The CCM v4 includes additional cloud security and privacy-related controls and encompasses coverage of requirements deriving from new cloud technologies, improved control auditability, enhanced interoperability and compatibility with other standards, and expanded support offerings to navigate the cloud shared responsibility model.
CCM is a cybersecurity control framework for cloud computing that aligns with the CSA Best Practices and is considered the de facto standard for cloud security and privacy. CCM v4 constitutes a significant upgrade to the previous version (v3.0.1): it changes the framework structure by introducing a new domain dedicated to Logging and Monitoring (LOG), and it modifies existing domains, including governance, risk and compliance (GRC); auditing and assurance (A&A); unified endpoint management (UEM); and cryptography, encryption, and key management (CEK).
“CSA’s Cloud Controls Matrix continues to lead the security industry and market as the cloud provider and user-centric control framework of choice. With an increasingly complex array of cloud technologies, controls, and frameworks, it’s vital that cloud customers have clear, definitive insight into the risks, roles, and responsibilities to which they and their chosen cloud service provider must adhere,” said Jim Reavis, CEO, Cloud Security Alliance.
CCM v4 was developed by an expert group of more than 70 practitioners and industry leaders representing key cloud stakeholders, among them cloud service providers, cloud customers, auditors, and consulting firms.
It features 17 domains, up one from the previous iteration, and a total of 197 controls (up from 133). In early February, the 64 new controls will be accompanied by mappings with ISO/IEC 27001-2013, ISO/IEC 27017-2015, ISO/IEC 27018-2019, AICPA TSC v2017, and CCM v3.0.1.
“The world is changing at rapid-fire pace, and cloud security providers are having to not only keep pace but stay one step ahead. CCMv4 provides enterprises with an additional layer of transparency and confidence that their CSPs are following recommended security best practices,” said Daniele Catteddu, CTO, Cloud Security Alliance.