Strategy | BCR-03
Business Continuity Management & Operational Resilience | Business Continuity Planning | BCR-04
Business Continuity Management & Operational Resilience | Documentation | BCR-05
Business Continuity Management & Operational Resilience | Business Continuity Exercises | BCR-06
Business Continuity Management & Operational Resilience | Communication | BCR-07
Business Continuity Management & Operational Resilience | Backup | BCR-08
Business Continuity Management & Operational Resilience | Disaster Response Plan | BCR-09
Business Continuity Management & Operational Resilience | Response Plan Exercise | BCR-10
Business Continuity Management & Operational Resilience | Equipment Redundancy | BCR-11

Change Control and Configuration Management - CCC

Change Control & Configuration Management | Change Management Policy and Procedures | CCC-01
Change Control & Configuration Management | Quality Testing | CCC-02
Change Control & Configuration Management | Change Management Technology | CCC-03
Change Control & Configuration Management | Unauthorized Change Protection | CCC-04
Change Control & Configuration Management | Change Agreements | CCC-05
Change Control & Configuration Management | Change Management Baseline | CCC-06
Change Control & Configuration Management | Detection of Baseline Deviation | CCC-07
Change Control & Configuration Management | Exception Management | CCC-08
Change Control & Configuration Management | Change Restoration | CCC-09

Cryptography, Encryption and Key Management - CEK

Cryptography, Encryption & Key Management | Encryption and Key Management Policy and Procedures | CEK-01
Cryptography, Encryption & Key Management | CEK Roles and Responsibilities | CEK-02
Cryptography, Encryption & Key Management | Data Encryption | CEK-03
Cryptography, Encryption & Key Management | Encryption Algorithm | CEK-04
Cryptography, Encryption & Key Management | Encryption Change Management | CEK-05
Cryptography, Encryption & Key Management | Encryption Change Cost Benefit Analysis | CEK-06
Cryptography, Encryption & Key Management | Encryption Risk Management | CEK-07
Cryptography, Encryption & Key Management | CSC Key Management Capability | CEK-08
Cryptography, Encryption & Key Management | Encryption and Key Management Audit | CEK-09
Cryptography, Encryption & Key Management | Key Generation | CEK-10
Cryptography, Encryption & Key Management | Key Purpose | CEK-11
Cryptography, Encryption & Key Management | Key Rotation | CEK-12
Cryptography, Encryption & Key Management | Key Revocation | CEK-13
Cryptography, Encryption & Key Management | Key Destruction | CEK-14
Cryptography, Encryption & Key Management | Key Activation | CEK-15
Cryptography, Encryption & Key Management | Key Suspension | CEK-16
Cryptography, Encryption & Key Management | Key Deactivation | CEK-17
Cryptography, Encryption & Key Management | Key Archival | CEK-18
Cryptography, Encryption & Key Management | Key Compromise | CEK-19
Cryptography, Encryption & Key Management | Key Recovery | CEK-20
Cryptography, Encryption & Key Management | Key Inventory Management | CEK-21

Datacenter Security - DCS

Datacenter Security | Off-Site Equipment Disposal Policy and Procedures | DCS-01
Datacenter Security | Off-Site Transfer Authorization Policy and Procedures | DCS-02
Datacenter Security | Secure Area Policy and Procedures | DCS-03
Datacenter Security | Secure Media Transportation Policy and Procedures | DCS-04
Datacenter Security | Assets Classification | DCS-05
Datacenter Security | Assets Cataloguing and Tracking | DCS-06
Datacenter Security | Controlled Access Points | DCS-07
Datacenter Security | Equipment Identification | DCS-08
Datacenter Security | Secure Area Authorization | DCS-09
Datacenter Security | Surveillance System | DCS-10
Datacenter Security | Unauthorized Access Response Training | DCS-11
Datacenter Security | Cabling Security | DCS-12
Datacenter Security | Environmental Systems | DCS-13
Datacenter Security | Secure Utilities | DCS-14
Datacenter Security | Equipment Location | DCS-15

Data Security and Privacy Lifecycle Management - DSP

Data Security & Privacy Lifecycle Management | Security and Privacy Policy and Procedures | DSP-01
Data Security & Privacy Lifecycle Management | Secure Disposal | DSP-02
Data Security & Privacy Lifecycle Management | Data Inventory | DSP-03
Data Security & Privacy Lifecycle Management | Data Classification | DSP-04
Data Security & Privacy Lifecycle Management | Data Flow Documentation | DSP-05
Data Security & Privacy Lifecycle Management | Data Ownership and Stewardship | DSP-06
Data Security & Privacy Lifecycle Management | Data Protection by Design and Default | DSP-07
Data Security & Privacy Lifecycle Management | Data Privacy by Design and Default | DSP-08
Data Security & Privacy Lifecycle Management | Data Protection Impact Assessment | DSP-09
Data Security & Privacy Lifecycle Management | Sensitive Data Transfer | DSP-10
Data Security & Privacy Lifecycle Management | Personal Data Access, Reversal, Rectification and Deletion | DSP-11
Data Security & Privacy Lifecycle Management | Limitation of Purpose in Personal Data Processing | DSP-12
Data Security & Privacy Lifecycle Management | Personal Data Sub-processing | DSP-13
Data Security & Privacy Lifecycle Management | Disclosure of Data Sub-processors | DSP-14
Data Security & Privacy Lifecycle Management | Limitation of Production Data Use | DSP-15
Data Security & Privacy Lifecycle Management | Data Retention and Deletion | DSP-16
Data Security & Privacy Lifecycle Management | Sensitive Data Protection | DSP-17
Data Security & Privacy Lifecycle Management | Disclosure Notification | DSP-18
Data Security & Privacy Lifecycle Management | Data Location | DSP-19

Governance, Risk and Compliance - GRC

Governance, Risk Management & Compliance | Governance Program Policy and Procedures | GRC-01
Governance, Risk Management & Compliance | Risk Management Program | GRC-02
Governance, Risk Management & Compliance | Organizational Policy Reviews | GRC-03
Governance, Risk Management & Compliance | Policy Exception Process | GRC-04
Governance, Risk Management & Compliance | Information Security Program | GRC-05
Governance, Risk Management & Compliance | Governance Responsibility Model | GRC-06
Governance, Risk Management & Compliance | Information System Regulatory Mapping | GRC-07
Governance, Risk Management & Compliance | Special Interest Groups | GRC-08

Human Resources - HRS

Human Resources | Background Screening Policy and Procedures | HRS-01
Human Resources | Acceptable Use of Technology Policy and Procedures | HRS-02
Human Resources | Clean Desk Policy and Procedures | HRS-03
Human Resources | Remote and Home Working Policy and Procedures | HRS-04
Human Resources | Asset returns | HRS-05
Human Resources | Employment Termination | HRS-06
Human Resources | Employment Agreement Process | HRS-07
Human Resources | Employment Agreement Content | HRS-08
Human Resources | Personnel Roles and Responsibilities | HRS-09
Human Resources | Non-Disclosure Agreements | HRS-10
Human Resources | Security Awareness Training | HRS-11
Human Resources | Personal and Sensitive Data Awareness and Training | HRS-12
Human Resources | Compliance User Responsibility | HRS-13

Identity and Access Management - IAM

Identity & Access Management | Identity and Access Management Policy and Procedures | IAM-01
Identity & Access Management | Strong Password Policy and Procedures | IAM-02
Identity & Access Management | Identity Inventory | IAM-03
Identity & Access Management | Separation of Duties | IAM-04
Identity & Access Management | Least Privilege | IAM-05
Identity & Access Management | User Access Provisioning | IAM-06
Identity & Access Management | User Access Changes and Revocation | IAM-07
Identity & Access Management | User Access Review | IAM-08
Identity & Access Management | Segregation of Privileged Access Roles | IAM-09
Identity & Access Management | Management of Privileged Access Roles | IAM-10
Identity & Access Management | CSCs Approval for Agreed Privileged Access Roles | IAM-11
Identity & Access Management | Safeguard Logs Integrity | IAM-12
Identity & Access Management | Uniquely Identifiable Users | IAM-13
Identity & Access Management | Strong Authentication | IAM-14
Identity & Access Management | Passwords Management | IAM-15
Identity & Access Management | Authorization Mechanisms | IAM-16

Interoperability and Portability - IPY

Interoperability & Portability | Interoperability and Portability Policy and Procedures | IPY-01
Interoperability & Portability | Application Interface Availability | IPY-02
Interoperability & Portability | Secure Interoperability and Portability Management | IPY-03
Interoperability & Portability | Data Portability Contractual Obligations | IPY-04

Infrastructure and Virtualization Security - IVS

Infrastructure & Virtualization Security | Infrastructure and Virtualization Security Policy and Procedures | IVS-01
Infrastructure & Virtualization Security | Capacity and Resource Planning | IVS-02
Infrastructure & Virtualization Security | Network Security | IVS-03
Infrastructure & Virtualization Security | OS Hardening and Base Controls | IVS-04
Infrastructure & Virtualization Security | Production and Non-Production Environments | IVS-05
Infrastructure & Virtualization Security | Segmentation and Segregation | IVS-06
Infrastructure & Virtualization Security | Migration to Cloud Environments | IVS-07
Infrastructure & Virtualization Security | Network Architecture Documentation | IVS-08
Infrastructure & Virtualization Security | Network Defense | IVS-09

Logging and Monitoring - LOG

Logging & Monitoring | Logging and Monitoring Policy and Procedures | LOG-01
Logging & Monitoring | Audit Logs Protection | LOG-02
Logging & Monitoring | Security Monitoring and Alerting | LOG-03
Logging & Monitoring | Audit Logs Access and Accountability | LOG-04
Logging & Monitoring | Audit Logs Monitoring and Response | LOG-05
Logging & Monitoring | Clock Synchronization | LOG-06
Logging & Monitoring | Logging Scope | LOG-07
Logging & Monitoring | Log Records | LOG-08
Logging & Monitoring | Log Protection | LOG-09
Logging & Monitoring | Encryption Monitoring and Reporting | LOG-10
Logging & Monitoring | Transaction/Activity Logging | LOG-11
Logging & Monitoring | Access Control Logs | LOG-12
Logging & Monitoring | Failures and Anomalies Reporting | LOG-13

Security Incident Management, E-Discovery, and Cloud Forensics - SEF

Security Incident Management, E-Discovery, & Cloud Forensics | Security Incident Management Policy and Procedures | SEF-01
Security Incident Management, E-Discovery, & Cloud Forensics | Service Management Policy and Procedures | SEF-02
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Plans | SEF-03
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Testing | SEF-04
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Metrics | SEF-05
Security Incident Management, E-Discovery, & Cloud Forensics | Event Triage Processes | SEF-06
Security Incident Management, E-Discovery, & Cloud Forensics | Security Breach Notification | SEF-07
Security Incident Management, E-Discovery, & Cloud Forensics | Points of Contact Maintenance | SEF-08

Supply Chain Management, Transparency, and Accountability - STA

Supply Chain Management, Transparency & Accountability | SSRM Policy and Procedures | STA-01
Supply Chain Management, Transparency & Accountability | SSRM Supply Chain | STA-02
Supply Chain Management, Transparency & Accountability | SSRM Guidance | STA-03
Supply Chain Management, Transparency & Accountability | SSRM Control Ownership | STA-04
Supply Chain Management, Transparency & Accountability | SSRM Documentation Review | STA-05
Supply Chain Management, Transparency & Accountability | SSRM Control Implementation | STA-06
Supply Chain Management, Transparency & Accountability | Supply Chain Inventory | STA-07
Supply Chain Management, Transparency & Accountability | Supply Chain Risk Management | STA-08
Supply Chain Management, Transparency & Accountability | Primary Service and Contractual Agreement | STA-09
Supply Chain Management, Transparency & Accountability | Supply Chain Agreement Review | STA-10
Supply Chain Management, Transparency & Accountability | Internal Compliance Testing | STA-11
Supply Chain Management, Transparency & Accountability | Supply Chain Service Agreement Compliance | STA-12
Supply Chain Management, Transparency & Accountability | Supply Chain Governance Review | STA-13
Supply Chain Management, Transparency & Accountability | Supply Chain Data Security Assessment | STA-14

Threat and Vulnerability Management - TVM

Threat & Vulnerability Management | Threat and Vulnerability Management Policy and Procedures | TVM-01
Threat & Vulnerability Management | Malware Protection Policy and Procedures | TVM-02
Threat & Vulnerability Management | Vulnerability Remediation Schedule | TVM-03
Threat & Vulnerability Management | Detection Updates | TVM-04
Threat & Vulnerability Management | External Library Vulnerabilities | TVM-05
Threat & Vulnerability Management | Penetration Testing | TVM-06
Threat & Vulnerability Management | Vulnerability Identification | TVM-07
Threat & Vulnerability Management | Vulnerability Prioritization | TVM-08
Threat & Vulnerability Management | Vulnerability Management Reporting | TVM-09
Threat & Vulnerability Management | Vulnerability Management Metrics | TVM-10

Universal Endpoint Management - UEM

Universal Endpoint Management | Endpoint Devices Policy and Procedures | UEM-01
Universal Endpoint Management | Application and Service Approval | UEM-02
Universal Endpoint Management | Compatibility | UEM-03
Universal Endpoint Management | Endpoint Inventory | UEM-04
Universal Endpoint Management | Endpoint Management | UEM-05
Universal Endpoint Management | Automatic Lock Screen | UEM-06
Universal Endpoint Management | Operating Systems | UEM-07
Universal Endpoint Management | Storage Encryption | UEM-08
Universal Endpoint Management | Anti-Malware Detection and Prevention | UEM-09
Universal Endpoint Management | Software Firewall | UEM-10
Universal Endpoint Management | Data Loss Prevention | UEM-11
Universal Endpoint Management | Remote Locate | UEM-12
Universal Endpoint Management | Remote Wipe | UEM-13
Universal Endpoint Management | Third-Party Endpoint Security Posture | UEM-14

End of Standard
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print,
and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0” at http://www.cloudsecurityalliance.org subject to the
following: (a) the Cloud Controls Matrix v4.0 may be used solely for your personal, informational, non-commercial use; (b) the Cloud
Controls Matrix v4.0 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0 may not be redistributed; and (d) the
trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0 as permitted by
the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud
Controls Matrix Version 4.0. If you are interested in obtaining a license to this material for other usages not addressed in the copyright
notice, please contact info@cloudsecurityalliance.org.
VERSION 4.0

Typical Control Applicability and Ownership (CSP-Owned, CSC-Owned, Shared)

Updated Control Specification | IaaS | PaaS

Audit and Assurance - A&A

A&A-01 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

A&A-02 [IaaS: Shared | PaaS: Shared]
Conduct independent audit and assurance assessments according to relevant standards at least annually.

A&A-03 [IaaS: Shared | PaaS: Shared]
Perform independent audit and assurance assessments according to risk-based plans and policies.

A&A-04 [IaaS: Shared | PaaS: Shared]
Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.

A&A-05 [IaaS: Shared | PaaS: Shared]
Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

A&A-06 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.

Application and Interface Security - AIS

AIS-01 [IaaS: Shared | PaaS: CSC-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

AIS-02 [IaaS: Shared | PaaS: Shared]
Establish, document and maintain baseline requirements for securing different applications.

AIS-03 [IaaS: Shared | PaaS: Shared]
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

AIS-04 [IaaS: Shared | PaaS: Shared]
Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.

AIS-05 [IaaS: Shared | PaaS: Shared]
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.

AIS-06 [IaaS: Shared | PaaS: Shared]
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.

AIS-07 [IaaS: Shared | PaaS: Shared]
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

Business Continuity Management and Operational Resilience - BCR

BCR-01 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.

BCR-02 [IaaS: Shared | PaaS: Shared]
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.

BCR-03 [IaaS: Shared | PaaS: Shared]
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

BCR-04 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.

BCR-05 [IaaS: Shared | PaaS: Shared]
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.

BCR-06 [IaaS: Shared | PaaS: Shared]
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.

BCR-07 [IaaS: Shared | PaaS: Shared]
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.

BCR-08 [IaaS: Shared | PaaS: Shared]
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.

BCR-09 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.

BCR-10 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.

BCR-11 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.

Change Control and Configuration Management - CCC

CCC-01 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.

CCC-02 [IaaS: CSP-Owned | PaaS: Shared]
Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC-03 [IaaS: Shared | PaaS: Shared]
Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC-04 [IaaS: Shared | PaaS: Shared]
Restrict the unauthorized addition, removal, update, and management of organization assets.

CCC-05 [IaaS: CSP-Owned | PaaS: Shared]
Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

CCC-06 [IaaS: Shared | PaaS: Shared]
Establish change management baselines for all relevant authorized changes on organization assets.

CCC-07 [IaaS: CSP-Owned | PaaS: Shared]
Implement detection measures with proactive notification in case of changes deviating from the established baseline.

CCC-08 [IaaS: Shared | PaaS: Shared]
Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.

CCC-09 [IaaS: Shared | PaaS: Shared]
Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.

Cryptography, Encryption and Key Management - CEK

CEK-01 [IaaS: Shared | PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.

CEK-02 [IaaS: Shared | PaaS: Shared]
Define and implement cryptographic, encryption and key management roles and responsibilities.

CEK-03 [IaaS: Shared | PaaS: Shared]
Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

CEK-04 [IaaS: Shared | PaaS: Shared]
Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.

CEK-05 [IaaS: Shared | PaaS: Shared]
Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

CEK-06 [IaaS: Shared | PaaS: Shared]
Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.

CEK-07 [IaaS: Shared | PaaS: Shared]
Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.

CEK-08 [IaaS: Shared | PaaS: Shared]
CSPs must provide the capability for CSCs to manage their own data encryption keys.

CEK-09 [IaaS: Shared | PaaS: Shared]
Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).

CEK-10 [IaaS: Shared | PaaS: Shared]
Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.

CEK-11 [IaaS: Shared | PaaS: Shared]
Manage cryptographic secret and private keys that are provisioned for a unique purpose.

CEK-12 [IaaS: Shared | PaaS: Shared]
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.

CEK-13 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.

CEK-14 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.

CEK-15 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.

CEK-16 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.

CEK-17 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.

CEK-18 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.

CEK-19 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.

CEK-20 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.

CEK-21 [IaaS: Shared | PaaS: Shared]
Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.

Datacenter Security - DCS

DCS-01 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.

DCS-02 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.

DCS-03 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.

DCS-04 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.

DCS-05 [IaaS: Shared | PaaS: Shared]
Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk.

DCS-06 [IaaS: CSP-Owned | PaaS: Shared]
Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.

DCS-07 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.

DCS-08 [IaaS: CSP-Owned | PaaS: Shared]
Use equipment identification as a method for connection authentication.

DCS-09 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.

DCS-10 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.

DCS-11 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Train datacenter personnel to respond to unauthorized ingress or egress attempts.

DCS-12 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.

DCS-13 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.

DCS-14 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.

DCS-15 [IaaS: CSP-Owned | PaaS: CSP-Owned]
Keep business-critical equipment away from locations subject to high probability for environmental risk events.

Data Security and Privacy Lifecycle Management - DSP

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually. CSC-Owned CSC-Owned

Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means. Shared Shared

Create and maintain a data inventory, at least for any sensitive data and personal data. Shared Shared

Classify data according to its type and sensitivity level. CSC-Owned CSC-Owned

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. CSC-Owned CSC-Owned

Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually. CSC-Owned CSC-Owned

Develop systems, products, and business practices based upon a principle of security by design and industry best practices. Shared Shared

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations. CSC-Owned CSC-Owned

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations. CSC-Owned CSC-Owned

Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing. CSC-Owned CSC-Owned

Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments. CSC-Owned CSC-Owned

Data retention, archiving and deletion are managed in accordance with business requirements, applicable laws and regulations. CSC-Owned CSC-Owned

Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle. CSC-Owned CSC-Owned

The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation. CSC-Owned CSC-Owned

Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up. CSC-Owned CSC-Owned

Governance, Risk and Compliance - GRC

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually. Shared Shared

Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. Shared Shared

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization. Shared Shared

Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs. Shared Shared

Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM. Shared Shared

Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs. Shared Shared

Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization. Shared Shared

Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context. Shared Shared

Human Resources - HRS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually. Shared Shared

Establish and document procedures for the return of organization-owned assets by terminated employees. Shared Shared

Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment. Shared Shared

Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets. Shared Shared

The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies. Shared Shared

Document and communicate roles and responsibilities of employees, as they relate to information assets and security. Shared Shared

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates. Shared Shared

Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization. Shared Shared

Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. Shared Shared

Identity and Access Management - IAM

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. Shared Shared

Manage, store, and review the information of system identities, and level of access. Shared Shared

Employ the separation of duties principle when implementing information system access. Shared Shared

Employ the least privilege principle when implementing information system access. Shared Shared

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets. Shared Shared

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. Shared Shared

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance. Shared Shared

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated. Shared Shared

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. Shared Shared

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. Shared Shared

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. Shared Shared

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities. Shared Shared

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. Shared Shared

Interoperability and Portability - IPY

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually. CSC-Owned Shared

Provide application interface(s) to CSCs so that they can programmatically retrieve their data to enable interoperability and portability. CSC-Owned Shared

Implement cryptographically secure and standardized network protocols for the management, import and export of data. CSC-Owned Shared

Agreements must include provisions specifying CSCs' access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
CSC-Owned Shared

Infrastructure and Virtualization Security - IVS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually. CSP-Owned CSP-Owned

Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business. Shared CSP-Owned

Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls. CSP-Owned CSP-Owned

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline. CSP-Owned CSP-Owned

Separate production and non-production environments. CSP-Owned CSP-Owned

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants. CSP-Owned CSP-Owned

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols. Shared Shared

Identify and document high-risk environments. CSP-Owned CSP-Owned

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks. CSP-Owned CSP-Owned

Logging and Monitoring - LOG

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs. Shared Shared

Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics. CSC-Owned Shared

Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability. Shared Shared

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. Shared Shared

Use a reliable time source across all relevant information processing systems. Shared CSP-Owned

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. Shared Shared

Generate audit records containing relevant security information. Shared Shared

The information system protects audit records from unauthorized access, modification, and deletion. Shared Shared

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. Shared Shared

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. Shared Shared

Monitor and log physical access using an auditable access control system. CSP-Owned CSP-Owned

Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party. Shared Shared

Security Incident Management, E-Discovery, and Cloud Forensics - SEF

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted. Shared Shared

Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness. Shared Shared

Establish and monitor information security incident metrics. Shared Shared

Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events. Shared Shared

Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches, including any relevant supply chain breaches, as per applicable SLAs, laws and regulations. Shared Shared

Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities. Shared Shared

Supply Chain Management, Transparency, and Accountability - STA

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually. Shared Shared

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering. Shared Shared

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain. CSP-Owned CSP-Owned

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering. CSP-Owned CSP-Owned

Review and validate SSRM documentation for all cloud service offerings the organization uses. Shared Shared

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for. Shared Shared

Develop and maintain an inventory of all supply chain relationships. Shared Shared

CSPs periodically review risk factors associated with all organizations within their supply chain. Shared Shared

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Shared Shared

Review supply chain agreements between CSPs and CSCs at least annually. Shared Shared

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually. Shared Shared

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards. Shared Shared

Periodically review the organization's supply chain partners' IT governance policies and procedures. Shared Shared

Define and implement a process for conducting security assessments periodically for all organizations within the supply chain. Shared Shared

Threat and Vulnerability Management - TVM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually. Shared Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. Shared Shared

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy. Shared Shared

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties. Shared Shared

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly. Shared Shared

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework. Shared Shared

Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. Shared Shared

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals. Shared Shared
Universal Endpoint Management - UEM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually. Shared Shared

Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data. Shared Shared

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications. CSC-Owned Shared

Maintain an inventory of all endpoints used to store and access company data. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data. CSC-Owned CSC-Owned

Configure all relevant interactive-use endpoints to require an automatic lock screen. CSC-Owned CSC-Owned

Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes. CSC-Owned Shared

Protect information from unauthorized disclosure on managed endpoint devices with storage encryption. CSC-Owned CSC-Owned

Configure managed endpoints with anti-malware detection and prevention technology and services. CSC-Owned CSC-Owned

Configure managed endpoints with properly configured software firewalls. CSC-Owned CSC-Owned

Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment. CSC-Owned CSC-Owned

Enable remote geo-location capabilities for all managed mobile endpoints. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices. CSC-Owned CSC-Owned

Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets. CSC-Owned CSC-Owned

End of Standard

[Copyright and usage notice of the Cloud Security Alliance for the Cloud Controls Matrix (CCM) Version 4.0, truncated in extraction: personal, informational, non-commercial use only; no modification or redistribution; quotation permitted with attribution to the Cloud Security Alliance; licensing for other uses via http://www.cloudsecurityalliance.org.]
[Remaining spreadsheet columns, spilled here as bare rows of 1/0 flags without their control IDs and therefore not attributable to individual controls: Typical Applicability and Ownership (CSP-Owned, CSC-Owned, Shared) for SaaS (the two ownership values following each control specification above are the IaaS and PaaS columns of the same table); Architectural Relevance - Cloud Stack Components (Phys, Network, Compute, Storage, App); Organizational Relevance (Architecture Team, Data, Cybersecurity, Internal Audit, SW Development, Operations, Supply Chain Management, Legal/Privacy, GRC Team, HR).]
CLOUD CONTROLS MATRIX VERSION 4.0

Control Domain | Control Title | Control ID

Audit & Assurance - A&A
Audit & Assurance | Audit and Assurance Policy and Procedures | A&A-01
Audit & Assurance | Independent Assessments | A&A-02
Audit & Assurance | Risk Based Planning Assessment | A&A-03
Audit & Assurance | Requirements Compliance | A&A-04
Audit & Assurance | Audit Management Process | A&A-05
Audit & Assurance | Remediation | A&A-06

Application & Interface Security - AIS
Application & Interface Security | Application and Interface Security Policy and Procedures | AIS-01
Application & Interface Security | Application Security Baseline Requirements | AIS-02
Application & Interface Security | Application Security Metrics | AIS-03
Application & Interface Security | Secure Application Design and Development | AIS-04
Application & Interface Security | Automated Application Security Testing | AIS-05
Application & Interface Security | Automated Secure Application Deployment | AIS-06
Application & Interface Security | Application Vulnerability Remediation | AIS-07

Business Continuity Management and Operational Resilience - BCR
Business Continuity Management & Operational Resilience | Business Continuity Management Policy and Procedures | BCR-01
Business Continuity Management & Operational Resilience | Risk Assessment and Impact Analysis | BCR-02
Business Continuity Management & Operational Resilience | Business Continuity Strategy | BCR-03
Business Continuity Management & Operational Resilience | Business Continuity Planning | BCR-04
Business Continuity Management & Operational Resilience | Documentation | BCR-05
Business Continuity Management & Operational Resilience | Business Continuity Exercises | BCR-06
Business Continuity Management & Operational Resilience | Communication | BCR-07
Business Continuity Management & Operational Resilience | Backup | BCR-08
Business Continuity Management & Operational Resilience | Disaster Response Plan | BCR-09
Business Continuity Management & Operational Resilience | Response Plan Exercise | BCR-10
Business Continuity Management & Operational Resilience | Equipment Redundancy | BCR-11

Change Control and Configuration Management - CCC
Change Control & Configuration Management | Change Management Policy and Procedures | CCC-01
Change Control & Configuration Management | Quality Testing | CCC-02
Change Control & Configuration Management | Change Management Technology | CCC-03
Change Control & Configuration Management | Unauthorized Change Protection | CCC-04
Change Control & Configuration Management | Change Agreements | CCC-05
Change Control & Configuration Management | Change Management Baseline | CCC-06
Change Control & Configuration Management | Detection of Baseline Deviation | CCC-07
Change Control & Configuration Management | Exception Management | CCC-08
Change Control & Configuration Management | Change Restoration | CCC-09

Cryptography, Encryption & Key Management - CEK
Cryptography, Encryption & Key Management | Encryption and Key Management Policy and Procedures | CEK-01
Cryptography, Encryption & Key Management | CEK Roles and Responsibilities | CEK-02
Cryptography, Encryption & Key Management | Data Encryption | CEK-03
Cryptography, Encryption & Key Management | Encryption Algorithm | CEK-04
Cryptography, Encryption & Key Management | Encryption Change Management | CEK-05
Cryptography, Encryption & Key Management | Encryption Change Cost Benefit Analysis | CEK-06
Cryptography, Encryption & Key Management | Encryption Risk Management | CEK-07
Cryptography, Encryption & Key Management | CSC Key Management Capability | CEK-08
Cryptography, Encryption & Key Management | Encryption and Key Management Audit | CEK-09
Cryptography, Encryption & Key Management | Key Generation | CEK-10
Cryptography, Encryption & Key Management | Key Purpose | CEK-11
Cryptography, Encryption & Key Management | Key Rotation | CEK-12
Cryptography, Encryption & Key Management | Key Revocation | CEK-13
Cryptography, Encryption & Key Management | Key Destruction | CEK-14
Cryptography, Encryption & Key Management | Key Activation | CEK-15
Cryptography, Encryption & Key Management | Key Suspension | CEK-16
Cryptography, Encryption & Key Management | Key Deactivation | CEK-17
Cryptography, Encryption & Key Management | Key Archival | CEK-18
Cryptography, Encryption & Key Management | Key Compromise | CEK-19
Cryptography, Encryption & Key Management | Key Recovery | CEK-20
Cryptography, Encryption & Key Management | Key Inventory Management | CEK-21

Datacenter Security - DCS
Datacenter Security | Off-Site Equipment Disposal Policy and Procedures | DCS-01
Datacenter Security | Off-Site Transfer Authorization Policy and Procedures | DCS-02
Datacenter Security | Secure Area Policy and Procedures | DCS-03
Datacenter Security | Secure Media Transportation Policy and Procedures | DCS-04
Datacenter Security | Assets Classification | DCS-05
Datacenter Security | Assets Cataloguing and Tracking | DCS-06
Datacenter Security | Controlled Access Points | DCS-07
Datacenter Security | Equipment Identification | DCS-08
Datacenter Security | Secure Area Authorization | DCS-09
Datacenter Security | Surveillance System | DCS-10
Datacenter Security | Unauthorized Access Response Training | DCS-11
Datacenter Security | Cabling Security | DCS-12
Datacenter Security | Environmental Systems | DCS-13
Datacenter Security | Secure Utilities | DCS-14
Datacenter Security | Equipment Location | DCS-15

Data Security and Privacy Lifecycle Management - DSP
Data Security & Privacy Lifecycle Management | Security and Privacy Policy and Procedures | DSP-01
Data Security & Privacy Lifecycle Management | Secure Disposal | DSP-02
Data Security & Privacy Lifecycle Management | Data Inventory | DSP-03
Data Security & Privacy Lifecycle Management | Data Classification | DSP-04
Data Security & Privacy Lifecycle Management | Data Flow Documentation | DSP-05
Data Security & Privacy Lifecycle Management | Data Ownership and Stewardship | DSP-06
Data Security & Privacy Lifecycle Management | Data Protection by Design and Default | DSP-07
Data Security & Privacy Lifecycle Management | Data Privacy by Design and Default | DSP-08
Data Security & Privacy Lifecycle Management | Data Protection Impact Assessment | DSP-09
Data Security & Privacy Lifecycle Management | Sensitive Data Transfer | DSP-10
Data Security & Privacy Lifecycle Management | Personal Data Access, Reversal, Rectification and Deletion | DSP-11
Data Security & Privacy Lifecycle Management | Limitation of Purpose in Personal Data Processing | DSP-12
Data Security & Privacy Lifecycle Management | Personal Data Sub-processing | DSP-13
Data Security & Privacy Lifecycle Management | Disclosure of Data Sub-processors | DSP-14
Data Security & Privacy Lifecycle Management | Limitation of Production Data Use | DSP-15
Data Security & Privacy Lifecycle Management | Data Retention and Deletion | DSP-16
Data Security & Privacy Lifecycle Management | Sensitive Data Protection | DSP-17
Data Security & Privacy Lifecycle Management | Disclosure Notification | DSP-18
Data Security & Privacy Lifecycle Management | Data Location | DSP-19

Governance, Risk and Compliance - GRC
Governance, Risk Management & Compliance | Governance Program Policy and Procedures | GRC-01
Governance, Risk Management & Compliance | Risk Management Program | GRC-02
Governance, Risk Management & Compliance | Organizational Policy Reviews | GRC-03
Governance, Risk Management & Compliance | Policy Exception Process | GRC-04
Governance, Risk Management & Compliance | Information Security Program | GRC-05
Governance, Risk Management & Compliance | Governance Responsibility Model | GRC-06
Governance, Risk Management & Compliance | Information System Regulatory Mapping | GRC-07
Governance, Risk Management & Compliance | Special Interest Groups | GRC-08

Human Resources - HRS
Human Resources | Background Screening Policy and Procedures | HRS-01
Human Resources | Acceptable Use of Technology Policy and Procedures | HRS-02
Human Resources | Clean Desk Policy and Procedures | HRS-03
Human Resources | Remote and Home Working Policy and Procedures | HRS-04
Human Resources | Asset returns | HRS-05
Human Resources | Employment Termination | HRS-06
Human Resources | Employment Agreement Process | HRS-07
Human Resources | Employment Agreement Content | HRS-08
Human Resources | Personnel Roles and Responsibilities | HRS-09
Human Resources | Non-Disclosure Agreements | HRS-10
Human Resources | Security Awareness Training | HRS-11
Human Resources | Personal and Sensitive Data Awareness and Training | HRS-12
Human Resources | Compliance User Responsibility | HRS-13

Identity & Access Management - IAM
Identity & Access Management | Identity and Access Management Policy and Procedures | IAM-01
Identity & Access Management | Strong Password Policy and Procedures | IAM-02
Identity & Access Management | Identity Inventory | IAM-03
Identity & Access Management | Separation of Duties | IAM-04
Identity & Access Management | Least Privilege | IAM-05
Identity & Access Management | User Access Provisioning | IAM-06
Identity & Access Management | User Access Changes and Revocation | IAM-07
Identity & Access Management | User Access Review | IAM-08
Identity & Access Management | Segregation of Privileged Access Roles | IAM-09
Identity & Access Management | Management of Privileged Access Roles | IAM-10
Identity & Access Management | CSCs Approval for Agreed Privileged Access Roles | IAM-11
Identity & Access Management | Safeguard Logs Integrity | IAM-12
Identity & Access Management | Uniquely Identifiable Users | IAM-13
Identity & Access Management | Strong Authentication | IAM-14
Identity & Access Management | Passwords Management | IAM-15
Identity & Access Management | Authorization Mechanisms | IAM-16

Interoperability & Portability - IPY
Interoperability & Portability | Interoperability and Portability Policy and Procedures | IPY-01
Interoperability & Portability | Application Interface Availability | IPY-02
Interoperability & Portability | Secure Interoperability and Portability Management | IPY-03
Interoperability & Portability | Data Portability Contractual Obligations | IPY-04

Infrastructure & Virtualization Security - IVS
Infrastructure & Virtualization Security | Infrastructure and Virtualization Security Policy and Procedures | IVS-01
Infrastructure & Virtualization Security | Capacity and Resource Planning | IVS-02
Infrastructure & Virtualization Security | Network Security | IVS-03
Infrastructure & Virtualization Security | OS Hardening and Base Controls | IVS-04
Infrastructure & Virtualization Security | Production and Non-Production Environments | IVS-05
Infrastructure & Virtualization Security | Segmentation and Segregation | IVS-06
Infrastructure & Virtualization Security | Migration to Cloud Environments | IVS-07
Infrastructure & Virtualization Security | Network Architecture Documentation | IVS-08
Infrastructure & Virtualization Security | Network Defense | IVS-09

Logging and Monitoring - LOG
Logging & Monitoring | Logging and Monitoring Policy and Procedures | LOG-01
Logging & Monitoring | Audit Logs Protection | LOG-02
Logging & Monitoring | Security Monitoring and Alerting | LOG-03
Logging & Monitoring | Audit Logs Access and Accountability | LOG-04
Logging & Monitoring | Audit Logs Monitoring and Response | LOG-05
Logging & Monitoring | Clock Synchronization | LOG-06
Logging & Monitoring | Logging Scope | LOG-07
Logging & Monitoring | Log Records | LOG-08
Logging & Monitoring | Log Protection | LOG-09
Logging & Monitoring | Encryption Monitoring and Reporting | LOG-10
Logging & Monitoring | Transaction/Activity Logging | LOG-11
Logging & Monitoring | Access Control Logs | LOG-12
Logging & Monitoring | Failures and Anomalies Reporting | LOG-13

Security Incident Management, E-Discovery, & Cloud Forensics - SEF
Security Incident Management, E-Discovery, & Cloud Forensics | Security Incident Management Policy and Procedures | SEF-01
Security Incident Management, E-Discovery, & Cloud Forensics | Service Management Policy and Procedures | SEF-02
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Plans | SEF-03
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Testing | SEF-04
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Metrics | SEF-05
Security Incident Management, E-Discovery, & Cloud Forensics | Event Triage Processes | SEF-06
Security Incident Management, E-Discovery, & Cloud Forensics | Security Breach Notification | SEF-07
Security Incident Management, E-Discovery, & Cloud Forensics | Points of Contact Maintenance | SEF-08

Supply Chain Management, Transparency, and Accountability - STA
Supply Chain Management, Transparency & Accountability | SSRM Policy and Procedures | STA-01
Supply Chain Management, Transparency & Accountability | SSRM Supply Chain | STA-02
Supply Chain Management, Transparency & Accountability | SSRM Guidance | STA-03
Supply Chain Management, Transparency & Accountability | SSRM Control Ownership | STA-04
Supply Chain Management, Transparency & Accountability | SSRM Documentation Review | STA-05
Supply Chain Management, Transparency & Accountability | SSRM Control Implementation | STA-06
Supply Chain Management, Transparency & Accountability | Supply Chain Inventory | STA-07
Supply Chain Management, Transparency & Accountability | Supply Chain Risk Management | STA-08
Supply Chain Management, Transparency & Accountability | Primary Service and Contractual Agreement | STA-09
Supply Chain Management, Transparency & Accountability | Supply Chain Agreement Review | STA-10
Supply Chain Management, Transparency & Accountability | Internal Compliance Testing | STA-11
Supply Chain Management, Transparency & Accountability | Supply Chain Service Agreement Compliance | STA-12
Supply Chain Management, Transparency & Accountability | Supply Chain Governance Review | STA-13
Supply Chain Management, Transparency & Accountability | Supply Chain Data Security Assessment | STA-14

Threat & Vulnerability Management - TVM
Threat & Vulnerability Management | Threat and Vulnerability Management Policy and Procedures | TVM-01
Threat & Vulnerability Management | Malware Protection Policy and Procedures | TVM-02
Threat & Vulnerability Management | Vulnerability Remediation Schedule | TVM-03
Threat & Vulnerability Management | Detection Updates | TVM-04
Threat & Vulnerability Management | External Library Vulnerabilities | TVM-05
Threat & Vulnerability Management | Penetration Testing | TVM-06
Threat & Vulnerability Management | Vulnerability Identification | TVM-07
Threat & Vulnerability Management | Vulnerability Prioritization | TVM-08
Threat & Vulnerability Management | Vulnerability Management Reporting | TVM-09
Threat & Vulnerability Management | Vulnerability Management Metrics | TVM-10

Universal Endpoint Management - UEM
Universal Endpoint Management | Endpoint Devices Policy and Procedures | UEM-01
Universal Endpoint Management | Application and Service Approval | UEM-02
Universal Endpoint Management | Compatibility | UEM-03
Universal Endpoint Management | Endpoint Inventory | UEM-04
Universal Endpoint Management | Endpoint Management | UEM-05
Universal Endpoint Management | Automatic Lock Screen | UEM-06
Universal Endpoint Management | Operating Systems | UEM-07
Universal Endpoint Management | Storage Encryption | UEM-08
Universal Endpoint Management | Anti-Malware Detection and Prevention | UEM-09
Universal Endpoint Management | Software Firewall | UEM-10
Universal Endpoint Management | Data Loss Prevention | UEM-11
Universal Endpoint Management | Remote Locate | UEM-12
Universal Endpoint Management | Remote Wipe | UEM-13
Universal Endpoint Management | Third-Party Endpoint Security Posture | UEM-14

End of Standard
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
VERSION 4.0

CCM v3.0.1
Updated Control Specification
Controls Mapping Gap Level

Audit & Assurance - A&A


Establish, document, approve, communicate, apply, evaluate and maintain audit and
assurance policies and procedures and standards. Review and update the policies and GRM-06
procedures at least annually. Partial Gap
GRM-09

Conduct independent audit and assurance assessments according to relevant standards


at least annually.
AAC-02 No Gap

Perform independent audit and assurance assessments according to risk-based plans


and policies. AAC-01
No Gap
AAC-02
Verify compliance with all relevant standards, regulations, legal/contractual, and
statutory requirements applicable to the audit. GRM-01
No Gap
GRM-03
Define and implement an Audit Management process to support audit planning, risk
analysis, security control assessment, conclusion, remediation schedules, report
generation, and review of past reports and supporting evidence. AAC-01 Partial Gap

Establish, document, approve, communicate, apply, evaluate and maintain a risk-based


corrective action plan to remediate audit findings, review and report remediation status GRM-10
to relevant stakeholders. Partial Gap
GRM-11

lication & Interface Security - AIS


Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for application security to provide guidance to the appropriate planning,
delivery and support of the organization's application security capabilities. Review and
update the policies and procedures at least annually. AIS-01
Partial Gap
AIS-04

Establish, document and maintain baseline requirements for securing different


applications. AIS-01 No Gap

Define and implement technical and operational metrics in alignment with business
objectives, security requirements, and compliance obligations. No Mapping Full Gap
Define and implement a SDLC process for application design, development,
deployment, and operation in accordance with security requirements defined by the
AIS-01
organization. Partial Gap
AIS-03

Implement a testing strategy, including criteria for acceptance of new information


systems, upgrades and new versions, which provides application security assurance and AIS-01
maintains compliance while enabling organizational speed of delivery goals. Automate Partial Gap
when applicable and possible.
AIS-03

Establish and implement strategies and capabilities for secure, standardized, and
compliant application deployment. Automate where possible. AIS-01
Partial Gap
AIS-03
Define and implement a process to remediate application security vulnerabilities,
automating remediation when possible. TVM-02 Partial Gap

y Management and Operational Resilience - BCR


Establish, document, approve, communicate, apply, evaluate and maintain business BCR-07
continuity management and operational resilience policies and procedures. Review and BCR-10
update the policies and procedures at least annually. BCR-11 Partial Gap
GRM-06
GRM-09
Determine the impact of business disruptions and risks to establish criteria for
developing business continuity and operational resilience strategies and capabilities. BCR-09 No Gap
BCR-04
Establish strategies to reduce the impact of, withstand, and recover from business BCR-06
disruptions within risk appetite. BCR-08 No Gap
BCR-09
Establish, document, approve, communicate, apply, evaluate and maintain a business BCR-10
continuity plan based on the results of the operational resilience strategies and
capabilities. BCR-01 No Gap

Develop, identify, and acquire documentation that is relevant to support the business BCR-01
continuity and operational resilience programs. Make the documentation available to
authorized stakeholders and review periodically. BCR-04 No Gap

Exercise and test business continuity and operational resilience plans at least annually
or upon significant changes. BCR-02 Partial Gap
Establish communication with stakeholders and participants in the course of business
BCR-01
continuity and resilience procedures. No Gap
BCR-02
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and
availability of the backup, and verify data restoration from backup for resiliency. BCR-11 Partial Gap

Establish, document, approve, communicate, apply, evaluate and maintain a disaster


response plan to recover from natural and man-made disasters. Update the plan at least
annually or upon significant changes. No Mapping Full Gap

Exercise the disaster response plan annually or upon significant changes, including if
possible local emergency authorities. No Mapping Full Gap

Supplement business-critical equipment with redundant equipment independently


located at a reasonable minimum distance in accordance with applicable industry
standards. BCR-06 No Gap

trol and Configuration Management - CCC


Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for managing the risks associated with applying changes to organization CCC-05
assets, including application, systems, infrastructure, configuration, etc., regardless of
whether the assets are managed internally or externally (i.e., outsourced). Review and GRM-06 Partial Gap
update the policies and procedures at least annually. GRM-09
Follow a defined quality change control, approval and testing process with established
baselines, testing, and release standards.
CCC-03 No Gap

Manage the risks associated with applying changes to organization assets, including
application, systems, infrastructure, configuration, etc., regardless of whether the assets CCC-05 Partial Gap
are managed internally or externally (i.e., outsourced).

Restrict the unauthorized addition, removal, update, and management of organization


assets. CCC-04 Partial Gap
Include provisions limiting changes directly impacting CSCs owned
environments/tenants to explicitly authorized requests within service level agreements
between CSPs and CSCs. CCC-05 No Gap

Establish change management baselines for all relevant authorized changes on


organization assets. No Mapping Full Gap

Implement detection measures with proactive notification in case of changes deviating


from the established baseline. GRM-01 Partial Gap

Implement a procedure for the management of exceptions, including emergencies, in the


change and configuration process. Align the procedure with the requirements of GRC-
04: Policy Exception Process. No Mapping Full Gap

Define and implement a process to proactively roll back changes to a previous known
good state in case of errors or security concerns. No Mapping Full Gap

hy, Encryption & Key Management - CEK


Establish, document, approve, communicate, apply, evaluate and maintain policies and EKM-01
procedures for Cryptography, Encryption and Key Management. Review and update the EKM-02
policies and procedures at least annually. EKM-03
Partial Gap
GRM-06
GRM-09
Define and implement cryptographic, encryption and key management roles and
responsibilities. No Mapping Full Gap
Provide cryptographic protection to data at-rest and in-transit, using cryptographic EKM-03
libraries certified to approved standards. No Gap
EKM-04
Use encryption algorithms that are appropriate for data protection, considering the
classification of data, associated risks, and usability of the encryption technology. EKM-04 Partial Gap

Establish a standard change management procedure, to accommodate changes from


internal and external sources, for review, approval, implementation and communication
of cryptographic, encryption and key management technology changes. EKM-02 Partial Gap

Manage and adopt changes to cryptography-, encryption-, and key management-related


systems (including policies and procedures) that fully account for downstream effects of
proposed changes, including residual risk, cost, and benefits analysis. No Mapping Full Gap

Establish and maintain an encryption and key management risk program that includes
provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. No Mapping Full Gap

CSPs must provide the capability for CSCs to manage their own data encryption keys.
No Mapping Full Gap
Audit encryption and key management systems, policies, and processes with a
frequency that is proportional to the risk exposure of the system with audit occurring
preferably continuously but at least annually and after any security event(s). No Mapping Full Gap

Generate Cryptographic keys using industry accepted cryptographic libraries specifying


the algorithm strength and the random number generator used. EKM-04 Partial Gap

Manage cryptographic secret and private keys that are provisioned for a unique
purpose. No Mapping Full Gap
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which
includes provisions for considering the risk of information disclosure and legal and
regulatory requirements. No Mapping Full Gap

Define, implement and evaluate processes, procedures and technical measures to


revoke and remove cryptographic keys prior to the end of its established cryptoperiod,
when a key is compromised, or an entity is no longer part of the organization, which No Mapping Full Gap
include provisions for legal and regulatory requirements.
Define, implement and evaluate processes, procedures and technical measures to
destroy keys stored outside a secure environment and revoke keys stored in Hardware
Security Modules (HSMs) when they are no longer needed, which include provisions for
legal and regulatory requirements.
No Mapping Full Gap

Define, implement and evaluate processes, procedures and technical measures to


create keys in a pre-activated state when they have been generated but not authorized No Mapping Full Gap
for use, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to


monitor, review and approve key transitions from any state to/from suspension, which
include provisions for legal and regulatory requirements. No Mapping Full Gap

Define, implement and evaluate processes, procedures and technical measures to


deactivate keys at the time of their expiration date, which include provisions for legal and
regulatory requirements. No Mapping Full Gap

Define, implement and evaluate processes, procedures and technical measures to


manage archived keys in a secure repository requiring least privilege access, which
include provisions for legal and regulatory requirements. No Mapping Full Gap

Define, implement and evaluate processes, procedures and technical measures to use
compromised keys to encrypt information only in controlled circumstances, and
thereafter exclusively for decrypting data and never for encrypting data, which include No Mapping Full Gap
provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to


assess the risk to operational continuity versus the risk of the keying material and the
information it protects being exposed if control of the keying material is lost, which No Mapping Full Gap
include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures in order
for the key management system to track and report all cryptographic materials and
changes in status, which include provisions for legal and regulatory requirements. No Mapping Full Gap

Datacenter Security - DCS


Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the secure disposal of equipment used outside the organization's DCS-05
premises. If the equipment is not physically destroyed a data destruction procedure that
renders recovery of information impossible must be applied. Review and update the
GRM-06 Partial Gap
policies and procedures at least annually. GRM-09

Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the relocation or transfer of hardware, software, or data/information to an DCS-04
offsite or alternate location. The relocation or transfer request requires the written or
cryptographically verifiable authorization. Review and update the policies and
GRM-06 Partial Gap
procedures at least annually. GRM-09

Establish, document, approve, communicate, apply, evaluate and maintain policies and DCS-06
procedures for maintaining a safe and secure working environment in offices, rooms,
and facilities. Review and update the policies and procedures at least annually.
GRM-06 Partial Gap
GRM-09
Establish, document, approve, communicate, apply, evaluate and maintain policies and
Control specification | CCMv3.0.1 mapping | Gap level

... procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually. | GRM-06, GRM-09 | Partial Gap
Classify and document the physical and logical assets (e.g., applications) based on the organizational business risk. | DCS-01 | No Gap
Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. | DCS-01 | No Gap
Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas. | DCS-02, DCS-08 | No Gap
Use equipment identification as a method for connection authentication. | DCS-03 | No Gap
Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization. | DCS-07, DCS-09 | Partial Gap
Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts. | DCS-02, DCS-07, DCS-08 | Partial Gap
Train datacenter personnel to respond to unauthorized ingress or egress attempts. | HRS-09 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms. | BCR-03 | Partial Gap
Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards. | BCR-03 | Partial Gap
Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals. | BCR-03 | No Gap
Keep business-critical equipment away from locations subject to high probability for environmental risk events. | BCR-06 | No Gap

Data Security and Privacy Lifecycle Management - DSP

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually. | DSI-04, GRM-06, GRM-09 | Partial Gap
Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means. | DSI-07 | Partial Gap
Create and maintain a data inventory, at least for any sensitive data and personal data. | No Mapping | Full Gap
Classify data according to its type and sensitivity level. | DSI-01 | No Gap
Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. | DSI-02 | Partial Gap
Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually. | DSI-06 | Partial Gap
Develop systems, products, and business practices based upon a principle of security by design and industry best practices. | No Mapping | Full Gap
Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations. | No Mapping | Full Gap
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations. | GRM-02, EKM-03 | Partial Gap
Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing. | No Mapping | Full Gap
Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments. | DSI-05 | No Gap
Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations. | GRM-02, BCR-11 | No Gap
Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle. | No Mapping | Full Gap
The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation. | No Mapping | Full Gap
Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up. | No Mapping | Full Gap

Governance, Risk and Compliance - GRC

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually. | GRM-06, GRM-09 | Partial Gap
Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. | GRM-08, GRM-10, GRM-11 | Partial Gap
Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization. | GRM-09 | No Gap
Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs. | GRM-01 | Partial Gap
Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM. | GRM-04 | Partial Gap
Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs. | No Mapping | Full Gap
Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization. | AAC-03 | No Gap
Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context. | No Mapping | Full Gap

Human Resources - HRS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually. | HRS-02, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually. | HRS-08, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually. | HRS-11, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually. | GRM-06, GRM-09 | Partial Gap
Establish and document procedures for the return of organization-owned assets by terminated employees. | HRS-01 | Partial Gap
Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment. | HRS-04 | No Gap
Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets. | HRS-03 | No Gap
The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies. | HRS-03 | No Gap
Document and communicate roles and responsibilities of employees, as they relate to information assets and security. | HRS-07, HRS-10 | No Gap
Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details. | HRS-06 | No Gap
Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates. | HRS-09, HRS-10 | Partial Gap
Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization. | HRS-09, HRS-10 | Partial Gap
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. | HRS-10 | No Gap

Identity & Access Management - IAM

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually. | IAM-02, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. | IAM-02, IAM-12, GRM-06, GRM-09 | Partial Gap
Manage, store, and review the information of system identities, and level of access. | IAM-04, IAM-10 | Partial Gap
Employ the separation of duties principle when implementing information system access. | IAM-05 | No Gap
Employ the least privilege principle when implementing information system access. | IAM-02, IAM-06 | No Gap
Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets. | IAM-09 | No Gap
De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. | IAM-11 | No Gap
Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance. | IAM-10 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated. | No Mapping | Full Gap
Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access. | No Mapping | Full Gap
Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities. | IAM-02, IAM-05 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized. | IAM-02 | No Gap

Interoperability & Portability - IPY

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually. | IPY-03, GRM-06, GRM-09 | Partial Gap
Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability. | No Mapping | Full Gap
Implement cryptographically secure and standardized network protocols for the management, import and export of data. | IPY-04 | No Gap
Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy | No Mapping | Full Gap

Infrastructure & Virtualization Security - IVS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually. | GRM-06, GRM-09 | Partial Gap
Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business. | IVS-04 | No Gap
Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls. | IVS-06 | No Gap
Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline. | IVS-07 | Partial Gap
Separate production and non-production environments. | IVS-08 | No Gap
Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants. | IVS-09 | No Gap
Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols. | IVS-10 | Partial Gap
Identify and document high-risk environments. | IVS-13 | No Gap
Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks. | IVS-13 | No Gap

Logging and Monitoring - LOG

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually. | GRM-06, GRM-09 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs. | IVS-01 | Partial Gap
Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics. | SEF-03, SEF-05 | Partial Gap
Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability. | IVS-01 | Partial Gap
Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. | No Mapping | Full Gap
Use a reliable time source across all relevant information processing systems. | IVS-03 | No Gap
Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. | No Mapping | Full Gap
Generate audit records containing relevant security information. | No Mapping | Full Gap
The information system protects audit records from unauthorized access, modification, and deletion. | GRM-04, IVS-01 | Partial Gap
Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. | EKM-02, EKM-03 | Partial Gap
Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. | EKM-02 | Partial Gap
Monitor and log physical access using an auditable access control system. | DCS-08 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party. | SEF-03 | Partial Gap

Security Incident Management, E-Discovery, & Cloud Forensics - SEF

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually. | SEF-02, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually. | SEF-02, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted. | BCR-02 | Partial Gap
Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness. | BCR-02 | No Gap
Establish and monitor information security incident metrics. | SEF-05 | No Gap
Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events. | SEF-02 | No Gap
Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations. | SEF-04, STA-05 | Partial Gap
Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities. | SEF-01 | No Gap

Supply Chain Management, Transparency, and Accountability - STA

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually. | No Mapping | Full Gap
Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering. | No Mapping | Full Gap
Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain. | No Mapping | Full Gap
Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering. | No Mapping | Full Gap
Review and validate SSRM documentation for all cloud service offerings the organization uses. | No Mapping | Full Gap
Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for. | No Mapping | Full Gap
Develop and maintain an inventory of all supply chain relationships. | No Mapping | Full Gap
CSPs periodically review risk factors associated with all organizations within their supply chain. | STA-06, STA-08 | No Gap
Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy | STA-05 | Partial Gap
Review supply chain agreements between CSPs and CSCs at least annually. | STA-07 | No Gap
Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually. | STA-04 | No Gap
Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards. | STA-09 | Partial Gap
Periodically review the organization's supply chain partners' IT governance policies and procedures. | STA-06 | No Gap
Define and implement a process for conducting security assessments periodically for all organizations within the supply chain. | STA-08 | No Gap

Threat & Vulnerability Management - TVM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually. | TVM-02, GRM-06, GRM-09 | Partial Gap
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually. | TVM-01, GRM-06, GRM-09 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk. | TVM-02 | No Gap
Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties. | TVM-02 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly. | TVM-02 | Partial Gap
Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework. | TVM-02 | Partial Gap
Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. | TVM-02 | No Gap
Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals. | No Mapping | Full Gap

Universal Endpoint Management - UEM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually. | GRM-06, GRM-09, MOS-02, MOS-03, MOS-04, MOS-08, MOS-11, MOS-12, MOS-13 | Partial Gap
Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data. | MOS-03, MOS-04, MOS-06, MOS-16, MOS-17, MOS-20 | Partial Gap
Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications. | MOS-07 | Partial Gap
Maintain an inventory of all endpoints used to store and access company data. | MOS-09 | Partial Gap
Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data. | MOS-10 | Partial Gap
Configure all relevant interactive-use endpoints to require an automatic lock screen. | MOS-14 | Partial Gap
Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes. | MOS-15 | Partial Gap
Protect information from unauthorized disclosure on managed endpoint devices with storage encryption. | MOS-11 | Partial Gap
Configure managed endpoints with anti-malware detection and prevention technology and services. | No Mapping | Full Gap
Configure managed endpoints with properly configured software firewalls. | No Mapping | Full Gap
Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment. | No Mapping | Full Gap
Enable remote geo-location capabilities for all managed mobile endpoints. | No Mapping | Full Gap
Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices. | MOS-18 | Partial Gap
Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets. | No Mapping | Full Gap

End of Standard | End of Mapping


rights reserved. You may download, store, display on your computer, view, print,
ls Matrix (CCM) Version 4.0” at http://www.cloudsecurityalliance.org subject to the
used solely for your personal, informational, non-commercial use; (b) the Cloud
n any way; (c) the Cloud Controls Matrix v4.0 may not be redistributed; and (d) the
moved. You may quote portions of the Cloud Controls Matrix v4.0 as permitted by
ht Act, provided that you attribute the portions to the Cloud Security Alliance Cloud
btaining a license to this material for other usages not addresses in the copyright
g.
CCM v3.0.1 ISO/IEC 27001/02/17/18

Addenda Controls Mapping Gap Level

Missing specification(s) in CCMv3.0.1:


'apply and evaluate audit and assurance policies,
procedures and standards' 27001: 9.2 Partial Gap
Requirement of 'at least annually' in last sentence.

27001: A.18.2.1
N/A Partial Gap
27002: 18.2.1
27001: A.18.2.1
N/A 27002: 18.2.1 No Gap
27018: 18.2.1
27001: A.18.2.2
27002: 18.2.2
N/A specification to be
Recommend the full V4 control No Gap
used to close the gap. 27001: A.18.2.3
Portion in the mapped control(s) contributing to the 27002: 18.2.3
partial gap, that is, covering in part the V4 control: 27001: 9.2.c
(AAC-01) 'Audit plans shall be developed' and 27001: A.18.2.2 No Gap
'Auditing plans shall focus on reviewing the 27002: 18.2.2
effectiveness of the implementation of security
operations'.
Missing specification(s) in CCMv3.0.1:
'Establish, document, approve, communicate, apply, 27001: A.18.2.2
Partial Gap
evaluate and maintain a risk-based corrective action 27002: 18.2.2
plan'
Missing specification(s) in CCMv3.0.1: 27001: A.14.2.1
'apply, evaluate, maintain policies and procedures for 27002: 14.2.1
application security' 27017: 14.2.1
Requirement of 'at least annually' in last sentence. Partial Gap
27001: A.14.2.5
27001: 14.2.5
27017: 14.2.5
27001: A.5.1.1
27017: 5.1.1
N/A Partial Gap
27001: A.7.2.2
27002:
27001:
27001: 7.2.2
9.1
A.14.1.1
The full V4 control specification is missing from
CCMv3.0.1 27001:
27002:A.18.2.2
14.1.1 Partial Gap
Recommendand thehas
full to
V4be used specification
control to close the gap.
to be
used to close the gap.
27002: 14.1.1
27017: 18.2.2
27001: A.14.1.2
Portion in the mapped control(s) contributing to the 27002: 14.1.2
No Gap
partial gap, that is, covering in part the V4 control: 27017:A.14.2.8
27001: 14.1.2
(AIS-01) 'Applications and programming interfaces 27001: A.14.2.1
(APIs) shall be designed, developed, deployed, and 27001: A.14.2.9
tested in accordance with leading industry standards' 27002:A.12.1.2
27001: 14.2.1
Missing specification(s) in CCMv3.0.1: 27017:
27002: 14.2.1
12.1.2
'Automate when applicable and possible.' No Gap
27001: A.14.1.1
27002: 14.1.1
27001: A.14.2.2
Missing specification(s) in CCMv3.0.1: 27002: 14.2.2
'Automate where possible.' No mapping
27001: A.16.1.5 Full Gap
27002: 16.1.5
27017: 16.1.5
Missing specification(s) in CCMv3.0.1:
'Automating remediation when possible.' 27001: A.12.6.1 No Gap
27002: 12.6.1
27017: 12.6.1
27018: 12.6.1
27001: 5.2
Missing specification(s) in CCMv3.0.1: 27001: A.5.1
27001:A.7.2.1
6.1.1 Partial Gap
Requirement of 'at least annually' in last sentence. 27001:
27001: 6.1.2
27001: A.17.1.2
27001: 6.1.3
N/A 27001: 8.2 Partial Gap
27001: 8.3
27001: A.16.1.6
27001: A.17.1
27001: A.17.1.1
N/A Partial Gap
27001: A.17.1.2

27001: A.17.1.1
N/A Partial Gap
27001: A.17.1.3

N/A 27001: 7.5.1a Partial Gap

Missing specification(s) in CCMv3.0.1:


'at least annually' 27001: A.17.1.3 Partial Gap

N/A No Mapping Full Gap


Missing specification(s) in CCMv3.0.1: 27001: A.12.3
'Ensure the confidentiality, integrity and availability of
the backup' 27017: 12.3 Partial Gap
27018: 12.3.1

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap

N/A No Mapping Full Gap

Missing specification(s) in CCMv3.0.1: 27001: A.12.1.1


'apply, evaluate policies and procedures for managing 27001: A.12.1.2
the risks associated with applying changes to
27002: 12.1.2
organization assets' Partial Gap
'regardless of whether the assets are managed 27017: 12.1.2
internally or externally (i.e., outsourced)' 27001: A.14.2.2
Requirement of 'at least annually' in last sentence. 27001: A.14.2.3
27001: A.14.2.2
27001:A.5.1.1
N/A 27002:
27017:14.2.2
5.1.1 Partial Gap
27017: 14.2.2
27001: A.12.1.2
27002: 12.1.2
Missing specification(s) in CCMv3.0.1:
27001: A.12.1.4
'regardless of whether the assets are managed 27001: No Gap
internally or externally (i.e., outsourced)' 27001: A.12.1.4
A.14.2.3
27002:A.15.2.2
27001: 12.1.4
Missing specification(s) in CCMv3.0.1:
27001: A.12.4.2
27002: 15.2.2
'removal, update, and management of organization No Gap
assets' 27002:A.14.2.6
27001: 12.4.2
27001:
27001: A.15.2.2
27002:A.14.2.2
14.2.6
27001:
27017:A.14.2.2
27001:14.2.2
A.5
N/A 27002: 14.2.2
27002: 5 No Gap
27001: A.12.1.2
27001: 5.2
27017:
27001: 12.1.2
A.12.1.1
27001: 5.3
The full V4 control specification is missing from 27002: 12.1.1
27001: A.6.1.1 Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001:
27002A.14.2.2
27001: :14.2.2
6.1.1
27001:
27002:A.14.2.4
14.2.2
27001: A.6.1.2
Missing specification(s) in CCMv3.0.1: 27001: A.12.4.1
27002: 6.1.2 No Gap
'detection measures with proactive notification' 27002: 12.4.1
27001: 8.2 (g)
27001: A.5.1.1
27001: 8.3
27001: A.12.1.2
27017:
The full V4 control specification is missing from 27001:5.1.1
9.1
27002: 12.1.2 (h) No Gap
CCMv3.0.1 and has to be used to close the gap. 27001:
27001: A.16
27017:A.12.1.2
12.1.2
27002:
27002: 16
12.1.2
27001: 5.1 (g)
The full V4 control specification is missing from 27001:
27001: A.16.1
A.12.5.1
27001: 5.3 No Gap
CCMv3.0.1 and has to be used to close the gap. 27001:
27002: 9.2 (e)
12.5.1
27001: A.5.1.1
27001:
27001: 9.3
A.12.3.1
27002: 5.1.1
27001: A.10
27017: A.6.1.1
12.3.1
27001:
27002: 10
27002: 6.1.1
Missing specification(s) in CCMv3.0.1: 27001: A.10.1.1
27017: 6.1.1
'Apply and evaluate the policies and procedures for 27001: A.10.1.2
27001: A.6.1.2
Cryptography, Encryption and Key Management' 27017: 10.1.2 No Gap
Requirement of 'at least annually' in last sentence. 27017: 6.1.2
27001: A.12.4
27001: A.9.1
27002: 12.4
27002: 9.1
27001: A.12.7
The full V4 control specification is missing from 27001: A.10.1.1
27002: 12.7 No Gap
CCMv3.0.1 and has to be used to close the gap. 27002: 10.1.1
27017: 12.7
27001: A.15.1.2
27001: A.18.1.1-to-5
27017: 15.1.2
27001: A.12.1.2
27001: A.13.1.3
27002: 12.1.2
27017: 13.1.3
27001: A.12.3.1
27001: A.10.1.1
27017: 12.3.1
27001: A.18.1.5
27001: A.10.1
27002: 10.1
27001: A.13.2.1
27002: 13.2.1
N/A 27001:
27001: A.8.2
A.18 No Gap
27002:
27002: 8.218
Missing specification(s) in CCMv3.0.1: 27001: A.8.3
27001: A.14.1.2
'considering the classification of data, associated 27001:
27002:A.10.1.1
A.12.1.2
14.1.2 No Gap
risks, and usability of the encryption technology.' 27002: 10.1.1
Recommend the full V4 control specification to be 27002: 12.1.2(b)
27001: A.14.1.3
used to close the gap. 27001:
27017: A.10.1.2
12.1.2
Portion in the mapped control(s) contributing to the 27002 14.1.3 c)
27002:
27001:
27001 10.1.2
A.10.1.2
- A.12.1.2
A.10.1.1 No Gap
partial gap, that is, covering in part the V4 control:
(EKM-02) 'lifecycle management/replacement' and 27002:
27002:10.1.2
27017 10.1.1e)
- 12.1.2
'changes within the cryptosystem' 27001 A.14.2.2
27001:- A.10.1.2
A.10.1.2
The full V4 control specification is missing from 27017 - 14.2.2
27002:
27002: 10.1.2
10.1.2e)
27001: 8.2 No Gap
CCMv3.0.1 and has to be used to close the gap. 27017: 10.1.2
27001: 8.3
27001: A.10.1.1
27001:
27002:A.10.1.1
10.1.1
The full V4 control specification is missing from
27001:
27002: A.10.1
27017: 10.1.1
10.1.1 No Gap
CCMv3.0.1 and has to be used to close the gap.
27017:
27017: 10.1
27001:10.1.1
9.2
The full V4 control specification is missing from 27001: A.10.1.2
27001:
27001: A.10.1.1
A.18.2.1
CCMv3.0.1 and has to be used to close the gap. Partial Gap
27017:A.18.2.2
27001: 10.1.1
10.1.2
27001: A.10.1.2
27001: A.12.7
The full V4 control specification is missing from 27017: 10.1.2
CCMv3.0.1 and has to be used to close the gap. 27002:
27001: 12.7
A.10.1.1 No Gap
Recommend the full V4 control specification to be 27017:
27002: 12.7(e)
10.1.1
used to close the gap. 27001: A.10.1.2
27017: 10.1.1
Portion in the mapped control(s) contributing to the 27001: A.10.1.2
partial gap, that is, covering in part the V4 control: 27001: A.10.1.2
27001: 10.1.2
A.10.1.1 No Gap
27002:
27002: k)
(EKM-04) 'open/validated formats and standard 27017: 10.1.2
10.1.1
algorithms shall be required'.
The full V4 control specification is missing from 27002:
27001:10.1.2
A.10.1.2(a) No Gap
CCMv3.0.1 and has to be used to close the gap. 27017:10.1.2
10.1.2(c)
27001:
27002: A.10.1.1
27017: 10.1.1
10.1.2
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 Partial Gap
27002: 10.1.2 e)
27017:A.10.1.1
27001: 10.1.2
27017: 10.1.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 No Gap
27002: 10.1.2 (g),(f)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27017: 10.1.2
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 No Gap
27002: 10.1.2 (j)
27001: A.18.1.3
A.10.1.1
27002: 10.1.1
27017: 18.1.3
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 Partial Gap
27002: 10.1.2 a)
27017:A.10.1.1
27001: 10.1.2
The full V4 control specification is missing from 27017: 10.1.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2
27017:A.10.1.1
27001: 10.1.2
27017: 10.1.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 No Gap
27001:
27002:A.10.1.1
10.1.2
27017:
27017: 10.1.1
10.1.2
27001: A.10.1.2
The full V4 control specification is missing from 27017: 10.1.2
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27002: 10.1.2 (i)
27001:
27001: 9.0
A.10.1.1
27002:
27002: 9.0 (d)
10.1.1
27017:
27001: 9.0
A.10.1.2
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27002: 10.1.2 (f),(g) No Gap
27001: A.18.1.5
27001: A.18.1.3
27001:18.1.3
27002: 8.2
27001: 8.3
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.10.1.2 No Gap
27002: 10.1.2 (h)
27001: A.18.1.5
27001: A.10.1.2
The full V4 control specification is missing from 27002: 10.1.2
No Gap
CCMv3.0.1 and has to be used to close the gap. 27017: 10.1.2
27001: A.18.1.5
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the 27001: A.11.2.7
secure disposal of equipment used outside the 27002: 11.2.7 No Gap
organization's premises' 27017: 11.2.7
Requirement of 'at least annually' in last sentence.
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the
relocation or transfer of hardware, software, or
data/information to an offsite or alternate location' 27001: A.11.2.5 Partial Gap
'or cryptographically verifiable authorization'
Requirement of 'at least annually' in last sentence. 27001: A.11.1.3
27002: 11.1.3
Missing specification(s) in CCMv3.0.1:
27017: 11.1.3
'evaluate (implementation of) policies and procedures' No Gap
Requirement of 'at least annually' in last sentence. 27001: A.11.1.5
27002: 11.1.5
Missing specification(s) in CCMv3.0.1: 27001:
'apply and evaluate policies and procedures for the
27017: A.8.3.3
11.1.5
secure transportation of physical media.' 27007: 8.3.3 No Gap
Requirement of 'at least annually' in last sentence. 27017: 8.3.3
27001: A.8.2.1
N/A 27002: 8.2.1 Partial Gap
27017: 8.2.1
27001: A.8.1.1
N/A 27002: 8.1.1 Partial Gap
27017: 8.1.1
27001: A.11.1.1
N/A 27002: 11.1.1 No Gap
27017: 11.1.1

N/A No Mapping Full Gap

Missing specification(s) in CCMv3.0.1:


'all ingress and egress points (are) documented'
'Retain access control records on a periodic basis as 27001: A.11.1.2 No Gap
deemed appropriate by the organization.'

Missing specification(s) in CCMv3.0.1:


'maintain datacenter surveillance systems' No Mapping Full Gap
Recommend the full V4 control specification to be
used to close the gap.
Portion in the mapped control(s) contributing to the
partial gap, that is, covering in part the V4 control:
(HRS-09) 'All individuals with access to organizational No Mapping Full Gap
data shall receive appropriate awareness training
relating to their professional function relative to the
organization.'
Missing specification(s) in CCMv3.0.1:
'Define, implement and evaluate processes,
procedures and technical measures that ensure a risk- 27001: A.11.2.3 No Gap
based protection of telecommunication cables'

Missing specification(s) in CCMv3.0.1:


'within accepted industry standards' 27001: A.11 No Gap

27001: A.17.1.3
N/A 27001: A.11.2.1 Partial Gap
27001: A.11.2.2
27001: A.11.2.1
N/A No Gap
27002: 11.2.1
27001: A.8.2.1
27001: A.5.1
Missing specification(s) in CCMv3.0.1: 27001: 5.2
'apply and evaluate policies and procedures for the 27001: A.5.1.1
classification, protection and handling of data
throughout its lifecycle and according to all applicable 27002: 5.1.1 Partial Gap
laws and regulations, standards, and risk level.' 27001: A.5.1.2
Requirement of 'at least annually' in last sentence.
Missing specification(s) in CCMv3.0.1: 27002:A.8.3.2
27001: 5.1.2
'Apply industry accepted methods for the secure 27001:
27002:A.12.1
8.3.2
Partial Gap
disposal of data' 27002:
27001: 12.1
A.11.2.7
27002: 11.2.7
The full V4 control specification is missing from 27001: A.8.1.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27002: 8.1.1
27001: A.8.2.1
N/A No Gap
27002: 8.2.1
Missing specification(s) in CCMv3.0.1:
'Review data flow documentation at defined intervals, No Mapping Full Gap
at least annually, and after any change.'
Missing specification(s) in CCMv3.0.1:
'Document ownership' 27001: A.8.1.2 Partial Gap
'all relevant documented personal data'
'Perform review at least annually'
27001: A.14.1.1
The full V4 control specification is missing from 27002:14.1.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001: A.14.2.5
27002:14.2.5

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap
27001: A.13.2.1
Missing specification(s) in CCMv3.0.1: 27002: 13.2.1
The reference to personal data: 'transfer of personal 27001: A.8.3.3
data is protected from unauthorized access and only Partial Gap
27002: 8.3.3
processed within scope as permitted by the respective
laws and regulations'
27001: A.13.2.3
27002: 13.2.3
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap

The full V4 control specification is missing from 27001: A.18.1.4


CCMv3.0.1 and has to be used to close the gap. Partial Gap
27002: 18.1.4

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap

The full V4 control specification is missing from


CCMv3.0.1 and has to be used to close the gap. 27018: A.6.2 Partial Gap

27001: A.14.3.1
27002: 14.3.1
N/A Partial Gap
27001: A.12.1.4
27002: 12.1.4
N/A 27001: A.18.1.3 No Gap

27001: A.18.1.3
The full V4 control specification is missing from 27002: 18.1.3
No Gap
CCMv3.0.1 and has to be used to close the gap. 27001:A.18.1.4
27002:18.1.4
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27018: A.6.1 No Gap

27001: A.8.1.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27002: 8.1.1 No Gap
27017: 8.1.1

Missing specification(s) in CCMv3.0.1: 27001: 5.1


'apply and evaluate policies and procedures for an
information governance program' 27001: 5.2 Partial Gap
Requirement of 'at least annually' in last sentence.
Missing specification(s) in CCMv3.0.1:
'Enterprise Risk Management (ERM) program (as it 27001: 5.3
includes information security risks but is not limited to
only those)' 27001: A.6.1.2
No Gap
'(ERM) program that includes policies and procedures 27001: 6.2
for identification, evaluation, ownership, treatment,
and acceptance of privacy risks' (focus is on missing
req. for risk management on privacy)
N/A 27001:7.5.2 (c) Partial Gap

Missing specification(s) in CCMv3.0.1: 27001: A.5.1.1


No Gap
'deviation from an established policy' 27002: 5.1.1 (c)
Missing specification(s) in CCMv3.0.1:
27001: 1
'all the domains of the CCM' (i.e., reference to 27001: 5.3 Partial Gap
CCMv4.0) 27001: 4.3
27001: A.6.1.1
The full V4 control specification is missing from 27002: 6.1.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001: A.7.2.1
27001: A.18.1
27002: 7.2.1
27001: A.18.2.2
N/A 27018: 5.1.1 No Gap
27018: A.18.1
27018: A.18.2.2
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.6.1.4 No Gap

Missing specification(s) in CCMv3.0.1: 27001: A.7.1.1


'apply, evaluate, policies and procedures for
background verification of all new employees' 27002: 7.1.1 Partial Gap
Requirement of 'at least annually' in last sentence. 27017: 7.1.1

27001: A.8.1.3
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence. 27002: 8.1.3 Partial Gap
27017: 8.1.3
27001: A.11.2.8
Missing specification(s) in CCMv3.0.1: 27002: 11.2.8
'apply, evaluate, policies and procedures that require
27017: 11.2.8
unattended workspaces to not have openly visible Partial Gap
confidential data' 27001: A.11.2.9
Requirement of 'at least annually' in last sentence. 27002: 11.2.9
27017: 11.2.9
Missing specification(s) in CCMv3.0.1: 27001: A.6.2.2
'apply, evaluate, policies and procedures to protect
27002: 6.2.2
information accessed, processed or stored at remote Partial Gap
sites and locations' 27001: A.11.2.6
Requirement of 'at least annually' in last sentence. 27002: 11.2.6

Missing specification(s) in CCMv3.0.1: 27001: A.8.1.4


'Establish and document procedures' 27002: 8.1.4 No Gap
27017: 8.1.4
27001: A.7.3.1
N/A 27002: 7.3.1 No Gap
27017: 7.3.1

N/A No Mapping Full Gap

27001: A.7.1.2
N/A 27002: 7.1.2 No Gap
27017: 7.1.2
27001: A.6.1.1
N/A 27002: 6.1.1 No Gap
27001:
27017:A.7.1.2
6.1.1
27002: 7.1.2
27017: 7.1.2
N/A No Gap
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
Missing specification(s) in CCMv3.0.1: 27001: A.7.2.2
'approve, evaluate and maintain a security awareness 27002: 7.2.2 No Gap
training program' 27017: 7.2.2

Missing specification(s) in CCMv3.0.1: 27001: A.7.2.2


'Provide all employees with access to sensitive
organizational and personal data with appropriate 27002: 7.2.2 Partial Gap
security awareness training' 27017: 7.2.2

27001: A.7.2.1
N/A 27002: 7.2.1 Partial Gap
27017: 7.2.1

27001:
27001: A.9.4.3
A.9.1.1
27002:
27002: 9.4.3
9.1.1
Missing specification(s) in CCMv3.0.1: 27017:A.5.1.2
9.4.3 No Gap
Requirement of 'at least annually' in last sentence. 27001:
27018:
27002: 9.4.3
5.1.2
27001: A.9.2.4
(If Password is equal to "authentication secrets" then) 27002: 9.2.4
Missing specification(s) in CCMv3.0.1: 27017: 9.2.4 Partial Gap
Requirement of 'at least annually' in last sentence. 27001: A.7.2.2
27002:7.2.2
27001: A.8.1.1
Missing specification(s) in CCMv3.0.1: 27001:
27002:A.9.2.6
8.1.1
27002:A.9.4.1
9.2.6 Partial Gap
'system identities' 27001:
27001: A.9.2.3
27002: 9.4.1
27002:A.6.1.2
27001: 9.2.3
N/A No Gap
27002: 6.1.2
27001: A.9.1.1
27002: 9.1.1
27001: A.9.1.2
N/A No Gap
27002: 9.1.2
27001: A.9.2.3
27002: 9.2.3
N/A No Mapping Full Gap

N/A No Mapping Full Gap


27001: A.9.2.5
Missing specification(s) in CCMv3.0.1: 27001: A.9.2.6
'Review and revalidate user access for separation of
27001: A.9.4.1
duties' Partial Gap
'a frequency that is commensurate with organizational 27017: 9.4.1
risk tolerance' 27001: A.6.1.2
27001: A 9.2.5
A.9.2.3
The full V4 control specification is missing from 27002: 9.2.3
No Gap
CCMv3.0.1 and has to be used to close the gap. 27017: 9.2.3
27018: 9.2.3

27001: A.9.2.3
The full V4 control specification is missing from 27002: 9.2.3
CCMv3.0.1 and has to be used to close the gap. Partial Gap
27017: 9.2.3
27018: 9.2.3

The full V4 control specification is missing from 27001: A.12.4.1


CCMv3.0.1 and has to be used to close the gap. No Mapping
27002: 12.4.1 Full Gap
27017: 12.4.1
27018: 12.4.1
27001: A.12.4.2
The full V4 control specification is missing from 27002: 12.4.2
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27017: 12.4.2
27018: 12.4.2
27001: A.12.4.3
27002: 12.4.3
27017: 12.4.3
27018: 12.4.3
The full V4 control specification is missing from 27001: A.9.2.1
No Gap
CCMv3.0.1 and has to be used to close the gap. 27002:A.9.1.2
27001: 9.2.1
27002: 9.1.2
27017: 9.1.2
27001: A.9.2.4
Missing specification(s) in CCMv3.0.1: 27001:
27002:A.9.2.4
9.2.4
'Adopt digital certificates or alternatives which achieve 27002: Partial Gap
an equivalent level of security for system identities' 27017: 9.2.4
9.2.4
27017:A.9.4.2
27001: 9.2.4
27018:
27002: 9.2.4
9.4.2
27001:
27017:A.9.3.1
9.4.2
The full V4 control specification is missing from 27002:
27018: 9.3.1
9.4.2 No Gap
CCMv3.0.1 and has to be used to close the gap. 27017: 9.3.1
27018:A.9.2.5
27001: 9.3.1
27001: A.9.4.3
27002: 9.2.5
N/A 27002: No Gap
27017: 9.4.3
9.2.5
27017:
27018: 9.4.3
9.2.5
27001: A.14.1.1
27018: 9.4.3
27017: 14.1.1
27001: A.14.1.2
Missing specification(s) in CCMv3.0.1: 27002: 14.1.2
'apply and evaluate policies and procedures for 27017: 14.1.2
Partial Gap
interoperability and portability.' 27001: A.14.2
Requirement of 'at least annually' in last sentence. 27002: 14.2
27001: A.14.2.1
The full V4 control specification is missing from 27017: 14.2.1
CCMv3.0.1 and has to be used to close the gap. No Mapping
27001: A.14.2.5 Full Gap
27001: A.18.1
27001: A.15.1.1
N/A No Gap
27002: 15.1.1
27017: 15.1.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. No Mapping Full Gap
Missing specification(s) in CCMv3.0.1: 27001: A.5
'apply and evaluate policies and procedures for 27002: 5
Partial Gap
infrastructure and virtualization security.' 27017: 5
Requirement of 'at least annually' in last sentence. 27018: 5
27001: 5.3
27001: 6.1
N/A 27001: 9.1 Partial Gap
27001: A.12.1.3
27001:
27002:A.13.1.1
12.1.3
27002: 13.1.1
27001: A.13.1.2
N/A Partial Gap
27002: 13.1.2
27001:
27001: 7.4
A.13.1.3
27001: A.13.1.1
27002:A.14.2.2
27001: 13.1.3
Missing specification(s) in CCMv3.0.1: 27002:
27002: 13.1.1
14.2.2
'Host and guest OS', 27017: 13.1.1
27001: A.14.2.3 Partial Gap
'hypervisor', 27018: 13.1.1
'infrastructure control plane'. 27001 A.14.2.4
27001:
27001
27018:A.13.1.2
A.12.1.4
12.1.2
27002: 13.1.2
27002 12.1.4
N/A 27017: 13.1.2 Partial Gap
27017 12.1.4
27018: 13.1.2
27018 12.1.4
27001: A.13.1.3
N/A 27002: 13.1.3 Partial Gap
27017:
27017: 13.1.3
13.1.3
27018: 13.1.3
27001:A.13.2.1
27001: A.9.1.2
Missing specification(s) in CCMv3.0.1:
'Such channels must include only up-to-date and 27002:13.2.1
27002: 9.1.2 Partial Gap
approved protocols'. 27017: 9.1.2
27017: 13.2.1
27001:
27018: A.9.4.2
13.2.1
27002:A.13.2.2
27001:
27001: 9.4.2
A.14.1.2
N/A Partial Gap
27017: 9.4.2
27002: 13.2.2
14.1.2
27018: 13.2.2
27017: 9.4.2
14.1.2
N/A 27001:
27001: A.14.2.5
27018:A.11.1.4
13.2.2 Partial Gap
27002:
27001: 14.2.5
A.13.2.3
27002: 11.1.4
27017:
27002: 14.2.5
27017: 13.2.3
11.1.4
27017:
27018:13.2.3
16.1.1
27018: 13.2.3
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
27018: 13.2.4
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for
logging and monitoring' No mapping Full Gap
Requirement of 'at least annually' in last sentence.

Missing specification(s) in CCMv3.0.1:


27001: A.18.1.3
'Define, implement and evaluate processes, Partial Gap
procedures and technical measures' 27002: 18.1.3
Missing specification(s) in CCMv3.0.1:
'Define and implement a system to generate alerts to 27001: A.12.4.1
Partial Gap
responsible stakeholders based on such events and 27002: 12.4.1
corresponding metrics.'
27001: A.12.4.2
Missing specification(s) in CCMv3.0.1: 27001: A.12.4.1
'Restrict audit logs access to authorized personnel' No Gap
27002: 12.4.2

The full V4 control specification is missing from 27001: A.12.4.3


No Gap
CCMv3.0.1 and has to be used to close the gap. 27002: 12.4.3

27001: A.12.4.4
N/A 27002: 12.4.4 No Gap
27017: 12.4.4
27001: A.12.4.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27002: 12.4.1 No Gap
27017: 12.4.1
27001: A.12.4.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap.
Recommend the full V4 control specification to be
used to close the gap. 27002: 12.4.1 No Gap
27017: 12.4.1
Recommend the full V4 control specification to be
used to close the gap.
Portion in the mapped control(s) contributing to the
partial gap, that is, covering in part the V4 control: 27001: A.12.4.2
(IVS-01) 'Higher levels of assurance are required for 27002: 12.4.2
protection of audit logs', (GRM-04) 'to protect assets No Gap
and data from loss, misuse, unauthorized access,
disclosure, alteration, and destruction'.
Portion in the mapped control(s) contributing to the 27001: A.10.1
partial gap, that is, covering in part the V4 control: 27002: 10.1
(EKM-02) 'Policies and procedures shall be No Gap
established for the management of cryptographic 27001: A.10.1.2
keys', (EKM-03) 'Policies and procedures shall be 27017: 10.1.2
established, and supporting business processes and
technical measures implemented, for the use of
encryption protocols'.
Recommend the full V4 control specification to be
used to close the gap.
27001: A.10.1.2
Portion in the mapped control(s) contributing to the No Gap
partial gap, that is, covering in part the V4 control: 27017: 10.1.2
(EKM-02) 'management of cryptographic keys in the
service's cryptosystem'.
Missing specification(s) in CCMv3.0.1: 27001: A.11.1.2
'log physical access using an auditable access control No Gap
system.' 27002: 11.1.2
Missing specification(s) in CCMv3.0.1: 27001: A.16.1.1
'Define, implement and evaluate processes, 27002: 16.1.1
No Gap
procedures and technical measures for the reporting 27001: A.16.1.2
of anomalies and failures of the monitoring system' 27017: 16.1.2

Missing specification(s) in CCMv3.0.1: 27001: A.16.1


'policies and procedures for E-Discovery and Cloud 27002: 16.1
Partial Gap
Forensics'. 27017: 16.1
Requirement of 'at least annually' in last sentence. 27001: A.16.1.2
27018: 16.1
27002: 16.1.2
27017: 16.1.2
Missing specification(s) in CCMv3.0.1: 27018: 16.1.2
Partial Gap
Requirement of 'at least annually' in last sentence. 27001: A.16.1.5
27002: 16.1.5
27001:
27017:A.16.1.5
16.1.5
Missing specification(s) in CCMv3.0.1: 27002:
'Establish, document, approve, communicate, apply,
27018: 16.1.5
a security incident response plan, which include 27017: 16.1.5 No Gap
relevant internal departments' 27017: CLD.12.1.5
27018: 16.1.5

N/A No Mapping Full Gap

N/A 27001: A.16.1.4


No Mapping Full Gap
27002: 16.1.4
27017: 16.1.4
27018: 16.1.4
N/A No Gap
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
27001: A.16.1.1
27002: 16.1.1
27017: 16.1.1
27018: 16.1.1
Missing specification(s) in CCMv3.0.1: 27001: A.16.1.2
'Define and implement, processes, procedures and 27002:
27001:16.1.2
4.2 Partial Gap
technical measures for security breach notifications' 27017: 16.1.2
27001: A.6.1.3
'Report assumed security breaches' 27018:
27002:16.1.2
6.1.3
27001: A.16.1.5
27017: 6.1.3
27002:
27018:16.1.5
6.1.3
N/A 27017:A.16.1.1
27001: 16.1.5 No Gap
27018:
27002: 16.1.5
16.1.1
27001: A.18.1.1
27001:18.1.1
27002: 5.1a
27001:18.1.1
27017: 5.2
27001:18.1.1
27018: 6.2
The full V4 control specification is missing from 27001: 9.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001:
27001: 9.3
6.2
27001:
27001:A.5.1
7.1
27001: A.5.2
27001: 8.1
The full V4 control specification is missing from
27001: A.15.1.1
27001: 8.2
Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001: 9.1
27001: 9.3
27001:
27001: 6.2
A.15.1
27001: 7.4
The full V4 control specification is missing from 27001: A.15.2
CCMv3.0.1 and has to be used to close the gap. 27001: 9.1 Partial Gap
27001: A.15.1.2
27001: A.15.1.3
27001: 6.2
27001: 7.4
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: 9.1 Partial Gap
27001: A.15.1.2
27001:
27001: 6.2
A.15.2
27001: 7.4
The full V4 control specification is missing from 27001: 9.1
CCMv3.0.1 and has to be used to close the gap. Partial Gap
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
27001: 8.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.15.1.2 Partial Gap
27001: A.15.1.3
27001: 8.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.15.1.2 Partial Gap
27001: A.15.1.3

27001: 8.1
N/A 27001: A.15.1.2 Partial Gap
27001: A.15.1.3

Missing specification(s) in CCMv3.0.1: 27001: 8.1


'Logging and monitoring capability' 27001: A.15.1.2 Partial Gap
'Data Privacy' 27001: A.15.1.3

27001: A.15.1
N/A Partial Gap
27001: A.15.2

27001: A.15.2
N/A Partial Gap

27001: 5.2
27001: A.5.1
Missing specification(s) in CCMv3.0.1: 27001: A.5.2
Partial Gap
'to comply with privacy, personnel policy.' 27001: A.7.2.1
27001: A.15.1.2
27001: 8.1
27001: A.15.1.3
27001: 9.1
27001: 9.2
N/A Partial Gap
27001: 9.3
27001: A.15.1.2
27001:
27001: 8.1
A.15.1.3
27001: 8.2
N/A 27001: 8.3 Partial Gap
27001: A.15.1.2
27001: A.15.1.3
27001: A.5.1.1
27002: 5.1.1 (g), (c)
27001: A.5.1.2
27002: 5.1.2
27001: 5.2
27001: A.12.2.1
27001: 5.2
Missing specification(s) in CCMv3.0.1: 27001: A.6.2.1
27001: A.5.1.1 No Gap
Requirement of 'at least annually' in last sentence. 27002: 6.2.1 (h)
27002: 5.1.1 (c), (h)
27001: A.6.2.2
27002: 6.2.2 (j)
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence. 27001: A.7.2.2 Partial Gap
27002: 7.2.2 (d)
27001:
27001: A.10.1.1
A12.2.1
27002:
27001:10.1.1 (g)
A.12.6.1
N/A 27001: A.13.2.1 No Gap
27002: 12.6.1(c)(d)(j)
27002:12.6.1(k)(i)
27018: 13.2.1 (b)
27001: A.15.1.2
27001: A.5.1.1
27017: 15.1.2
The full V4 control specification is missing from 27002: 5.1.1 (h)
27001: A.12.2.1 Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27001: A.12.6.1
27002: 12.2.1 (a),(d)
27002: 12.6.1 (b),(c)
27017: CLD.9.5.2
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: A.12.6.2
Recommend the full V4 control specification to be Partial Gap
used to close the gap. 27002: 12.6.2
Portion in the mapped control(s) contributing to the
partial gap, that is, covering in part the V4 control:
(TVM-02) 'supporting processes and technical No Mapping Full Gap
measures implemented, for timely detection of
vulnerabilities within organizationally-owned or
managed applications, infrastructure network and 27001: A.12.6
Missing specification(s) in CCMv3.0.1:
system components (e.g., penetration testing)'
Requirement of 'at least monthly'. 27001: A.12.6.1 No Gap
27002: 12.6.1
Missing specification(s) in CCMv3.0.1:
'vulnerability remediation using an industry recognized No Mapping Full Gap
framework'.
27001: A.16.1.2
27002: 16.1.2
N/A No Gap
27001: A.16.1.3
27002: 16.1.3
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27001: 9.1(a)(e) Partial Gap
Missing specification(s) in CCMv3.0.1:
'endpoints' (The term is missing from CCMv3.0.1 and 27001: A.9.1.1
A.6.2.1
MOS domain. Mobile device policies are a subset of 27002: 9.1.1
6.2.1
endpoint devices policy). Partial Gap
'apply, evaluate policies and procedures for all 27001:
27017:A.9.2.2
6.2.1
endpoints'. 27002:
27018: 9.2.2
6.2.1
Requirement of 'at least annually' in last sentence.
Missing specification(s) in CCMv3.0.1: 27001: A.12.1.2
'endpoint'. 27002: 12.1.2
Partial Gap
'Define, apply and evaluate a list' 27001: A.12.5
27002: 12.5
Missing specification(s) in CCMv3.0.1: 27001:
27001: A.13.2.3
A.14.2.4
'endpoint'. 27002: 13.2.3 Partial Gap
'Define and implement a process'. 27002: 14.2.4
27001: A.14.2.2
27001: A.8.1.1
Missing specification(s) in CCMv3.0.1: 27002:14.2.2
27002: 8.1.1 Partial Gap
'endpoints'.
27017: 8.1.1
Missing specification(s) in CCMv3.0.1:
'endpoints'.
27001: A.12.6.2
'Define, implement and evaluate processes, Partial Gap
procedures and technical measures to enforce 27002:12.6.2
policies and controls for all endpoints'.
Missing specification(s) in CCMv3.0.1:
No Mapping Full Gap
'endpoint'. 27001: A.14.2
27001: A.14.2.2
Missing specification(s) in CCMv3.0.1: 27002:A.11.2.7
27001: 14.2.2
Partial Gap
'endpoint'. 27001:
27002:A.14.2.3
11.2.7
27001: A.14.2.4
27001: A.18.1.1
Missing specification(s) in CCMv3.0.1: 27018:
27017:12.1.2
18.1.1
'endpoint'. Partial Gap
27001: A.12.3.1
27017: A.12.2
27001: 12.3.1
27018:
27001:
27002:A.11.4
A.12.3
12.2
The full V4 control specification is missing from 27001: A.12.6.1
CCMv3.0.1 and has to be used to close the gap. 27018:
27002:A.11.5
12.3 Partial Gap
27017: 12.2
27002: A.8.3.1
12.6.1
27001:
27018: 12.2
27001: A.13.1.2
27002: 8.3.1
The full V4 control specification is missing from
CCMv3.0.1 and has to be used to close the gap. 27002: 13.1.2
27001: A.12.2 Partial Gap
27001:
27002:A.6.2.2
12.2
The full V4 control specification is missing from 27002:A.18.1.3
27001: 6.2.2
27018:18.1.3
16.1 Partial Gap
CCMv3.0.1 and has to be used to close the gap. 27002:
27001: A.3.2.2
27002: 3.2.2
27001: A.6.1.1
27017: 6.1.1
The full V4 control specification is missing from 27001: A.6.2.1
Partial Gap
CCMv3.0.1 and has to be used to close the gap.
Missing specification(s) in CCMv3.0.1: 27002: 6.2.1
'endpoint'. 27001:
27001:A.15.1.1
A.6.2.1
'Define, implement and evaluate processes, 27002: Partial Gap
procedures and technical measures'. 27002:15.1.1
6.2.1
27001: A.14.1.2
27002: 14.1.2
The full V4 control specification is missing from 27001: A.6.1.1
CCMv3.0.1 and has to be used to close the gap. Partial Gap
27017: 6.1.1
27001: A.9.2.2
27017: 9.2.2
End of Mapping
27001: A.9.2.4
27017: 9.2.4
01/02/17/18

Addenda

Missing specification(s) in ISOs:


Requirement of 'at least annually' in last
sentence.

Missing specification(s) in ISOs:


Terms 'audit and assurance' and 'at least
annually' are not specifically called out.

N/A

N/A

N/A

Missing specification(s) in ISOs:


'Establish, document, approve, communicate,
apply, evaluate and maintain a risk-based
corrective action plan to remediate audit
findings'.
Missing specification(s) in ISOs:
'to review and update the policies and
procedures at least annually.'

Missing specification(s) in ISOs:


ISO does not explicitly stipulate baseline
requirements for securing different applications.
Missing specification(s) in ISOs:
ISO does not explicitly specify the need to
implement technical and operational metrics in
alignment with business objectives, security
requirements, and compliance obligations.

N/A

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A

Missing specification(s) in ISOs:


The requirement to provide a framework for
setting business continuity objectives.

Missing specification(s) in ISOs:


The specific references to a BIA.
Missing specification(s) in ISOs:
No reference to Business Continuity Strategies

Missing specification(s) in ISOs:


No reference to Business Continuity Strategies

Missing specification(s) in ISOs:


No reference to Business Continuity Strategies

Missing specification(s) in ISOs:


'Table Top Exercises'

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


ISO does not specify the need to verify data
restoration from backup for resiliency.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


'Review and update the policies and
procedures at least annually.'
Missing specification(s) in ISOs:
'Quality and baselines'

N/A

N/A

N/A

Missing specification(s) in ISOs:


'Establish change management baselines'

N/A

N/A

N/A

N/A

N/A
N/A

N/A

N/A

N/A

Missing specification(s) in ISOs:


'The cloud service provider should provide
capabilities to permit the cloud service
customer to independently store and manage
encryption keys used for protection of any data
owned or managed by the cloud service
customer'
N/A

N/A

N/A

N/A

Missing specification(s) in ISOs:


'Keys Rotation' requirement not mentioned

N/A
N/A

Missing specification(s) in ISOs:


'Keys Pre-Activation' requirement not
mentioned

Missing specification(s) in ISOs:


'Keys Suspension' requirement not mentioned

N/A

Missing specification(s) in ISOs:


'secure repository requiring least privileged
access'

N/A

N/A

N/A
N/A

Missing specification(s) in ISOs:


'Apply and maintain policies and procedures for
the relocation or transfer of hardware, software,
or data/information to an offsite or alternate
location'
'relocation requires the cryptographically
verifiable authorization.'

N/A

N/A

Missing specification(s) in ISOs:


'classify physical assets'

Missing specification(s) in ISOs:


'classify physical assets'

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.
The full V4 control specification is missing from
the ISOs and has to be used to close the gap.

N/A

N/A

Missing specification(s) in ISOs:


No requirements to exercise environmental
controls

N/A

Missing specification(s) in ISOs:


Requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


Requirement to ensure that data is not
recoverable by any forensic means.
Missing specification(s) in ISOs:
Requirement for maintaining an inventory for
personal data

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Requirement to perform a review at least
annually.
Missing specification(s) in ISOs:
incorporating security requirements at the
design stage

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Requirement to ensure information is only
processed within scope as permitted by the
respective laws and regulations.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Processing personal data as per the purpose
declared to the data subject

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Requirement to disclose the details of any
personal or sensitive data access by sub-
processors to the data owner prior to initiation
of that processing.

Missing specification(s) in ISOs:


Obtain explicit authorization from data owners
N/A

N/A

N/A

N/A

Missing in the ISOs:


"document, approve, apply, evaluate and
maintain policies and procedures for an
information governance program"
"Review and update the policies and
procedures at least annually."
N/A

Missing specification(s) in ISOs:


Requirement of 'at least annually'

N/A

Missing specification(s) in ISOs:


'domains of the CCMv4.0' missing from ISOs
Missing in the ISOs:
'for planning, implementing, operating,
assessing, and improving governance
programs.'
'document roles and responsibilities'
N/A
N/A

Missing specification(s) in ISOs:


requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


requirement to review and update the policies
and procedures at least annually.

N/A

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A
N/A

N/A

N/A

Missing specification(s) in ISOs:


Ρequirement to focus training on "sensitive
organizational and personal data"

Missing specification(s) in ISOs:


requirement to focus on "applicable legal,
statutory, or regulatory compliance obligations."

N/A

Missing specification(s) in ISOs:


Requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


ISO partially addressed Identity Inventory
under asset management

N/A
N/A

The full V4 control specification is missing from


ISOs and has to be used to close the gap.

The full V4 control specification is missing from


ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Requirement of separation of duties in
reviewing of user access rights.

N/A

Missing specification(s) in ISOs:


Requirement to prevent the culmination of
segregated privileged access.

N/A

Missing specification(s) in ISOs:


Requirement to control the ability to disable
logs through a procedure that ensures the
segregation of duties and break glass
procedures.
N/A

Missing specification(s) in ISOs:


Requirement to include multifactor
authentication for at least privileged user and
sensitive data access.

N/A

N/A

Missing specification(s) in ISOs:


Requirement of communications between
application services (APIs)

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.
Missing specification(s) in ISOs:
Requirement of "Infrastructure & Virtualization
Security"

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security"

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security"

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security"

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security"
Missing specification(s) in ISOs:
'Design, develop, deploy and configure
applications and infrastructures'
'monitored and restricted from other tenants.'

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization
Security
Missing specification(s) in ISOs:
Requirement of Infrastructure & Virtualization
Security
Requirement for defense-in-depth approach
The full V4 control specification is missing from
the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Requirement for the review and update of
policies and procedures.

Missing specification(s) in ISOs:


Requirement to generate alerts to responsible
stakeholders.

N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A

N/A

N/A

Missing specification(s) in ISOs:


Requirement to review and update the policies
and procedures at least annually.

Missing specification(s) in ISOs:


Requirement to review and update the policies
and procedures at least annually.

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A
Missing specification(s) in ISOs:
Requirement to report relevant supply chain
breaches.
Requirement to report as per applicable SLAs,
laws and regulations.

N/A

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).
Missing specification(s) in ISOs:
Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).

Missing specification(s) in ISOs:


Requirement of a Shared Security
Responsibility Model (SSRM).
N/A

Missing specification(s) in ISOs:


Requirement of 'malware policy and
procedures'

N/A

Missing specification(s) in ISOs:


Requirement of 'detection tools and or a
specific time frame for updates as well as no
mention of IOC's'
Missing specification(s) in ISOs:
Requirement of 'for applications which
use...open source libraries according to the
organization's vulnerbility management
standard.'
The full V4 control specification is missing from
the ISOs and has to be used to close the gap.

N/A

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

N/A

Missing specification(s) in ISOs:


Requirement of 'vulnerability remediation'
Missing specification(s) in ISOs:
Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

The full V4 control specification is missing from


the ISOs and has to be used to close the gap.

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device
Missing specification(s) in ISOs:
Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

Missing specification(s) in ISOs:


Term 'endpoint' device

CLOUD CONTROLS MATRIX VERSION 4.0

Authors (names are alphabetically listed)

Martin Acherman
Ricky Arora
Christian Banse
Rolf Becker
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Daniele Catteddu
Sean Cordero
Peter Dickman
Sean Estrada
Tom Follo
Shawn Harris
Matthew Hoerig
Erik Johnson
Harry Lu
Surinder S. Rait
Michael Roza
Agnidipta Sarkar
Chris Shull
Lefteris Skoutaris
Tony Snook

Contributors (names are alphabetically listed)

Kai Axford
Darin Blank
Kevin Burgin
Martin Capuder
Vishal Chaudhary
Aradhna Chetal
Jeff Cook
Angela Dogan
Doug Egan
Andreas von Grebmer
Mohin Gulzar
Frank Jaramillo
Gaurav Khanna
Keri Kusznir
Jens Laundrup
Robin Lyons
Loredana Mancini
Julien Mauvieux
Bill Marriott
Claus Matzke
Matthew Meersman
David Nance
Christine Peters
Lisa Peterson
Paul Rich
Max Simakov
Tima Soni
Luke Synnestvedt
Eric Tierling
Raj Tuliani

Editorial Team

Darin Blank (Team Lead)
Bobbie-Lynn Burton
Martin Capuder
Lisa Peterson
Luke Synnestvedt

CCM v4.0 Controls Applicability Mapping - Contributors (names are alphabetically listed)

Renu Bedi
Jon-Michael Brook
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Joel John
Erik Johnson
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Chirag Sheth
Ashish Vashishtha
Dimitri Vekris

CCM v4.0 - CCM v3.0.1 Mapping - Contributors (names are alphabetically listed)

Sandra Ackland
Renu Bedi
Glenn Bluff
Anders Brännfors
Madhav Chablani
Aislin Cole
Brian Dorsey
Angell Duran
Rajeev Gupta
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Surinder Singh Rait
Ashish Vashishtha
Dimitri Vekris

CCM v4.0 - ISO27001/02/17/18 Mapping - Contributors (names are alphabetically listed)

Sandra Ackland
Renu Bedi
Anders Brännfors
Ramon Codina
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Roberto Hernandez
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Vani Murthy
Johan Olivier
Surinder Singh Rait
Michael Roza
Agnidipta Sarkar
Chirag Sheth
Chris Shull
Ashish Vashishtha
Dimitri Vekris
Surya Vinjamuri

CCM Leadership

Daniele Catteddu (CSA)
Sean Cordero
Sean Estrada
Shawn Harris
Harry Lu
Lefteris Skoutaris (CSA)

End of ACKs

© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance "Cloud Controls Matrix (CCM) Version 4.0" at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.