Cloud Controls Matrix - What You Need to Know | Redscan
Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
View our privacy policy

With business cloud adoption increasing to 90%, ensuring secure implementation and management is more important than ever.

In this blog post, we explore Cloud Controls Matrix, what’s included in the framework and how it can provide value for organisations.


What is the Cloud Controls Matrix?

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud security assurance and compliance.

The CCM is made up of 197 control objectives structured in 17 domains which cover all the key aspects of cloud technology. It was created by the Cloud Security Alliance (CSA), a not-for-profit that seeks to define and raise awareness of best practices to help ensure a secure cloud computing environment.

Described by the CSA as “the world’s only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations”, the CCM can be used as a tool for assessing a cloud implementation. It also provides guidance on the type of security controls that should be implemented by different parties within the cloud supply chain. It is aligned with the CSA Security Guidance for Cloud Computing.

The Cloud Controls Matrix is regularly updated. The latest iteration, Version 4, has been combined with the Consensus Assessment Initiative Questionnaire (CAIQ), which is the basis for the STAR Self-Assessment (STAR Level 1) and many cloud vendor evaluation programs.

The CCM includes the following:

  • CCM v4 Controls
  • Mappings
  • CAIQ v4
  • Implementation Guidelines
  • Auditing Guidelines (Available soon)
  • CCM Metrics (Available soon)


Which areas does the CCM cover?

The CCM provides guidance on a wide range of security domains, including:

  • Application & Interface Security
  • Data Centre Security
  • Identity & Access Management
  • Threat and Vulnerability Management
  • Universal Endpoint Management


How organisations can benefit from the CCM and CAIQ

Document controls for multiple standards and regulations in one place

The controls in the CCM are mapped against security standards, regulations and control frameworks, meaning organisations can have confidence that measures being implemented are addressing multiple requirements simultaneously.

Clarify the shared responsibility model

Shared responsibility can be a key area of risk for organisations. The CCM defines the attribution of responsibilities between cloud service providers and customers and also helps to define the organisational relevance of each control.

Assess cloud service providers through the CAIQ questionnaire

Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ). This provides a set of questions which organisations can use to assess a cloud service provider, removing the need for multiple questionnaires.


How Redscan can help

Redscan is an award-winning provider of security services that help organisations to make lasting improvements to their cloud security posture.

Our assessment services, including CREST-accredited Penetration Testing and Red Teaming, help to identify and address the latest cloud security vulnerabilities, and can be tailored to specific cloud environments.

ThreatDetect™, our Managed Detection and Response service, integrates experienced security professionals, the latest cutting-edge technologies and aggregated intelligence to swiftly identify, disrupt and remediate threats across both cloud and on-premise environments.

More on our cloud security services