CCMv4 0 2 - 2021-07-07
v4.0.2+0
Introduction
This section explains the CCM V4 spreadsheet structure and describes its components.
I. Structure
The CCM V4 spreadsheet includes five tabs:
• Introduction.
• CCM Controls.
• CCM Scope Applicability (Mappings).
• Consensus Assessments Initiative Questionnaire (CAIQ).
• Acknowledgments.
a. CCM Controls
This is the core of the CCM V4. It includes 197 controls structured in 17 domains.
Each control is described by a:
• Control Domain: the name of the domain to which the control pertains.
• Control Title: the title of the control.
• Control ID: the control identifier.
• Control Specification: the requirement(s) description of the control.
In addition, this tab includes the following sections (groups of columns):
This group of columns describes the typical applicability of controls for the three main cloud delivery models: infrastructure-as-a-service (IaaS),
platform-as-a-service (PaaS), and software-as-a-service (SaaS). Additionally, the section explores the typical SSRM-based (Shared Security
Responsibility Model) allocation of responsibilities for the implementation of a given CCM control between a cloud service provider (CSP) and a
cloud service customer (CSC). The matrix clarifies if a control’s responsibility should be “CSP-Owned”, “CSC-Owned”, or “Shared”.
IMPORTANT NOTE: Both the control applicability to IaaS, PaaS, and SaaS models—and the control ownership attributions—are meant to represent a
high-level simplification. The CCM user should revise those attributions depending on the contractually agreed SSRM for the specific cloud
environment.
Architectural Relevance:
This group of columns indicates the architectural relevance of each CCM control per cloud stack component from the perspective of the CSA Cloud
Reference Model. The section focuses on components, including physical, network, compute, storage, application, and data.
The “relevance box” associated with each component is marked as “TRUE” if the control is relevant to a component and “FALSE” if it is not.
IMPORTANT NOTE: The architectural relevance is meant to represent a high-level simplification. The CCM user should revise those attributions
depending on its specific cloud environment and technologies used.
Organizational Relevance:
This group of columns indicates the relevance between each CCM control and its implementation by the respective cloud relevant functions within an
organization. The functions included are: Cybersecurity, Internal Audit, Architecture Team, Software Development Team, Operations, Legal/Privacy,
Governance/Risk/Control, Supply Chain Management, and Human.
The “relevance box” associated with each function is marked as “TRUE” if the control is relevant to that function and “FALSE” if it is not.
IMPORTANT NOTE: The organizational relevance is meant to represent a high-level simplification. The user of the CCM should revise those
attributions depending on the specific cloud environment and organizational structure.
b. CCM Scope Applicability (Mappings):
This tab includes the mappings between CCM V4 and numerous standards (ISO 27001/2/17) and best-practice control sets (CIS V8) relevant to cloud
computing.
For each standard, the mapping consists of the following three columns:
Control Mapping
The indication of which control(s) in the target standard (e.g., ISO27001) corresponds to the CCM control.
Gap Level
The level of gap a control (or controls) in the target standard has when compared with the CCM control. The gap levels used are:
• No Gap: In case of full correspondence.
• Partial Gap: If the control(s) in the target standard does not fully satisfy the corresponding CCM control’s requirements.
• Full Gap: If there is no control in the target standard to fulfill the corresponding CCM control’s requirements.
Addendum
The column describes the suggested compensating control that organizations must implement to cover the gap between the control in the target
standard and the corresponding CCM control.
d. Acknowledgments:
This tab acknowledges the volunteers who contributed to the CCM V4’s development.
End of Introduction
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to
the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
CLOUD CONTROLS MATRIX VERSION 4.0.2
v4.0.2+0
Business Continuity Management and Operational Resilience - BCR
BCR-01 Business Continuity Management Policy and Procedures
BCR-02 Risk Assessment and Impact Analysis
BCR-03 Business Continuity Strategy
BCR-04 Business Continuity Planning
BCR-05 Documentation
BCR-06 Business Continuity Exercises
BCR-07 Communication
BCR-08 Backup
BCR-09 Disaster Response Plan
BCR-10 Response Plan Exercise
BCR-11 Equipment Redundancy
Change Control and Configuration Management - CCC
Cryptography, Encryption & Key Management - CEK
CEK-01 Encryption and Key Management Policy and Procedures
CEK-02 CEK Roles and Responsibilities
CEK-03 Data Encryption
CEK-04 Encryption Algorithm
CEK-05 Encryption Change Management
CEK-06 Encryption Change Cost Benefit Analysis
CEK-07 Encryption Risk Management
CEK-08 CSC Key Management Capability
CEK-09 Encryption and Key Management Audit
CEK-10 Key Generation
CEK-11 Key Purpose
CEK-12 Key Rotation
CEK-13 Key Revocation
CEK-14 Key Destruction
CEK-15 Key Activation
CEK-16 Key Suspension
CEK-17 Key Deactivation
CEK-18 Key Archival
CEK-19 Key Compromise
CEK-20 Key Recovery
CEK-21 Key Inventory Management
Interoperability & Portability - IPY
IPY-02 Application Interface Availability
IPY-03 Secure Interoperability and Portability Management
IPY-04 Data Portability Contractual Obligations
Infrastructure & Virtualization Security - IVS
IVS-02 Capacity and Resource Planning
IVS-03 Network Security
IVS-04 OS Hardening and Base Controls
IVS-05 Production and Non-Production Environments
IVS-06 Segmentation and Segregation
IVS-07 Migration to Cloud Environments
IVS-08 Network Architecture Documentation
IVS-09 Network Defense
Security Incident Management, E-Discovery, & Cloud Forensics - SEF
SEF-01 Security Incident Management Policy and Procedures
SEF-02 Service Management Policy and Procedures
SEF-03 Incident Response Plans
SEF-04 Incident Response Testing
SEF-05 Incident Response Metrics
SEF-06 Event Triage Processes
SEF-07 Security Breach Notification
SEF-08 Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability - STA
STA-01 SSRM Policy and Procedures
STA-02 SSRM Supply Chain
STA-03 SSRM Guidance
STA-04 SSRM Control Ownership
STA-05 SSRM Documentation Review
STA-06 SSRM Control Implementation
STA-07 Supply Chain Inventory
STA-08 Supply Chain Risk Management
STA-09 Primary Service and Contractual Agreement
STA-10 Supply Chain Agreement Review
STA-11 Internal Compliance Testing
STA-12 Supply Chain Service Agreement Compliance
STA-13 Supply Chain Governance Review
STA-14 Supply Chain Data Security Assessment
Threat & Vulnerability Management - TVM
Universal Endpoint Management - UEM
UEM-02 Application and Service Approval
UEM-03 Compatibility
UEM-04 Endpoint Inventory
UEM-05 Endpoint Management
UEM-06 Automatic Lock Screen
UEM-07 Operating Systems
UEM-08 Storage Encryption
UEM-09 Anti-Malware Detection and Prevention
UEM-10 Software Firewall
UEM-11 Data Loss Prevention
UEM-12 Remote Locate
UEM-13 Remote Wipe
UEM-14 Third-Party Endpoint Security Posture
End of Standard
Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. | Shared | Shared
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible. | Shared | Shared
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible. | Shared | Shared
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite. | Shared | Shared
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities. | Shared | Shared
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. | Shared | Shared
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes. | Shared | Shared
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures. | Shared | Shared
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. | Shared | Shared
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities. | CSP-Owned | CSP-Owned
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards. | CSP-Owned | CSP-Owned
Change Control and Configuration Management - CCC
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually. | Shared | Shared
Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. | CSP-Owned | Shared
Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). | Shared | Shared
Define and implement cryptographic, encryption and key management roles and responsibilities. | Shared | Shared
Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. | Shared | Shared
Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. | Shared | Shared
Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. | Shared | Shared
CSPs must provide the capability for CSCs to manage their own data encryption keys. | Shared | Shared
Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s). | Shared | Shared
Manage cryptographic secret and private keys that are provisioned for a unique purpose. | Shared | Shared
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. | Shared | Shared
Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. | Shared | Shared
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for maintaining a safe and secure working environment in offices, rooms, and
facilities. Review and update the policies and procedures at least annually. CSP-Owned CSP-Owned
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the secure transportation of physical media. Review and update the policies CSP-Owned CSP-Owned
and procedures at least annually.
Classify and document the physical, and logical assets (e.g., applications) based on the
organizational business risk. Shared Shared
Catalogue and track all relevant physical and logical assets located at all of the CSP's sites
within a secured system. CSP-Owned Shared
Implement physical security perimeters to safeguard personnel, data, and information
systems. Establish physical security perimeters between the administrative and business
areas and the data storage and processing facilities areas. CSP-Owned CSP-Owned
Implement, maintain, and operate datacenter surveillance systems at the external perimeter
and at all the ingress and egress points to detect unauthorized ingress and egress attempts. CSP-Owned CSP-Owned
Train datacenter personnel to respond to unauthorized ingress or egress attempts.
CSP-Owned CSP-Owned
Define, implement and evaluate processes, procedures and technical measures that ensure
a risk-based protection of power and telecommunication cables from a threat of
interception, interference or damage at all facilities, offices and rooms. CSP-Owned CSP-Owned
Implement and maintain data center environmental control systems that monitor, maintain
and test for continual effectiveness the temperature and humidity conditions within CSP-Owned CSP-Owned
accepted industry standards.
Secure, monitor, maintain, and test utilities services for continual effectiveness at planned
intervals. CSP-Owned CSP-Owned
Keep business-critical equipment away from locations subject to high probability for
environmental risk events. CSP-Owned CSP-Owned
Apply industry accepted methods for the secure disposal of data from storage media such
that data is not recoverable by any forensic means. Shared Shared
Create and maintain a data inventory, at least for any sensitive data and personal data.
Shared Shared
Classify data according to its type and sensitivity level. CSC-Owned CSC-Owned
Create data flow documentation to identify what data is processed, stored or transmitted
where. Review data flow documentation at defined intervals, at least annually, and after CSC-Owned CSC-Owned
any change.
Document ownership and stewardship of all relevant documented personal and sensitive
data. Perform review at least annually. CSC-Owned CSC-Owned
Develop systems, products, and business practices based upon a principle of security by
design and industry best practices. Shared Shared
Develop systems, products, and business practices based upon a principle of privacy by
design and industry best practices. Ensure that systems' privacy settings are configured by
default, according to all applicable laws and regulations. CSC-Owned CSC-Owned
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature,
particularity and severity of the risks upon the processing of personal data, according to
any applicable laws, regulations and industry best practices. CSC-Owned CSC-Owned
Define, implement and evaluate processes, procedures and technical measures that ensure
any transfer of personal or sensitive data is protected from unauthorized access and only
processed within scope as permitted by the respective laws and regulations. CSC-Owned CSC-Owned
Define and implement, processes, procedures and technical measures to enable data
subjects to request access to, modification, or deletion of their personal data, according to CSC-Owned CSC-Owned
any applicable laws and regulations.
Define, implement and evaluate processes, procedures and technical measures to ensure
that personal data is processed according to any applicable laws and regulations and for
the purposes declared to the data subject. CSC-Owned CSC-Owned
Define, implement and evaluate processes, procedures and technical measures for the
transfer and sub-processing of personal data within the service supply chain, according to
any applicable laws and regulations. CSC-Owned CSC-Owned
Define, implement and evaluate processes, procedures and technical measures to disclose
the details of any personal or sensitive data access by sub-processors to the data owner
prior to initiation of that processing. CSC-Owned CSC-Owned
Obtain authorization from data owners, and manage associated risk before replicating or
using production data in non-production environments. CSC-Owned CSC-Owned
Define and implement, processes, procedures and technical measures to specify and
document the physical locations of data, including any locations in which data is processed CSP-Owned CSP-Owned
or backed up.
Review all relevant organizational policies and associated procedures at least annually or
when a substantial change occurs within the organization. Shared Shared
Develop and implement an Information Security Program, which includes programs for all
the relevant domains of the CCM.
Shared Shared
Define and document roles and responsibilities for planning, implementing, operating,
assessing, and improving governance programs. Shared Shared
Identify and document all relevant standards, regulations, legal/contractual, and statutory
requirements, which are applicable to your organization. Shared Shared
Establish and maintain contact with cloud-related special interest groups and other relevant
entities in line with business context. Shared Shared
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for defining allowances and conditions for the acceptable use of
organizationally-owned or managed assets. Review and update the policies and procedures Shared Shared
at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures that require unattended workspaces to not have openly visible confidential
data. Review and update the policies and procedures at least annually. Shared Shared
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures to protect information accessed, processed or stored at remote sites and
locations. Review and update the policies and procedures at least annually. Shared Shared
Employees sign the employee agreement prior to being granted access to organizational
information systems, resources and assets. Shared Shared
The organization includes within the employment agreements provisions and/or terms for
adherence to established information governance and security policies. Shared Shared
Document and communicate roles and responsibilities of employees, as they relate to
information assets and security. Shared Shared
Identify, document, and review, at planned intervals, requirements for
non-disclosure/confidentiality agreements reflecting the organization's needs for the Shared Shared
protection of data and operational details.
Establish, document, approve, communicate, apply, evaluate and maintain a security
awareness training program for all employees of the organization and provide regular Shared Shared
training updates.
Provide all employees with access to sensitive organizational and personal data with
appropriate security awareness training and regular updates in organizational procedures,
processes, and policies relating to their professional function relative to the organization. Shared Shared
Make employees aware of their roles and responsibilities for maintaining awareness and
compliance with established policies and procedures and applicable legal, statutory, or
regulatory compliance obligations. Shared Shared
Define, implement and evaluate processes, procedures and technical measures for the
segregation of privileged access roles such that administrative access to data, encryption
and key management capabilities and logging capabilities are distinct and separated. Shared Shared
Define and implement an access process to ensure privileged access roles and rights are
granted for a time limited period, and implement procedures to prevent the culmination of Shared Shared
segregated privileged access.
Define, implement and evaluate processes and procedures for customers to participate,
where applicable, in the granting of access for agreed, high risk (as defined by the
organizational risk assessment) privileged access roles. Shared Shared
Define, implement and evaluate processes, procedures and technical measures to ensure
the logging infrastructure is read-only for all with write access, including privileged access
roles, and that the ability to disable it is controlled through a procedure that ensures the Shared Shared
segregation of duties and break glass procedures.
Define, implement and evaluate processes, procedures and technical measures that ensure
users are identifiable through unique IDs or which can associate individuals to the usage of Shared Shared
user IDs.
Define, implement and evaluate processes, procedures and technical measures for
authenticating access to systems, application and data assets, including multifactor
authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
Ownership (IaaS / PaaS): Shared / Shared

Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
Ownership (IaaS / PaaS): CSC-Owned / Shared

Implement cryptographically secure and standardized network protocols for the management, import and export of data.
Ownership (IaaS / PaaS): CSC-Owned / Shared

Agreements must include provisions specifying CSCs' access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
Ownership (IaaS / PaaS): CSC-Owned / Shared

Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
Ownership (IaaS / PaaS): Shared / CSP-Owned

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Separate production and non-production environments.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
Ownership (IaaS / PaaS): Shared / Shared

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
Ownership (IaaS / PaaS): Shared / Shared
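The monitoring step in the control above, as an added illustration that is not part of the CCM: a small Python detector run over constructed audit records. The per-user baseline, the sample JSON log lines and the working-hours windows are assumptions made for the example; timestamps are compared in UTC, which presumes the reliable shared clock the logging controls also call for.

```python
"""Flag audit-log events that fall outside a per-user baseline.

Added example; not CSA material. The baseline, the JSON log lines and the
working-hours windows are constructed. Times are compared in UTC.
"""
import json
from datetime import datetime, timezone

# Constructed baseline: expected source networks and working hours (UTC, [start, end)).
BASELINE = {
    "alice": {"networks": ("203.0.113.",), "hours": (7, 19)},
    "svc-backup": {"networks": ("10.0.0.",), "hours": (0, 24)},
}

# Constructed audit records, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2021-07-07T09:12:03Z", "user": "alice", "src": "203.0.113.10", "action": "read", "object": "s3://tenant-a/reports"}
{"ts": "2021-07-07T02:41:55Z", "user": "alice", "src": "203.0.113.10", "action": "read", "object": "s3://tenant-a/reports"}
{"ts": "2021-07-07T10:05:17Z", "user": "alice", "src": "198.51.100.7", "action": "export", "object": "s3://tenant-a/reports"}
{"ts": "2021-07-07T03:00:00Z", "user": "svc-backup", "src": "10.0.0.5", "action": "read", "object": "s3://tenant-a/"}
{"ts": "2021-07-07T11:30:00Z", "user": "mallory", "src": "192.0.2.9", "action": "delete", "object": "audit/"}
"""


def parse_events(text):
    """Parse JSON lines; normalise the timestamp to an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append(ev)
    return events


def anomalies(events, baseline=BASELINE):
    """Return (event, reason) pairs for activity outside the expected pattern."""
    findings = []
    for ev in events:
        profile = baseline.get(ev["user"])
        if profile is None:
            # A principal with no baseline at all is itself worth a look.
            findings.append((ev, "principal has no baseline"))
            continue
        if not ev["src"].startswith(profile["networks"]):
            findings.append((ev, f"source {ev['src']} outside baseline networks"))
        start, end = profile["hours"]
        if not start <= ev["ts"].hour < end:
            findings.append((ev, f"activity at {ev['ts']:%H:%M}Z outside working hours"))
    return findings


def triage(findings):
    """Group reasons per principal so each can be reviewed and actioned."""
    by_user = {}
    for ev, reason in findings:
        by_user.setdefault(ev["user"], []).append(reason)
    return by_user
```

On the constructed input the detector flags two of alice's events (one at 02:41Z, one from a source outside her usual network) and the unknown principal; the backup service account, which legitimately runs at night from its own network, is not flagged. The baseline is the part that needs care in practice: it should be learned from a reviewed history or maintained with the identity owners, and every finding should feed the defined review process rather than an ad hoc look.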
Use a reliable time source across all relevant information processing systems.
Ownership (IaaS / PaaS): Shared / CSP-Owned

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
Ownership (IaaS / PaaS): Shared / Shared

Generate audit records containing relevant security information.
Ownership (IaaS / PaaS): Shared / Shared

The information system protects audit records from unauthorized access, modification, and deletion.
Ownership (IaaS / PaaS): Shared / Shared
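One technical way to make modification or deletion of audit records detectable, added here as an example and not taken from the CCM: a hash chain over the records, authenticated with a key that the log service holds and the audited writers do not. The key and the three sample records are constructed. This gives tamper evidence only; restricting who can read or write the store (and a write-once backend where one is available) is still required to meet the control.

```python
"""Tamper-evident audit log: hash chain with a keyed MAC.

Added example; not CSA material. The key and sample records are constructed.
"""
import hashlib
import hmac
import json

# Assumption: held by the log service only; never by the systems being audited.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def canonical(body):
    """Stable serialization so the MAC covers the same bytes on write and verify."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append(chain, record, key=AUDIT_KEY):
    """Append a record bound to its position and to the previous entry's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "record": record}
    entry = dict(body, tag=hmac.new(key, canonical(body), hashlib.sha256).hexdigest())
    chain.append(entry)
    return entry


def verify(chain, key=AUDIT_KEY):
    """Return (True, None) if intact, else (False, seq of the first bad entry).

    A modified record breaks its own tag; a deleted or reordered record breaks the
    seq/prev linkage of the entry that follows it.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if entry["seq"] != i or entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def demo():
    """Build a three-record chain, then simulate an edit and a deletion."""
    chain = []
    for rec in ({"user": "alice", "action": "login", "result": "ok"},
                {"user": "alice", "action": "read", "object": "s3://tenant-a/reports"},
                {"user": "alice", "action": "logout"}):
        append(chain, rec)
    intact = verify(chain)
    edited = json.loads(json.dumps(chain))          # deep copy, then alter record 1
    edited[1]["record"]["object"] = "s3://tenant-a/public"
    truncated = chain[:1] + chain[2:]               # record 1 removed
    return intact, verify(edited), verify(truncated)
```

The chain alone does not detect removal of the newest entries, since nothing follows them; the verifier also needs the expected head (the last tag, published to a separate store or signed periodically) to catch that case.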
Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
Ownership (IaaS / PaaS): Shared / Shared

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
Ownership (IaaS / PaaS): Shared / Shared

Monitor and log physical access using an auditable access control system.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
Ownership (IaaS / PaaS): Shared / Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
Ownership (IaaS / PaaS): Shared / Shared

Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.
Ownership (IaaS / PaaS): Shared / Shared

Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
Ownership (IaaS / PaaS): Shared / Shared

Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
Ownership (IaaS / PaaS): Shared / Shared

Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
Ownership (IaaS / PaaS): Shared / Shared

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
Ownership (IaaS / PaaS): Shared / Shared

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
Ownership (IaaS / PaaS): CSP-Owned / CSP-Owned

Review and validate SSRM documentation for all cloud services offerings the organization uses.
Ownership (IaaS / PaaS): Shared / Shared

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
Ownership (IaaS / PaaS): Shared / Shared

Develop and maintain an inventory of all supply chain relationships.
Ownership (IaaS / PaaS): Shared / Shared

CSPs periodically review risk factors associated with all organizations within their supply chain.
Ownership (IaaS / PaaS): Shared / Shared

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Ownership (IaaS / PaaS): Shared / Shared

Review supply chain agreements between CSPs and CSCs at least annually.
Ownership (IaaS / PaaS): Shared / Shared

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
Ownership (IaaS / PaaS): Shared / Shared

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
Ownership (IaaS / PaaS): Shared / Shared

Periodically review the organization's supply chain partners' IT governance policies and procedures.
Ownership (IaaS / PaaS): Shared / Shared

Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
Ownership (IaaS / PaaS): Shared / Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent, basis.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
Ownership (IaaS / PaaS): Shared / Shared

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
Ownership (IaaS / PaaS): Shared / Shared

Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
Ownership (IaaS / PaaS): CSC-Owned / CSC-Owned
End of Standard

© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
[Remaining matrix columns, extracted as bare value columns without their control identifiers: the third Applicability and Ownership column (CSP-Owned / CSC-Owned / Shared), the Architectural Relevance - Cloud Stack Components flags, and the Organizational Relevance flags (column headers visible in the extract: SW Development, Operations, Legal/Privacy, GRC Team, Supply Chain Management, HR), with 1 for TRUE and 0 for FALSE and one row per control in matrix order. Without the Control ID column these rows cannot be matched back to controls and are not reproduced here.]
CLOUD CONTROLS MATRIX VERSION 4.0.2 (v4.0.2+0)
Control Domain, Control Title and Control ID columns, as extracted:

Business Continuity Management and Operational Resilience
  BCR-01  Business Continuity Management Policy and Procedures
  BCR-02  Risk Assessment and Impact Analysis
  BCR-03  Business Continuity Strategy
  BCR-04  Business Continuity Planning
  BCR-05  Documentation
  BCR-06  Business Continuity Exercises
  BCR-07  Communication
  BCR-08  Backup
  BCR-09  Disaster Response Plan
  BCR-10  Response Plan Exercise
  BCR-11  Equipment Redundancy

Cryptography, Encryption & Key Management
  CEK-04  Encryption Algorithm
  CEK-05  Encryption Change Management
  CEK-06  Encryption Change Cost Benefit Analysis
  CEK-07  Encryption Risk Management
  CEK-08  CSC Key Management Capability
  CEK-09  Encryption and Key Management Audit
  CEK-10  Key Generation
  CEK-11  Key Purpose
  CEK-12  Key Rotation
  CEK-13  Key Revocation
  CEK-14  Key Destruction
  CEK-15  Key Activation
  CEK-16  Key Suspension
  CEK-17  Key Deactivation
  CEK-18  Key Archival
  CEK-19  Key Compromise
  CEK-20  Key Recovery
  CEK-21  Key Inventory Management

Interoperability & Portability
  IPY-02  Application Interface Availability

Infrastructure & Virtualization Security
  IVS-03  Network Security
  IVS-04  OS Hardening and Base Controls
  IVS-06  Segmentation and Segregation
  IVS-07  Migration to Cloud Environments
  IVS-08  Network Architecture Documentation
  IVS-09  Network Defense

Security Incident Management, E-Discovery, & Cloud Forensics
  SEF-01  Security Incident Management Policy and Procedures
  SEF-02  Service Management Policy and Procedures
  SEF-03  Incident Response Plans
  SEF-04  Incident Response Testing
  SEF-05  Incident Response Metrics
  SEF-06  Event Triage Processes
  SEF-07  Security Breach Notification
  SEF-08  Points of Contact Maintenance

Supply Chain Management, Transparency, and Accountability
  STA-01  SSRM Policy and Procedures
  STA-02  SSRM Supply Chain
  STA-03  SSRM Guidance
  STA-04  SSRM Control Ownership
  STA-05  SSRM Documentation Review
  STA-06  SSRM Control Implementation
  STA-07  Supply Chain Inventory
  STA-08  Supply Chain Risk Management
  STA-09  Primary Service and Contractual Agreement
  STA-10  Supply Chain Agreement Review
  STA-11  Internal Compliance Testing
  STA-12  Supply Chain Service Agreement Compliance
  STA-13  Supply Chain Governance Review
  STA-14  Supply Chain Data Security Assessment

Universal Endpoint Management
  UEM-02  Application and Service Approval
  UEM-03  Compatibility
  UEM-04  Endpoint Inventory
  UEM-05  Endpoint Management
  UEM-06  Automatic Lock Screen
  UEM-07  Operating Systems
  UEM-08  Storage Encryption
  UEM-09  Anti-Malware Detection and Prevention
  UEM-10  Software Firewall
  UEM-11  Data Loss Prevention
  UEM-12  Remote Locate
  UEM-13  Remote Wipe
  UEM-14  Third-Party Endpoint Security Posture
CCM Scope Applicability (Mappings), as extracted. Each control specification is followed by the mapping value(s) recorded with it in the sheet ("No Mapping" where the matrix lists none); where several values follow one specification, some may belong to neighbouring controls whose text was not extracted.

Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.
Mapping: No Mapping

Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.
Mapping: No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.
Mapping: No Mapping

Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
Mapping: 16.2

Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
Mapping: 16.1

Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
Mapping: 16.12; 16.13

Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
Mapping: No Mapping

Mapping values whose control text was not extracted: 16.2; 16.6; No Mapping

Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
Mapping: No Mapping

Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
Mapping: No Mapping

Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.
Mapping: No Mapping

Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.
Mapping: No Mapping

Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
Mapping: 11.1; 11.2; 11.3; 11.4; 11.5

Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
Mapping: No Mapping

Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
Mapping: No Mapping

Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
Mapping: No Mapping

Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.
Mapping: No Mapping

Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).
Mapping: No Mapping; No Mapping; No Mapping

Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
Mapping: No Mapping; No Mapping

Define and implement cryptographic, encryption and key management roles and responsibilities.
Mapping: No Mapping

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
Mapping: 3.6; 3.1; 3.11; 11.3; 16.11

Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
Mapping: 16.11

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
Mapping: No Mapping; No Mapping

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
Mapping: No Mapping

CSPs must provide the capability for CSCs to manage their own data encryption keys.
Mapping: No Mapping

Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system, with audit occurring preferably continuously but at least annually and after any security event(s).
Mapping: No Mapping; 16.11

Manage cryptographic secret and private keys that are provisioned for a unique purpose.
Mapping: No Mapping

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of the established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
Mapping: No Mapping; No Mapping

Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
Mapping: No Mapping

Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
Mapping: No Mapping
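The key states and transitions named in the rotation, revocation, destruction, activation, suspension, compromise and inventory controls above, carried into a single Python state machine as an added example (not CSA code, and not the API of any particular key management product). Key identifiers, cryptoperiods, the in-memory "in HSM" flag and the approver value are constructed for the illustration; generation and use of the actual key material would sit behind the authorize() check in a real system.

```python
"""Key lifecycle state machine mirroring the CEK key-management control text.

Added example; not CSA material. Key IDs, cryptoperiods, the in_hsm flag and the
approver values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Permitted state transitions (states taken from the control text).
ALLOWED = {
    "pre-activated": {"active", "destroyed"},
    "active": {"suspended", "deactivated", "compromised"},
    "suspended": {"active", "deactivated", "compromised"},
    "deactivated": {"archived", "destroyed", "compromised"},
    "compromised": {"archived", "destroyed"},
    "archived": {"destroyed", "compromised"},
    "destroyed": set(),
}
# Operations each state may perform; compromised keys decrypt only, never encrypt.
USAGE = {
    "active": {"encrypt", "decrypt"},
    "deactivated": {"decrypt"},
    "archived": {"decrypt"},
    "compromised": {"decrypt"},
}


class KeyInventory:
    def __init__(self, now=None):
        self.keys = {}
        self.events = []          # lifecycle log: every state change and use attempt
        self.now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, key_id, event, **detail):
        self.events.append({"ts": self.now().isoformat(), "key": key_id, "event": event, **detail})

    def generate(self, key_id, purpose, cryptoperiod_days, in_hsm):
        # New keys start pre-activated; each key is bound to a single purpose.
        self.keys[key_id] = {"purpose": purpose, "state": "pre-activated", "in_hsm": in_hsm,
                             "cryptoperiod": timedelta(days=cryptoperiod_days), "activated": None}
        self._log(key_id, "generated", purpose=purpose, in_hsm=in_hsm)

    def transition(self, key_id, new_state, reason, approver=None):
        k = self.keys[key_id]
        if new_state not in ALLOWED[k["state"]]:
            raise ValueError(f"{key_id}: {k['state']} -> {new_state} is not a permitted transition")
        if "suspended" in (k["state"], new_state) and approver is None:
            # Transitions to or from suspension must be reviewed and approved.
            raise ValueError(f"{key_id}: suspension transitions require an approver")
        if new_state == "destroyed" and k["in_hsm"]:
            # HSM-resident keys are revoked (deactivated) here; destruction is an HSM operation.
            raise ValueError(f"{key_id}: revoke HSM-resident keys; destroy them inside the HSM")
        self._log(key_id, "state-change", frm=k["state"], to=new_state, reason=reason, approver=approver)
        k["state"] = new_state
        if new_state == "active" and k["activated"] is None:
            k["activated"] = self.now()

    def authorize(self, key_id, operation, purpose):
        """Gate every use of key material on purpose and lifecycle state."""
        k = self.keys[key_id]
        allowed = purpose == k["purpose"] and operation in USAGE.get(k["state"], set())
        self._log(key_id, "use-request", operation=operation, purpose=purpose, allowed=allowed)
        return allowed

    def rotation_due(self):
        """Active keys whose cryptoperiod has elapsed and which need rotation."""
        now = self.now()
        return sorted(kid for kid, k in self.keys.items()
                      if k["state"] == "active" and k["activated"] is not None
                      and now - k["activated"] >= k["cryptoperiod"])

    def report(self):
        """Inventory of all keys with their current status."""
        return {kid: (k["state"], k["purpose"], k["in_hsm"]) for kid, k in self.keys.items()}


def demo():
    """Walk one data-encryption key through its lifecycle with a controllable clock."""
    clock = {"now": datetime(2021, 7, 7, tzinfo=timezone.utc)}
    inv = KeyInventory(now=lambda: clock["now"])
    inv.generate("dek-tenant-a-001", "data-at-rest", cryptoperiod_days=90, in_hsm=False)
    inv.generate("kek-root-001", "key-wrapping", cryptoperiod_days=365, in_hsm=True)
    assert not inv.authorize("dek-tenant-a-001", "encrypt", "data-at-rest")   # still pre-activated
    inv.transition("dek-tenant-a-001", "active", reason="rollout complete")
    assert inv.authorize("dek-tenant-a-001", "encrypt", "data-at-rest")
    assert not inv.authorize("dek-tenant-a-001", "encrypt", "signing")        # wrong purpose
    clock["now"] += timedelta(days=91)
    assert inv.rotation_due() == ["dek-tenant-a-001"]
    inv.transition("dek-tenant-a-001", "compromised", reason="key material found in a ticket")
    assert inv.authorize("dek-tenant-a-001", "decrypt", "data-at-rest")       # read old data only
    assert not inv.authorize("dek-tenant-a-001", "encrypt", "data-at-rest")
    for key_id, state in (("kek-root-001", "destroyed"), ("dek-tenant-a-001", "active")):
        try:
            inv.transition(key_id, state, reason="should be rejected")
            raise AssertionError("transition should have been rejected")
        except ValueError:
            pass
    return inv
```

The events list is what the logging controls ask for: every status change and every use request, allowed or refused, is recorded against the key and can be reported from the inventory. The recovery control is deliberately not automated here; the decision to keep using compromised material for decryption is a risk judgment, and the state machine only enforces that the result of that judgment (decrypt only) is honoured.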
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the relocation or transfer of hardware, software, or data/information to an
offsite or alternate location. The relocation or transfer request requires the written or
cryptographically verifiable authorization. Review and update the policies and procedures No Mapping
at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for maintaining a safe and secure working environment in offices, rooms, and
facilities. Review and update the policies and procedures at least annually.
No Mapping
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the secure transportation of physical media. Review and update the policies No Mapping
and procedures at least annually.
Classify and document the physical, and logical assets (e.g., applications) based on the
organizational business risk. No Mapping
Catalogue and track all relevant physical and logical assets located at all of the CSP's sites
within a secured system. 1.1
2.1
Implement physical security perimeters to safeguard personnel, data, and information
systems. Establish physical security perimeters between the administrative and business
areas and the data storage and processing facilities areas. No Mapping
Implement, maintain, and operate datacenter surveillance systems at the external perimeter
and at all the ingress and egress points to detect unauthorized ingress and egress attempts. No Mapping
Implement and maintain data center environmental control systems that monitor, maintain
and test for continual effectiveness the temperature and humidity conditions within No Mapping
accepted industry standards.
Secure, monitor, maintain, and test utilities services for continual effectiveness at planned
intervals. No Mapping
Keep business-critical equipment away from locations subject to high probability for
environmental risk events. No Mapping
3.1
Apply industry accepted methods for the secure disposal of data from storage media such
that data is not recoverable by any forensic means.
3.5
Create and maintain a data inventory, at least for any sensitive data and personal data.
3.2
Classify data according to its type and sensitivity level.
3.7
Create data flow documentation to identify what data is processed, stored or transmitted
where. Review data flow documentation at defined intervals, at least annually, and after 3.8
any change.
Document ownership and stewardship of all relevant documented personal and sensitive
data. Perform review at least annually.
3.1
Develop systems, products, and business practices based upon a principle of security by
design and industry best practices.
16.1
Develop systems, products, and business practices based upon a principle of privacy by
design and industry best practices. Ensure that systems' privacy settings are configured by
default, according to all applicable laws and regulations. No Mapping
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature,
particularity and severity of the risks upon the processing of personal data, according to
any applicable laws, regulations and industry best practices. No Mapping
Define, implement and evaluate processes, procedures and technical measures that ensure
any transfer of personal or sensitive data is protected from unauthorized access and only
processed within scope as permitted by the respective laws and regulations. 3.1
3.12
3.13
Define and implement, processes, procedures and technical measures to enable data
subjects to request access to, modification, or deletion of their personal data, according to No Mapping
any applicable laws and regulations.
Define, implement and evaluate processes, procedures and technical measures to ensure
that personal data is processed according to any applicable laws and regulations and for
the purposes declared to the data subject. No Mapping
Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
No Mapping
Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
No Mapping
Obtain authorization from data owners, and manage associated risk before replicating or
using production data in non-production environments.
No Mapping
Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
3.1
3.1
3.14
The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
No Mapping
Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
No Mapping
Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
14.1
Define and document roles and responsibilities for planning, implementing, operating,
assessing, and improving governance programs.
No Mapping
Identify and document all relevant standards, regulations, legal/contractual, and statutory
requirements, which are applicable to your organization.
No Mapping
Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.
No Mapping
Human Resources - HRS
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
No Mapping
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
No Mapping
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures that require unattended workspaces to not have openly visible confidential
data. Review and update the policies and procedures at least annually.
14.4
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
13.5
14.8
Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
6.1
6.2
Employees sign the employee agreement prior to being granted access to organizational
information systems, resources and assets.
No Mapping
The organization includes within the employment agreements provisions and/or terms for
adherence to established information governance and security policies.
No Mapping
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
No Mapping
5.2
Manage, store, and review the information of system identities, and level of access.
5.1
5.2
Employ the separation of duties principle when implementing information system access.
6.8
Employ the least privilege principle when implementing information system access.
6.8
Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
6.1
Review and revalidate user access for least privilege and separation of duties with a
frequency that is commensurate with organizational risk tolerance.
5.1
Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.
5.4
Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.
5.1
6.5
Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.
No Mapping
Define, implement and evaluate processes, procedures and technical measures to ensure
the logging infrastructure is read-only for all with write access, including privileged access
roles, and that the ability to disable it is controlled through a procedure that ensures the
segregation of duties and break glass procedures.
3.3
Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.
No Mapping
Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
6.3
6.5
12.5
12.7
Define, implement and evaluate processes, procedures and technical measures for the
secure management of passwords.
No Mapping
Define, implement and evaluate processes, procedures and technical measures to verify
access to data and system functions is authorized.
5.1
Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
No Mapping
Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
4.1
4.2
16.8
Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
No Mapping
Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
No Mapping
Identify and document high-risk environments.
No Mapping
Define, implement and evaluate processes, procedures and defense-in-depth techniques for
protection, detection, and timely response to network-based attacks.
13.3
13.8
Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
8.8
8.11
Use a reliable time source across all relevant information processing systems.
8.4
Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
8.1
Generate audit records containing relevant security information.
8.2
The information system protects audit records from unauthorized access, modification, and deletion.
No Mapping
Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
No Mapping
Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
No Mapping
Monitor and log physical access using an auditable access control system.
No Mapping
Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
No Mapping
Security Incident Management, E-Discovery, & Cloud Forensics - SEF
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
17.4
Establish, document, approve, communicate, apply, evaluate and maintain policies and
procedures for the timely management of security incidents. Review and update the
policies and procedures at least annually.
17.4
Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
17.7
No Mapping
Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches, including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
17.2
17.3
17.4
Maintain points of contact for applicable regulation authorities, national and local law
enforcement, and other legal jurisdictional authorities.
17.2
No Mapping
Apply, document, implement and manage the SSRM throughout the supply chain for the
cloud service offering.
No Mapping
Provide SSRM Guidance to the CSC detailing information about the SSRM applicability
throughout the supply chain.
No Mapping
Delineate the shared ownership and applicability of all CSA CCM controls according to
the SSRM for the cloud service offering.
No Mapping
Review and validate SSRM documentation for all cloud services offerings the organization
uses.
No Mapping
Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
No Mapping
CSPs periodically review risk factors associated with all organizations within their supply chain.
15.3
Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
15.4
Review supply chain agreements between CSPs and CSCs at least annually.
15.4
Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
No Mapping
Implement policies requiring all CSPs throughout the supply chain to comply with
information security, confidentiality, access control, privacy, audit, personnel policy and
service level requirements and standards.
15.5
Periodically review the organization's supply chain partners' IT governance policies and
procedures.
15.5
Define and implement a process for conducting security assessments periodically for all
organizations within the supply chain.
15.6
9.7
10.1
Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
7.2
7.7
17.9
Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent, basis.
10.2
Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
2.6
Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
18.1
18.2
Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
7.1
7.5
7.6
Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
7.2
18.3
16.6
Define and implement a process for tracking and reporting vulnerability identification and
remediation activities that includes stakeholder notification.
7.1
Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
7.2
No Mapping
Define, document, apply and evaluate a list of approved services, applications and sources
of applications (stores) acceptable for use by endpoints when accessing or storing
organization-managed data.
No Mapping
Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
No Mapping
Maintain an inventory of all endpoints used to store and access company data.
1.1
Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
1.3
1.4
1.5
No Mapping
3.6
Configure managed endpoints with anti-malware detection and prevention technology and services.
9.7
10.1
Configure managed endpoints with properly configured software firewalls.
4.4
4.5
Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in
accordance with a risk assessment.
3.13
15.4
End of Standard
You may download, store, display on your computer, view, print, and link to
.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
ormational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
may not be redistributed; and (d) the trademark, copyright or other notices
trix v4.0.2 as permitted by the Fair Use provisions of the United States
urity Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
he copyright notice, please contact info@cloudsecurityalliance.org.
CIS v8.0
N/A
CC8.1
No Gap CC4.1
CC5.3
N/A
CC6.8
No Gap
CC8.1
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(16.12) 'Implement Code-Level Security Checks' (as part of AIS-05 testing strategy)
(16.13) 'Conduct Application Penetration Testing' (as part of AIS-05 testing strategy).
CC6.8
CC8.1
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC7.5
A1.2
A1.3
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC2.1
PI1.1
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A1.3
CC7.5
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC2.3
CC7.5
CC9.1
Partial Gap
Missing specification(s) in CISv8:
'Periodically backup data stored in the cloud'
A1.2
A1.3
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A1.2
CC3.2
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC7.4
CC7.5
CC8.1
CC9.2
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC5.3
CC6.1
CC6.7
Partial Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC6.1
CC6.7
N/A
No Gap CC6.1
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC3.4
CC6.4
CC6.5
CC6.7
N/A
No Gap CC6.1
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC3.4
CC6.4
CC6.5
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A1.2
CC3.2
N/A
PI1.1
PI1.5
P4.1
No Gap
P4.2
P4.3
CC5.3
N/A
CC1.1
CC1.3
CC1.5
No Gap
P2.1
P3.2
P6.7
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(16.1) 'Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices'.
PI1.2
PI1.3
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
P1.1
CC1.3
CC1.4
No Gap
CC1.5
CC2.2
N/A
No Gap CC2.2
Partial Gap
Missing specifications in CISv8.0:
'Provide all employees with access to personal data with appropriate security awareness training'
CC2.2
No Gap No Mapping
N/A
CC6.1
No Gap
CC6.3
N/A CC1.3
No Gap CC5.1
CC6.3
N/A
No Gap CC6.3
N/A
CC6.3
No Gap
CC8.1
N/A
CC5.3
No Gap
CC6.3
CC6.1
Partial Gap
CC6.2
CC6.1
Full Gap
CC6.2
N/A
CC6.1
No Gap CC6.2
CC6.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
PI1.1
PI1.2
PI1.3
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC6.7
N/A
CC6.1
No Gap
CC6.7
N/A
CC6.1
No Gap CC6.8
CC7.1
N/A
No Gap No Mapping
CC3.2
CC6.1
Full Gap CC7.1
CC7.2
CC7.3
N/A
No Gap CC7.2
N/A
No Gap No Mapping
N/A
No Gap CC7.2
N/A
No Gap CC7.2
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC6.1
CC7.2
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC6.4
CC7.2
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
CC2.3
CC7.3
Partial Gap
Missing specification(s) in CISv8:
'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for E-Discovery, and Cloud Forensics.'
CC5.3
CC7.3
CC7.4
CC7.5
N/A
CC5.3
No Gap CC7.3
CC7.4
N/A
CC7.2
No Gap CC7.3
CC7.4
CC7.4
Partial Gap
CC7.5
N/A
No Gap CC2.3
N/A
No Gap No Mapping
N/A
No Gap CC9.2
Partial Gap
Missing specification(s) in CISv8:
• Scope, characteristics and location of business relationship and services offered
• SSRM requirements
• Change management process
• Logging and monitoring capability
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
CC9.2
N/A
No Gap No Mapping
Full Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
No Gap CC3.2
N/A
No Gap CC3.2
N/A CC3.2
CC5.3
No Gap CC6.6
CC7.1
CC7.4
Partial Gap
Missing specification(s) in CISv8:
'Review and update the policies and procedures at least annually.'
CC5.3
CC6.8
N/A
CC5.3
No Gap CC7.1
CC7.4
N/A
No Gap CC7.2
Partial Gap
Missing specification(s) in CISv8:
'Define, implement and evaluate processes, procedures and technical measures to identify updates'
CC3.2
N/A
CC4.1
No Gap
CC7.1
N/A
No Gap CC7.1
N/A
No Gap No Mapping
CC5.3
Full Gap
CC6.7
N/A
CC6.1
No Gap
CC6.7
N/A
No Gap CC6.8
N/A
No Gap CC6.6
N/A
No Gap CC6.7
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
N/A
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
No Gap 27001: A.12.6.1
27002: 12.6.1
27017: 12.6.1
27018: 12.6.1
N/A
27001: A.12.3
No Gap 27017: 12.3
27018: 12.3.1
Partial Gap
Missing specification(s) in TSC 2017:
'to recover from man-made disasters'.
No Mapping
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
27001: A.12.1.1
27001: A.12.1.2
27002: 12.1.2
No Gap
27017: 12.1.2
27001: A.14.2.2
27001: A.14.2.3
N/A 27001: A.14.2.2
No Gap 27002: 14.2.2
27017: 14.2.2
N/A
27001: A.5.1.1
27017: 5.1.1
27001: A.12.1.2
27002: 12.1.2
27001: A.12.1.4
No Gap
27001: A.14.2.3
27001: A.15.2.2
27002: 15.2.2
27001: A.14.2.6
27002: 14.2.6
N/A
27001: A.12.1.4
27002: 12.1.4
27001: A.12.4.2
No Gap
27002: 12.4.2
27001: A.14.2.2
27017: 14.2.2
N/A 27001: A.15.2.2
27001: A.14.2.2
No Gap 27002: 14.2.2
27001: A.12.1.2
27017: 12.1.2
N/A 27001: A.12.1.1
27002: 12.1.1
No Gap
27001: 14.2.2
27002: 14.2.2
N/A
27001: A.14.2.2
27001: A.14.2.4
27001: A.12.4.1
No Gap
27002: 12.4.1 (g)
27001: A.5.1.1
27017: 5.1.1
Partial Gap
Missing specification(s) in TSC 2017:
'Implement a procedure for the management of exceptions'.
27001: A.12.1.2
27002: 12.1.2 (h)
27017: 12.1.2
N/A
27001: A.12.1.2
27002: 12.1.2 (g)
27001: A.12.5.1
No Gap
27002: 12.5.1 (e)
27001: A.12.3.1
27017: 12.3.1
27001: A.5
27002: 5
27001: 5.2
27001: 5.3
27001: A.6.1.1
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Protects Encryption Keys', 'Uses Encryption to Protect Data'
(CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to Protect Data'
(CC5.3) 'Establishes Policies and Procedures to Support Deployment of Management's Directives', 'Reassesses Policies and Procedures'.
27002: 6.1.1
27001: A.6.1.2
27002: 6.1.2
27001: 8.2
27001: 8.3
27001: 9.1
27001: A.16
27002: 16
27001: A.16.1
27001: 9.2
27001: 9.3
27001: A.10
27002: 10
27001: A.10.1.1
27001: A.10.1.2
27017: 10.1.2
27001: A.12.4
27002: 12.4
27001: A.12.7
27002: 12.7
27017: 12.7
27001: A.18.1.1-to-5
27001: A.12.1.2
27002: 12.1.2
27001: A.12.3.1
27017: 12.3.1
27001: A.15.1.2
27017: 15.1.2
27001: A.18.1.1
27017: 18.1.1
27001: A.18.1.5
27017: 18.1.5
27001: A.18
27002: 18
27001: A.18.2
27002: 18.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 5.1
27001: 5.3
27001: A.5.1.1
27002: 5.1.1
27001: A.6.1.1
27002: 6.1.1
27017: 6.1.1
27001: A.6.1.2
27017: 6.1.2
27001: A.9.1
27002: 9.1
27001: A.10.1.1
27002: 10.1.1
27001: A.15.1.2
27017: 15.1.2
27001: A.13.1.3
27017: 13.1.3
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27017: CLD 6.3
Partial Gap
Missing specification(s) in TSC 2017:
'Cryptographic libraries certified to approved standards'.
27001: A.18.1.1
27001: A.18.1.2
27001: A.18.1.3
27001: A.18.1.4
27001: A.18.1.5
27001: A.10.1
27002: 10.1
27001: A.13.2.1
27002: 13.2.1
27001: A.18
27002: 18
27001: A.14.1.2
27002: 14.1.2
27001: A.14.1.3
27002: 14.1.3 (c)
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.2
27001: 8.3
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1
27017: 10.1
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.2
27001: A.18.2.1
27001: A.18.2.2
27001: A.12.7
27002: 12.7
27017: 12.7
27001: A.10.1.2
27001: A.10.1.2
27002: 10.1.2 k)
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27002: 10.1.1 (e)
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27002: 10.1.2 (a)
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (c)
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (g),(f)
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27017: 10.1.2
27001: A.10.1.2
27002: 10.1.2 (j)
27001: A.18.1.3
27002: 18.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 a)
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27002: 10.1.2 (i)
27001: 9.0
27002: 9.0
27017: 9.0
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27002: 10.1.1 (d)
27001: A.10.1.2
27002: 10.1.2 (f),(g)
27001: A.18.1.5
27001: A.18.1.3
27002: 18.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.2
27001: 8.3
27001: A.10.1.2
27002: 10.1.2 (h)
27001: A.18.1.5
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27001: A.18.1.5
Partial Gap
Missing specification(s) in TSC 2017:
'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures'
'If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied'
'Review and update the policies and procedures at least annually'.
27001: A.11.2.7
27002: 11.2.7
27017: 11.2.7
No Gap
Missing specification(s) in TSC 2017:
'policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location'
'Review and update the policies and procedures at least annually'.
27001: A.11.2.5
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
N/A
N/A
27001: A.18.1.4
No Gap
27002: 18.1.4
N/A
No Gap No Mapping
N/A
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.14.3.1
27002: 14.3.1
27001: A.12.1.4
27002: 12.1.4
N/A
N/A
27001: A.18.1.3
27002: 18.1.3
No Gap
27001: A.18.1.4
27002: 18.1.4
N/A
N/A
27001: 5.1
No Gap 27001: 5.2
27001: 5.3
N/A
27001: A.6.1.2
No Gap
27001: 6.2
N/A
No Gap No Mapping
N/A
27001: A.7.1.2
No Gap 27002: 7.1.2
27017: 7.1.2
N/A
27001: A.6.1.1
No Gap 27002: 6.1.1
27017: 6.1.1
N/A
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
No Gap
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
Partial Gap
Missing specification(s) in TSC 2017:
'provide regular training updates'.
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2
Partial Gap
Missing specification(s) in TSC 2017:
'sensitive organizational and personal data with appropriate security awareness training'.
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2
N/A
27001: A.7.2.1
No Gap 27002: 7.2.1
27017: 7.2.1
N/A
27001: A.9.1.1
27002: 9.1.1
27001: A.9.1.2
No Gap
27002: 9.1.2
27001: A.9.2.3
27002: 9.2.3
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27018: 9.2.4
27001: A.9.3.1
27002: 9.3.1
No Gap
27017: 9.3.1
27018: 9.3.1
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
N/A
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
No Gap 27001: A.11.1.4
27002: 11.1.4
27017: 11.1.4
27018: 16.1.1
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.18.1.3
27002: 18.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.4
27002: 12.4.4
27017: 12.4.4
N/A 27001: A.12.4.1
No Gap 27002: 12.4.1
27017: 12.4.1
N/A 27001: A.12.4.1
No Gap 27002: 12.4.1
27017: 12.4.1
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.2
27002: 12.4.2
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC7.2) 'Implements Detection Policies, Procedures, and Tools', 'Monitors Detection Tools for Effective Operation'.
27001: A.10.1
27002: 10.1
27001: A.10.1.2
27017: 10.1.2
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC7.2) 'Implements Detection Policies, Procedures, and Tools', 'Monitors Detection Tools for Effective Operation'.
27001: A.10.1.2
27017: 10.1.2
N/A
No Gap
27001: A.11.1.2
27002: 11.1.2
N/A
No Gap
27001: A.16.1.1
27002: 16.1.1
27001: A.16.1.2
27017: 16.1.2
Partial Gap
Missing specification(s) in TSC 2017:
'Cloud Forensics'
'Review and update the policies and procedures at least annually'.
27001: A.16.1
27002: 16.1
27017: 16.1
27018: 16.1
Partial Gap
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'.
27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 5.1a
27001: 5.2
27001: 6.2
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.2
27001: A.15.1.1
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 6.2
27001: 7.1
27001: 8.1
27001: 8.2
27001: 9.1
27001: 9.3
27001: A.15.1
27001: A.15.2
Partial Gap
Missing specification(s) in TSC 2017:
'SSRM' (Mapped controls don't specifically call out SSRM).
27001: 6.2
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 6.2
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 6.2
27001: 7.4
27001: 9.1
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
N/A 27001: 8.1
No Gap 27001: A.15.1.2
27001: A.15.1.3
Partial Gap
Missing specification(s) in TSC 2017:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.15.1
27001: A.15.2
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.15.2
N/A
27001: 5.2
27001: A.5.1
27001: A.5.2
No Gap
27001: A.7.2.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 8.1
27001: 9.1
27001: 9.2
No Gap
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
N/A 27001: 8.1
27001: 8.2
No Gap 27001: 8.3
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 5.2
No Gap 27001: A.5.1.1
27002: 5.1.1 (c), (h)
N/A
27001: A.5.1.1
27002: 5.1.1 (g), (c)
27001: A.5.1.2
27002: 5.1.2
27001: 5.2
27001: A.12.2.1
27001: A.6.2.1
27002: 6.2.1 (h)
27001: A.6.2.2
27002: 6.2.2 (j)
No Gap 27001: A.7.2.2
27002: 7.2.2 (d)
27001: A.10.1.1
27002: 10.1.1 (g)
27001: A.13.2.1
27002: 13.2.1 (b)
27001: A.15.1.2
27017: 15.1.2
27001: A.12.2.1
27002: 12.2.1 (a),(d)
27017: CLD.9.5.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.9.1.1
27002: 9.1.1
27001: A.9.2.2
27002: 9.2.2
27001: A.12.1.2
27002: 12.1.2
27001: A.12.5
27002: 12.5
27001: A.13.2.3
27002: 13.2.3
27001: A.14.2.2
27002: 14.2.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.14.2.4
27002: 14.2.4
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.12.6.2
27002: 12.6.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
No Mapping
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems.
Partial Gap
27001: A.14.2
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001: A.14.2.4
27018: 12.1.2
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems.
Partial Gap
27001: A.11.2.7
27002: 11.2.7
27001: A.18.1.1
27017: 18.1.1
27001: A.12.3.1
27017: 12.3.1
27018: A.11.4
27018: A.11.5
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.6.2.1
27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.6.2.1
27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap.
Full Gap
27001: A.15.1.1
27002: 15.1.1
27001: A.14.1.2
27002: 14.1.2
27001: A.6.1.1
27017: 6.1.1
27001: A.9.2.2
27017: 9.2.2
27001: A.9.2.4
27017: 9.2.4
ISO/IEC 27001/02/17/18
N/A
GRM-01
No Gap
GRM-03
N/A
No Gap AAC-01
Missing specification(s) in ISOs:
'Establish, document, approve, communicate, apply, evaluate and
maintain a risk-based corrective action plan to remediate audit
findings'.
Partial Gap
GRM-10
GRM-11
AIS-01
No Gap
AIS-03
N/A
AIS-01
No Gap
AIS-03
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
AIS-01
AIS-03
N/A
No Gap
TVM-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
BCR-06
No Gap CCC-05
N/A
No Gap CCC-04
N/A
No Gap CCC-05
No Gap GRM-01
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
EKM-01
EKM-02
No Gap EKM-03
GRM-06
GRM-09
N/A
No Gap No Mapping
N/A
EKM-03
No Gap
EKM-04
N/A
No Gap EKM-04
N/A
No Gap EKM-02
N/A
No Gap No Mapping
N/A
No Gap No Mapping
No Gap No Mapping
N/A
No Gap EKM-04
N/A
No Gap No Mapping
No Gap No Mapping
N/A
No Gap No Mapping
N/A
No Gap No Mapping
Missing specification(s) in ISOs:
'secure repository requiring least privileged access'
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
DCS-05
No Gap GRM-06
GRM-09
N/A
DCS-06
No Gap GRM-06
GRM-09
N/A
GRM-06
No Gap
GRM-09
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
DCS-03
N/A
No Gap
DCS-07
DCS-09
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
DCS-02
DCS-07
DCS-08
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
HRS-09
N/A
No Gap
BCR-03
N/A
No Gap
BCR-03
N/A
No Gap
BCR-06
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least
annually.
Partial Gap
DSI-04
GRM-06
GRM-09
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
Missing specification(s) in ISOs:
Requirement to disclose the details of any personal or sensitive data
access by sub-processors to the data owner prior to initiation of that
processing.
Partial Gap
No Mapping
N/A
GRM-02
No Gap
BCR-11
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A
No Gap GRM-01
N/A
No Gap AAC-03
N/A
No Gap No Mapping
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least
annually.
Partial Gap
HRS-02
GRM-06
GRM-09
N/A
No Gap HRS-01
N/A
No Gap HRS-04
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap HRS-03
N/A
No Gap HRS-03
N/A
HRS-07
No Gap
HRS-10
N/A
No Gap HRS-06
N/A
HRS-09
No Gap
HRS-10
Missing specification(s) in ISOs:
Requirement to focus training on 'sensitive organizational and
personal data'
Partial Gap
HRS-09
HRS-10
N/A
IAM-02
No Gap GRM-06
GRM-09
IAM-02
IAM-12
Partial Gap
GRM-06
GRM-09
Missing specification(s) in ISOs:
ISO partially addressed Identity Inventory under asset management
Partial Gap
IAM-04
IAM-08
IAM-10
N/A
No Gap IAM-05
N/A
IAM-02
No Gap IAM-06
IVS-11
N/A
No Gap No Mapping
Missing specification(s) in ISOs:
Requirement to prevent the culmination of segregated privileged
access.
Partial Gap
No Mapping
N/A
N/A
No Gap No Mapping
Missing specification(s) in ISOs:
Requirement to include multifactor authentication for at least
privileged user and sensitive data access.
IAM-02
Partial Gap
IAM-05
N/A
No Gap No Mapping
N/A
No Gap IAM-02
Missing specification(s) in ISOs:
Requirement of communications between application services (APIs)
Partial Gap
IPY-03
GRM-06
GRM-09
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
No Mapping
N/A
No Gap IPY-04
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
The full V4 control specification is missing from the ISOs and has to
be used to close the gap. GRM-06
Full Gap
GRM-09
N/A
No Gap No Mapping
N/A
No Gap IVS-03
N/A
No Gap No Mapping
N/A
No Gap No Mapping
N/A GRM-04
No Gap
IVS-01
N/A
EKM-02
No Gap
EKM-03
N/A
No Gap EKM-02
N/A
No Gap DCS-08
N/A
No Gap SEF-03
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least
annually.
Partial Gap
SEF-02
GRM-06
GRM-09
N/A
No Gap
BCR-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
BCR-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
SEF-05
N/A
No Gap SEF-02
SEF-04
Partial Gap
STA-05
N/A
No Gap SEF-01
N/A
TVM-02
No Gap GRM-06
GRM-09
Missing specification(s) in ISOs:
Requirement of 'malware policy and procedures'
Partial Gap
TVM-01
GRM-06
GRM-09
N/A
No Gap TVM-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
TVM-02
N/A
No Gap
TVM-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
TVM-02
N/A
No Gap TVM-02
MOS-02
MOS-03
Partial Gap
MOS-04
MOS-06
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap
MOS-14
Missing specification(s) in ISOs:
Term 'endpoint' device
Partial Gap
MOS-15
MOS-19
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Portion in the mapped control(s) contributing to the partial gap, that is,
covering in part the V4 control: (AIS-01) 'Applications and
programming interfaces (APIs) shall be designed, developed,
deployed, and tested in accordance with leading industry standards'
Missing specification(s) in CCMv3.0.1:
'Automate when applicable and possible.'
Partial Gap
Partial Gap
Partial Gap
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'regardless of whether the assets are managed internally or externally
(i.e., outsourced)'
Partial Gap
Partial Gap
N/A
No Gap
Partial Gap
Full Gap
Missing specification(s) in CCMv3.0.1:
'Apply and evaluate the policies and procedures for Cryptography,
Encryption and Key Management'
Requirement of 'at least annually' in last sentence.
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has
to be used to close the gap.
Full Gap
N/A
No Gap
Full Gap
Full Gap
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has
to be used to close the gap.
Full Gap
Full Gap
Full Gap
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'all ingress and egress points (are) documented'
'Retain access control records on a periodic basis as deemed
appropriate by the organization.'
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the classification,
protection and handling of data throughout its lifecycle and according
to all applicable laws and regulations, standards, and risk level.'
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has
to be used to close the gap.
Full Gap
No Gap
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'system identities'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Full Gap
Partial Gap
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for interoperability and
portability.'
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
Full Gap
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
No Gap N/A
N/A
No Gap
Partial Gap
N/A
No Gap
Full Gap
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has
to be used to close the gap.
Full Gap
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'Logging and monitoring capability'
'Data Privacy'
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
Portion in the mapped control(s) contributing to the partial gap, that is,
covering in part the V4 control: (TVM-02) 'supporting processes and
technical measures implemented, for timely detection of
vulnerabilities within organizationally-owned or managed applications,
infrastructure network and system components (e.g., penetration testing)'
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least monthly'.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'vulnerability remediation using an industry recognized framework'.
Partial Gap
N/A
No Gap
Partial Gap
Partial Gap
Partial Gap
Partial Gap
Full Gap
Full Gap
Full Gap
CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE VERSION 4.0.2
v4.0.2+0
Audit Management Process A&A-05
Remediation A&A-06
Application Security
AIS-02
Baseline Requirements
Application Security
AIS-03
Metrics
Application & Interface Security
Secure Application Design and Development AIS-04
Automated Application
AIS-05
Security Testing
Automated Secure
AIS-06
Application Deployment
Application
Vulnerability AIS-07
Remediation
Business Continuity
Management Policy and BCR-01
Procedures
Risk Assessment and
BCR-02
Impact Analysis
Business Continuity
BCR-03
Strategy
Business Continuity
BCR-04
Planning
Documentation BCR-05
Business Continuity Management and Operational Resilience
Business Continuity Exercises BCR-06
Communication BCR-07
Backup BCR-08
Change Management
CCC-01
Policy and Procedures
Change Management
CCC-03
Technology
Change Control and Configuration Management
Unauthorized Change Protection CCC-04
Change Agreements CCC-05
Change Management
CCC-06
Baseline
Detection of Baseline
CCC-07
Deviation
Encryption Change
CEK-05
Management
Encryption Risk
CEK-07
Management
Key Inventory
CEK-21
Management
Off-Site Equipment
Disposal Policy and DCS-01
Procedures
Off-Site Transfer
Authorization Policy DCS-02
and Procedures
Secure Media
Transportation Policy DCS-04
and Procedures
Controlled Access
DCS-07
Points
Equipment
DCS-08
Identification
Secure Area
DCS-09
Authorization
Unauthorized Access
DCS-11
Response Training
Data Protection by
DSP-07
Design and Default
Limitation of Purpose
in Personal Data DSP-12
Processing
Personal Data
DSP-13
Sub-processing
Disclosure of Data
DSP-14
Sub-processors
Limitation of
DSP-15
Production Data Use
Data Retention and
DSP-16
Deletion
Sensitive Data
DSP-17
Protection
Governance Program
GRC-01
Policy and Procedures
Governance, Risk and Compliance
Organizational Policy Reviews GRC-03
Policy Exception Process GRC-04
Information Security
GRC-05
Program
Governance
GRC-06
Responsibility Model
Information System
GRC-07
Regulatory Mapping
Background Screening
HRS-01
Policy and Procedures
Acceptable Use of
Technology Policy and HRS-02
Procedures
Human Resources
Asset returns HRS-05
Employment Agreement
HRS-07
Process
Employment Agreement
HRS-08
Content
Personnel Roles and
HRS-09
Responsibilities
Non-Disclosure
HRS-10
Agreements
Security Awareness
HRS-11
Training
Compliance User
HRS-13
Responsibility
Segregation of
IAM-09
Privileged Access Roles
Identity & Access
Management
Management of
IAM-10
Privileged Access Roles
Safeguard Logs
IAM-12
Integrity
Uniquely Identifiable
IAM-13
Users
Strong Authentication IAM-14
Authorization
IAM-16
Mechanisms
Interoperability & Portability
Interoperability and Portability Policy and Procedures IPY-01
Application Interface
IPY-02
Availability
Secure Interoperability and Portability Management IPY-03
Data Portability Contractual Obligations IPY-04
Infrastructure & Virtualization Security
Infrastructure and Virtualization Security Policy and Procedures IVS-01
OS Hardening and Base Controls IVS-04
Production and Non-Production Environments IVS-05
Segmentation and Segregation IVS-06
Migration to Cloud
IVS-07
Environments
Network Architecture
IVS-08
Documentation
Encryption Monitoring
LOG-10
and Reporting
Transaction/Activity
LOG-11
Logging
Security Incident Management,
Security Incident Management Policy and Procedures SEF-01
Service Management Policy and Procedures SEF-02
Security Breach
SEF-07
Notification
Points of Contact
SEF-08
Maintenance
SSRM Documentation
STA-05
Review
SSRM Control
STA-06
Implementation
Supply Chain Management, Transparency, and Accountability
Supply Chain Inventory STA-07
Supply Chain Risk Management STA-08
Threat and Vulnerability Management Policy and Procedures TVM-01
Malware Protection
TVM-02
Policy and Procedures
Vulnerability
TVM-03
Remediation Schedule
External Library
TVM-05
Vulnerabilities
Vulnerability
TVM-08
Prioritization
Vulnerability
TVM-09
Management Reporting
Vulnerability
TVM-10
Management Metrics
Universal Endpoint Management
Compatibility UEM-03
Automatic Lock Screen UEM-06
Anti-Malware Detection
UEM-09
and Prevention
Software Firewall UEM-10
Data Loss Prevention UEM-11
Third-Party Endpoint
UEM-14
Security Posture
End of Standard
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to
the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
AIS-06.2
Define and implement a process to remediate application security
vulnerabilities, automating remediation when possible. AIS-07.1
AIS-07.2
BCR-05.3
Exercise and test business continuity and operational resilience plans at least
annually or upon significant changes. BCR-06.1
Establish communication with stakeholders and participants in the course of
business continuity and resilience procedures. BCR-07.1
Periodically backup data stored in the cloud. Ensure the confidentiality, BCR-08.1
integrity and availability of the backup, and verify data restoration from BCR-08.2
backup for resiliency. BCR-08.3
Establish, document, approve, communicate, apply, evaluate and maintain a
disaster response plan to recover from natural and man-made disasters. Update BCR-09.1
the plan at least annually or upon significant changes.
BCR-09.2
Exercise the disaster response plan annually or upon significant changes,
including if possible local emergency authorities. BCR-10.1
BCR-10.2
Supplement business-critical equipment with redundant equipment independently
located at a reasonable minimum distance in accordance with applicable industry BCR-11.1
standards.
CEK-01.2
Define and implement cryptographic, encryption and key management roles and
responsibilities. CEK-02.1
Provide cryptographic protection to data at-rest and in-transit, using
cryptographic libraries certified to approved standards. CEK-03.1
Use encryption algorithms that are appropriate for data protection, considering
the classification of data, associated risks, and usability of the encryption CEK-04.1
technology.
Establish a standard change management procedure, to accommodate changes from
internal and external sources, for review, approval, implementation and CEK-05.1
communication of cryptographic, encryption and key management technology
changes.
Manage and adopt changes to cryptography-, encryption-, and key
management-related systems (including policies and procedures) that fully
account for downstream effects of proposed changes, including residual risk, CEK-06.1
cost, and benefits analysis.
Establish and maintain an encryption and key management risk program that
includes provisions for risk assessment, risk treatment, risk context, CEK-07.1
monitoring, and feedback.
CSPs must provide the capability for CSCs to manage their own data encryption
keys. CEK-08.1
Audit encryption and key management systems, policies, and processes with a
frequency that is proportional to the risk exposure of the system with audit CEK-09.1
occurring preferably continuously but at least annually and after any security
event(s).
CEK-09.2
Generate Cryptographic keys using industry accepted cryptographic libraries
specifying the algorithm strength and the random number generator used. CEK-10.1
Manage cryptographic secret and private keys that are provisioned for a unique
purpose. CEK-11.1
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which
includes provisions for considering the risk of information disclosure and CEK-12.1
legal and regulatory requirements.
Define, implement and evaluate processes, procedures and technical measures to
revoke and remove cryptographic keys prior to the end of its established
cryptoperiod, when a key is compromised, or an entity is no longer part of the CEK-13.1
organization, which include provisions for legal and regulatory requirements.
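The CEK-10 through CEK-13 specifications above describe a key lifecycle (generate with a stated algorithm strength and RNG, one purpose per key, rotate at the end of the cryptoperiod, revoke early on compromise or when the owner leaves). The following is an added example of how an engineer might enforce those rules in a key inventory; it is not CSA or CCM code. The algorithm names, the 7-day rotation margin, the key-owner field and the in-memory store are assumptions made for the example; a production inventory would sit in front of a KMS or HSM.

```python
"""Key inventory enforcing a CEK-10..CEK-13 style lifecycle (added example)."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Approved algorithms and the key length (bytes) generated for each.
# CEK-10 wants the strength and RNG stated explicitly; this table is an
# assumption for the example, not a CCM-mandated list.
ALLOWED_ALGORITHMS = {"AES-256": 32, "HMAC-SHA256": 32}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    purpose: str             # CEK-11: a key serves exactly one purpose
    owner: str               # accountable entity; drives the CEK-13 leaver case
    created: datetime
    cryptoperiod: timedelta  # CEK-12: rotation deadline = created + cryptoperiod
    material: bytes = field(repr=False)
    status: str = "active"   # active | rotated | revoked
    reason: Optional[str] = None


class KeyInventory:
    """In-memory inventory; `now` is injectable so the lifecycle is testable."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._keys: dict[str, KeyRecord] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def generate(self, key_id, algorithm, purpose, owner, cryptoperiod_days):
        if algorithm not in ALLOWED_ALGORITHMS:
            raise ValueError(f"algorithm {algorithm!r} is not approved")
        if key_id in self._keys:
            raise ValueError(f"key id {key_id!r} already exists")
        for k in self._keys.values():   # CEK-11: refuse a second key per purpose
            if k.status == "active" and k.purpose == purpose:
                raise ValueError(f"purpose {purpose!r} already has active key {k.key_id}")
        # CEK-10: OS CSPRNG via `secrets`, length pinned to the declared strength.
        material = secrets.token_bytes(ALLOWED_ALGORITHMS[algorithm])
        rec = KeyRecord(key_id, algorithm, purpose, owner, self._now(),
                        timedelta(days=cryptoperiod_days), material)
        self._keys[key_id] = rec
        return rec

    def due_for_rotation(self, margin_days=7):
        """CEK-12: active keys within `margin_days` of the end of their cryptoperiod."""
        now = self._now()
        return sorted(k.key_id for k in self._keys.values()
                      if k.status == "active"
                      and k.created + k.cryptoperiod - timedelta(days=margin_days) <= now)

    def rotate(self, key_id, new_key_id):
        old = self._keys[key_id]
        if old.status != "active":
            raise ValueError(f"{key_id} is {old.status}; nothing to rotate")
        old.status, old.material = "rotated", b""   # retire first, then reissue
        return self.generate(new_key_id, old.algorithm, old.purpose, old.owner,
                             old.cryptoperiod.days)

    def revoke(self, key_id, reason):
        """CEK-13: remove a key before its cryptoperiod ends and drop the material."""
        rec = self._keys[key_id]
        rec.status, rec.reason, rec.material = "revoked", reason, b""

    def revoke_for_leaver(self, owner):
        """CEK-13: an entity leaves the organization, so every key it owns goes."""
        gone = sorted(k.key_id for k in self._keys.values()
                      if k.status == "active" and k.owner == owner)
        for key_id in gone:
            self.revoke(key_id, f"owner {owner!r} left the organization")
        return gone

    def active(self):
        return sorted(k.key_id for k in self._keys.values() if k.status == "active")


def run_demo():
    """Drive the lifecycle on a fake clock; returns what each step observed."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    inv = KeyInventory(now=lambda: clock[0])
    inv.generate("db-dek-1", "AES-256", "db-at-rest", "alice", cryptoperiod_days=90)
    inv.generate("api-mac-1", "HMAC-SHA256", "api-signing", "bob", cryptoperiod_days=30)
    out = {"due_day0": inv.due_for_rotation()}
    try:
        inv.generate("db-dek-dup", "AES-256", "db-at-rest", "alice", 90)
        out["dup_purpose_rejected"] = False
    except ValueError:
        out["dup_purpose_rejected"] = True
    clock[0] += timedelta(days=25)          # inside api-mac-1's 7-day rotation margin
    out["due_day25"] = inv.due_for_rotation()
    inv.rotate("api-mac-1", "api-mac-2")
    out["due_after_rotate"] = inv.due_for_rotation()
    out["revoked_for_alice"] = inv.revoke_for_leaver("alice")
    out["active"] = inv.active()
    return out


if __name__ == "__main__":
    for step, value in run_demo().items():
        print(f"{step}: {value}")
```

The rotation check is deliberately computed from the recorded cryptoperiod rather than from a calendar reminder, so a key whose cryptoperiod was shortened after a risk review is picked up automatically; the revoke paths zero the material in the record as well as flipping status, which is the part auditors of CEK-13 most often find missing.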
DCS-01.3
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software, DCS-02.1
or data/information to an offsite or alternate location. The relocation or
transfer request requires the written or cryptographically verifiable
authorization. Review and update the policies and procedures at least annually. DCS-02.2
DCS-02.3
DCS-04.2
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk. DCS-05.1
Catalogue and track all relevant physical and logical assets located at all of
the CSP's sites within a secured system. DCS-06.1
Implement physical security perimeters to safeguard personnel, data, and
information systems. Establish physical security perimeters between the DCS-07.1
administrative and business areas and the data storage and processing
facilities areas. DCS-07.2
Use equipment identification as a method for connection authentication. DCS-08.1
Allow only authorized personnel access to secure areas, with all ingress and
egress points restricted, documented, and monitored by physical access control DCS-09.1
mechanisms. Retain access control records on a periodic basis as deemed
appropriate by the organization.
DCS-09.2
Implement, maintain, and operate datacenter surveillance systems at the
external perimeter and at all the ingress and egress points to detect DCS-10.1
unauthorized ingress and egress attempts.
Train datacenter personnel to respond to unauthorized ingress or egress
attempts. DCS-11.1
Define, implement and evaluate processes, procedures and technical measures
that ensure a risk-based protection of power and telecommunication cables from
a threat of interception, interference or damage at all facilities, offices and DCS-12.1
rooms.
Implement and maintain data center environmental control systems that monitor,
maintain and test for continual effectiveness the temperature and humidity DCS-13.1
conditions within accepted industry standards.
Secure, monitor, maintain, and test utilities services for continual
effectiveness at planned intervals. DCS-14.1
Keep business-critical equipment away from locations subject to high
probability for environmental risk events. DCS-15.1
HRS-01.3
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for defining allowances and conditions for the HRS-02.1
acceptable use of organizationally-owned or managed assets. Review and update
the policies and procedures at least annually.
HRS-02.2
IAM-01.2
Establish, document, approve, communicate, implement, apply, evaluate and
maintain strong password policies and procedures. Review and update the IAM-02.1
policies and procedures at least annually.
IAM-02.2
Manage, store, and review the information of system identities, and level of
access. IAM-03.1
Employ the separation of duties principle when implementing information system
access. IAM-04.1
Employ the least privilege principle when implementing information system
access. IAM-05.1
Define and implement a user access provisioning process which authorizes,
records, and communicates access changes to data and assets. IAM-06.1
De-provision or respectively modify access of movers / leavers or system
identity changes in a timely manner in order to effectively adopt and IAM-07.1
communicate identity and access management policies.
Review and revalidate user access for least privilege and separation of duties
with a frequency that is commensurate with organizational risk tolerance. IAM-08.1
Define, implement and evaluate processes, procedures and technical measures for
the segregation of privileged access roles such that administrative access to
data, encryption and key management capabilities and logging capabilities are IAM-09.1
distinct and separated.
Define and implement an access process to ensure privileged access roles and
rights are granted for a time limited period, and implement procedures to IAM-10.1
prevent the culmination of segregated privileged access.
IAM-10.2
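IAM-09 requires that administrative access to data, key management and logging be held by distinct roles, and IAM-10 requires privileged grants to be time-limited with a procedure that stops those segregated roles from piling up on one identity. The following is an added example of an access broker that enforces both at grant time; it is not CSA or CCM code. The three role names, the 8-hour cap and the change-ticket field are assumptions made for the example.

```python
"""Time-boxed privileged grants with segregation of admin roles (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# IAM-09: these administrative roles must stay on separate identities.
# Role names and the duration cap are assumptions, not CCM values.
SEGREGATED_ROLES = {"data-admin", "key-admin", "log-admin"}
MAX_GRANT = timedelta(hours=8)


class PrivilegedAccess:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._grants: dict[tuple[str, str], dict] = {}   # (principal, role) -> grant

    def active_roles(self, principal):
        now = self._now()
        return {r for (p, r), g in self._grants.items()
                if p == principal and g["expires"] > now}

    def grant(self, principal, role, duration, ticket):
        """IAM-10: time-limited grant that refuses to accumulate segregated roles."""
        if duration > MAX_GRANT:
            raise PermissionError(f"{duration} exceeds the {MAX_GRANT} cap")
        held = self.active_roles(principal) & SEGREGATED_ROLES
        if role in SEGREGATED_ROLES and held - {role}:
            raise PermissionError(
                f"{principal} already holds {sorted(held)}; adding {role} "
                "would accumulate segregated privileged access")
        expires = self._now() + duration
        self._grants[(principal, role)] = {"expires": expires, "ticket": ticket}
        return expires

    def is_allowed(self, principal, role):
        return role in self.active_roles(principal)

    def expire(self):
        """Drop lapsed grants; the removed keys feed the audit trail."""
        now = self._now()
        lapsed = sorted(k for k, g in self._grants.items() if g["expires"] <= now)
        for k in lapsed:
            del self._grants[k]
        return lapsed


def run_demo():
    """Exercise the broker on a fake clock; returns what each step observed."""
    clock = [datetime(2024, 1, 1, 9, tzinfo=timezone.utc)]
    pa = PrivilegedAccess(now=lambda: clock[0])
    out = {}
    pa.grant("alice", "data-admin", timedelta(hours=2), ticket="CHG-1")
    out["alice_data_admin"] = pa.is_allowed("alice", "data-admin")
    try:   # IAM-09: data-admin plus key-admin on one identity is refused
        pa.grant("alice", "key-admin", timedelta(hours=1), ticket="CHG-2")
        out["accumulation_blocked"] = False
    except PermissionError:
        out["accumulation_blocked"] = True
    try:   # IAM-10: a 30-day grant is standing access, not time-limited access
        pa.grant("bob", "log-admin", timedelta(days=30), ticket="CHG-3")
        out["standing_access_blocked"] = False
    except PermissionError:
        out["standing_access_blocked"] = True
    pa.grant("bob", "log-admin", timedelta(hours=1), ticket="CHG-3")
    clock[0] += timedelta(hours=3)
    out["alice_after_3h"] = pa.is_allowed("alice", "data-admin")
    out["expired"] = pa.expire()
    # Once the data-admin grant has lapsed, key-admin for alice is acceptable again.
    out["alice_key_admin_later"] = pa.grant("alice", "key-admin",
                                            timedelta(hours=1), "CHG-4") > clock[0]
    return out


if __name__ == "__main__":
    for step, value in run_demo().items():
        print(f"{step}: {value}")
```

The segregation check is evaluated against currently active grants rather than against a static role list, so an identity can legitimately move between segregated roles over time but never hold two at once; that is the usual reading of "prevent the culmination of segregated privileged access" in IAM-10.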
Define, implement and evaluate processes and procedures for customers to
participate, where applicable, in the granting of access for agreed, high risk IAM-11.1
(as defined by the organizational risk assessment) privileged access roles.
Define, implement and evaluate processes, procedures and technical measures to
ensure the logging infrastructure is read-only for all with write access, IAM-12.1
including privileged access roles, and that the ability to disable it is
controlled through a procedure that ensures the segregation of duties and break
glass procedures.
IAM-12.2
IPY-01.4
IPY-01.5
Provide application interface(s) to CSCs so that they programmatically retrieve
their data to enable interoperability and portability. IPY-02.1
Implement cryptographically secure and standardized network protocols for the
management, import and export of data. IPY-03.1
Agreements must include provisions specifying CSCs access to data
upon contract termination and will include:
a. Data format
b. Length of time the data will be stored IPY-04.1
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
IVS-01.2
Plan and monitor the availability, quality, and adequate capacity of resources
in order to deliver the required system performance as determined by the IVS-02.1
business.
Monitor, encrypt and restrict communications between environments to only IVS-03.1
authenticated and authorized connections, as justified by the business. Review IVS-03.2
these configurations at least annually, and support them by a documented
justification of all allowed services, protocols, ports, and compensating IVS-03.3
controls.
IVS-03.4
IVS-03.5
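IVS-03 asks for two things that are easy to drift apart: a documented justification for every allowed service, protocol and port, and effective network configuration that only permits what is documented. The following is an added example that reconciles an exported rule set against that documentation; it is not CSA or CCM code. The allow-list schema (proto, port, src, dst, justification, encrypted), the tier names and both data sets are constructed for the example.

```python
"""Reconcile effective network rules with the documented IVS-03 allow-list (added example)."""

# Constructed documentation of permitted flows, with the IVS-03 justification
# and whether the flow is encrypted. Not a real environment.
DOCUMENTED_FLOWS = [
    {"proto": "tcp", "port": 443, "src": "internet", "dst": "web-tier",
     "justification": "public HTTPS front door", "encrypted": True},
    {"proto": "tcp", "port": 80, "src": "internet", "dst": "web-tier",
     "justification": "legacy redirect to HTTPS", "encrypted": False},
    {"proto": "tcp", "port": 5432, "src": "app-tier", "dst": "db-tier",
     "justification": "application to PostgreSQL, TLS with client certificates",
     "encrypted": True},
    {"proto": "tcp", "port": 22, "src": "bastion", "dst": "app-tier",
     "justification": "break-glass SSH via bastion only", "encrypted": True},
    {"proto": "tcp", "port": 9200, "src": "app-tier", "dst": "search-tier",
     "justification": "search cluster (decommissioned)", "encrypted": True},
]

# Constructed export of what the security groups / firewall actually allow.
EFFECTIVE_RULES = [
    ("tcp", 443, "internet", "web-tier"),
    ("tcp", 80, "internet", "web-tier"),
    ("tcp", 5432, "app-tier", "db-tier"),
    ("tcp", 22, "bastion", "app-tier"),
    ("tcp", 22, "internet", "app-tier"),      # nobody documented SSH from anywhere
    ("tcp", 6379, "app-tier", "cache-tier"),  # nobody documented Redis either
]


def reconcile(documented, effective):
    """Return the three finding classes an IVS-03 review cares about.

    undocumented: allowed in the live config but with no written justification
    unencrypted:  documented, but the flow carries cleartext
    stale:        documented, but no longer present in the live config
    """
    index = {(d["proto"], d["port"], d["src"], d["dst"]): d for d in documented}
    live = set(effective)
    return {
        "undocumented": sorted(r for r in live if r not in index),
        "unencrypted": sorted(r for r in live
                              if r in index and not index[r]["encrypted"]),
        "stale": sorted(k for k in index if k not in live),
    }


def passes(findings):
    """An IVS-03 review passes only when every finding class is empty."""
    return not any(findings.values())


def report(findings):
    lines = []
    for kind, rules in findings.items():
        for proto, port, src, dst in rules:
            lines.append(f"{kind:12s} {proto}/{port} {src} -> {dst}")
    return lines


if __name__ == "__main__":
    result = reconcile(DOCUMENTED_FLOWS, EFFECTIVE_RULES)
    print("\n".join(report(result)) or "no findings")
    print("pass" if passes(result) else "fail")
```

Running this over the sample data flags the two undocumented rules (SSH from the internet and the Redis port), the documented-but-cleartext port 80 flow, and the stale port 9200 entry. Stale entries matter as much as undocumented ones: the annual review IVS-03 requires is only meaningful if the documentation still describes the running configuration.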
Harden host and guest OS, hypervisor or infrastructure control plane according
to their respective best practices, and supported by technical controls, as IVS-04.1
part of a security baseline.
Separate production and non-production environments. IVS-05.1
Design, develop, deploy and configure applications and infrastructures such
that CSP and CSC (tenant) user access and intra-tenant access is appropriately
segmented and segregated, monitored and restricted from other tenants. IVS-06.1
SEF-02.2
Establish, document, approve, communicate, apply, evaluate and maintain a
security incident response plan, which includes but is not limited to: relevant
internal departments, impacted CSCs, and other business critical relationships SEF-03.1
(such as supply-chain) that may be impacted.
Test and update as necessary incident response plans at planned intervals or
upon significant organizational or environmental changes for effectiveness. SEF-04.1
Review supply chain agreements between CSPs and CSCs at least annually. STA-10.1
Define and implement a process for conducting internal assessments to confirm
conformance and effectiveness of standards, policies, procedures, and service STA-11.1
level agreement activities at least annually.
Implement policies requiring all CSPs throughout the supply chain to comply
with information security, confidentiality, access control, privacy, audit, STA-12.1
personnel policy and service level requirements and standards.
Periodically review the organization's supply chain partners' IT governance
policies and procedures. STA-13.1
Define and implement a process for conducting security assessments periodically
for all organizations within the supply chain. STA-14.1
TVM-01.2
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to protect against malware on managed assets. Review TVM-02.1
and update the policies and procedures at least annually.
TVM-02.2
Define, implement and evaluate processes, procedures and technical measures to
enable both scheduled and emergency responses to vulnerability identifications, TVM-03.1
based on the identified risk.
Define, implement and evaluate processes, procedures and technical measures to
update detection tools, threat signatures, and indicators of compromise on a TVM-04.1
weekly, or more frequent basis.
Define, implement and evaluate processes, procedures and technical measures to
identify updates for applications which use third party or open source
libraries according to the organization's vulnerability management policy. TVM-05.1
Define, implement and evaluate processes, procedures and technical measures for
the periodic performance of penetration testing by independent third parties. TVM-06.1
Define, implement and evaluate processes, procedures and technical measures for
the detection of vulnerabilities on organizationally managed assets at least TVM-07.1
monthly.
Use a risk-based model for effective prioritization of vulnerability
remediation using an industry recognized framework. TVM-08.1
Define and implement a process for tracking and reporting vulnerability
identification and remediation activities that includes stakeholder TVM-09.1
notification.
Establish, monitor and report metrics for vulnerability identification and
remediation at defined intervals. TVM-10.1
Define and implement a process for the validation of the endpoint device's
compatibility with operating systems and applications. UEM-03.1
Maintain an inventory of all endpoints used to store and access company data.
UEM-04.1
Define, implement and evaluate processes, procedures and technical measures to
enforce policies and controls for all endpoints permitted to access systems UEM-05.1
and/or store, transmit, or process organizational data.
Configure all relevant interactive-use endpoints to require an automatic lock
screen. UEM-06.1
Manage changes to endpoint operating systems, patch levels, and/or applications
through the company's change management processes. UEM-07.1
Protect information from unauthorized disclosure on managed endpoint devices
with storage encryption. UEM-08.1
Configure managed endpoints with anti-malware detection and prevention
technology and services. UEM-09.1
Configure managed endpoints with properly configured software firewalls. UEM-10.1
Configure managed endpoints with Data Loss Prevention (DLP) technologies and
rules in accordance with a risk assessment. UEM-11.1
Enable remote geo-location capabilities for all managed mobile endpoints. UEM-12.1
Define, implement and evaluate processes, procedures and technical measures to
enable the deletion of company data remotely on managed endpoint devices. UEM-13.1
Define, implement and evaluate processes, procedures and technical and/or
contractual measures to maintain proper security of third-party endpoints with UEM-14.1
access to organizational assets.
Consensus Assessments Question
Are application security policies and procedures reviewed and updated at least
annually?
Are baseline requirements to secure different applications established,
documented, and maintained?
Are technical and operational metrics defined and implemented according to
business objectives, security requirements, and compliance obligations?
Is an SDLC process defined and implemented for application design, development,
deployment, and operation per organizationally designed security requirements?
Does the testing strategy outline criteria to accept new information systems,
upgrades, and new versions while ensuring application security, compliance
adherence, and organizational speed of delivery goals?
Is testing automated when applicable and possible?
Are strategies and capabilities established and implemented to deploy
application code in a secure, standardized, and compliant manner?
Is the deployment and integration of application code automated where possible?
Are application security vulnerabilities remediated following defined
processes?
Is the remediation of application security vulnerabilities automated when
possible?
Are the policies and procedures reviewed and updated at least annually?
Is a defined quality change control, approval and testing process (with
established baselines, testing, and release standards) followed?
Are risks associated with changing organizational assets (including
applications, systems, infrastructure, configuration, etc.) managed, regardless
of whether asset management occurs internally or externally (i.e., outsourced)?
Is the unauthorized addition, removal, update, and management of organization
assets restricted?
Are provisions to limit changes that directly impact CSC-owned environments and
require tenants to authorize requests explicitly included within the service
level agreements (SLAs) between CSPs and CSCs?
Are change management baselines established for all relevant authorized changes
on organizational assets?
Are detection measures implemented with proactive notification if changes
deviate from established baselines?
Is a procedure implemented to manage exceptions, including emergencies, in the
change and configuration process?
Is the procedure aligned with the requirements of the GRC-04: Policy Exception
Process?
Is a process to proactively roll back changes to a previously known "good
state" defined and implemented in case of errors or security concerns?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises established, documented, approved, communicated,
enforced, and maintained?
Is a data destruction procedure applied that renders information recovery
impossible if equipment is not physically destroyed?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises reviewed and updated at least annually?
Are policies and procedures for the relocation or transfer of hardware,
software, or data/information to an offsite or alternate location established,
documented, approved, communicated, implemented, enforced, and maintained?
Does a relocation or transfer request require written or cryptographically
verifiable authorization?
Are policies and procedures for the relocation or transfer of hardware,
software, or data/information to an offsite or alternate location reviewed and
updated at least annually?
Are policies and procedures for maintaining a safe and secure working
environment (in offices, rooms, and facilities) established, documented,
approved, communicated, enforced, and maintained?
Are policies and procedures for maintaining safe, secure working environments
(e.g., offices, rooms) reviewed and updated at least annually?
Are policies and procedures for the secure transportation of physical media
established, documented, approved, communicated, enforced, evaluated, and
maintained?
Are policies and procedures for the secure transportation of physical media
reviewed and updated at least annually?
Is the classification and documentation of physical and logical assets based on
the organizational business risk?
Are all relevant physical and logical assets at all CSP sites cataloged and
tracked within a secured system?
Are physical security perimeters implemented to safeguard personnel, data, and
information systems?
Are physical security perimeters established between administrative and
business areas, data storage, and processing facilities?
Is equipment identification used as a method for connection authentication?
Are solely authorized personnel able to access secure areas, with all ingress
and egress areas restricted, documented, and monitored by physical access
control mechanisms?
Are access control records retained periodically, as deemed appropriate by the
organization?
Are external perimeter datacenter surveillance systems and surveillance systems
at all ingress and egress points implemented, maintained, and operated?
Are datacenter personnel trained to respond to unauthorized access or egress
attempts?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure risk-based protection of power and telecommunication cables
from interception, interference, or damage threats at all facilities, offices,
and rooms?
Are data security and privacy policies and procedures reviewed and updated at
least annually?
Are industry-accepted methods applied for secure data disposal from storage
media so information is not recoverable by any forensic means?
Is a data inventory created and maintained for sensitive and personal
information (at a minimum)?
Is data classified according to type and sensitivity levels?
Is data flow documentation created to identify what data is processed and where
it is stored and transmitted?
Is data flow documentation reviewed at defined intervals, at least annually,
and after any change?
Is the ownership and stewardship of all relevant personal and sensitive data
documented?
Is data ownership and stewardship documentation reviewed at least annually?
Are systems, products, and business practices based on security principles by
design and per industry best practices?
Are systems, products, and business practices based on privacy principles by
design and according to industry best practices?
Are systems' privacy settings configured by default and according to all
applicable laws and regulations?
Is a data protection impact assessment (DPIA) conducted when processing
personal data and evaluating the origin, nature, particularity, and severity of
risks according to any applicable laws, regulations and industry best
practices?
Are secure and encrypted communication channels including only up-to-date and
approved protocols used when migrating servers, services, applications, or data
to cloud environments?
Are high-risk environments identified and documented?
Are processes, procedures, and defense-in-depth techniques defined,
implemented, and evaluated for protection, detection, and timely response to
network-based attacks?
Are policies and procedures for security incident management, e-discovery, and
cloud forensics established, documented, approved, communicated, applied,
evaluated, and maintained?
Are policies and procedures reviewed and updated annually?
Are policies and procedures for timely management of security incidents
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are policies and procedures for timely management of security incidents
reviewed and updated at least annually?
Is a security incident response plan that includes relevant internal
departments, impacted CSCs, and other business-critical relationships (such as
supply-chain) established, documented, approved, communicated, applied,
evaluated, and maintained?
Is the security incident response plan tested and updated for effectiveness, as
necessary, at planned intervals or upon significant organizational or
environmental changes?
Are information security incident metrics established and monitored?
Are processes, procedures, and technical measures supporting business processes
to triage security-related events defined, implemented, and evaluated?
Are processes, procedures, and technical measures for security breach
notifications defined and implemented?
Are security breaches and assumed security breaches reported (including any
relevant supply chain breaches) as per applicable SLAs, laws, and regulations?
Are points of contact maintained for applicable regulation authorities,
national and local law enforcement, and other legal jurisdictional authorities?
Are supply chain agreements between CSPs and CSCs reviewed at least annually?
Is there a process for conducting internal assessments at least annually to
confirm the conformance and effectiveness of standards, policies, procedures,
and SLA activities?
Are policies that require all supply chain CSPs to comply with information
security, confidentiality, access control, privacy, audit, personnel policy,
and service level requirements and standards implemented?
Are supply chain partner IT governance policies and procedures reviewed
periodically?
Is a process to conduct periodic security assessments for all supply chain
organizations defined and implemented?
Are threat and vulnerability management policies and procedures reviewed and
updated at least annually?
Are policies and procedures to protect against malware on managed assets
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are asset management and malware protection policies and procedures reviewed
and updated at least annually?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to enable scheduled and emergency responses to vulnerability
identifications (based on the identified risk)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to update detection tools, threat signatures, and compromise
indicators on a weekly (or more frequent) basis?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to identify updates for applications that use third-party or
open-source libraries (according to the organization's vulnerability management
policy)?
Change Log
Description of Change
The mappings of CCM v4.0 to AICPA TSC 2017 and CIS v8.0 are included in the
standard.
The Cloud Control Matrix version 4 (CCM v4.0) is released (including the
controls applicability matrix).
The mappings of CCM v4.0 to CCM v3.0.1 and ISO/IEC 27001/02/17/18 are included
in the first release of the standard.
Authors Contributors
Martin Acherman
Ricky Arora
Christian Banse
Renu Bedi
Rolf Becker
Jon-Michael Brook
John Britton
Angell Duran
Jon-Michael Brook
Odutola Ekundayo
Bobbie-Lynn Burton
Rajeev Gupta
Daniele Catteddu
Roberto Hernandez
Sean Cordero
Joel John
Peter Dickman
Erik Johnson
Sean Estrada
Bala Kaundinya
Tom Follo
Nancy Kramer
Shawn Harris
Claus Matzke
Matthew Hoerig
Vani Murthy
Erik Johnson
Johan Olivier
Harry Lu
Michael Roza
Surinder S. Rait
Chirag Sheth
Michael Roza
Ashish Vashishtha
Agnidipta Sarkar
Dimitri Vekris
Chris Shull
Lefteris Skoutaris
Tony Snook
Contributors
Kai Axford
Darin Blank
Kevin Burgin
Martin Capuder
Vishal Chaudhary
Aradhna Chetal
Jeff Cook
Angela Dogan
Doug Egan
Andreas von Grebmer
Mohin Gulzar
Frank Jaramillo
Gaurav Khanna
Keri Kusznir
Jens Laundrup
Robin Lyons
Loredana Mancini
Julien Mauvieux
Bill Marriott
Claus Matzke
Matthew Meersman
David Nance
Christine Peters
Lisa Peterson
Paul Rich
Max Simakov
Tima Soni
Luke Synnestvedt
Eric Tierling
Raj Tuliani
Editorial Team
Darin Blank (Team Lead)
Bobbie-Lynn Burton
Martin Capuder
Lisa Peterson
Luke Synnestvedt
CCM Leadership
End of acknowledgments
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and
link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the
following: (a) the Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud
Controls Matrix v4.0.2 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d)
the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by
the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud
Controls Matrix Version 4.0.2. If you are interested in obtaining a license to this material for other usages not addressed in the
copyright notice, please contact info@cloudsecurityalliance.org.
ability Matrix CCM v4.0 - CIS v8.0 Mapping CCM v4.0 - AICPA TSC 2017 M
Contributors Contributors
Sandra Ackland
Renu Bedi
Renu Bedi
Anders Brännfors
Madhav Chablani
Ramon Codina
Angela Dogan
Angela Dogan
Angell Duran
Brian Dorsey
Odutola Ekundayo
Angell Duran
Roberto Hernandez
Odutola Ekundayo
Frank Jaramillo
Roberto Hernandez
Joel John
Frank Jaramillo
Audrey Katcher
Bala Kaundinya
Bala Kaundinya
Nancy Kramer
Giovanni Massard
Vani Murthy
Vani Murthy
Johan Olivier
Johan Olivier
Surinder Singh Rait
Michael Roza
Michael Roza
Agnidipta Sarkar
Agnidipta Sarkar
Chirag Sheth
Chirag Sheth
Ashish Vashishtha
Chris Shull
Dimitri Vekris
Ashish Vashishtha
Surya Vinjamuri
Dimitri Vekris
Surya Vinjamuri
CCM v4.0.1 - CCM v3.0.1 Mapping Contributors
Sandra Ackland
Renu Bedi
Glenn Bluff
Anders Brännfors
Madhav Chablani
Aislin Cole
Brian Dorsey
Angell Duran
Rajeev Gupta
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Surinder Singh Rait
Ashish Vashishtha
Dimitri Vekris
CAIQ v4.0.1 Contributors
Tony Snook (Team Lead)
Renu Bedi
Geoff Bird
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Hannah Day
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Frank Jaramillo
Erik Johnson
Bala Kaundinya
Johan Olivier
Michael Roza
Lefteris Skoutaris
Luis Urena
Ashish Vashishtha
Casey Wood