What is the Cloud Security Alliance?
The Cloud Security Alliance (CSA) is a non-profit organisation founded in 2008 whose mission is to promote best practices for providing security assurance within cloud computing. With tens of thousands of individual members and hundreds of corporate members worldwide, CSA is the most widely recognised body dedicated to defining and raising awareness of best practices for securing cloud environments.
CSA produces research, tools and credentials including the Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ) that accompanies it, the STAR (Security Trust Assurance and Risk) Registry, and the CCSK (Certificate of Cloud Security Knowledge).
What is the CSA Cloud Controls Matrix?
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework designed specifically for cloud computing. It sets out security concepts and principles aligned to cloud service categories and maps to the major security standards and regulations listed later on this page, which is why it is widely used as the reference point for cloud security assurance.
CCM v4, released in January 2021, contains 197 control objectives structured across 17 domains; each control carries implementation guidance, auditing guidelines and an allocation of responsibility between cloud provider and cloud customer. It is used by cloud service providers to demonstrate their security posture, by cloud customers to assess vendor security, and by auditors to evaluate cloud environments against industry standards.
| Standard Body | Cloud Security Alliance (CSA) |
|---|---|
| Current Version | CCM v4.0 (2021) |
| Mandatory or Voluntary | Voluntary |
| Geography | Global |
| Total controls | 197 control objectives across 17 domains |
| Official Resource | cloudsecurityalliance.org |
What Changed in CCM v4?
| Area | CCM v3.0.1 | CCM v4.0 |
|---|---|---|
| Control objectives | 133 controls | 197 controls |
| Domains | 16 domains | 17 domains |
| Audit scope | Limited audit guidance | Dedicated audit guidelines for each control |
| Implementation guidance | Basic | Detailed implementation guidance per control |
| Mappings | Major standards | Expanded mappings; further crosswalks (ISO/IEC 27001:2022, NIST CSF 2.0, CIS Controls v8, GDPR) have been published since the 2021 release |
The 17 CCM Domains
CCM v4 organises its 197 control objectives into the 17 domains below, listed in the order the CCM itself uses. Control identifiers take the form DOMAIN-NN (for example IAM-01), and the per-domain counts sum to 197.
| Code | Domain | Controls | Key focus areas |
|---|---|---|---|
| A&A | Audit and Assurance | 6 | Audit and assurance policy, independent assessments, risk-based audit planning, requirements compliance, remediation |
| AIS | Application and Interface Security | 7 | Secure SDLC, application security testing, automated application security |
| BCR | Business Continuity Management and Operational Resilience | 11 | Business continuity planning, RTO/RPO, equipment power, environmental risks |
| CCC | Change Control and Configuration Management | 9 | Change management policy, quality testing, unauthorised change controls |
| CEK | Cryptography, Encryption and Key Management | 21 | Encryption policies, key lifecycle management, key generation and storage, certificates |
| DCS | Datacenter Security | 15 | Physical access, CCTV, asset management, media sanitisation, secure areas |
| DSP | Data Security and Privacy Lifecycle Management | 19 | Data classification, data flows, data retention, data disposal, PII handling |
| GRC | Governance, Risk Management and Compliance | 8 | Governance programme, risk management framework, compliance management |
| HRS | Human Resources Security | 13 | Background checks, employment agreements, training, termination procedures |
| IAM | Identity and Access Management | 16 | Identity lifecycle, MFA, privileged access, credential management, access reviews |
| IPY | Interoperability and Portability | 4 | Application portability, data portability, network portability, APIs |
| IVS | Infrastructure and Virtualisation Security | 9 | Network architecture, hypervisor security, virtualisation policies, segmentation |
| LOG | Logging and Monitoring | 13 | Audit logs, log protection, monitoring, SIEM, clock synchronisation |
| SEF | Security Incident Management, E-Discovery and Cloud Forensics | 8 | Incident response policy, triage, breach notification, forensic investigations |
| STA | Supply Chain Management, Transparency and Accountability | 14 | Supplier risk, CSP contracts, subprocessors, STAR programme participation |
| TVM | Threat and Vulnerability Management | 10 | Vulnerability scanning, penetration testing, threat intelligence, patch management |
| UEM | Universal Endpoint Management | 14 | Endpoint inventory, MDM, BYOD policy, remote wipe, endpoint protection |
CSA STAR Programme
The CSA STAR (Security Trust Assurance and Risk) programme is a publicly accessible registry of cloud provider security assessments based on the CCM. It has three levels of assurance.
| Level | Name | Description |
|---|---|---|
| Level 1 | Self-assessment | Cloud provider answers the CAIQ (the CCM's questionnaire form) about its own controls and publishes the result in the STAR registry; free and voluntary, with no third-party verification, so customers should read it as the provider's own claims |
| Level 2 | Third-party assessment | Independent audit by a CSA-accredited certification body, resulting in STAR Certification (an ISO/IEC 27001 certification extended with the CCM) or STAR Attestation (a SOC 2 examination extended with the CCM) |
| Level 3 | Continuous monitoring | Ongoing, automated monitoring of security controls; the most rigorous level, still under development |
CCM Mappings to Other Frameworks
One of CCM's greatest strengths is its comprehensive set of mappings to other major standards, which makes it a natural integration point for organisations managing multiple compliance requirements. The mappings are many-to-many: one CCM control can satisfy several requirements elsewhere, and one external requirement may need several CCM controls, so treat a mapping as the starting point for a gap analysis rather than as proof of equivalence.
| Framework | Mapping availability |
|---|---|
| ISO/IEC 27001:2022 | Full mapping; the CCM is audited alongside ISO/IEC 27001 in STAR Certification |
| NIST CSF 2.0 | Full mapping to all six functions and subcategories |
| NIST SP 800-53 Rev 5 | Full mapping to all 20 control families |
| PCI DSS v4.0 | Full mapping to all 12 requirements |
| GDPR | Mapping to key GDPR articles relevant to cloud processing |
| CIS Controls v8 | Full mapping to all 18 CIS Controls |
| SOC 2 | Mapping to the AICPA Trust Services Criteria; the basis for STAR Attestation |
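Using the CCM as the pivot in practice means assessing each CCM control once and then deriving per-framework coverage from the crosswalk. The script below is an added example written for this page, not CSA material: its MAPPING is a small constructed crosswalk, not CSA's published CCM v4 mapping sheets (the identifier formats are real, the pairings are assumptions). It shows the two things a naive lookup gets wrong: a requirement backed by several CCM controls is only covered when all of them pass, and a CCM control with no counterpart in a framework is a cloud-specific obligation that a certificate against that framework says nothing about.

```python
"""Crosswalk through the CCM: assess each CCM v4 control once, then derive
coverage for every framework the control maps to.

Added example, not CSA material. MAPPING is a CONSTRUCTED crosswalk for
illustration only; it is not CSA's published CCM v4 mapping. Identifier
formats are real (DOMAIN-NN for CCM, Annex A clauses for ISO 27001:2022,
subcategories for NIST CSF 2.0), but the links between them are assumptions.
"""
from collections import defaultdict

# Constructed many-to-many crosswalk: CCM control -> framework -> requirement ids.
MAPPING = {
    "IAM-03": {"ISO/IEC 27001:2022": ["A.5.16"], "NIST CSF 2.0": ["PR.AA-01"]},
    "IAM-14": {"ISO/IEC 27001:2022": ["A.8.5"], "NIST CSF 2.0": ["PR.AA-03"]},
    "CEK-03": {"ISO/IEC 27001:2022": ["A.8.24"], "PCI DSS v4.0": ["3.6"]},
    "CEK-04": {"ISO/IEC 27001:2022": ["A.8.24"], "PCI DSS v4.0": ["3.6"]},
    "LOG-05": {"NIST CSF 2.0": ["DE.CM-01"]},
    "STA-09": {},  # cloud-specific control with no counterpart in these frameworks
}


def invert(mapping):
    """framework -> requirement -> set of CCM controls that back it."""
    by_req = defaultdict(lambda: defaultdict(set))
    for control, frameworks in mapping.items():
        for fw, reqs in frameworks.items():
            for req in reqs:
                by_req[fw][req].add(control)
    return by_req


def coverage(results, mapping=MAPPING):
    """Rate every mapped requirement from CCM assessment results.

    results: CCM control id -> "pass" | "fail" | "not-assessed".
    A requirement backed by several CCM controls is "covered" only when all
    of them pass; some passing gives "partial"; none passing gives "gap".
    """
    status = {}
    for fw, reqs in invert(mapping).items():
        status[fw] = {}
        for req, controls in reqs.items():
            passed = sum(results.get(c) == "pass" for c in controls)
            if passed == len(controls):
                status[fw][req] = "covered"
            elif passed:
                status[fw][req] = "partial"
            else:
                status[fw][req] = "gap"
    return status


def residual_controls(framework, mapping=MAPPING):
    """CCM controls with no requirement in `framework`: the cloud-specific
    obligations that a certificate against that framework alone does not address."""
    return sorted(c for c, fws in mapping.items() if framework not in fws)


def summary(results, mapping=MAPPING):
    """framework -> fraction of its mapped requirements that are fully covered."""
    return {fw: round(sum(s == "covered" for s in reqs.values()) / len(reqs), 2)
            for fw, reqs in coverage(results, mapping).items()}


if __name__ == "__main__":
    # Constructed assessment results for the six controls above.
    sample = {"IAM-03": "pass", "IAM-14": "pass", "CEK-03": "pass",
              "CEK-04": "fail", "LOG-05": "not-assessed", "STA-09": "pass"}
    for fw, reqs in coverage(sample).items():
        print(fw, reqs)
    print("not addressed by ISO 27001:", residual_controls("ISO/IEC 27001:2022"))
    print(summary(sample))
```

With the constructed results, ISO A.8.24 and PCI DSS 3.6 come out "partial" because CEK-04 failed even though CEK-03 passed, NIST DE.CM-01 is a "gap" because LOG-05 was never assessed, and LOG-05 and STA-09 are listed as controls an ISO 27001 certificate does not speak to. Replace MAPPING with the crosswalk columns from the CCM v4 workbook to run this against a real assessment.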
Securitora Assessment
The CSA CCM v4 is the essential reference framework for any organisation operating in or using cloud services, which in practice means almost every organisation today. Its 197 controls cover cloud-specific risks (shared responsibility, multi-tenant infrastructure, portability, provider supply chains) that general frameworks such as ISO 27001 or NIST CSF address only partially. The comprehensive mappings to other frameworks make it an effective integration tool for organisations managing multiple compliance requirements simultaneously. For cloud service providers, participation in the STAR programme is increasingly expected by enterprise customers as part of vendor due diligence.
| Recommended for | Cloud service providers, SaaS companies, any organisation with significant cloud usage |
|---|---|
| Difficulty to implement | Medium: well-structured, with detailed implementation guidance per control |
| Best used with | ISO 27001 · SOC 2 Type II · NIST CSF 2.0 |
| Official resource | cloudsecurityalliance.org |