
CLOUD CONTROLS MATRIX VERSION 4.0.2
v4.0.2+0

Introduction

This section explains the CCM V4 spreadsheet structure and describes its components.

I. Structure
The CCM V4 spreadsheet includes five tabs:
• Introduction.
• CCM Controls.
• CCM Scope Applicability (Mappings).
• Consensus Assessments Initiative Questionnaire (CAIQ).
• Acknowledgments.

II. Components Description

a. CCM Controls
This is the core of the CCM V4. It includes 197 controls structured in 17 domains.
Each control is described by a:
• Control Domain: the name of the domain to which the control pertains.
• Control Title: the title of the control.
• Control ID: the control identifier.
• Control Specification: the requirement(s) description of the control.
In addition, this tab includes the following sections (groups of columns):

Typical Control Applicability and Ownership:

This group of columns describes the typical applicability of controls for the three main cloud delivery models: infrastructure-as-a-service (IaaS),
platform-as-a-service (PaaS), and software-as-a-service (SaaS). It also indicates the typical allocation of responsibility for implementing a given
CCM control between a cloud service provider (CSP) and a cloud service customer (CSC) under the Shared Security Responsibility Model (SSRM).
The matrix states whether a control is “CSP-Owned”, “CSC-Owned”, or “Shared”.
IMPORTANT NOTE: Both the control applicability to IaaS, PaaS, and SaaS models—and the control ownership attributions—are meant to represent a
high-level simplification. The CCM user should revise those attributions depending on the contractually agreed SSRM for the specific cloud
environment.

Architectural Relevance - Cloud Stack Components:

This group of columns indicates the architectural relevance of each CCM control per cloud stack component from the perspective of the CSA Cloud
Reference Model. The components covered are physical, network, compute, storage, application, and data.
The “relevance box” for each component is marked “TRUE” if the control is relevant to that component and “FALSE” if it is not.
IMPORTANT NOTE: The architectural relevance is meant to represent a high-level simplification. The CCM user should revise those attributions
depending on its specific cloud environment and technologies used.

Organizational Relevance:

This group of columns indicates which functions within an organization are relevant to the implementation of each CCM control. The functions
included are: Cybersecurity, Internal Audit, Architecture Team, Software Development Team, Operations, Legal/Privacy, Governance/Risk/Control,
Supply Chain Management, and Human Resources.
The “relevance box” for each function is marked “TRUE” if the control is relevant to that function and “FALSE” if it is not.
IMPORTANT NOTE: The organizational relevance is meant to represent a high-level simplification. The user of the CCM should revise those
attributions depending on the specific cloud environment and organizational structure.
b. CCM Scope Applicability (Mappings):
This tab includes the mappings between CCM V4 and control sets relevant to cloud computing, drawn from standards (e.g., ISO 27001, ISO 27002,
ISO 27017) and best-practice frameworks (e.g., CIS Controls v8).
For each mapped standard, the tab provides the following three columns:

Control Mapping

The indication of which control(s) in the target standard (e.g., ISO 27001) correspond to the CCM control.

Gap Level

The level of gap a control (or controls) in the target standard has when compared with the CCM control. The gap levels used are:
• No Gap: In case of full correspondence.
• Partial Gap: If the control(s) in the target standard does not fully satisfy the corresponding CCM control’s requirements.
• Full Gap: If there is no control in the target standard to fulfill the corresponding CCM control’s requirements.

Addendum

The column describes the suggested compensating control(s) an organization should implement to cover the gap between the control(s) in the target
standard and the corresponding CCM control.
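The three mapping columns above are what a practitioner actually consumes when asking "we are certified against standard X; which CCM controls do we still have to add?" The following is an added example (not CSA code, and not the CSA's published mappings) of reading such rows and turning them into a gap report. The CCM identifiers are real v4 control IDs from the control list; the target-standard identifiers (EX-…), gap levels and addendum text are constructed placeholders, and the consistency rules are this example's reading of the gap-level definitions above.

```python
"""Gap analysis over CCM-style mapping rows (added example, not CSA code).

Each row mirrors the three mapping columns: the target-standard control(s)
a CCM control maps to, the gap level, and the addendum (compensating
control). Sample rows are constructed; "EX-…" is a placeholder standard.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

GAP_LEVELS = ("No Gap", "Partial Gap", "Full Gap")

# Constructed sample: CCM IDs are real v4 identifiers; the mapping targets,
# gap levels and addenda are invented for the example.
SAMPLE_MAPPING_CSV = """\
ccm_id,control_mapping,gap_level,addendum
A&A-01,EX-5.1;EX-5.2,No Gap,
A&A-02,EX-9.2,Partial Gap,Extend the internal audit scope to cover cloud service assurance annually.
CEK-08,,Full Gap,Provide and document a customer-managed key (CMK) capability.
CEK-12,EX-10.1,Partial Gap,Define cryptoperiods per key type and enforce rotation against them.
LOG-06,EX-12.4,No Gap,
"""


@dataclass(frozen=True)
class MappingRow:
    ccm_id: str
    control_mapping: tuple[str, ...]  # target controls; empty for a Full Gap
    gap_level: str
    addendum: str


def parse_mapping(csv_text: str) -> list[MappingRow]:
    """Parse the three mapping columns; reject gap levels outside the three defined."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        level = rec["gap_level"].strip()
        if level not in GAP_LEVELS:
            raise ValueError(f"{rec['ccm_id']}: unknown gap level {level!r}")
        mapped = tuple(m.strip() for m in rec["control_mapping"].split(";") if m.strip())
        rows.append(MappingRow(rec["ccm_id"].strip(), mapped, level, rec["addendum"].strip()))
    return rows


def consistency_errors(rows: list[MappingRow]) -> list[str]:
    """Sanity-check rows against the gap-level definitions (example's own rules):
    Full Gap = no target control exists, so no mapping but an addendum is required;
    Partial Gap = mapping and addendum; No Gap = mapping and no addendum."""
    errors = []
    for r in rows:
        if r.gap_level == "Full Gap" and (r.control_mapping or not r.addendum):
            errors.append(f"{r.ccm_id}: Full Gap must have no mapping and an addendum")
        elif r.gap_level == "Partial Gap" and (not r.control_mapping or not r.addendum):
            errors.append(f"{r.ccm_id}: Partial Gap needs both a mapping and an addendum")
        elif r.gap_level == "No Gap" and (not r.control_mapping or r.addendum):
            errors.append(f"{r.ccm_id}: No Gap needs a mapping and no addendum")
    return errors


def gap_summary(rows: list[MappingRow]) -> dict[str, int]:
    """Number of CCM controls per gap level, zero-filled for all three levels."""
    counts = Counter(r.gap_level for r in rows)
    return {level: counts.get(level, 0) for level in GAP_LEVELS}


def compensating_controls(rows: list[MappingRow]) -> list[tuple[str, str]]:
    """CCM controls an organization compliant with the target standard still has
    to add, worst gap first, each paired with its addendum."""
    order = {"Full Gap": 0, "Partial Gap": 1}
    todo = sorted((r for r in rows if r.gap_level in order),
                  key=lambda r: (order[r.gap_level], r.ccm_id))
    return [(r.ccm_id, r.addendum) for r in todo]


def reverse_index(rows: list[MappingRow]) -> dict[str, list[str]]:
    """Target control -> CCM controls citing it, for auditors working from the
    target standard's side."""
    index: dict[str, list[str]] = {}
    for r in rows:
        for target in r.control_mapping:
            index.setdefault(target, []).append(r.ccm_id)
    return index


if __name__ == "__main__":
    rows = parse_mapping(SAMPLE_MAPPING_CSV)
    if errs := consistency_errors(rows):
        raise SystemExit("\n".join(errs))
    print(gap_summary(rows))
    for ccm_id, addendum in compensating_controls(rows):
        print(f"{ccm_id}: {addendum}")
```

The consistency check is worth running before trusting any mapping sheet, including a hand-maintained copy of this one: a "Full Gap" row that still cites a target control, or a "Partial Gap" with no addendum, usually means the row was edited without updating the gap level.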

c. Consensus Assessments Initiative Questionnaire (CAIQ):


This tab includes the questionnaire associated with the CCM controls, commonly known as the CAIQ. The CAIQ consists of 261 questions structured in
the 17 domains of the CCM. Each question is described by a:
• Question ID: the question identifier.
• Question: the text of the question.
IMPORTANT NOTE: The CAIQ version in this spreadsheet is NOT meant to be used in lieu of submitting self-assessments (STAR Level 1) into the STAR
Registry. A separate submission form has been created for that purpose.

d. Acknowledgments:
This tab acknowledges the volunteers who contributed to the CCM V4’s development.

End of Introduction
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to
the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.

Control Domain / Control ID / Control Title

Audit & Assurance - A&A
A&A-01  Audit and Assurance Policy and Procedures
A&A-02  Independent Assessments
A&A-03  Risk Based Planning Assessment
A&A-04  Requirements Compliance
A&A-05  Audit Management Process
A&A-06  Remediation

Application & Interface Security - AIS
AIS-01  Application and Interface Security Policy and Procedures
AIS-02  Application Security Baseline Requirements
AIS-03  Application Security Metrics
AIS-04  Secure Application Design and Development
AIS-05  Automated Application Security Testing
AIS-06  Automated Secure Application Deployment
AIS-07  Application Vulnerability Remediation

Business Continuity Management and Operational Resilience - BCR
BCR-01  Business Continuity Management Policy and Procedures
BCR-02  Risk Assessment and Impact Analysis
BCR-03  Business Continuity Strategy
BCR-04  Business Continuity Planning
BCR-05  Documentation
BCR-06  Business Continuity Exercises
BCR-07  Communication
BCR-08  Backup
BCR-09  Disaster Response Plan
BCR-10  Response Plan Exercise
BCR-11  Equipment Redundancy
Change Control and Configuration Management - CCC
CCC-01  Change Management Policy and Procedures
CCC-02  Quality Testing
CCC-03  Change Management Technology
CCC-04  Unauthorized Change Protection
CCC-05  Change Agreements
CCC-06  Change Management Baseline
CCC-07  Detection of Baseline Deviation
CCC-08  Exception Management
CCC-09  Change Restoration
Cryptography, Encryption & Key Management - CEK
CEK-01  Encryption and Key Management Policy and Procedures
CEK-02  CEK Roles and Responsibilities
CEK-03  Data Encryption
CEK-04  Encryption Algorithm
CEK-05  Encryption Change Management
CEK-06  Encryption Change Cost Benefit Analysis
CEK-07  Encryption Risk Management
CEK-08  CSC Key Management Capability
CEK-09  Encryption and Key Management Audit
CEK-10  Key Generation
CEK-11  Key Purpose
CEK-12  Key Rotation
CEK-13  Key Revocation
CEK-14  Key Destruction
CEK-15  Key Activation
CEK-16  Key Suspension
CEK-17  Key Deactivation
CEK-18  Key Archival
CEK-19  Key Compromise
CEK-20  Key Recovery
CEK-21  Key Inventory Management
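CEK-10 through CEK-21 describe a key lifecycle: generation with a declared algorithm strength and random number generator, one purpose per key, rotation against a cryptoperiod, revocation and destruction, a pre-activated state for keys not yet authorized for use, suspension, deactivation, archival, compromise handling, recovery, and an inventory. The following is an added example (not CSA code and not a real KMS) of the state machine and inventory logic a cloud customer would keep beside keys held in an HSM or cloud KMS. Key material comes from Python's `secrets` module (the OS CSPRNG) only so the example runs offline; the state names, allowed transitions, approved-algorithm table and cryptoperiods are this example's assumptions.

```python
"""Key lifecycle state machine for the CEK controls above (added example; not
CSA code, not a production KMS). Material is generated with `secrets` so the
example runs offline; in production generation and storage belong in an HSM
or cloud KMS and these states are the metadata kept beside those keys.
State names, transitions, algorithms and cryptoperiods are assumptions."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    PRE_ACTIVATED = "pre-activated"  # CEK-15: generated but not yet authorized for use
    ACTIVE = "active"
    SUSPENDED = "suspended"          # CEK-16: temporarily unusable
    DEACTIVATED = "deactivated"      # CEK-17: cryptoperiod ended; decrypt/verify only
    COMPROMISED = "compromised"      # CEK-19: revoked (CEK-13), never used again
    ARCHIVED = "archived"            # CEK-18: retained so CEK-20 recovery is possible
    DESTROYED = "destroyed"          # CEK-14: material zeroized


TRANSITIONS = {  # the lifecycle graph this example enforces (assumption)
    State.PRE_ACTIVATED: {State.ACTIVE, State.DESTROYED},
    State.ACTIVE: {State.SUSPENDED, State.DEACTIVATED, State.COMPROMISED},
    State.SUSPENDED: {State.ACTIVE, State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.ARCHIVED, State.COMPROMISED, State.DESTROYED},
    State.ARCHIVED: {State.DEACTIVATED, State.COMPROMISED, State.DESTROYED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}
ALGORITHMS = {"AES-256-GCM": 32, "HMAC-SHA256": 32}  # approved algorithm -> key bytes (CEK-04/10)
RNG = "secrets.token_bytes (OS CSPRNG)"              # recorded with every key (CEK-10)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)        # constructed clock for demos/tests
DAY = timedelta(days=1)


@dataclass
class ManagedKey:
    key_id: str
    algorithm: str
    purpose: str                 # CEK-11: exactly one purpose per key
    cryptoperiod: timedelta      # CEK-12
    created: datetime
    material: bytearray = field(repr=False)
    rng: str = RNG
    state: State = State.PRE_ACTIVATED
    activated: datetime | None = None
    history: list[tuple[datetime, State]] = field(default_factory=list)

    def transition(self, new: State, when: datetime) -> None:
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key_id}: {self.state.value} -> {new.value} not allowed")
        if new is State.ACTIVE and self.activated is None:
            self.activated = when
        if new is State.DESTROYED:  # best-effort zeroize; real destruction happens in the HSM/KMS
            for i in range(len(self.material)):
                self.material[i] = 0
            self.material = bytearray()
        self.state = new
        self.history.append((when, new))

    def expires(self) -> datetime | None:
        return None if self.activated is None else self.activated + self.cryptoperiod

    def usable_for(self, purpose: str, when: datetime) -> bool:
        """Protect new data only with an ACTIVE, in-period key of the right purpose."""
        return self.state is State.ACTIVE and self.purpose == purpose and when < self.expires()


class KeyInventory:
    """CEK-21 inventory plus cryptoperiod-driven rotation (CEK-12)."""

    def __init__(self) -> None:
        self.keys: dict[str, ManagedKey] = {}

    def generate(self, key_id, algorithm, purpose, cryptoperiod, now) -> ManagedKey:
        if key_id in self.keys:
            raise ValueError(f"duplicate key id {key_id}")
        length = ALGORITHMS[algorithm]  # KeyError: algorithm not on the approved list
        key = ManagedKey(key_id, algorithm, purpose, cryptoperiod, now,
                         bytearray(secrets.token_bytes(length)))
        key.history.append((now, State.PRE_ACTIVATED))
        self.keys[key_id] = key
        return key

    def due_for_rotation(self, now, notice=timedelta(0)) -> list[str]:
        """ACTIVE keys whose cryptoperiod ends within `notice` of now."""
        return sorted(k.key_id for k in self.keys.values()
                      if k.state is State.ACTIVE and k.expires() <= now + notice)

    def rotate(self, old_id, new_id, now) -> ManagedKey:
        """Successor with the same algorithm/purpose/cryptoperiod goes ACTIVE; the
        old key is deactivated (still needed to decrypt data it protected)."""
        old = self.keys[old_id]
        new = self.generate(new_id, old.algorithm, old.purpose, old.cryptoperiod, now)
        new.transition(State.ACTIVE, now)
        if old.state in (State.ACTIVE, State.SUSPENDED):
            old.transition(State.DEACTIVATED, now)
        return new

    def report_compromise(self, key_id, now) -> None:
        """CEK-13/CEK-19: revoke at once, regardless of remaining cryptoperiod."""
        self.keys[key_id].transition(State.COMPROMISED, now)

    def active_key(self, purpose, now) -> ManagedKey:
        for k in self.keys.values():
            if k.usable_for(purpose, now):
                return k
        raise LookupError(f"no usable key for purpose {purpose!r}")
```

Two design points matter for the controls above. The transition table is what makes revocation stick: a compromised key can only be destroyed, so no code path can quietly reactivate it. And `due_for_rotation` takes a notice window, because rotation has to be scheduled before the cryptoperiod ends, not discovered after `usable_for` starts returning False in production.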

Datacenter Security - DCS
DCS-01  Off-Site Equipment Disposal Policy and Procedures
DCS-02  Off-Site Transfer Authorization Policy and Procedures
DCS-03  Secure Area Policy and Procedures
DCS-04  Secure Media Transportation Policy and Procedures
DCS-05  Assets Classification
DCS-06  Assets Cataloguing and Tracking
DCS-07  Controlled Access Points
DCS-08  Equipment Identification
DCS-09  Secure Area Authorization
DCS-10  Surveillance System
DCS-11  Unauthorized Access Response Training
DCS-12  Cabling Security
DCS-13  Environmental Systems
DCS-14  Secure Utilities
DCS-15  Equipment Location

Data Security and Privacy Lifecycle Management - DSP
DSP-01  Security and Privacy Policy and Procedures
DSP-02  Secure Disposal
DSP-03  Data Inventory
DSP-04  Data Classification
DSP-05  Data Flow Documentation
DSP-06  Data Ownership and Stewardship
DSP-07  Data Protection by Design and Default
DSP-08  Data Privacy by Design and Default
DSP-09  Data Protection Impact Assessment
DSP-10  Sensitive Data Transfer
DSP-11  Personal Data Access, Reversal, Rectification and Deletion
DSP-12  Limitation of Purpose in Personal Data Processing
DSP-13  Personal Data Sub-processing
DSP-14  Disclosure of Data Sub-processors
DSP-15  Limitation of Production Data Use
DSP-16  Data Retention and Deletion
DSP-17  Sensitive Data Protection
DSP-18  Disclosure Notification
DSP-19  Data Location

Governance, Risk and Compliance - GRC
GRC-01  Governance Program Policy and Procedures
GRC-02  Risk Management Program
GRC-03  Organizational Policy Reviews
GRC-04  Policy Exception Process
GRC-05  Information Security Program
GRC-06  Governance Responsibility Model
GRC-07  Information System Regulatory Mapping
GRC-08  Special Interest Groups

Human Resources - HRS
HRS-01  Background Screening Policy and Procedures
HRS-02  Acceptable Use of Technology Policy and Procedures
HRS-03  Clean Desk Policy and Procedures
HRS-04  Remote and Home Working Policy and Procedures
HRS-05  Asset Returns
HRS-06  Employment Termination
HRS-07  Employment Agreement Process
HRS-08  Employment Agreement Content
HRS-09  Personnel Roles and Responsibilities
HRS-10  Non-Disclosure Agreements
HRS-11  Security Awareness Training
HRS-12  Personal and Sensitive Data Awareness and Training
HRS-13  Compliance User Responsibility

Identity & Access Management - IAM
IAM-01  Identity and Access Management Policy and Procedures
IAM-02  Strong Password Policy and Procedures
IAM-03  Identity Inventory
IAM-04  Separation of Duties
IAM-05  Least Privilege
IAM-06  User Access Provisioning
IAM-07  User Access Changes and Revocation
IAM-08  User Access Review
IAM-09  Segregation of Privileged Access Roles
IAM-10  Management of Privileged Access Roles
IAM-11  CSCs Approval for Agreed Privileged Access Roles
IAM-12  Safeguard Logs Integrity
IAM-13  Uniquely Identifiable Users
IAM-14  Strong Authentication
IAM-15  Passwords Management
IAM-16  Authorization Mechanisms

Interoperability & Portability - IPY
IPY-01  Interoperability and Portability Policy and Procedures
IPY-02  Application Interface Availability
IPY-03  Secure Interoperability and Portability Management
IPY-04  Data Portability Contractual Obligations

Infrastructure & Virtualization Security - IVS
IVS-01  Infrastructure and Virtualization Security Policy and Procedures
IVS-02  Capacity and Resource Planning
IVS-03  Network Security
IVS-04  OS Hardening and Base Controls
IVS-05  Production and Non-Production Environments
IVS-06  Segmentation and Segregation
IVS-07  Migration to Cloud Environments
IVS-08  Network Architecture Documentation
IVS-09  Network Defense

Logging and Monitoring - LOG
LOG-01  Logging and Monitoring Policy and Procedures
LOG-02  Audit Logs Protection
LOG-03  Security Monitoring and Alerting
LOG-04  Audit Logs Access and Accountability
LOG-05  Audit Logs Monitoring and Response
LOG-06  Clock Synchronization
LOG-07  Logging Scope
LOG-08  Log Records
LOG-09  Log Protection
LOG-10  Encryption Monitoring and Reporting
LOG-11  Transaction/Activity Logging
LOG-12  Access Control Logs
LOG-13  Failures and Anomalies Reporting

Security Incident Management, E-Discovery, & Cloud Forensics - SEF
SEF-01  Security Incident Management Policy and Procedures
SEF-02  Service Management Policy and Procedures
SEF-03  Incident Response Plans
SEF-04  Incident Response Testing
SEF-05  Incident Response Metrics
SEF-06  Event Triage Processes
SEF-07  Security Breach Notification
SEF-08  Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability - STA
STA-01  SSRM Policy and Procedures
STA-02  SSRM Supply Chain
STA-03  SSRM Guidance
STA-04  SSRM Control Ownership
STA-05  SSRM Documentation Review
STA-06  SSRM Control Implementation
STA-07  Supply Chain Inventory
STA-08  Supply Chain Risk Management
STA-09  Primary Service and Contractual Agreement
STA-10  Supply Chain Agreement Review
STA-11  Internal Compliance Testing
STA-12  Supply Chain Service Agreement Compliance
STA-13  Supply Chain Governance Review
STA-14  Supply Chain Data Security Assessment
Threat & Vulnerability Management - TVM
TVM-01  Threat and Vulnerability Management Policy and Procedures
TVM-02  Malware Protection Policy and Procedures
TVM-03  Vulnerability Remediation Schedule
TVM-04  Detection Updates
TVM-05  External Library Vulnerabilities
TVM-06  Penetration Testing
TVM-07  Vulnerability Identification
TVM-08  Vulnerability Prioritization
TVM-09  Vulnerability Management Reporting
TVM-10  Vulnerability Management Metrics

Universal Endpoint Management - UEM
UEM-01  Endpoint Devices Policy and Procedures
UEM-02  Application and Service Approval
UEM-03  Compatibility
UEM-04  Endpoint Inventory
UEM-05  Endpoint Management
UEM-06  Automatic Lock Screen
UEM-07  Operating Systems
UEM-08  Storage Encryption
UEM-09  Anti-Malware Detection and Prevention
UEM-10  Software Firewall
UEM-11  Data Loss Prevention
UEM-12  Remote Locate
UEM-13  Remote Wipe
UEM-14  Third-Party Endpoint Security Posture

End of Standard
Typical Control Applicability and Ownership

Control Specification, with typical ownership for IaaS and PaaS

Audit & Assurance - A&A

A&A-01 [IaaS: Shared; PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

A&A-02 [IaaS: Shared; PaaS: Shared]
Conduct independent audit and assurance assessments according to relevant standards at least annually.

A&A-03 [IaaS: Shared; PaaS: Shared]
Perform independent audit and assurance assessments according to risk-based plans and policies.

A&A-04 [IaaS: Shared; PaaS: Shared]
Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.

A&A-05 [IaaS: Shared; PaaS: Shared]
Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

A&A-06 [IaaS: Shared; PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.

Application & Interface Security - AIS

AIS-01 [IaaS: Shared; PaaS: CSC-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

AIS-02 [IaaS: Shared; PaaS: Shared]
Establish, document and maintain baseline requirements for securing different applications.

AIS-03 [IaaS: Shared; PaaS: Shared]
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

AIS-04 [IaaS: Shared; PaaS: Shared]
Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.

AIS-05 [IaaS: Shared; PaaS: Shared]
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.

AIS-06 [IaaS: Shared; PaaS: Shared]
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.

AIS-07 [IaaS: Shared; PaaS: Shared]
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

Business Continuity Management and Operational Resilience - BCR

BCR-01 [IaaS: Shared; PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.

BCR-02 [IaaS: Shared; PaaS: Shared]
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.

BCR-03 [IaaS: Shared; PaaS: Shared]
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

BCR-04 [IaaS: Shared; PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.

BCR-05 [IaaS: Shared; PaaS: Shared]
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.

BCR-06 [IaaS: Shared; PaaS: Shared]
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.

BCR-07 [IaaS: Shared; PaaS: Shared]
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.

BCR-08 [IaaS: Shared; PaaS: Shared]
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.

BCR-09 [IaaS: CSP-Owned; PaaS: CSP-Owned]
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.

BCR-10 [IaaS: CSP-Owned; PaaS: CSP-Owned]
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.

BCR-11 [IaaS: CSP-Owned; PaaS: CSP-Owned]
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
Change Control and Configuration Management - CCC

CCC-01 [IaaS: Shared; PaaS: Shared]
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.

CCC-02 [IaaS: CSP-Owned; PaaS: Shared]
Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC-03 [IaaS: Shared; PaaS: Shared]
Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC-04 [IaaS: Shared; PaaS: Shared]
Restrict the unauthorized addition, removal, update, and management of organization assets.

CCC-05 [IaaS: CSP-Owned; PaaS: Shared]
Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

CCC-06 [IaaS: Shared; PaaS: Shared]
Establish change management baselines for all relevant authorized changes on organization assets.

CCC-07 [IaaS: CSP-Owned; PaaS: Shared]
Implement detection measures with proactive notification in case of changes deviating from the established baseline.

CCC-08 [IaaS: Shared; PaaS: Shared]
Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.

CCC-09 [IaaS: Shared; PaaS: Shared]
Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
Cryptography, Encryption & Key Management - CEK

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Define and implement cryptographic, encryption and key management roles and responsibilities.
IaaS: Shared | PaaS: Shared

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
IaaS: Shared | PaaS: Shared

Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
IaaS: Shared | PaaS: Shared

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
IaaS: Shared | PaaS: Shared

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
IaaS: Shared | PaaS: Shared

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
IaaS: Shared | PaaS: Shared

CSPs must provide the capability for CSCs to manage their own data encryption keys.
IaaS: Shared | PaaS: Shared

Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system, with audits occurring preferably continuously but at least annually and after any security event(s).
IaaS: Shared | PaaS: Shared

Generate cryptographic keys using industry-accepted cryptographic libraries, specifying the algorithm strength and the random number generator used.
IaaS: Shared | PaaS: Shared

Manage cryptographic secret and private keys that are provisioned for a unique purpose.
IaaS: Shared | PaaS: Shared

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of their established cryptoperiod, when a key is compromised, or when an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
IaaS: Shared | PaaS: Shared

Datacenter Security - DCS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed, a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
IaaS: CSP-Owned | PaaS: CSP-Owned

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
IaaS: CSP-Owned | PaaS: CSP-Owned

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
IaaS: CSP-Owned | PaaS: CSP-Owned

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
IaaS: CSP-Owned | PaaS: CSP-Owned

Classify and document the physical and logical assets (e.g., applications) based on the organizational business risk.
IaaS: Shared | PaaS: Shared

Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.
IaaS: CSP-Owned | PaaS: Shared

Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.
IaaS: CSP-Owned | PaaS: CSP-Owned

Use equipment identification as a method for connection authentication.
IaaS: CSP-Owned | PaaS: Shared

Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
IaaS: CSP-Owned | PaaS: CSP-Owned

Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.
IaaS: CSP-Owned | PaaS: CSP-Owned

Train datacenter personnel to respond to unauthorized ingress or egress attempts.
IaaS: CSP-Owned | PaaS: CSP-Owned

Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.
IaaS: CSP-Owned | PaaS: CSP-Owned

Implement and maintain data center environmental control systems that monitor and maintain temperature and humidity conditions within accepted industry standards, and test them for continual effectiveness.
IaaS: CSP-Owned | PaaS: CSP-Owned

Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.
IaaS: CSP-Owned | PaaS: CSP-Owned

Keep business-critical equipment away from locations subject to high probability for environmental risk events.
IaaS: CSP-Owned | PaaS: CSP-Owned

Data Security and Privacy Lifecycle Management - DSP

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
IaaS: CSC-Owned | PaaS: CSC-Owned

Apply industry-accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
IaaS: Shared | PaaS: Shared

Create and maintain a data inventory, at least for any sensitive data and personal data.
IaaS: Shared | PaaS: Shared

Classify data according to its type and sensitivity level.
IaaS: CSC-Owned | PaaS: CSC-Owned

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
IaaS: CSC-Owned | PaaS: CSC-Owned

Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
IaaS: CSC-Owned | PaaS: CSC-Owned

Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
IaaS: Shared | PaaS: Shared

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
IaaS: CSC-Owned | PaaS: CSC-Owned

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
IaaS: CSC-Owned | PaaS: CSC-Owned

Obtain authorization from data owners, and manage associated risk, before replicating or using production data in non-production environments.
IaaS: CSC-Owned | PaaS: CSC-Owned

Manage data retention, archiving and deletion in accordance with business requirements and applicable laws and regulations.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
IaaS: CSC-Owned | PaaS: CSC-Owned

The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
IaaS: CSP-Owned | PaaS: CSP-Owned

Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
IaaS: CSP-Owned | PaaS: CSP-Owned

Governance, Risk and Compliance - GRC

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
IaaS: Shared | PaaS: Shared

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
IaaS: Shared | PaaS: Shared

Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
IaaS: Shared | PaaS: Shared

Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
IaaS: Shared | PaaS: Shared

Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
IaaS: Shared | PaaS: Shared

Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization.
IaaS: Shared | PaaS: Shared

Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.
IaaS: Shared | PaaS: Shared

Human Resources - HRS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish and document procedures for the return of organization-owned assets by terminated employees.
IaaS: Shared | PaaS: Shared

Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
IaaS: Shared | PaaS: Shared

Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
IaaS: Shared | PaaS: Shared

The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.
IaaS: Shared | PaaS: Shared

Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
IaaS: Shared | PaaS: Shared

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
IaaS: Shared | PaaS: Shared

Provide all employees who have access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
IaaS: Shared | PaaS: Shared

Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
IaaS: Shared | PaaS: Shared

Identity & Access Management - IAM

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Manage, store, and review the information of system identities, and level of access.
IaaS: Shared | PaaS: Shared

Employ the separation of duties principle when implementing information system access.
IaaS: Shared | PaaS: Shared

Employ the least privilege principle when implementing information system access.
IaaS: Shared | PaaS: Shared

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
IaaS: Shared | PaaS: Shared

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.
IaaS: Shared | PaaS: Shared

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.
IaaS: Shared | PaaS: Shared

Define and implement an access process to ensure privileged access roles and rights are granted for a time-limited period, and implement procedures to prevent the accumulation of segregated privileged access.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high-risk (as defined by the organizational risk assessment) privileged access roles.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, applications and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
IaaS: Shared | PaaS: Shared

Interoperability & Portability - IPY

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
IaaS: CSC-Owned | PaaS: Shared

Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
IaaS: CSC-Owned | PaaS: Shared

Implement cryptographically secure and standardized network protocols for the management, import and export of data.
IaaS: CSC-Owned | PaaS: Shared

Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
IaaS: CSC-Owned | PaaS: Shared

Infrastructure & Virtualization Security - IVS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.
IaaS: CSP-Owned | PaaS: CSP-Owned

Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
IaaS: Shared | PaaS: CSP-Owned

Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
IaaS: CSP-Owned | PaaS: CSP-Owned

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
IaaS: CSP-Owned | PaaS: CSP-Owned

Separate production and non-production environments.
IaaS: CSP-Owned | PaaS: CSP-Owned

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
IaaS: CSP-Owned | PaaS: CSP-Owned

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
IaaS: Shared | PaaS: Shared

Identify and document high-risk environments.
IaaS: CSP-Owned | PaaS: CSP-Owned

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.
IaaS: CSP-Owned | PaaS: CSP-Owned

Logging and Monitoring - LOG

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
IaaS: Shared | PaaS: Shared

Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
IaaS: CSC-Owned | PaaS: Shared

Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
IaaS: Shared | PaaS: Shared

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
IaaS: Shared | PaaS: Shared

Use a reliable time source across all relevant information processing systems.
IaaS: Shared | PaaS: CSP-Owned

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
IaaS: Shared | PaaS: Shared

Generate audit records containing relevant security information.
IaaS: Shared | PaaS: Shared

The information system protects audit records from unauthorized access, modification, and deletion.
IaaS: Shared | PaaS: Shared

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
IaaS: Shared | PaaS: Shared

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
IaaS: Shared | PaaS: Shared

Monitor and log physical access using an auditable access control system.
IaaS: CSP-Owned | PaaS: CSP-Owned

Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
IaaS: Shared | PaaS: Shared

Security Incident Management, E-Discovery, & Cloud Forensics - SEF

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.
IaaS: Shared | PaaS: Shared

Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
IaaS: Shared | PaaS: Shared

Establish and monitor information security incident metrics.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.
IaaS: Shared | PaaS: Shared

Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches, including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
IaaS: Shared | PaaS: Shared

Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
IaaS: Shared | PaaS: Shared

Supply Chain Management, Transparency, and Accountability - STA

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
IaaS: Shared | PaaS: Shared

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
IaaS: CSP-Owned | PaaS: CSP-Owned

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
IaaS: CSP-Owned | PaaS: CSP-Owned

Review and validate SSRM documentation for all cloud services offerings the organization uses.
IaaS: Shared | PaaS: Shared

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
IaaS: Shared | PaaS: Shared

Develop and maintain an inventory of all supply chain relationships.
IaaS: Shared | PaaS: Shared

CSPs periodically review risk factors associated with all organizations within their supply chain.
IaaS: Shared | PaaS: Shared

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed-upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
IaaS: Shared | PaaS: Shared

Review supply chain agreements between CSPs and CSCs at least annually.
IaaS: Shared | PaaS: Shared

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
IaaS: Shared | PaaS: Shared

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
IaaS: Shared | PaaS: Shared

Periodically review the organization's supply chain partners' IT governance policies and procedures.
IaaS: Shared | PaaS: Shared

Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
IaaS: Shared | PaaS: Shared

Threat & Vulnerability Management - TVM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent, basis.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
IaaS: Shared | PaaS: Shared

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
IaaS: Shared | PaaS: Shared

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
IaaS: Shared | PaaS: Shared

Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
IaaS: Shared | PaaS: Shared

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
IaaS: Shared | PaaS: Shared

Universal Endpoint Management - UEM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
IaaS: Shared | PaaS: Shared

Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
IaaS: Shared | PaaS: Shared

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
IaaS: CSC-Owned | PaaS: Shared

Maintain an inventory of all endpoints used to store and access company data.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
IaaS: CSC-Owned | PaaS: CSC-Owned

Configure all relevant interactive-use endpoints to require an automatic lock screen.
IaaS: CSC-Owned | PaaS: CSC-Owned

Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
IaaS: CSC-Owned | PaaS: Shared

Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
IaaS: CSC-Owned | PaaS: CSC-Owned

Configure managed endpoints with anti-malware detection and prevention technology and services.
IaaS: CSC-Owned | PaaS: CSC-Owned

Configure managed endpoints with properly configured software firewalls.
IaaS: CSC-Owned | PaaS: CSC-Owned

Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
IaaS: CSC-Owned | PaaS: CSC-Owned

Enable remote geo-location capabilities for all managed mobile endpoints.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
IaaS: CSC-Owned | PaaS: CSC-Owned

Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
IaaS: CSC-Owned | PaaS: CSC-Owned

End of Standard

[Copyright notice of the Cloud Security Alliance Cloud Controls Matrix v4.0.2 (http://www.cloudsecurityalliance.org), partially cut off in this extraction: personal, informational, non-commercial use only; the document may not be redistributed, and trademark, copyright or other notices may not be removed; portions may be quoted as permitted by the Fair Use provisions of the United States copyright law with attribution to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2; licensing enquiries to info@cloudsecurityalliance.org.]
[Typical Control Applicability and Ownership (SaaS), Architectural Relevance - Cloud Stack Components (Phys, Network, Compute, Storage, App, Data) and Organizational Relevance (Cybersecurity, Internal Audit, Architecture Team, SW Development, Operations, Legal/Privacy, GRC Team, Supply Chain Management, HR) columns: per-control values omitted]
CLOUD CONTROLS MATRIX VERSION 4.0.2
v4.0.2+0

Control Domain | Control Title | Control ID

Audit & Assurance - A&A
Audit & Assurance | Audit and Assurance Policy and Procedures | A&A-01
Audit & Assurance | Independent Assessments | A&A-02
Audit & Assurance | Risk Based Planning Assessment | A&A-03
Audit & Assurance | Requirements Compliance | A&A-04
Audit & Assurance | Audit Management Process | A&A-05
Audit & Assurance | Remediation | A&A-06

Application & Interface Security - AIS
Application & Interface Security | Application and Interface Security Policy and Procedures | AIS-01
Application & Interface Security | Application Security Baseline Requirements | AIS-02
Application & Interface Security | Application Security Metrics | AIS-03
Application & Interface Security | Secure Application Design and Development | AIS-04
Application & Interface Security | Automated Application Security Testing | AIS-05
Application & Interface Security | Automated Secure Application Deployment | AIS-06
Application & Interface Security | Application Vulnerability Remediation | AIS-07

Business Continuity Management and Operational Resilience - BCR
Business Continuity Management and Operational Resilience | Business Continuity Management Policy and Procedures | BCR-01
Business Continuity Management and Operational Resilience | Risk Assessment and Impact Analysis | BCR-02
Business Continuity Management and Operational Resilience | Business Continuity Strategy | BCR-03
Business Continuity Management and Operational Resilience | Business Continuity Planning | BCR-04
Business Continuity Management and Operational Resilience | Documentation | BCR-05
Business Continuity Management and Operational Resilience | Business Continuity Exercises | BCR-06
Business Continuity Management and Operational Resilience | Communication | BCR-07
Business Continuity Management and Operational Resilience | Backup | BCR-08
Business Continuity Management and Operational Resilience | Disaster Response Plan | BCR-09
Business Continuity Management and Operational Resilience | Response Plan Exercise | BCR-10
Business Continuity Management and Operational Resilience | Equipment Redundancy | BCR-11

Change Control and Configuration Management - CCC
Change Control and Configuration Management | Change Management Policy and Procedures | CCC-01
Change Control and Configuration Management | Quality Testing | CCC-02
Change Control and Configuration Management | Change Management Technology | CCC-03
Change Control and Configuration Management | Unauthorized Change Protection | CCC-04
Change Control and Configuration Management | Change Agreements | CCC-05
Change Control and Configuration Management | Change Management Baseline | CCC-06
Change Control and Configuration Management | Detection of Baseline Deviation | CCC-07
Change Control and Configuration Management | Exception Management | CCC-08
Change Control and Configuration Management | Change Restoration | CCC-09

Cryptography, Encryption & Key Management - CEK
Cryptography, Encryption & Key Management | Encryption and Key Management Policy and Procedures | CEK-01
Cryptography, Encryption & Key Management | CEK Roles and Responsibilities | CEK-02
Cryptography, Encryption & Key Management | Data Encryption | CEK-03
Cryptography, Encryption & Key Management | Encryption Algorithm | CEK-04
Cryptography, Encryption & Key Management | Encryption Change Management | CEK-05
Cryptography, Encryption & Key Management | Encryption Change Cost Benefit Analysis | CEK-06
Cryptography, Encryption & Key Management | Encryption Risk Management | CEK-07
Cryptography, Encryption & Key Management | CSC Key Management Capability | CEK-08
Cryptography, Encryption & Key Management | Encryption and Key Management Audit | CEK-09
Cryptography, Encryption & Key Management | Key Generation | CEK-10
Cryptography, Encryption & Key Management | Key Purpose | CEK-11
Cryptography, Encryption & Key Management | Key Rotation | CEK-12
Cryptography, Encryption & Key Management | Key Revocation | CEK-13
Cryptography, Encryption & Key Management | Key Destruction | CEK-14
Cryptography, Encryption & Key Management | Key Activation | CEK-15
Cryptography, Encryption & Key Management | Key Suspension | CEK-16
Cryptography, Encryption & Key Management | Key Deactivation | CEK-17
Cryptography, Encryption & Key Management | Key Archival | CEK-18
Cryptography, Encryption & Key Management | Key Compromise | CEK-19
Cryptography, Encryption & Key Management | Key Recovery | CEK-20
Cryptography, Encryption & Key Management | Key Inventory Management | CEK-21

Datacenter Security - DCS
Datacenter Security | Off-Site Equipment Disposal Policy and Procedures | DCS-01
Datacenter Security | Off-Site Transfer Authorization Policy and Procedures | DCS-02
Datacenter Security | Secure Area Policy and Procedures | DCS-03
Datacenter Security | Secure Media Transportation Policy and Procedures | DCS-04
Datacenter Security | Assets Classification | DCS-05
Datacenter Security | Assets Cataloguing and Tracking | DCS-06
Datacenter Security | Controlled Access Points | DCS-07
Datacenter Security | Equipment Identification | DCS-08
Datacenter Security | Secure Area Authorization | DCS-09
Datacenter Security | Surveillance System | DCS-10
Datacenter Security | Unauthorized Access Response Training | DCS-11
Datacenter Security | Cabling Security | DCS-12
Datacenter Security | Environmental Systems | DCS-13
Datacenter Security | Secure Utilities | DCS-14
Datacenter Security | Equipment Location | DCS-15

Data Security and Privacy Lifecycle Management - DSP
Data Security and Privacy Lifecycle Management | Security and Privacy Policy and Procedures | DSP-01
Data Security and Privacy Lifecycle Management | Secure Disposal | DSP-02
Data Security and Privacy Lifecycle Management | Data Inventory | DSP-03
Data Security and Privacy Lifecycle Management | Data Classification | DSP-04
Data Security and Privacy Lifecycle Management | Data Flow Documentation | DSP-05
Data Security and Privacy Lifecycle Management | Data Ownership and Stewardship | DSP-06
Data Security and Privacy Lifecycle Management | Data Protection by Design and Default | DSP-07
Data Security and Privacy Lifecycle Management | Data Privacy by Design and Default | DSP-08
Data Security and Privacy Lifecycle Management | Data Protection Impact Assessment | DSP-09
Data Security and Privacy Lifecycle Management | Sensitive Data Transfer | DSP-10
Data Security and Privacy Lifecycle Management | Personal Data Access, Reversal, Rectification and Deletion | DSP-11
Data Security and Privacy Lifecycle Management | Limitation of Purpose in Personal Data Processing | DSP-12
Data Security and Privacy Lifecycle Management | Personal Data Sub-processing | DSP-13
Data Security and Privacy Lifecycle Management | Disclosure of Data Sub-processors | DSP-14
Data Security and Privacy Lifecycle Management | Limitation of Production Data Use | DSP-15
Data Security and Privacy Lifecycle Management | Data Retention and Deletion | DSP-16
Data Security and Privacy Lifecycle Management | Sensitive Data Protection | DSP-17
Data Security and Privacy Lifecycle Management | Disclosure Notification | DSP-18
Data Security and Privacy Lifecycle Management | Data Location | DSP-19

Governance, Risk and Compliance - GRC
Governance, Risk and Compliance | Governance Program Policy and Procedures | GRC-01
Governance, Risk and Compliance | Risk Management Program | GRC-02
Governance, Risk and Compliance | Organizational Policy Reviews | GRC-03
Governance, Risk and Compliance | Policy Exception Process | GRC-04
Governance, Risk and Compliance | Information Security Program | GRC-05
Governance, Risk and Compliance | Governance Responsibility Model | GRC-06
Governance, Risk and Compliance | Information System Regulatory Mapping | GRC-07
Governance, Risk and Compliance | Special Interest Groups | GRC-08

Human Resources - HRS
Human Resources | Background Screening Policy and Procedures | HRS-01
Human Resources | Acceptable Use of Technology Policy and Procedures | HRS-02
Human Resources | Clean Desk Policy and Procedures | HRS-03
Human Resources | Remote and Home Working Policy and Procedures | HRS-04
Human Resources | Asset returns | HRS-05
Human Resources | Employment Termination | HRS-06
Human Resources | Employment Agreement Process | HRS-07
Human Resources | Employment Agreement Content | HRS-08
Human Resources | Personnel Roles and Responsibilities | HRS-09
Human Resources | Non-Disclosure Agreements | HRS-10
Human Resources | Security Awareness Training | HRS-11
Human Resources | Personal and Sensitive Data Awareness and Training | HRS-12
Human Resources | Compliance User Responsibility | HRS-13

Identity & Access Management - IAM
Identity & Access Management | Identity and Access Management Policy and Procedures | IAM-01
Identity & Access Management | Strong Password Policy and Procedures | IAM-02
Identity & Access Management | Identity Inventory | IAM-03
Identity & Access Management | Separation of Duties | IAM-04
Identity & Access Management | Least Privilege | IAM-05
Identity & Access Management | User Access Provisioning | IAM-06
Identity & Access Management | User Access Changes and Revocation | IAM-07
Identity & Access Management | User Access Review | IAM-08
Identity & Access Management | Segregation of Privileged Access Roles | IAM-09
Identity & Access Management | Management of Privileged Access Roles | IAM-10
Identity & Access Management | CSCs Approval for Agreed Privileged Access Roles | IAM-11
Identity & Access Management | Safeguard Logs Integrity | IAM-12
Identity & Access Management | Uniquely Identifiable Users | IAM-13
Identity & Access Management | Strong Authentication | IAM-14
Identity & Access Management | Passwords Management | IAM-15
Identity & Access Management | Authorization Mechanisms | IAM-16

Interoperability & Portability - IPY
Interoperability & Portability | Interoperability and Portability Policy and Procedures | IPY-01
Interoperability & Portability | Application Interface Availability | IPY-02
Interoperability & Portability | Secure Interoperability and Portability Management | IPY-03
Interoperability & Portability | Data Portability Contractual Obligations | IPY-04

Infrastructure & Virtualization Security - IVS
Infrastructure & Virtualization Security | Infrastructure and Virtualization Security Policy and Procedures | IVS-01
Infrastructure & Virtualization Security | Capacity and Resource Planning | IVS-02
Infrastructure & Virtualization Security | Network Security | IVS-03
Infrastructure & Virtualization Security | OS Hardening and Base Controls | IVS-04
Infrastructure & Virtualization Security | Production and Non-Production Environments | IVS-05
Infrastructure & Virtualization Security | Segmentation and Segregation | IVS-06
Infrastructure & Virtualization Security | Migration to Cloud Environments | IVS-07
Infrastructure & Virtualization Security | Network Architecture Documentation | IVS-08
Infrastructure & Virtualization Security | Network Defense | IVS-09

Logging and Monitoring - LOG
Logging and Monitoring | Logging and Monitoring Policy and Procedures | LOG-01
Logging and Monitoring | Audit Logs Protection | LOG-02
Logging and Monitoring | Security Monitoring and Alerting | LOG-03
Logging and Monitoring | Audit Logs Access and Accountability | LOG-04
Logging and Monitoring | Audit Logs Monitoring and Response | LOG-05
Logging and Monitoring | Clock Synchronization | LOG-06
Logging and Monitoring | Logging Scope | LOG-07
Logging and Monitoring | Log Records | LOG-08
Logging and Monitoring | Log Protection | LOG-09
Logging and Monitoring | Encryption Monitoring and Reporting | LOG-10
Logging and Monitoring | Transaction/Activity Logging | LOG-11
Logging and Monitoring | Access Control Logs | LOG-12
Logging and Monitoring | Failures and Anomalies Reporting | LOG-13

Security Incident Management, E-Discovery, & Cloud Forensics - SEF
Security Incident Management, E-Discovery, & Cloud Forensics | Security Incident Management Policy and Procedures | SEF-01
Security Incident Management, E-Discovery, & Cloud Forensics | Service Management Policy and Procedures | SEF-02
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Plans | SEF-03
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Testing | SEF-04
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Metrics | SEF-05
Security Incident Management, E-Discovery, & Cloud Forensics | Event Triage Processes | SEF-06
Security Incident Management, E-Discovery, & Cloud Forensics | Security Breach Notification | SEF-07
Security Incident Management, E-Discovery, & Cloud Forensics | Points of Contact Maintenance | SEF-08

Supply Chain Management, Transparency, and Accountability - STA
Supply Chain Management, Transparency, and Accountability | SSRM Policy and Procedures | STA-01
Supply Chain Management, Transparency, and Accountability | SSRM Supply Chain | STA-02
Supply Chain Management, Transparency, and Accountability | SSRM Guidance | STA-03
Supply Chain Management, Transparency, and Accountability | SSRM Control Ownership | STA-04
Supply Chain Management, Transparency, and Accountability | SSRM Documentation Review | STA-05
Supply Chain Management, Transparency, and Accountability | SSRM Control Implementation | STA-06
Supply Chain Management, Transparency, and Accountability | Supply Chain Inventory | STA-07
Supply Chain Management, Transparency, and Accountability | Supply Chain Risk Management | STA-08
Supply Chain Management, Transparency, and Accountability | Primary Service and Contractual Agreement | STA-09
Supply Chain Management, Transparency, and Accountability | Supply Chain Agreement Review | STA-10
Supply Chain Management, Transparency, and Accountability | Internal Compliance Testing | STA-11
Supply Chain Management, Transparency, and Accountability | Supply Chain Service Agreement Compliance | STA-12
Supply Chain Management, Transparency, and Accountability | Supply Chain Governance Review | STA-13
Supply Chain Management, Transparency, and Accountability | Supply Chain Data Security Assessment | STA-14

Threat & Vulnerability Management - TVM
Threat & Vulnerability Management | Threat and Vulnerability Management Policy and Procedures | TVM-01
Threat & Vulnerability Management | Malware Protection Policy and Procedures | TVM-02
Threat & Vulnerability Management | Vulnerability Remediation Schedule | TVM-03
Threat & Vulnerability Management | Detection Updates | TVM-04
Threat & Vulnerability Management | External Library Vulnerabilities | TVM-05
Threat & Vulnerability Management | Penetration Testing | TVM-06
Threat & Vulnerability Management | Vulnerability Identification | TVM-07
Threat & Vulnerability Management | Vulnerability Prioritization | TVM-08
Threat & Vulnerability Management | Vulnerability Management Reporting | TVM-09
Threat & Vulnerability Management | Vulnerability Management Metrics | TVM-10

Universal Endpoint Management - UEM
Universal Endpoint Management | Endpoint Devices Policy and Procedures | UEM-01
Universal Endpoint Management | Application and Service Approval | UEM-02
Universal Endpoint Management | Compatibility | UEM-03
Universal Endpoint Management | Endpoint Inventory | UEM-04
Universal Endpoint Management | Endpoint Management | UEM-05
Universal Endpoint Management | Automatic Lock Screen | UEM-06
Universal Endpoint Management | Operating Systems | UEM-07
Universal Endpoint Management | Storage Encryption | UEM-08
Universal Endpoint Management | Anti-Malware Detection and Prevention | UEM-09
Universal Endpoint Management | Software Firewall | UEM-10
Universal Endpoint Management | Data Loss Prevention | UEM-11
Universal Endpoint Management | Remote Locate | UEM-12
Universal Endpoint Management | Remote Wipe | UEM-13
Universal Endpoint Management | Third-Party Endpoint Security Posture | UEM-14

Control Specification | Control Mapping

Audit & Assurance - A&A
Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually. | 8.1
Conduct independent audit and assurance assessments according to relevant standards at least annually. | No Mapping
Perform independent audit and assurance assessments according to risk-based plans and policies. | 7.2
Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit. | No Mapping
Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. | No Mapping
Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. | No Mapping

Application & Interface Security - AIS
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually. | 16.1
Establish, document and maintain baseline requirements for securing different applications. | 16.7
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. | 16.2
Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. | 16.1
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible. | 16.12, 16.13
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible. | No Mapping
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible. | 16.2, 16.6

Business Continuity Management and Operational Resilience - BCR
Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually. | No Mapping
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities. | No Mapping
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite. | No Mapping
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities. | No Mapping
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. | No Mapping
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes. | No Mapping
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures. | No Mapping
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. | 11.1, 11.2, 11.3, 11.4, 11.5
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes. | No Mapping
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities. | No Mapping
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards. | No Mapping

Change Control and Configuration Management - CCC
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually. | 4.1
Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. | No Mapping
Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). | No Mapping
Restrict the unauthorized addition, removal, update, and management of organization assets. | No Mapping
Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs. | No Mapping
Establish change management baselines for all relevant authorized changes on organization assets. | No Mapping
Implement detection measures with proactive notification in case of changes deviating from the established baseline. | No Mapping
Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process. | No Mapping
Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns. | No Mapping

Cryptography, Encryption & Key Management - CEK

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
No Mapping

Define and implement cryptographic, encryption and key management roles and responsibilities.
No Mapping

Provide cryptographic protection to data at rest and in transit, using cryptographic libraries certified to approved standards.
CIS v8.0: 3.6, 3.10, 3.11, 11.3, 16.11

Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
CIS v8.0: 16.11

Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
No Mapping

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) in a way that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
No Mapping

Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
No Mapping

CSPs must provide the capability for CSCs to manage their own data encryption keys.
No Mapping

Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system, with audits occurring preferably continuously but at least annually and after any security event(s).
No Mapping

Generate cryptographic keys using industry-accepted cryptographic libraries, specifying the algorithm strength and the random number generator used.
CIS v8.0: 16.11

Manage cryptographic secret and private keys that are provisioned for a unique purpose.
No Mapping

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of their established cryptoperiod when a key is compromised or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material, and the information it protects, being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
No Mapping

Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
No Mapping
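The key-state controls above (pre-activation, rotation at the end of the cryptoperiod, approved moves into and out of suspension, deactivation at expiry, decrypt-only use of compromised keys, and tracking of every status change) are easiest to see as one state machine. The following is an added example, not CSA's code: a Python key store that enforces those transitions. The in-memory KeyStore, the 90-day sample key, the actor and approver names, and the cryptoperiod-in-days model are assumptions; a real deployment keeps this state inside the KMS or HSM.

```python
"""Key-lifecycle state machine for the CEK key-state controls (added example;
not CSA code). Assumptions not in the CCM text: keys are tracked in an
in-memory KeyStore, each key has one purpose and a cryptoperiod in days, and
the state names follow the pre-activation / active / suspended / deactivated /
compromised / destroyed model the controls refer to.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# Permitted transitions: a deactivated or compromised key never becomes
# active again, and destruction is terminal.
TRANSITIONS = {
    State.PRE_ACTIVATION: {State.ACTIVE, State.DESTROYED},
    State.ACTIVE: {State.SUSPENDED, State.DEACTIVATED, State.COMPROMISED},
    State.SUSPENDED: {State.ACTIVE, State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.COMPROMISED, State.DESTROYED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}

# Deactivated and compromised keys may only decrypt what they already protect,
# never encrypt new data; pre-activated, suspended and destroyed keys do nothing.
USAGE = {
    State.ACTIVE: {"encrypt", "decrypt"},
    State.DEACTIVATED: {"decrypt"},
    State.COMPROMISED: {"decrypt"},
}


@dataclass
class Key:
    key_id: str
    purpose: str                      # one key, one purpose
    cryptoperiod: timedelta
    state: State = State.PRE_ACTIVATION
    activated_at: Optional[datetime] = None
    history: List[dict] = field(default_factory=list)  # every status change

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.activated_at is None else self.activated_at + self.cryptoperiod


class KeyStore:
    def __init__(self) -> None:
        self.keys: Dict[str, Key] = {}

    def generate(self, key_id: str, purpose: str, cryptoperiod_days: int,
                 now: Optional[datetime] = None) -> Key:
        """New keys start pre-activated: generated, but not yet authorised for use."""
        key = Key(key_id, purpose, timedelta(days=cryptoperiod_days))
        key.history.append({"at": now or datetime.now(timezone.utc), "from": None,
                            "to": key.state.value, "actor": "generator", "approver": None})
        self.keys[key_id] = key
        return key

    def transition(self, key_id: str, new_state: State, actor: str,
                   approver: Optional[str] = None, now: Optional[datetime] = None) -> Key:
        """Move a key between states, enforcing TRANSITIONS and approval of suspension moves."""
        key = self.keys[key_id]
        if new_state not in TRANSITIONS[key.state]:
            raise ValueError(f"{key_id}: {key.state.value} -> {new_state.value} is not permitted")
        if State.SUSPENDED in (key.state, new_state) and approver is None:
            raise PermissionError(f"{key_id}: transitions to/from suspension require an approver")
        now = now or datetime.now(timezone.utc)
        if new_state is State.ACTIVE and key.activated_at is None:
            key.activated_at = now          # the cryptoperiod starts at first activation
        key.history.append({"at": now, "from": key.state.value, "to": new_state.value,
                            "actor": actor, "approver": approver})
        key.state = new_state
        return key

    def permitted(self, key_id: str, operation: str) -> bool:
        return operation in USAGE.get(self.keys[key_id].state, set())

    def due_for_rotation(self, now: datetime) -> List[str]:
        """Active keys whose cryptoperiod has elapsed."""
        return [k.key_id for k in self.keys.values()
                if k.state is State.ACTIVE and k.expires_at is not None and k.expires_at <= now]

    def expire(self, now: datetime, actor: str = "scheduler") -> List[str]:
        """Deactivate every key that has reached its expiration date; returns their ids."""
        expired = self.due_for_rotation(now)
        for key_id in expired:
            self.transition(key_id, State.DEACTIVATED, actor, now=now)
        return expired

    def status_report(self) -> List[dict]:
        """Current state and expiry of every key, for the tracking/reporting control."""
        return [{"key_id": k.key_id, "purpose": k.purpose, "state": k.state.value,
                 "expires_at": k.expires_at, "status_changes": len(k.history)}
                for k in self.keys.values()]


if __name__ == "__main__":
    # Constructed walk-through: a 90-day tenant database key through its lifecycle.
    store = KeyStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.generate("db-dek-1", "tenant-db", cryptoperiod_days=90, now=t0)
    store.transition("db-dek-1", State.ACTIVE, actor="kms-admin", now=t0)
    store.expire(t0 + timedelta(days=90))          # deactivated on its expiration date
    store.transition("db-dek-1", State.COMPROMISED, actor="incident-response",
                     now=t0 + timedelta(days=91))
    for entry in store.status_report():
        print(entry)
```

Two points the controls make that the code enforces mechanically: a compromised or deactivated key may still decrypt (so data it already protects stays recoverable) but never encrypt, and a move into or out of suspension is rejected without a named approver, which is what yields the reviewed and approved transition the control asks for.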

Datacenter Security - DCS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed, a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
CIS v8.0: 3.1, 3.5

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
No Mapping

Classify and document the physical and logical assets (e.g., applications) based on the organizational business risk.
No Mapping

Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.
CIS v8.0: 1.1, 2.1

Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facility areas.
No Mapping

Use equipment identification as a method for connection authentication.
CIS v8.0: 1.3, 1.5

Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
No Mapping

Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all ingress and egress points to detect unauthorized ingress and egress attempts.
No Mapping

Train datacenter personnel to respond to unauthorized ingress or egress attempts.
CIS v8.0: 14.6

Define, implement and evaluate processes, procedures and technical measures that ensure risk-based protection of power and telecommunication cables from threats of interception, interference or damage at all facilities, offices and rooms.
No Mapping

Implement and maintain datacenter environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.
No Mapping

Secure, monitor, maintain, and test utility services for continual effectiveness at planned intervals.
No Mapping

Keep business-critical equipment away from locations subject to a high probability of environmental risk events.
No Mapping

Data Security and Privacy Lifecycle Management - DSP

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
CIS v8.0: 3.1

Apply industry-accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
CIS v8.0: 3.5

Create and maintain a data inventory, at least for any sensitive data and personal data.
CIS v8.0: 3.2

Classify data according to its type and sensitivity level.
CIS v8.0: 3.7

Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
CIS v8.0: 3.8

Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
CIS v8.0: 3.1

Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
CIS v8.0: 16.1

Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
No Mapping

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.
No Mapping

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
CIS v8.0: 3.1, 3.12, 3.13

Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.
No Mapping

Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
No Mapping

Obtain authorization from data owners, and manage associated risk, before replicating or using production data in non-production environments.
No Mapping

Data retention, archiving and deletion are managed in accordance with business requirements and applicable laws and regulations.
CIS v8.0: 3.4, 3.5

Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
CIS v8.0: 3.1, 3.10, 3.14

The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
No Mapping

Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
No Mapping

Governance, Risk and Compliance - GRC

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
CIS v8.0: 3.1

Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
No Mapping

Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
CIS v8.0: 3.1, 3.8, 4.1, 4.2, 7.1, 8.1, 9.1, 11.1, 12.4, 16.1, 16.2

Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
No Mapping

Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
CIS v8.0: 14.1

Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
No Mapping

Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements which are applicable to your organization.
No Mapping

Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.
No Mapping
Human Resources - HRS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.
CIS v8.0: 14.4

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
CIS v8.0: 13.5, 14.8

Establish and document procedures for the return of organization-owned assets by terminated employees.
No Mapping

Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
CIS v8.0: 6.1, 6.2

Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
No Mapping

The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.
No Mapping

Document and communicate roles and responsibilities of employees as they relate to information assets and security.
CIS v8.0: 14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
No Mapping

Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
CIS v8.0: 14

Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
CIS v8.0: 14.1, 14.9

Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
No Mapping

Identity & Access Management - IAM

Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
CIS v8.0: 6.1, 6.2, 6.6

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
CIS v8.0: 5.2

Manage, store, and review the information of system identities and their level of access.
CIS v8.0: 5.1, 5.2

Employ the separation of duties principle when implementing information system access.
CIS v8.0: 6.8

Employ the least privilege principle when implementing information system access.
CIS v8.0: 6.8

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
CIS v8.0: 6.1

De-provision or respectively modify access of movers/leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.
CIS v8.0: 5.3, 6.2

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
CIS v8.0: 5.1

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities, and logging capabilities are distinct and separated.
CIS v8.0: 5.4

Define and implement an access process to ensure privileged access roles and rights are granted for a time-limited period, and implement procedures to prevent the accumulation of segregated privileged access.
CIS v8.0: 5.1, 6.5

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high-risk (as defined by the organizational risk assessment) privileged access roles.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all users with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures segregation of duties and break-glass procedures.
CIS v8.0: 3.3

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs, or which can associate individuals with the usage of user IDs.
No Mapping

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, applications and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
CIS v8.0: 6.3, 6.5, 12.5, 12.7

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to verify that access to data and system functions is authorized.
CIS v8.0: 5.1

Interoperability & Portability - IPY

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability, including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
No Mapping

Provide application interface(s) to CSCs so that they can programmatically retrieve their data to enable interoperability and portability.
No Mapping

Implement cryptographically secure and standardized network protocols for the management, import and export of data.
No Mapping

Agreements must include provisions specifying CSCs' access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
No Mapping

Infrastructure & Virtualization Security - IVS

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.
No Mapping

Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
No Mapping

Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them with a documented justification of all allowed services, protocols, ports, and compensating controls.
CIS v8.0: 3.8, 3.10, 12.2, 13.6, 13.9

Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, supported by technical controls, as part of a security baseline.
CIS v8.0: 4.1, 4.2

Separate production and non-production environments.
CIS v8.0: 16.8

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
No Mapping

Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
No Mapping

Identify and document high-risk environments.
No Mapping

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.
CIS v8.0: 13.3, 13.8

Logging and Monitoring - LOG

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
CIS v8.0: 8.1

Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
CIS v8.0: 8.1, 8.9, 8.10

Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
CIS v8.0: 8.5

Restrict audit log access to authorized personnel and maintain records that provide unique access accountability.
CIS v8.0: 3.14

Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
CIS v8.0: 8.8, 8.11

Use a reliable time source across all relevant information processing systems.
CIS v8.0: 8.4

Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
CIS v8.0: 8.1

Generate audit records containing relevant security information.
CIS v8.0: 8.2

The information system protects audit records from unauthorized access, modification, and deletion.
No Mapping

Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
No Mapping

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
No Mapping

Monitor and log physical access using an auditable access control system.
No Mapping

Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
No Mapping
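The controls on audit-log security and retention, on protecting audit records from modification and deletion, and the IAM requirement earlier that the logging infrastructure be read-only even for privileged roles, all rest on the same property: a reviewer must be able to prove the log was not altered after the fact. The following is an added example, not CSA's code: an HMAC-chained append-only log in Python with a verifier that reports the first bad record. The record format, the sample events, the chain key and the out-of-band delivery of the last tag are assumptions for illustration.

```python
"""Tamper-evident audit log for the log-integrity controls (added example; not
CSA code). Each record is chained to the previous one with an HMAC, so
modification, deletion or reordering of any record fails verification.
Assumptions not in the CCM text: records are JSON-serialisable dicts, the
chain key is held outside the logging host (e.g. in an HSM) and is needed only
to append and to verify, and the reviewer also receives the tag of the last
record out of band so that silent truncation of the tail can be detected.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "00" * 32  # "previous tag" of the first record


def _tag(key: bytes, seq: int, prev_tag: str, record: dict) -> str:
    """HMAC over the sequence number, the previous tag and the canonical record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = seq.to_bytes(8, "big") + bytes.fromhex(prev_tag) + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only writer: there is deliberately no update or delete method."""

    def __init__(self, chain_key: bytes) -> None:
        self._key = chain_key
        self._entries: List[dict] = []

    def append(self, record: dict) -> dict:
        seq = len(self._entries)
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        entry = {"seq": seq, "prev": prev, "record": record,
                 "tag": _tag(self._key, seq, prev, record)}
        self._entries.append(entry)
        return entry

    def last_tag(self) -> str:
        """Anchor to hand to reviewers out of band (detects truncation of the tail)."""
        return self._entries[-1]["tag"] if self._entries else GENESIS

    def export(self) -> List[dict]:
        """A copy of the log as a reviewer would receive it (read-only for them)."""
        return json.loads(json.dumps(self._entries))


def verify(entries: List[dict], chain_key: bytes,
           expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). Checks numbering, linkage and every HMAC and,
    when expected_last_tag is given, that the tail has not been cut off."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(chain_key, i, prev, e["record"]), e.get("tag", "")):
            return False, i
        prev = e["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(entries)
    return True, None


# Constructed sample records (not real events).
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-05-01T08:02:10Z", "user": "alice", "action": "kms:DisableKey", "key": "db-dek-1"},
    {"ts": "2024-05-01T08:02:11Z", "user": "alice", "action": "logout", "result": "ok"},
]


def demo(chain_key: bytes = b"constructed-demo-key") -> List[dict]:
    """Write the sample records and return the exported chain."""
    log = AuditLog(chain_key)
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log.export()


if __name__ == "__main__":
    chain = demo()
    print("intact:", verify(chain, b"constructed-demo-key"))
    chain[1]["record"]["user"] = "mallory"   # an administrator rewrites history
    print("tampered:", verify(chain, b"constructed-demo-key"))
```

The chain alone cannot detect removal of the newest records, since a shorter chain is still internally consistent; that is why verify() accepts the last tag supplied out of band, and why the chain key must not live on the host whose administrators the log is meant to constrain.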
Security Incident Management, E-Discovery, & Cloud Forensics - SEF

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
CIS v8.0: 17.4

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
CIS v8.0: 17.4

Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply chain) that may be impacted.
CIS v8.0: 17.2, 17.4

Test, and update as necessary, incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
CIS v8.0: 17.7

Establish and monitor information security incident metrics.
CIS v8.0: 17.9

Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.
No Mapping

Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches, including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
CIS v8.0: 17.2, 17.3, 17.4

Maintain points of contact for applicable regulatory authorities, national and local law enforcement, and other legal jurisdictional authorities.
CIS v8.0: 17.2

Supply Chain Management, Transparency, and Accountability - STA

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
No Mapping

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
No Mapping

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
No Mapping

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
No Mapping

Review and validate SSRM documentation for all cloud service offerings the organization uses.
No Mapping

Implement, operate, and audit or assess the portions of the SSRM for which the organization is responsible.
No Mapping

Develop and maintain an inventory of all supply chain relationships.
CIS v8.0: 15.1

CSPs periodically review risk factors associated with all organizations within their supply chain.
CIS v8.0: 15.3

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed-upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
CIS v8.0: 15.4

Review supply chain agreements between CSPs and CSCs at least annually.
CIS v8.0: 15.4

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
No Mapping

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
CIS v8.0: 15.5

Periodically review the organization's supply chain partners' IT governance policies and procedures.
CIS v8.0: 15.5

Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
CIS v8.0: 15.6

Threat & Vulnerability Management - TVM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
CIS v8.0: 7.1

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
CIS v8.0: 9.7, 10.1

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
CIS v8.0: 7.2, 7.7, 17.9

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent, basis.
CIS v8.0: 10.2

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third-party or open source libraries according to the organization's vulnerability management policy.
CIS v8.0: 2.6

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
CIS v8.0: 18.1, 18.2

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
CIS v8.0: 7.1, 7.5, 7.6

Use a risk-based model for effective prioritization of vulnerability remediation using an industry-recognized framework.
CIS v8.0: 7.2, 18.3, 16.6

Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
CIS v8.0: 7.1

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
CIS v8.0: 7.2

Universal Endpoint Management - UEM

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
No Mapping

Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
No Mapping

Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
No Mapping

Maintain an inventory of all endpoints used to store and access company data.
CIS v8.0: 1.1

Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
CIS v8.0: 1.3, 1.4, 1.5

Configure all relevant interactive-use endpoints to require an automatic lock screen.
CIS v8.0: 4.3

Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
No Mapping

Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
CIS v8.0: 3.6

Configure managed endpoints with anti-malware detection and prevention technology and services.
CIS v8.0: 9.7, 10.1

Configure managed endpoints with properly configured software firewalls.
CIS v8.0: 4.4, 4.5

Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
CIS v8.0: 3.13

Enable remote geo-location capabilities for all managed mobile endpoints.
No Mapping

Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
CIS v8.0: 4.11

Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
CIS v8.0: 15.4

End of Standard
The Cloud Security Alliance Cloud Controls Matrix Version 4.0.2 is available at http://www.cloudsecurityalliance.org for informational, non-commercial use, subject to its copyright notice; for questions about the copyright notice, contact info@cloudsecurityalliance.org.
CIS v8.0

Gap Level Addendum Control Mapping

Partial Gap [CC2.2, CC2.3, CC3.2, CC5.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (8.1) 'Establish and maintain an audit log management process', 'Review and update documentation annually'.
Full Gap [CC4.1]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
Partial Gap [CC4.1]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (7.2) 'Establish and maintain a risk-based remediation strategy'.
Full Gap [CC3.1]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC3.1
Full Gap
CC3.2
The full V4 control specification is missing from CISv8.0 and has to
Full Gap be used to close the gap. CC3.2

Partial Gap [CC2.2, CC2.3, CC5.3, CC7.3]: Missing specification(s) in CISv8: 'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security'.

N/A
CC8.1
No Gap CC4.1
CC5.3

Partial Gap [No Mapping]: Missing specification(s) in CISv8: 'metrics in alignment with business objectives'.

N/A

CC6.8
No Gap
CC8.1
Partial Gap [CC6.8, CC8.1]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (16.12) 'Implement Code-Level Security Checks' (as part of AIS-05 testing strategy); (16.13) 'Conduct Application Penetration Testing' (as part of AIS-05 testing strategy).
The full V4 control specification is missing from CISv8.0 and has to
Full Gap be used to close the gap. No Mapping

Partial Gap [CC7.1, CC7.4, CC8.1]: Missing specification(s) in CISv8: 'Automating remediation when possible'.

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC5.3
Full Gap CC9.1
A1.2
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. CC3.1
CC3.2
A1.2
Full Gap
CC7.3
CC7.4
CC7.5

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC7.3
CC7.4
Full Gap
CC7.5
A1.2

The full V4 control specification is missing from CISv8.0 and has to CC7.5
Full Gap be used to close the gap. A1.2
A1.3
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. CC2.1
Full Gap
PI1.1

The full V4 control specification is missing from CISv8.0 and has to A1.3
Full Gap be used to close the gap. CC7.5
The full V4 control specification is missing from CISv8.0 and has to CC2.3
Full Gap be used to close the gap. CC7.5
CC9.1
Partial Gap [A1.2, A1.3]: Missing specification(s) in CISv8: 'Periodically backup data stored in the cloud'.
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. A1.2
Full Gap
CC3.2

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. A1.3
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. A1.2
Full Gap
CC3.2

Partial Gap [CC8.1, CC5.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (4.1) 'Establish and maintain a secure configuration process for enterprise assets', 'Review and update documentation annually'.

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. CC8.1
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap CC8.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap CC8.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap CC8.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap CC8.1
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap CC8.1

The full V4 control specification is missing from CISv8.0 and has to CC7.4
be used to close the gap. CC7.5
Full Gap
CC8.1
CC9.2
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap CC8.1


The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

CC5.3
Full Gap CC6.1
CC6.7
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap No Mapping


Partial Gap [CC6.1, CC6.7]: Missing specification(s) in CISv8: 'using cryptographic libraries certified to approved standards.'
Partial Gap [CC6.1, CC6.7]: Missing specification(s) in CISv8: 'considering the classification of data, associated risks, and usability of the encryption technology.'
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping


The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap No Mapping

Partial Gap [No Mapping]: Missing specification(s) in CISv8: 'libraries specifying the algorithm strength and the random number generator used.'

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping
Partial Gap [P5.1, CC5.3, CC6.5, CC3.3, P1.1, P2.1, P4.0]: Missing specifications in CISv8.0: "Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises".
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
A1.2
Full Gap CC5.3
CC6.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC3.4
CC5.3
Full Gap CC6.4
CC6.5
CC6.7

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. CC5.3

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. CC6.1

N/A
No Gap CC6.1
The full V4 control specification is missing from CISv8.0 and has to CC3.4
be used to close the gap. CC6.4
Full Gap
CC6.5
CC6.7
N/A
No Gap CC6.1
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. CC3.4
Full Gap CC6.4
CC6.5

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping

Partial Gap [CC1.4, CC6.4]: Missing specifications in CISv8.0: 'Train datacenter personnel.'
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
Full Gap A1.2

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. A1.2

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping

The full V4 control specification is missing from CISv8.0 and has to A1.2
Full Gap be used to close the gap. CC3.2
N/A

PI1.1
PI1.5
P4.1
No Gap
P4.2
P4.3
CC5.3

Partial Gap [CC6.1, CC6.2, CC6.3, CC6.4, CC6.5, CC6.7, P4.3]: Missing specifications in CISv8.0: 'data is not recoverable by any forensic means.'
N/A
No Gap CC6.1
N/A CC6.1
No Gap
C1.1
N/A
No Gap No Mapping

N/A
CC1.1
CC1.3
CC1.5
No Gap
P2.1
P3.2
P6.7
Partial Gap [PI1.2, PI1.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (16.1) 'Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices'.
Full Gap [P1.1]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap CC3.2

Partial Gap [CC6.7]: Missing specification(s) in CISv8.0: 'transfer of personal data is protected'.

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. P2.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap P2.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap P2.1
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
Full Gap P6.1

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

Partial Gap [C1.1, C1.2, CC3.1, P4.2]: Missing specification(s) in CISv8: 'in accordance with applicable laws and regulations'.
N/A
CC2.1
CC6.1
CC6.3
CC6.7
CC8.1
No Gap C1.1
P2.0
P3.0
P4.0
P5.0
P6.0
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap P4.1

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. A1.2

Partial Gap [CC1.3, CC1.4, CC5.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (3.1) 'Establish and maintain a data management process'.
The full V4 control specification is missing from CISv8.0 and has to CC3.1
be used to close the gap. CC3.2
Full Gap
CC5.1
A1.2
Partial Gap [CC5.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: 'Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard' (3.1, 3.8, 4.1, 4.2, 7.1, 8.1, 9.1, 11.1, 12.4, 16.1, 16.2).

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC1.1
Full Gap
CC9.2

Partial Gap [No Mapping]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (14.1) 'Establish and maintain a security awareness program'.
Full Gap [CC1.3, CC1.4]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC3.4
Full Gap
CC7.4

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
CC1.4
Full Gap CC9.2
CC5.3

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap CC5.3

Partial Gap [CC2.2, CC5.3]: Missing specifications in CISv8.0: 'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures' 'Review and update the policies and procedures at least annually'.

Partial Gap [CC2.2, CC6.1, CC5.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (13.5) 'Manage access control for assets remotely connecting to enterprise resources.' (14.8) 'all users securely configure their home network infrastructure'.
Full Gap [No Mapping]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.

Partial Gap [CC2.2]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (6.1) 'Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.' (6.2) 'revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation,
Full Gap [CC1.1, CC1.4, CC2.2, CC5.2, CC5.3]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
Full Gap [CC1.1, CC1.4, CC2.2, CC5.2, CC5.3]: The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
N/A

CC1.3
CC1.4
No Gap
CC1.5
CC2.2

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
CC9.2
Full Gap
P6.4

N/A
No Gap CC2.2
Partial Gap [CC2.2]: Missing specifications in CISv8.0: 'Provide all employees with access to personal data with appropriate security awareness training'

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC1.3
Full Gap CC1.5
CC2.2

Partial Gap [CC5.3, CC6.1, CC6.2, CC6.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: 6.1 'Establish an Access Granting Process', 6.2 'Establish an Access Revoking Process', 6.6 'Establish and Maintain an Inventory of Authentication and Authorization Systems'.
No Gap [No Mapping]: N/A
N/A
CC6.1
No Gap
CC6.3

N/A CC1.3
No Gap CC5.1
CC6.3
N/A

No Gap CC6.3

N/A
CC6.3
No Gap
CC8.1

N/A
CC5.3
No Gap
CC6.3

Partial Gap [CC6.2, CC6.3]: Missing specification(s) in CISv8: 'Review and revalidate user access for separation of duties'.

Partial Gap [CC5.1, CC6.1, CC6.3]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (5.4) 'Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets'.
Partial Gap [CC6.1, CC6.2, CC6.3]: Missing specification(s) in CISv8: 'roles and rights are granted for a time limited period'

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC3.2
Full Gap CC6.1
CC6.3

Partial Gap [No Mapping]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (3.3) 'Configure Data Access Control Lists'.

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. CC6.1
Partial Gap [CC6.1, CC6.2]: Missing specification(s) in CISv8: 'Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities'.

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

CC6.1
Full Gap
CC6.2

N/A
CC6.1
No Gap CC6.2
CC6.3
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap CC5.3

The full V4 control specification is missing from CISv8.0 and has to PI1.1
Full Gap be used to close the gap. PI1.2
PI1.3
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
Full Gap CC6.7

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
PI1.1
Full Gap PI1.2
PI1.3

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap. CC3.1
Full Gap CC5.2
CC5.3
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
Full Gap A1.1

N/A

CC6.1
No Gap
CC6.7

N/A
CC6.1
No Gap CC6.8
CC7.1

N/A

No Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
CC6.1
Full Gap
CC6.7
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

CC3.2
CC6.1
Full Gap CC7.1
CC7.2
CC7.3

Partial Gap [CC6.6, CC6.8, CC7.1, CC7.2, CC7.5]: Missing specification(s) in CISv8: 'protection and timely response to network-based attacks'.
Partial Gap [CC5.3, CC7.2]: Missing specification(s) in CISv8: 'approve, communicate, apply, evaluate'.
Partial Gap [No Mapping]: Missing specification(s) in CISv8: 'Define, technical measures to ensure the security of audit logs'.
Partial Gap [CC6.8, CC7.3]: Missing specification(s) in CISv8: 'Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics'.
Partial Gap [No Mapping]: Missing specification(s) in CISv8: 'maintain records that provide unique access accountability'.

N/A
No Gap CC7.2

N/A
No Gap No Mapping

N/A
No Gap CC7.2

N/A
No Gap CC7.2

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. CC6.1
Full Gap
CC7.2

The full V4 control specification is missing from CISv8.0 and has to CC6.1
Full Gap be used to close the gap. CC7.2
The full V4 control specification is missing from CISv8.0 and has to CC6.4
Full Gap be used to close the gap. CC7.2
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap. CC2.3
Full Gap
CC7.3
Partial Gap [CC5.3, CC7.3, CC7.4, CC7.5]: Missing specification(s) in CISv8: 'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for E-Discovery, and Cloud Forensics.'
N/A

CC5.3
No Gap CC7.3
CC7.4

N/A
CC7.2
No Gap CC7.3
CC7.4

Partial Gap [CC7.5]: Missing specification(s) in CISv8: '(Test) upon significant organizational or environmental changes for effectiveness.'
No Gap N/A CC7.2
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

Full Gap CC7.3

Partial Gap [CC7.4, CC7.5]: Missing specification(s) in CISv8: 'Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations'
N/A

No Gap CC2.3

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping


The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.
CC2.3
Full Gap
CC9.2

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping

N/A
No Gap No Mapping

N/A
No Gap CC9.2
Partial Gap [CC9.2]: Missing specification(s) in CISv8:
• Scope, characteristics and location of business relationship and services offered
• SSRM requirements
• Change management process
• Logging and monitoring capability
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements

N/A
No Gap No Mapping
The full V4 control specification is missing from CISv8.0 and has to
Full Gap be used to close the gap. No Mapping

Partial Gap [CC9.2]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (15.5) 'Assess Service Providers'

N/A

No Gap CC3.2
N/A

No Gap CC3.2

N/A CC3.2
CC5.3
No Gap CC6.6
CC7.1
CC7.4
Partial Gap [CC5.3, CC6.8]: Missing specification(s) in CISv8: 'Review and update the policies and procedures at least annually.'

N/A
CC5.3
No Gap CC7.1
CC7.4

N/A

No Gap CC7.2
Partial Gap [CC3.2]: Missing specification(s) in CISv8: 'Define, implement and evaluate processes, procedures and technical measures to identify updates'

N/A
CC4.1
No Gap
CC7.1

N/A
No Gap CC7.1

N/A
No Gap No Mapping

Partial Gap [CC2.2, CC7.3, CC7.4, CC7.5]: Missing specification(s) in CISv8: 'reporting vulnerability identification and remediation activities that includes stakeholder notification.'
Partial Gap [No Mapping]: Missing specification(s) in CISv8: 'report metrics for vulnerability identification'
The full V4 control specification is missing from CISv8.0 and has to
be used to close the gap.

CC5.3
Full Gap
CC6.7

The full V4 control specification is missing from CISv8.0 and has to


be used to close the gap.

Full Gap No Mapping

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping
N/A
No Gap No Mapping
Partial Gap [No Mapping]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (1.3) 'Utilize an Active Discovery Tool' (1.4) 'Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory' (1.5) 'Use a Passive Asset Discovery Tool'
No Gap [No Mapping]: N/A
Full Gap [CC3.4, CC8.1]: N/A

N/A

CC6.1
No Gap
CC6.7

N/A

No Gap CC6.8
N/A

No Gap CC6.6

N/A

No Gap CC6.7

The full V4 control specification is missing from CISv8.0 and has to


Full Gap be used to close the gap. No Mapping
N/A
No Gap No Mapping
Partial Gap [No Mapping]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (15.4) 'Ensure Service Provider Contracts Include Security Requirements'
AICPA TSC 2017 ISO

Gap Level Addendum Control Mapping

Partial Gap [27001: 9.2]: Missing specification(s) in TSC 2017: 'Review and update the policies and procedures at least annually'.
Partial Gap [27001: A.18.2.1; 27002: 18.2.1]: Missing specification(s) in TSC 2017: 'at least annually'.
No Gap [27001: A.18.2.1; 27002: 18.2.1; 27018: 18.2.1]: N/A
No Gap [27001: A.18.2.2; 27002: 18.2.2; 27001: A.18.2.3; 27002: 18.2.3]: N/A
Partial Gap [27001: 9.2.c; 27001: A.18.2.2; 27002: 18.2.2]: Missing specification(s) in TSC 2017: 'audit planning, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence'.
Partial Gap [27001: A.18.2.2; 27002: 18.2.2]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (CC3.2) 'Determines How to Respond to Risks'.

Partial Gap [27001: A.14.2.1; 27002: 14.2.1; 27017: 14.2.1; 27001: A.14.2.5; 27001: 14.2.5; 27017: 14.2.5]: Missing specification(s) in TSC 2017: 'Review and update the policies and procedures at least annually'.
Partial Gap [27001: A.5.1.1; 27017: 5.1.1; 27001: A.7.2.2; 27002: 7.2.2]: Missing specification(s) in TSC 2017: Requirements to 'document baseline requirements for securing different applications'.
Full Gap [27001: 9.1; 27001: A.18.2.2; 27002: 18.2.2]: The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
Partial Gap [27001: A.14.1.1; 27002: 14.1.1; 27017: 14.1.1; 27001: A.14.1.2; 27002: 14.1.2; 27017: 14.1.2; 27001: A.14.2.1; 27002: 14.2.1; 27017: 14.2.1]: Missing specification(s) in TSC 2017: Requirement 'at least annually' is not covered.
Partial Gap [27001: A.14.2.8; 27001: A.14.2.9; 27001: A.12.1.2; 27002: 12.1.2; 27001: A.14.1.1; 27002: 14.1.1; 27001: A.14.2.2; 27002: 14.2.2]: Missing specification(s) in TSC 2017: 'criteria for acceptance of new information systems, upgrades and new versions', 'application security assurance and (testing strategy) maintains compliance', 'Automate when applicable and possible'.

The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. No mapping

N/A
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
No Gap 27001: A.12.6.1
27002: 12.6.1
27017: 12.6.1
27018: 12.6.1

Partial Gap [27001: 5.2; 27001: A.5.1; 27001: A.7.2.1; 27001: A.17.1.2]: Missing specification(s) in TSC 2017: 'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures' 'Review and update the policies and procedures at least annually'.
N/A
27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
No Gap 27001: 8.2
27001: 8.3
27001: A.16.1.6
27001: A.17.1
Partial Gap [27001: A.17.1.1; 27001: A.17.1.2]: Missing specification(s) in TSC 2017: 'Establish strategies', 'risk appetite'.
Partial Gap [27001: A.17.1.1; 27001: A.17.1.3]: Missing specification(s) in TSC 2017: 'operational resilience strategies'.

Partial Gap [27001: 7.5.1a]: Missing specification(s) in TSC 2017: 'documentation to support business continuity and operational resilience programs'.
Partial Gap [27001: A.17.1.3]: Missing specification(s) in TSC 2017: 'Exercise and test operational resilience plans'. Requirement of testing the plans 'at least annually'.
Partial Gap [No Mapping]: Missing specification(s) in TSC 2017: 'Establish communication in the course of business continuity'.

N/A
27001: A.12.3
No Gap 27017: 12.3
27018: 12.3.1
Partial Gap [No Mapping]: Missing specification(s) in TSC 2017: 'to recover from man-made disasters'.

N/A
No Gap No Mapping
N/A
No Gap No Mapping

N/A
27001: A.12.1.1
27001: A.12.1.2
27002: 12.1.2
No Gap
27017: 12.1.2
27001: A.14.2.2
27001: A.14.2.3
N/A 27001: A.14.2.2
No Gap 27002: 14.2.2
27017: 14.2.2
N/A
27001:A.5.1.1
27017: 5.1.1
27001: A.12.1.2
27002: 12.1.2
27001: A.12.1.4
No Gap
27001: A.14.2.3
27001: A.15.2.2
27002: 15.2.2
27001: A.14.2.6
27002: 14.2.6

N/A
27001: A.12.1.4
27002: 12.1.4
27001: A.12.4.2
No Gap
27002: 12.4.2
27001: A.14.2.2
27017: 14.2.2
N/A 27001: A.15.2.2
27001: A.14.2.2
No Gap 27002: 14.2.2
27001: A.12.1.2
27017: 12.1.2
N/A 27001: A.12.1.1
27002: 12.1.1
No Gap
27001: 14.2.2
27002: 14.2.2
N/A
27001: A.14.2.2
27001: A.14.2.4
27001: A.12.4.1
No Gap
27002: 12.4.1 (g)
27001: A.5.1.1
27017: 5.1.1
Partial Gap [27001: A.12.1.2; 27002: 12.1.2 (h); 27017: 12.1.2]: Missing specification(s) in TSC 2017: 'Implement a procedure for the management of exceptions'.

N/A
27001: A.12.1.2
27002: 12.1.2 (g)
27001: A.12.5.1
No Gap
27002: 12.5.1 (e)
27001: A.12.3.1
27017: 12.3.1
Partial Gap [27001: A.5; 27002: 5; 27001: 5.2; 27001: 5.3; 27001: A.6.1.1; 27002: 6.1.1; 27001: A.6.1.2; 27002: 6.1.2; 27001: 8.2; 27001: 8.3; 27001: 9.1; 27001: A.16; 27002: 16; 27001: A.16.1; 27001: 9.2; 27001: 9.3; 27001: A.10; 27002: 10; 27001: A.10.1.1; 27001: A.10.1.2; 27017: 10.1.2; 27001: A.12.4; 27002: 12.4; 27001: A.12.7; 27002: 12.7; 27017: 12.7; 27001: A.18.1.1-to-5; 27001: A.12.1.2; 27002: 12.1.2; 27001: A.12.3.1; 27017: 12.3.1; 27001: A.15.1.2; 27017: 15.1.2; 27001: A.18.1.1; 27017: 18.1.1; 27001: A.18.1.5; 27017: 18.1.5; 27001: A.18; 27002: 18; 27001: A.18.2; 27002: 18.2]: Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (CC6.1) 'Protects Encryption Keys', 'Uses Encryption to Protect Data' (CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to Protect Data' (CC5.3) 'Establishes Policies and Procedures to Support Deployment of Management’s Directives', 'Reassesses Policies and Procedures'.
Full Gap [27001: 5.1; 27001: 5.3; 27001: A.5.1.1; 27002: 5.1.1; 27001: A.6.1.1; 27002: 6.1.1; 27017: 6.1.1; 27001: A.6.1.2; 27017: 6.1.2; 27001: A.9.1; 27002: 9.1; 27001: A.10.1.1; 27002: 10.1.1; 27001: A.15.1.2; 27017: 15.1.2; 27001: A.13.1.3; 27017: 13.1.3; 27001: A.10.1.1; 27017: 10.1.1; 27001: A.10.1.2; 27002: 10.1.2; 27017: 10.1.2; 27017: CLD 6.3]: The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
Partial Gap [27001: A.18.1.1; 27001: A.18.1.2; 27001: A.18.1.3; 27001: A.18.1.4; 27001: A.18.1.5; 27001: A.10.1; 27002: 10.1; 27001: A.13.2.1; 27002: 13.2.1; 27001: A.18; 27002: 18; 27001: A.14.1.2; 27002: 14.1.2; 27001: A.14.1.3; 27002: 14.1.3 c); 27001: A.10.1.1; 27017: 10.1.1; 27001: A.10.1.2; 27017: 10.1.2]: Missing specification(s) in TSC 2017: 'Cryptographic libraries certified to approved standards'.

Partial Gap [27001: A.8.2; 27002: 8.2; 27001: A.8.3; 27001: A.10.1.1; 27002: 10.1.1 (b); 27001: A.10.1.2; 27002: 10.1.2]: Missing specification(s) in TSC 2017: 'considering the classification of data', 'usability of encryption technology'.
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.12.1.2
27002: 12.1.2
27017: 12.1.2
Full Gap 27001: A.10.1.2
27002: 10.1.2 e)
27001: A.14.2.2
27002: 14.2.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.12.1.2
27002: 12.1.2
27001: A.10.1.2
27002: 10.1.2 e)
Full Gap
27017: 10.1.2
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: 8.2
27001: 8.3
27001: A.10.1.1
Full Gap 27002: 10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to
27001: A.10.1
be used to close the gap.
27017: 10.1
27001: A.10.1.1
Full Gap
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: 9.2
27001: A.18.2.1
27001: A.18.2.2
27001: A.12.7
Full Gap 27002: 12.7
27017: 12.7
27001: A.10.1.2
27001: A.10.1.2
27002: 10.1.2 k)

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.10.1.1
27002: 10.1.1 (e)
27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2
27002: 10.1.2 (a)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2 (c)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2 (g),(f)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.10.1.1
27017: 10.1.1
27017: 10.1.2
Full Gap 27001: A.10.1.2
27002: 10.1.2 (j)
27001: A.18.1.3
27002: 18.1.3
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2 a)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.1
be used to close the gap. 27017: 10.1.1
Full Gap 27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Full Gap
27002: 10.1.2 (i)
27001: 9.0
27002: 9.0
27017: 9.0

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.10.1.1
27002: 10.1.1 (d)
27001: A.10.1.2
Full Gap 27002: 10.1.2 (f),(g)
27001: A.18.1.5
27001: A.18.1.3
27002: 18.1.3
The full V4 control specification is missing from TSC 2017 and has to 27001: 8.2
be used to close the gap. 27001: 8.3
Full Gap 27001: A.10.1.2
27002: 10.1.2 (h)
27001: A.18.1.5
The full V4 control specification is missing from TSC 2017 and has to 27001: A.10.1.2
be used to close the gap. 27002: 10.1.2
Full Gap
27017: 10.1.2
27001: A.18.1.5
Partial Gap
Missing specification(s) in TSC 2017:
'Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures'
'If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied'
'Review and update the policies and procedures at least annually'.
27001: A.11.2.7
27002: 11.2.7
27017: 11.2.7
No Gap
Missing specification(s) in TSC 2017:
'policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location'
'Review and update the policies and procedures at least annually'.
27001: A.11.2.5

Partial Gap
Missing specification(s) in TSC 2017:
'policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities'
'Review and update the policies and procedures at least annually'.
27001: A.11.1.3
27002: 11.1.3
27017: 11.1.3
27001: A.11.1.5
27002: 11.1.5
27017: 11.1.5
Partial Gap
Missing specification(s) in TSC 2017:
'policies and procedures for the secure transportation of physical media'
'Review and update the policies and procedures at least annually'.
27001: A.8.3.3
27007: 8.3.3
27017: 8.3.3
Partial Gap
Missing specification(s) in TSC 2017:
'document the physical and logical assets'
'based on the organizational business risk'.
27001: A.8.2.1
27002: 8.2.1
27017: 8.2.1

Partial Gap
Missing specification(s) in TSC 2017:
'track the physical and logical assets'
'located at all of the CSPs sites'.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1

Partial Gap
Missing specification(s) in TSC 2017:
'Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas'.
27001: A.11.1.1
27002: 11.1.1
27017: 11.1.1

Partial Gap
Missing specification(s) in TSC 2017:
'Use equipment identification as a method for connection authentication'.
No Mapping

Partial Gap
Missing specification(s) in TSC 2017:
'retain access control records on a periodic basis as deemed appropriate by the organization'.
27001: A.11.1.2

Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
No Mapping
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
Recommend the full V4 control specification to be used to close the gap.
(CC1.4) 'Provides Training to Maintain Technical Competencies'
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.4) 'Creates or Modifies Physical Access'.
Full Gap
27001: A.11.2.3
Partial Gap
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(A1.2) 'Identifies Environmental Threats', 'Implements and Maintains Environmental Protection Mechanisms'.
Missing specification(s) in TSC 2017:
'temperature and humidity conditions within accepted industry standards'.
27001: A.11
Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.17.1.3
27001: A.11.2.1
27001: A.11.2.2

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(A1.2) 'Identifying Environmental Threats'
(CC3.2) 'Analyzes Internal and External Factors', 'Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities'.
27001: A.11.2.1
27002: 11.2.1
Partial Gap
Missing specification(s) in TSC 2017:
'data classification policies and procedures'
'Review and update the policies and procedures at least annually'.
27001: A.8.2.1
27001: A.5.1
27001: 5.2
27001: A.5.1.1
27002: 5.1.1
27001: A.5.1.2
27002: 5.1.2
27001: A.12.1
27002: 12.1

Partial Gap
Missing specification(s) in TSC 2017:
'disposal of data from storage media is not recoverable by any forensic means'.
27001: A.8.3.2
27002: 8.3.2
27001: A.11.2.7
27002: 11.2.7

N/A 27001: A.8.1.1


No Gap
27002: 8.1.1
N/A 27001: A.8.2.1
No Gap
27002: 8.2.1
The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. No Mapping

N/A

No Gap 27001: A.8.1.2


Partial Gap
Missing specification(s) in TSC 2017:
'security by design'.
27001: A.14.1.1
27002: 14.1.1
27001: A.14.2.5
27002: 14.2.5
Missing specification(s) in TSC 2017:
'privacy settings are configured by default'.
Partial Gap No Mapping

Missing specification(s) in TSC 2017:


'Data Protection Impact Assessment (DPIA)'.
Partial Gap No Mapping

Partial Gap
Missing specification(s) in TSC 2017:
'transfer of personal data is protected'.
27001: A.13.2.1
27002: 13.2.1
27001: A.8.3.3
27002: 8.3.3
27001: A.13.2.3
27002: 13.2.3
Missing specification(s) in TSC 2017:
Partial Gap 'according to any applicable laws and regulations'. No Mapping

N/A
27001: A.18.1.4
No Gap
27002: 18.1.4

N/A

No Gap No Mapping
N/A

No Gap 27018: A.6.2

The full V4 control specification is missing from TSC 2017 and has to 27001: A.14.3.1
be used to close the gap. 27002: 14.3.1
Full Gap
27001: A.12.1.4
27002: 12.1.4
N/A

No Gap 27001: A.18.1.3

N/A

27001: A.18.1.3
27002: 18.1.3
No Gap
27001:A.18.1.4
27002:18.1.4
N/A

No Gap 27018: A.6.1

Missing specification(s) in TSC 2017: 27001: A.8.1.1


Partial Gap 'document the physical locations of data'. 27002: 8.1.1
27017: 8.1.1

N/A
27001: 5.1
No Gap 27001: 5.2
27001: 5.3

N/A
27001: A.6.1.2
No Gap
27001: 6.2
N/A

No Gap 27001:7.5.2 (c)

Partial Gap
Missing specification(s) in TSC 2017:
'deviation from an established policy' (There is no reference to handling exceptions/deviations related to policies).
27001: A.5.1.1
27002: 5.1.1 (c)
The full V4 control specification is missing from TSC 2017 and has to 27001: 1
Full Gap be used to close the gap. 27001: 4.3
N/A
27001: 5.3
27001: A.6.1.1
27002: 6.1.1
No Gap
27001: A.7.2.1
27002: 7.2.1
27018: 5.1.1
N/A 27001: A.18.1
27001: A.18.2.2
No Gap
27018: A.18.1
27018: A.18.2.2
The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. 27001: A.6.1.4
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'.
27001: A.7.1.1
Partial Gap 27002: 7.1.1
27017: 7.1.1

Partial Gap
Missing specification(s) in TSC 2017:
'policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets.'
'Review and update the policies and procedures at least annually'.
27001: A.8.1.3
27002: 8.1.3
27017: 8.1.3

Partial Gap
Missing specification(s) in TSC 2017:
'policies and procedures that require unattended workspaces to not have openly visible confidential data'
'Review and update the policies and procedures at least annually'.
27001: A.11.2.8
27002: 11.2.8
27017: 11.2.8
27001: A.11.2.9
27002: 11.2.9
27017: 11.2.9

Partial Gap
Missing specification(s) in TSC 2017:
'information processed or stored at remote locations.'
'Review and update the policies and procedures at least annually'.
27001: A.6.2.2
27002: 6.2.2
27001: A.11.2.6
27002: 11.2.6
The full V4 control specification is missing from TSC 2017 and has to 27001: A.8.1.4
Full Gap be used to close the gap. 27002: 8.1.4
27017: 8.1.4
N/A 27001: A.7.3.1
No Gap 27002: 7.3.1
27017: 7.3.1
N/A

No Gap No Mapping

N/A
27001: A.7.1.2
No Gap 27002: 7.1.2
27017: 7.1.2

N/A

27001: A.6.1.1
No Gap 27002: 6.1.1
27017: 6.1.1

N/A
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
No Gap
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
Partial Gap
Missing specification(s) in TSC 2017:
'provide regular training updates'.
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2

Partial Gap
Missing specification(s) in TSC 2017:
'sensitive organizational and personal data with appropriate security awareness training'.
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2

N/A
27001: A.7.2.1
No Gap 27002: 7.2.1
27017: 7.2.1

N/A 27001: A.9.1.1


27002: 9.1.1
No Gap
27001: A.5.1.2
27002: 5.1.2
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
27001: A.9.2.4
27002: 9.2.4
Full Gap 27017: 9.2.4
27001: A.7.2.2
27002:7.2.2
27001: A.9.2.6
27002: 9.2.6
27001: A.9.2.3
27002: 9.2.3
N/A 27001: A.8.1.1
27002: 8.1.1
No Gap
27001: A.9.4.1
27002: 9.4.1
N/A
27001: A.6.1.2
No Gap
27002: 6.1.2

N/A
27001: A.9.1.1
27002: 9.1.1
27001: A.9.1.2
No Gap
27002: 9.1.2
27001: A.9.2.3
27002: 9.2.3
N/A
No Gap No Mapping

N/A
No Gap No Mapping

Partial Gap
Missing specification(s) in TSC 2017:
'for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance'.
27001: A.9.2.5
27001: A.9.2.6
27001: A.9.4.1
27017: 9.4.1
27001: A.6.1.2
27001: A.9.2.5

Partial Gap
Missing specification(s) in TSC 2017:
'segregation of privileged access roles pertaining to administrative access to data, encryption and key management capabilities and logging capabilities'.
27001: A.9.2.3
27002: 9.2.3
27017: 9.2.3
27018: 9.2.3

Partial Gap
Missing specification(s) in TSC 2017:
'privileged access roles and rights are granted for a time limited period'.
27001: A.9.2.3
27002: 9.2.3
27017: 9.2.3
27018: 9.2.3
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC3.2) 'Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities', 'Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties', 'Considers the Significance of the Risk'
(CC6.1) 'Restricts Logical Access'
(CC6.3) 'Reviews Access Roles and Rules'.
No Mapping

Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
27018: 12.4.1
27001: A.12.4.2
27002: 12.4.2
27017: 12.4.2
27018: 12.4.2
27001: A.12.4.3
27002: 12.4.3
27017: 12.4.3
27018: 12.4.3

Partial Gap
Missing specification(s) in TSC 2017:
'unique IDs or which can associate individuals to the usage of user IDs'.
27001: A.9.2.1
27002: 9.2.1

Partial Gap
Missing specification(s) in TSC 2017:
'multi-factor authentication'.
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27001: A.9.4.2
27002: 9.4.2
27017: 9.4.2
27018: 9.4.2

N/A
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27018: 9.2.4
27001: A.9.3.1
27002: 9.3.1
No Gap
27017: 9.3.1
27018: 9.3.1
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3

N/A 27001: A.9.2.5


27002: 9.2.5
No Gap
27017: 9.2.5
27018: 9.2.5
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC5.3) 'Establishes Policies and Procedures to Support Deployment of Management’s Directives', 'Reassesses Policies and Procedures'.
27001: A.14.1.1
27017: 14.1.1
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.14.2
27002: 14.2
27001: A.14.2.1
27017: 14.2.1
27001: A.14.2.5

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(PI1.1) All points of focus
(PI1.3) 'Defines Processing Specifications'.
No Mapping

No Gap
N/A
27001: A.18.1
27001: A.15.1.1
27002: 15.1.1
27017: 15.1.1
Partial Gap
Missing specification(s) in TSC 2017:
'a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy'.
No Mapping

Missing specification(s) in TSC 2017: 27001: A.5


'Review and update the policies and procedures at least annually'. 27002: 5
Partial Gap
27017: 5
27018: 5
N/A 27001: 5.3
27001: 6.1
No Gap 27001: 9.1
27001: A.12.1.3
27002: 12.1.3
Partial Gap
Missing specification(s) in TSC 2017:
'Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls'.
27001: A.13.1.1
27002: 13.1.1
27001: A.13.1.2
27002: 13.1.2
27001: A.13.1.3
27002: 13.1.3
Partial Gap
Missing specification(s) in TSC 2017:
'security baseline'.
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001: A.14.2.4
27001: 7.4
27018: 12.1.2

Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.13.1.1
27002: 13.1.1
27017: 13.1.1
27018: 13.1.1
27001: A.12.1.4
27002: 12.1.4
27017: 12.1.4
27018: 12.1.4

Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.13.1.2
27002: 13.1.2
27017: 13.1.2
27018: 13.1.2
27001: A.13.1.3
27002: 13.1.3
27017: 13.1.3
27018: 13.1.3

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to Protect Data'.
27001: A.13.2.1
27002: 13.2.1
27017: 13.2.1
27018: 13.2.1
27001: A.13.2.2
27002: 13.2.2
27017: 13.2.2
27018: 13.2.2
27001: A.13.2.3
27002: 13.2.3
N/A
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.4.2
27002: 9.4.2
No Gap
27017: 9.4.2
27018: 9.4.2
27001: A.14.2.5
27002: 14.2.5
27017: 14.2.5

N/A
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
No Gap 27001: A.11.1.4
27002: 11.1.4
27017: 11.1.4
27018: 16.1.1

Missing specification(s) in TSC 2017:


Partial Gap 'Review and update the policies and procedures at least annually'. No mapping

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.18.1.3
Full Gap
27002: 18.1.3

Missing specification(s) in TSC 2017:


'generate alerts to responsible stakeholders based on corresponding 27001: A.12.4.1
Partial Gap metrics'. 27002: 12.4.1
The full V4 control specification is missing from TSC 2017 and has to 27001: A.12.4.2
Full Gap be used to close the gap. 27001: A.12.4.1
27002: 12.4.2
N/A
27001: A.12.4.3
No Gap
27002: 12.4.3

The full V4 control specification is missing from TSC 2017 and has to 27001: A.12.4.4
Full Gap be used to close the gap. 27002: 12.4.4
27017: 12.4.4
N/A 27001: A.12.4.1
No Gap 27002: 12.4.1
27017: 12.4.1
N/A 27001: A.12.4.1
No Gap 27002: 12.4.1
27017: 12.4.1
The full V4 control specification is missing from TSC 2017 and has to 27001: A.12.4.2
Full Gap be used to close the gap. 27002: 12.4.2
Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC7.2) 'Implements Detection Policies, Procedures, and Tools', 'Monitors Detection Tools for Effective Operation'.
27001: A.10.1
27002: 10.1
27001: A.10.1.2
27017: 10.1.2

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC7.2) 'Implements Detection Policies, Procedures, and Tools', 'Monitors Detection Tools for Effective Operation'.
27001: A.10.1.2
27017: 10.1.2

No Gap
N/A
27001: A.11.1.2
27002: 11.1.2

No Gap
N/A
27001: A.16.1.1
27002: 16.1.1
27001: A.16.1.2
27017: 16.1.2
Missing specification(s) in TSC 2017: 27001: A.16.1
'Cloud Forensics' 27002: 16.1
Partial Gap 'Review and update the policies and procedures at least annually'. 27017: 16.1
27018: 16.1
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'. 27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
Partial Gap
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5

Missing specification(s) in TSC 2017: 27001: A.16.1.5


'business critical relationships (such as supply-chain) that may be 27002: 16.1.5
Partial Gap impacted'. 27017: 16.1.5
27017: CLD.12.1.5
27018: 16.1.5
N/A
No Gap No Mapping

No Gap N/A No Mapping


N/A
27001: A.16.1.4
27002: 16.1.4
27017: 16.1.4
27018: 16.1.4
No Gap
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC7.4) 'Develops and Implements Communication Protocols for Security Incidents'
(CC7.5) 'Communicates Information About the Event'.
27001: A.16.1.1
27002: 16.1.1
27017: 16.1.1
27018: 16.1.1
27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
N/A
27001: 4.2
27001: A.6.1.3
27002: 6.1.3
27017: 6.1.3
27018: 6.1.3
No Gap 27001: A.16.1.1
27002: 16.1.1
27001: A.18.1.1
27002: 18.1.1
27017: 18.1.1
27018: 18.1.1

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: 5.1a
27001: 5.2
27001: 6.2
27001: 9.1
Full Gap
27001: 9.3
27001: A.5.1
27001: A.5.2
27001: A.15.1.1

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: 6.2
27001: 7.1
27001: 8.1
27001: 8.2
Full Gap
27001: 9.1
27001: 9.3
27001: A.15.1
27001: A.15.2
Missing specification(s) in TSC 2017: 27001: 6.2
'SSRM' (Mapped controls don't specifically call out SSRM). 27001: 7.4
Partial Gap 27001: 9.1
27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to 27001: 6.2
be used to close the gap. 27001: 7.4
Full Gap 27001: 9.1
27001: A.15.1.2
27001: A.15.2
The full V4 control specification is missing from TSC 2017 and has to
27001: 6.2
be used to close the gap.
27001: 7.4
27001: 9.1
Full Gap
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to 27001: 8.1
Full Gap be used to close the gap. 27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to 27001: 8.1
Full Gap be used to close the gap. 27001: A.15.1.2
27001: A.15.1.3
N/A 27001: 8.1
No Gap 27001: A.15.1.2
27001: A.15.1.3
Partial Gap
Missing specification(s) in TSC 2017:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3

The full V4 control specification is missing from TSC 2017 and has to 27001: A.15.1
Full Gap be used to close the gap. 27001: A.15.2
The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. 27001: A.15.2

N/A
27001: 5.2
27001: A.5.1
27001: A.5.2
No Gap
27001: A.7.2.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 8.1
27001: 9.1
27001: 9.2
No Gap
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
N/A 27001: 8.1
27001: 8.2
No Gap 27001: 8.3
27001: A.15.1.2
27001: A.15.1.3

N/A
27001: 5.2
No Gap 27001: A.5.1.1
27002: 5.1.1 (c), (h)
N/A

27001: A.5.1.1
27002: 5.1.1 (g), (c)
27001: A.5.1.2
27002: 5.1.2
27001: 5.2
27001: A.12.2.1
27001: A.6.2.1
27002: 6.2.1 (h)
27001: A.6.2.2
27002: 6.2.2 (j)
No Gap 27001: A.7.2.2
27002: 7.2.2 (d)
27001: A.10.1.1
27002: 10.1.1 (g)
27001: A.13.2.1
27002: 13.2.1 (b)
27001: A.15.1.2
27017: 15.1.2
27001: A.12.2.1
27002: 12.2.1 (a),(d)
27017: CLD.9.5.2

Partial Gap
Missing specification(s) in TSC 2017:
'responses to vulnerability identifications, based on the identified risk'.
27001: A.12.2.1
27001: A.12.6.1
27002: 12.6.1 (c),(d),(j)
27018: 12.6.1 (k),(i)

Partial Gap
Missing specification(s) in TSC 2017:
'on a weekly or more frequent basis'.
27001: A.5.1.1
27002: 5.1.1 (h)
27001: A.12.6.1
27002: 12.6.1 (b),(c)

Partial Gap
Missing specification(s) in TSC 2017:
"third party or open source libraries" and "according to the organization's vulnerability management policy".
27001: A.12.6.2
27002: 12.6.2

Partial Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control:
(CC4.1) 'Considers Different Types of Ongoing and Separate Evaluations'
(CC7.1) 'Conducts Vulnerability Scans' - 'The entity conducts vulnerability scans designed to identify potential vulnerabilities'.
No Mapping

Partial Gap
Missing specification(s) in TSC 2017:
'at least monthly'.
- 'including penetration testing'
27001: A.12.6
27001: A.12.6.1
27002: 12.6.1

Full Gap
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping

N/A 27001: A.16.1.2


27002: 16.1.2
No Gap
27001: A.16.1.3
27002: 16.1.3
The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. 27001: 9.1(a)(e)
Partial Gap
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems (AICPA TSC CC6.7 has reference to "Protect Mobile Devices" only whereas CCM control refers to endpoint devices such as: mobile devices, servers, desktops, IoT, virtual etc.)
'Review the policies and procedures at least annually'.
27001: A.6.2.1
27002: 6.2.1
27017: 6.2.1
27018: 6.2.1

The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.9.1.1
27002: 9.1.1
27001: A.9.2.2
27002: 9.2.2
27001: A.12.1.2
27002: 12.1.2
Full Gap
27001: A.12.5
27002: 12.5
27001: A.13.2.3
27002: 13.2.3
27001: A.14.2.2
27002:14.2.2

The full V4 control specification is missing from TSC 2017 and has to 27001: A.14.2.4
Full Gap be used to close the gap. 27002: 14.2.4
The full V4 control specification is missing from TSC 2017 and has to 27001: A.8.1.1
Full Gap be used to close the gap. 27002: 8.1.1
27017: 8.1.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.12.6.2
Full Gap
27002:12.6.2

The full V4 control specification is missing from TSC 2017 and has to
Full Gap be used to close the gap. No Mapping
Missing specification(s) in TSC 2017:
27001: A.14.2
Requirement on 'endpoint' systems.
27001: A.14.2.2
27002: 14.2.2
Partial Gap
27001: A.14.2.3
27001: A.14.2.4
27018: 12.1.2
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems. 27001: A.11.2.7
27002: 11.2.7
27001: A.18.1.1
27017: 18.1.1
Partial Gap
27001: A.12.3.1
27017: 12.3.1
27018: A.11.4
27018: A.11.5

Missing specification(s) in TSC 2017: 27001: A.12.2


Requirement on 'endpoint' systems. 27002: 12.2
Partial Gap
27017: 12.2
27018: 12.2
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems. 27001: A.12.6.1
27002: 12.6.1
27001: A.13.1.2
Partial Gap 27002: 13.1.2
27001: A.6.2.2
27002: 6.2.2
27018: 16.1
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems. 27001: A.12.3
27002: 12.3
27001: A.8.3.1
27002: 8.3.1
27001: A.12.2
27002: 12.2
27001: A.18.1.3
Partial Gap
27002: 18.1.3
27001: A.3.2.2
27002: 3.2.2
27001: A.6.1.1
27017: 6.1.1
27018: 12.3.1
27018: 10.1

The full V4 control specification is missing from TSC 2017 and has to 27001: A.6.2.1
Full Gap be used to close the gap. 27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.6.2.1
Full Gap
27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to
be used to close the gap. 27001: A.15.1.1
27002: 15.1.1
27001: A.14.1.2
27002: 14.1.2
27001: A.6.1.1
Full Gap
27017: 6.1.1
27001: A.9.2.2
27017: 9.2.2
27001: A.9.2.4
27017: 9.2.4
ISO/IEC 27001/02/17/18

Gap Level Addendum Control Mapping

Partial Gap
Missing specification(s) in ISOs:
Requirement of 'at least annually' in last sentence.
GRM-06
GRM-09

Partial Gap
Missing specification(s) in ISOs:
Terms 'audit and assurance' and 'at least annually' are not specifically called out.
AAC-02

No Gap
N/A
AAC-01
AAC-02

N/A
GRM-01
No Gap
GRM-03

N/A

No Gap AAC-01
Partial Gap
Missing specification(s) in ISOs:
'Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings'.
GRM-10
GRM-11

Missing specification(s) in ISOs:


'to review and update the policies and procedures at least annually.'
AIS-01
Partial Gap
AIS-04

Missing specification(s) in ISOs:


ISO does not explicitly stipulate baseline requirements for securing
Partial Gap different applications. AIS-01

Missing specification(s) in ISOs:


Partial Gap ISO does not explicitly specify the need to implement technical and No Mapping
operational metrics in alignment with business objectives, security
requirements, and compliance obligations.
N/A

AIS-01
No Gap
AIS-03
N/A

AIS-01
No Gap
AIS-03

The full V4 control specification is missing from the ISOs and has to
be used to close the gap. AIS-01
Full Gap
AIS-03

N/A

No Gap TVM-02

Missing specification(s) in ISOs: BCR-07


The requirement to provide a framework for setting business BCR-10
Partial Gap continuity objectives. BCR-11
GRM-06
GRM-09
Missing specification(s) in ISOs:
The specific references to a BIA.

Partial Gap BCR-09

Missing specification(s) in ISOs: BCR-04


No reference to Business Continuity Strategies BCR-06
Partial Gap BCR-08
BCR-09
BCR-10
Missing specification(s) in ISOs:
Partial Gap No reference to Business Continuity Strategies BCR-01

Missing specification(s) in ISOs:


No reference to Business Continuity Strategies BCR-01
Partial Gap
BCR-04

Missing specification(s) in ISOs:


Partial Gap 'Table Top Exercises' BCR-02
The full V4 control specification is missing from the ISOs and has to
be used to close the gap. BCR-01
Full Gap
BCR-02

Missing specification(s) in ISOs:


ISO does not specify the need to verify data restoration from backup
Partial Gap for resiliency. BCR-11
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. No Mapping
The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. BCR-06

Missing specification(s) in ISOs:


'Review and update the policies and procedures at least annually.'
CCC-05
Partial Gap GRM-06
GRM-09

Missing specification(s) in ISOs:


Partial Gap 'Quality and baselines' CCC-03
N/A

No Gap CCC-05

N/A

No Gap CCC-04

N/A

No Gap CCC-05

Missing specification(s) in ISOs:


'Establish change management baselines'
Partial Gap No Mapping
N/A

No Gap GRM-01

N/A

No Gap No Mapping

N/A

No Gap No Mapping
N/A

EKM-01
EKM-02
No Gap EKM-03
GRM-06
GRM-09
N/A

No Gap No Mapping
N/A

EKM-03
No Gap
EKM-04

N/A

No Gap EKM-04
N/A

No Gap EKM-02

N/A

No Gap No Mapping

N/A

No Gap No Mapping

Partial Gap
Missing specification(s) in ISOs:
'The cloud service provider should provide capabilities to permit the cloud service customer to independently store and manage encryption keys used for protection of any data owned or managed by the cloud service customer'
No Mapping
N/A

No Gap No Mapping

N/A

No Gap EKM-04

N/A

No Gap No Mapping

Missing specification(s) in ISOs:


'Keys Rotation' requirement not mentioned
Partial Gap No Mapping
N/A

No Gap No Mapping

N/A

No Gap No Mapping

Missing specification(s) in ISOs:


'Keys Pre-Activation' requirement not mentioned
Partial Gap No Mapping

Missing specification(s) in ISOs:


'Keys Suspension' requirement not mentioned
Partial Gap No Mapping

N/A

No Gap No Mapping
Missing specification(s) in ISOs:
'secure repository requiring least privileged access'

Partial Gap No Mapping

N/A

No Gap No Mapping

N/A

No Gap No Mapping

N/A

No Gap No Mapping
N/A

DCS-05
No Gap GRM-06
GRM-09

Partial Gap
Missing specification(s) in ISOs:
'Apply and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location'
'relocation requires the cryptographically verifiable authorization.'
DCS-04
GRM-06
GRM-09

N/A

DCS-06
No Gap GRM-06
GRM-09

N/A
GRM-06
No Gap
GRM-09

Missing specification(s) in ISOs:


Partial Gap 'classify physical assets' DCS - 01

Missing specification(s) in ISOs:


Partial Gap 'classify physical assets' DCS - 01
N/A
DCS-02
No Gap
DCS-08

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. DCS - 03
N/A
DCS-07
No Gap
DCS-09

The full V4 control specification is missing from the ISOs and has to DCS-02
Full Gap be used to close the gap. DCS-07
DCS-08
The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. HRS-09
N/A

No Gap BCR - 03

N/A
No Gap BCR - 03

Missing specification(s) in ISOs:


Partial Gap No requirements to exercise environmental controls BCR - 03

N/A
No Gap BCR - 06
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least
annually.

DSI-04
Partial Gap GRM-06
GRM-09

Missing specification(s) in ISOs:


Requirement to ensure that data is not recoverable by any forensic
means.
Partial Gap DSI-07

Missing specification(s) in ISOs:


Partial Gap Requirement for maintaining an inventory for personal data No Mapping
N/A
No Gap DSI-01
The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. DSI-02

Missing specification(s) in ISOs:


Requirement to perform a review at least annually.

Partial Gap DSI-06


Missing specification(s) in ISOs:
incorporating security requirements at the design stage
Partial Gap No Mapping

The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap No Mapping

The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap No Mapping

Missing specification(s) in ISOs:


Requirement to ensure information is only processed within scope as
permitted by the respective laws and regulations.
GRM-02
Partial Gap
EKM-03

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. No Mapping

Missing specification(s) in ISOs:


Processing personal data as per the purpose declared to the data
Partial Gap subject No Mapping

The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap No Mapping
Partial Gap
Missing specification(s) in ISOs:
Requirement to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
No Mapping

Missing specification(s) in ISOs:


Obtain explicit authorization from data owners
Partial Gap DSI-05

N/A
GRM-02
No Gap
BCR-11

N/A

No Gap No Mapping
N/A

No Gap No Mapping

N/A
No Gap No Mapping

Partial Gap
Missing in the ISOs:
"document, approve, apply, evaluate and maintain policies and procedures for an information governance program"
"Review and update the policies and procedures at least annually."
GRM-06
GRM-09
N/A
GRM-08
No Gap GRM-10
GRM-11
Missing specification(s) in ISOs:
Requirement of 'at least annually'

Partial Gap GRM-09

N/A
No Gap GRM-01

Missing specification(s) in ISOs:


Partial Gap 'domains of the CCMv4.0' missing from ISOs GRM-04
Missing in the ISOs:
'for planning, implementing, operating, assessing, and improving
governance programs.'
Partial Gap 'document roles and responsibilities' No Mapping

N/A

No Gap AAC-03

N/A
No Gap No Mapping
Missing specification(s) in ISOs:
requirement to review and update the policies and procedures at least
annually.
HRS-02
Partial Gap GRM-06
GRM-09

Missing specification(s) in ISOs:


requirement to review and update the policies and procedures at least HRS-08
Partial Gap annually. GRM-06
GRM-09

Missing specification(s) in ISOs:


requirement to review and update the policies and procedures at least
annually. HRS-11
Partial Gap GRM-06
GRM-09

Missing specification(s) in ISOs:


requirement to review and update the policies and procedures at least GRM-06
Partial Gap annually. GRM-09

N/A
No Gap HRS-01

N/A
No Gap HRS-04
The full V4 control specification is missing from the ISOs and has to
be used to close the gap.
Full Gap HRS-03

N/A

No Gap HRS-03

N/A

HRS-07
No Gap
HRS-10

N/A

No Gap HRS-06

N/A
HRS-09
No Gap
HRS-10
Missing specification(s) in ISOs:
Requirement to focus training on 'sensitive organizational and HRS-09
Partial Gap personal data' HRS-10

Missing specification(s) in ISOs:


requirement to focus on 'applicable legal, statutory, or regulatory
Partial Gap compliance obligations.' HRS-10

N/A
IAM-02
No Gap GRM-06
GRM-09

Missing specification(s) in ISOs:


Requirement to review and update the policies and procedures at least
annually.

IAM-02
IAM-12
Partial Gap
GRM-06
GRM-09
Missing specification(s) in ISOs:
ISO partially addressed Identity Inventory under asset management IAM-04
Partial Gap IAM-08
IAM-10

N/A
No Gap IAM-05

N/A

IAM-02
No Gap IAM-06
IVS-11

The full V4 control specification is missing from ISOs and has to be


Full Gap used to close the gap. IAM-09

The full V4 control specification is missing from ISOs and has to be


Full Gap used to close the gap. IAM-11

Missing specification(s) in ISOs:


Requirement of separation of duties in reviewing of user access rights.

Partial Gap IAM-10

N/A

No Gap No Mapping
Missing specification(s) in ISOs:
Requirement to prevent the culmination of segregated privileged
Partial Gap access. No Mapping

N/A

Full Gap No Mapping

Missing specification(s) in ISOs:


Requirement to control the ability to disable logs through a procedure
that ensures the segregation of duties and break glass procedures.

Partial Gap No Mapping

N/A
No Gap No Mapping
Missing specification(s) in ISOs:
Requirement to include multifactor authentication for at least
privileged user and sensitive data access.

IAM-02
Partial Gap
IAM-05

N/A

No Gap No Mapping

N/A

No Gap IAM-02
Missing specification(s) in ISOs:
Requirement of communications between application services (APIs)

IPY-03
Partial Gap GRM-06
GRM-09

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. No Mapping

N/A

No Gap IPY-04

The full V4 control specification is missing from the ISOs and has to
be used to close the gap.

Full Gap No Mapping

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization Security" GRM-06
Partial Gap
GRM-09
Missing specification(s) in ISOs:
Requirement of "Infrastructure & Virtualization Security"
Partial Gap IVS-04

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization Security"

Partial Gap IVS-06

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization Security"
Partial Gap IVS-07

Missing specification(s) in ISOs:


Requirement of "Infrastructure & Virtualization Security"
Partial Gap IVS-08

Missing specification(s) in ISOs:


'Design, develop, deploy and configure applications and
Partial Gap infrastructures' IVS-09
'monitored and restricted from other tenants.'
Missing specification(s) in ISOs:
Requirement of "Infrastructure & Virtualization Security
Partial Gap IVS-10
Missing specification(s) in ISOs:
Requirement of "Infrastructure & Virtualization Security

Partial Gap IVS-13

Missing specification(s) in ISOs:


Requirement of Infrastructure & Virtualization Security
Requirement for defense-in-depth approach
Partial Gap IVS-13

The full V4 control specification is missing from the ISOs and has to
be used to close the gap. GRM-06
Full Gap
GRM-09

Missing specification(s) in ISOs:


Partial Gap Requirement for the review and update of policies and procedures.
IVS-01

Missing specification(s) in ISOs:


Requirement to generate alerts to responsible stakeholders. SEF-03
Partial Gap
SEF-05
N/A
No Gap IVS-01

N/A
No Gap No Mapping

N/A
No Gap IVS-03

N/A
No Gap No Mapping

N/A
No Gap No Mapping

N/A GRM-04
No Gap
IVS-01
N/A
EKM-02
No Gap
EKM-03

N/A
No Gap EKM-02
N/A
No Gap DCS-08
N/A

No Gap SEF-03
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least SEF-02
Partial Gap annually. GRM-06
GRM-09

Missing specification(s) in ISOs:


Requirement to review and update the policies and procedures at least
annually.
SEF-02
Partial Gap GRM-06
GRM-09

N/A

No Gap BCR-02

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. BCR-02

Full Gap The full V4 control specification is missing from the ISOs and has to SEF-05
be used to close the gap.
N/A

No Gap SEF-02

Missing specification(s) in ISOs:


Requirement to report relevant supply chain breaches.
Requirement to report as per applicable SLAs, laws and regulations.

SEF-04
Partial Gap
STA-05
N/A

No Gap SEF-01

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).

Partial Gap No Mapping

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).

Partial Gap No Mapping


Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap No Mapping

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap No Mapping

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).

Partial Gap No Mapping

Missing specification(s) in ISOs:


Partial Gap Requirement of a Shared Security Responsibility Model (SSRM). No Mapping

Missing specification(s) in ISOs:


Partial Gap Requirement of a Shared Security Responsibility Model (SSRM). No Mapping

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM). STA-06
Partial Gap
STA-08
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).

Partial Gap STA-05

Missing specification(s) in ISOs:


Partial Gap Requirement of a Shared Security Responsibility Model (SSRM). STA-07
Missing specification(s) in ISOs:
Partial Gap Requirement of a Shared Security Responsibility Model (SSRM). STA-04

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).
STA-01
Partial Gap
STA-09

Missing specification(s) in ISOs:


Requirement of a Shared Security Responsibility Model (SSRM).

Partial Gap STA-06


Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap STA-08

N/A
TVM-02
No Gap GRM-06
GRM-09
Missing specification(s) in ISOs:
Requirement of 'malware policy and procedures'

TVM-01
Partial Gap GRM-06
GRM-09

N/A

No Gap TVM-02

Missing specification(s) in ISOs:


Requirement of 'detection tools and or a specific time frame for
Partial Gap updates as well as no mention of IOC's' No mapping
Missing specification(s) in ISOs:
Requirement of 'for applications which use...open source libraries
Partial Gap according to the organization's vulnerability management standard.' No mapping

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. TVM-02

N/A
No Gap TVM-02

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. TVM-02

N/A

No Gap TVM-02

Missing specification(s) in ISOs:


Partial Gap Requirement of 'vulnerability remediation' No mapping
Missing specification(s) in ISOs:
Term 'endpoint' device GRM-06
GRM-09
MOS-03
MOS-04
MOS-05
MOS-08
Partial Gap
MOS-11
MOS-12
MOS-13
MOS-16
MOS-17
MOS-20

Missing specification(s) in ISOs:


Term 'endpoint' device

MOS-02
MOS-03
Partial Gap
MOS-04
MOS-06

Missing specification(s) in ISOs:


Partial Gap Term 'endpoint' device MOS-07
Missing specification(s) in ISOs:
Partial Gap Term 'endpoint' device MOS-09
Missing specification(s) in ISOs:
Term 'endpoint' device
Partial Gap MOS-10

The full V4 control specification is missing from the ISOs and has to
Full Gap be used to close the gap. MOS-14
Missing specification(s) in ISOs:
Term 'endpoint' device
MOS-15
Partial Gap
MOS-19

Missing specification(s) in ISOs:


Term 'endpoint' device

Partial Gap MOS-11

Missing specification(s) in ISOs:


Term 'endpoint' device
Partial Gap No Mapping
Missing specification(s) in ISOs:
Term 'endpoint' device

Partial Gap No Mapping

Missing specification(s) in ISOs:


Term 'endpoint' device

Partial Gap No Mapping

Missing specification(s) in ISOs:


Partial Gap Term 'endpoint' device No Mapping
Missing specification(s) in ISOs:
Partial Gap Term 'endpoint' device MOS-18
Missing specification(s) in ISOs:
Term 'endpoint' device

Partial Gap No Mapping


CCM v3.0.1

Gap Level | Addendum

Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate audit and assurance policies, procedures and standards'; Requirement of 'at least annually' in last sentence.
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (AAC-01) 'Audit plans shall be developed' and 'Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply, evaluate, maintain policies and procedures for application security'; Requirement of 'at least annually' in last sentence.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (AIS-01) 'Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Automate when applicable and possible.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Automate where possible.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Automating remediation when possible.'
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
No Gap | N/A
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'at least annually'
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Ensure the confidentiality, integrity and availability of the backup'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply, evaluate policies and procedures for managing the risks associated with applying changes to organization assets'; 'regardless of whether the assets are managed internally or externally (i.e., outsourced)'; Requirement of 'at least annually' in last sentence.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'regardless of whether the assets are managed internally or externally (i.e., outsourced)'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'removal, update, and management of organization assets'
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'detection measures with proactive notification'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Apply and evaluate the policies and procedures for Cryptography, Encryption and Key Management'; Requirement of 'at least annually' in last sentence.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'considering the classification of data, associated risks, and usability of the encryption technology.'
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (EKM-02) 'lifecycle management/replacement' and 'changes within the cryptosystem'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (EKM-04) 'open/validated formats and standard algorithms shall be required'.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for the secure disposal of equipment used outside the organization's premises'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location'; 'or cryptographically verifiable authorization'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'evaluate (implementation of) policies and procedures'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for the secure transportation of physical media.'; Requirement of 'at least annually' in last sentence.
No Gap | N/A
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'all ingress and egress points (are) documented'; 'Retain access control records on a periodic basis as deemed appropriate by the organization.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'maintain datacenter surveillance systems'
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (HRS-09) 'All individuals with access to organizational data shall receive appropriate awareness training relating to their professional function relative to the organization.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of telecommunication cables'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'within accepted industry standards'
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for the classification, protection and handling of data throughout its lifecycle and according to all applicable laws and regulations, standards, and risk level.'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Apply industry accepted methods for the secure disposal of data'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Review data flow documentation at defined intervals, at least annually, and after any change.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Document ownership'; 'all relevant documented personal data'; 'Perform review at least annually'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: The reference to personal data: 'transfer of personal data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for an information governance program'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Enterprise Risk Management (ERM) program (as it includes information security risks but is not limited to only those)'; '(ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of privacy risks' (focus is on missing requirement for risk management on privacy)
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'deviation from an established policy'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'all the domains of the CCM' (i.e., reference to CCMv4.0)
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply, evaluate, policies and procedures for background verification of all new employees'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply, evaluate, policies and procedures that require unattended workspaces to not have openly visible confidential data'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply, evaluate, policies and procedures to protect information accessed, processed or stored at remote sites and locations'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Establish and document procedures'
No Gap | N/A
No Gap | N/A
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'approve, evaluate and maintain a security awareness training program'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training'
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
Partial Gap | (If Password is equal to "authentication secrets" then) Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'system identities'
No Gap | N/A
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Review and revalidate user access for separation of duties'; 'a frequency that is commensurate with organizational risk tolerance'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for interoperability and portability.'; Requirement of 'at least annually' in last sentence.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for infrastructure and virtualization security.'; Requirement of 'at least annually' in last sentence.
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Host and guest OS', 'hypervisor', 'infrastructure control plane'.
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Such channels must include only up-to-date and approved protocols'.
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'apply and evaluate policies and procedures for logging and monitoring'; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Define, implement and evaluate processes, procedures and technical measures'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Restrict audit logs access to authorized personnel'
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (IVS-01) 'Higher levels of assurance are required for protection of audit logs', (GRM-04) 'to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction'.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (EKM-02) 'Policies and procedures shall be established for the management of cryptographic keys', (EKM-03) 'Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols'.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (EKM-02) 'management of cryptographic keys in the service's cryptosystem'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'log physical access using an auditable access control system.'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'policies and procedures for E-Discovery and Cloud Forensics'.; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Establish, document, approve, communicate, apply, a security incident response plan, which Include relevant internal departments'
No Gap | N/A
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Define and implement, processes, procedures and technical measures for security breach notifications'; 'Report assumed security breaches'
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'Logging and monitoring capability'; 'Data Privacy'
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: 'to comply with privacy, personnel policy.'
No Gap | N/A
No Gap | N/A
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least annually' in last sentence.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Recommend the full V4 control specification to be used to close the gap. Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4 control: (TVM-02) 'supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., penetration testing)'
Partial Gap | Missing specification(s) in CCMv3.0.1: Requirement of 'at least monthly'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'vulnerability remediation using an industry recognized framework'.
No Gap | N/A
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoints' (The term is missing from CCMv3.0.1 and MOS domain. Mobile device policies are a subset of endpoint devices policy).; 'apply, evaluate policies and procedures for all endpoints'.; Requirement of 'at least annually' in last sentence.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.; 'Define, apply and evaluate a list'
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.; 'Define and implement a process'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoints'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoints'.; 'Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Partial Gap | Missing specification(s) in CCMv3.0.1: 'endpoint'.; 'Define, implement and evaluate processes, procedures and technical measures'.
Full Gap | The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE VERSION 4.0.2
v4.0.2+0

Control Domain Control Title Control ID

Audit & Assurance - A&A

Audit and Assurance


A&A-01
Policy and Procedures

Independent Assessments A&A-02

Risk Based Planning


A&A-03
Assessment

Audit & Assurance Requirements Compliance A&A-04

Audit Management
A&A-05
Process

Remediation A&A-06

Application & Interface Security - AIS


Application and
Interface Security AIS-01
Policy and Procedures

Application Security
AIS-02
Baseline Requirements
Application Security
AIS-03
Metrics
Secure Application
Application & Interface AIS-04
Design and Development
Security

Automated Application
AIS-05
Security Testing

Automated Secure
AIS-06
Application Deployment

Application
Vulnerability AIS-07
Remediation

Business Continuity Management and Operational Resilience - BCR
BCR-01  Business Continuity Management Policy and Procedures
BCR-02  Risk Assessment and Impact Analysis
BCR-03  Business Continuity Strategy
BCR-04  Business Continuity Planning
BCR-05  Documentation
BCR-06  Business Continuity Exercises
BCR-07  Communication
BCR-08  Backup
BCR-09  Disaster Response Plan
BCR-10  Response Plan Exercise
BCR-11  Equipment Redundancy

Change Control and Configuration Management - CCC
CCC-01  Change Management Policy and Procedures
CCC-02  Quality Testing
CCC-03  Change Management Technology
CCC-04  Unauthorized Change Protection
CCC-05  Change Agreements
CCC-06  Change Management Baseline
CCC-07  Detection of Baseline Deviation
CCC-08  Exception Management
CCC-09  Change Restoration

Cryptography, Encryption & Key Management - CEK
CEK-01  Encryption and Key Management Policy and Procedures
CEK-02  CEK Roles and Responsibilities
CEK-03  Data Encryption
CEK-04  Encryption Algorithm
CEK-05  Encryption Change Management
CEK-06  Encryption Change Cost Benefit Analysis
CEK-07  Encryption Risk Management
CEK-08  CSC Key Management Capability
CEK-09  Encryption and Key Management Audit
CEK-10  Key Generation
CEK-11  Key Purpose
CEK-12  Key Rotation
CEK-13  Key Revocation
CEK-14  Key Destruction
CEK-15  Key Activation
CEK-16  Key Suspension
CEK-17  Key Deactivation
CEK-18  Key Archival
CEK-19  Key Compromise
CEK-20  Key Recovery
CEK-21  Key Inventory Management

Datacenter Security - DCS
DCS-01  Off-Site Equipment Disposal Policy and Procedures
DCS-02  Off-Site Transfer Authorization Policy and Procedures
DCS-03  Secure Area Policy and Procedures
DCS-04  Secure Media Transportation Policy and Procedures
DCS-05  Assets Classification
DCS-06  Assets Cataloguing and Tracking
DCS-07  Controlled Access Points
DCS-08  Equipment Identification
DCS-09  Secure Area Authorization
DCS-10  Surveillance System
DCS-11  Unauthorized Access Response Training
DCS-12  Cabling Security
DCS-13  Environmental Systems
DCS-14  Secure Utilities
DCS-15  Equipment Location

Data Security and Privacy Lifecycle Management - DSP
DSP-01  Security and Privacy Policy and Procedures
DSP-02  Secure Disposal
DSP-03  Data Inventory
DSP-04  Data Classification
DSP-05  Data Flow Documentation
DSP-06  Data Ownership and Stewardship
DSP-07  Data Protection by Design and Default
DSP-08  Data Privacy by Design and Default
DSP-09  Data Protection Impact Assessment
DSP-10  Sensitive Data Transfer
DSP-11  Personal Data Access, Reversal, Rectification and Deletion Management
DSP-12  Limitation of Purpose in Personal Data Processing
DSP-13  Personal Data Sub-processing
DSP-14  Disclosure of Data Sub-processors
DSP-15  Limitation of Production Data Use
DSP-16  Data Retention and Deletion
DSP-17  Sensitive Data Protection
DSP-18  Disclosure Notification
DSP-19  Data Location

Governance, Risk and Compliance - GRC
GRC-01  Governance Program Policy and Procedures
GRC-02  Risk Management Program
GRC-03  Organizational Policy Reviews
GRC-04  Policy Exception Process
GRC-05  Information Security Program
GRC-06  Governance Responsibility Model
GRC-07  Information System Regulatory Mapping
GRC-08  Special Interest Groups

Human Resources - HRS
HRS-01  Background Screening Policy and Procedures
HRS-02  Acceptable Use of Technology Policy and Procedures
HRS-03  Clean Desk Policy and Procedures
HRS-04  Remote and Home Working Policy and Procedures
HRS-05  Asset Returns
HRS-06  Employment Termination
HRS-07  Employment Agreement Process
HRS-08  Employment Agreement Content
HRS-09  Personnel Roles and Responsibilities
HRS-10  Non-Disclosure Agreements
HRS-11  Security Awareness Training
HRS-12  Personal and Sensitive Data Awareness and Training
HRS-13  Compliance User Responsibility

Identity & Access Management - IAM
IAM-01  Identity and Access Management Policy and Procedures
IAM-02  Strong Password Policy and Procedures
IAM-03  Identity Inventory
IAM-04  Separation of Duties
IAM-05  Least Privilege
IAM-06  User Access Provisioning
IAM-07  User Access Changes and Revocation
IAM-08  User Access Review
IAM-09  Segregation of Privileged Access Roles
IAM-10  Management of Privileged Access Roles
IAM-11  CSCs Approval for Agreed Privileged Access Roles
IAM-12  Safeguard Logs Integrity
IAM-13  Uniquely Identifiable Users
IAM-14  Strong Authentication
IAM-15  Passwords Management
IAM-16  Authorization Mechanisms

Interoperability & Portability - IPY
IPY-01  Interoperability and Portability Policy and Procedures
IPY-02  Application Interface Availability
IPY-03  Secure Interoperability and Portability Management
IPY-04  Data Portability Contractual Obligations

Infrastructure & Virtualization Security - IVS
IVS-01  Infrastructure and Virtualization Security Policy and Procedures
IVS-02  Capacity and Resource Planning
IVS-03  Network Security
IVS-04  OS Hardening and Base Controls
IVS-05  Production and Non-Production Environments
IVS-06  Segmentation and Segregation
IVS-07  Migration to Cloud Environments
IVS-08  Network Architecture Documentation
IVS-09  Network Defense

Logging and Monitoring - LOG
LOG-01  Logging and Monitoring Policy and Procedures
LOG-02  Audit Logs Protection
LOG-03  Security Monitoring and Alerting
LOG-04  Audit Logs Access and Accountability
LOG-05  Audit Logs Monitoring and Response
LOG-06  Clock Synchronization
LOG-07  Logging Scope
LOG-08  Log Records
LOG-09  Log Protection
LOG-10  Encryption Monitoring and Reporting
LOG-11  Transaction/Activity Logging
LOG-12  Access Control Logs
LOG-13  Failures and Anomalies Reporting

Security Incident Management, E-Discovery, & Cloud Forensics - SEF
SEF-01  Security Incident Management Policy and Procedures
SEF-02  Service Management Policy and Procedures
SEF-03  Incident Response Plans
SEF-04  Incident Response Testing
SEF-05  Incident Response Metrics
SEF-06  Event Triage Processes
SEF-07  Security Breach Notification
SEF-08  Points of Contact Maintenance

Supply Chain Management, Transparency, and Accountability - STA
STA-01  SSRM Policy and Procedures
STA-02  SSRM Supply Chain
STA-03  SSRM Guidance
STA-04  SSRM Control Ownership
STA-05  SSRM Documentation Review
STA-06  SSRM Control Implementation
STA-07  Supply Chain Inventory
STA-08  Supply Chain Risk Management
STA-09  Primary Service and Contractual Agreement
STA-10  Supply Chain Agreement Review
STA-11  Internal Compliance Testing
STA-12  Supply Chain Service Agreement Compliance
STA-13  Supply Chain Governance Review
STA-14  Supply Chain Data Security Assessment

Threat & Vulnerability Management - TVM
TVM-01  Threat and Vulnerability Management Policy and Procedures
TVM-02  Malware Protection Policy and Procedures
TVM-03  Vulnerability Remediation Schedule
TVM-04  Detection Updates
TVM-05  External Library Vulnerabilities
TVM-06  Penetration Testing
TVM-07  Vulnerability Identification
TVM-08  Vulnerability Prioritization
TVM-09  Vulnerability Management Reporting
TVM-10  Vulnerability Management Metrics

Universal Endpoint Management - UEM
UEM-01  Endpoint Devices Policy and Procedures
UEM-02  Application and Service Approval
UEM-03  Compatibility
UEM-04  Endpoint Inventory
UEM-05  Endpoint Management
UEM-06  Automatic Lock Screen
UEM-07  Operating Systems
UEM-08  Storage Encryption
UEM-09  Anti-Malware Detection and Prevention
UEM-10  Software Firewall
UEM-11  Data Loss Prevention
UEM-12  Remote Locate
UEM-13  Remote Wipe
UEM-14  Third-Party Endpoint Security Posture

End of Standard
© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to
the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
in obtaining a license to this material for other usages not addresses in the copyright notice, please contact info@cloudsecurityalliance.org.
Control Specifications and CAIQ Question IDs. Each entry gives the Control ID, the associated Question ID(s) in parentheses, and the Control Specification.

Audit & Assurance - A&A

A&A-01 (A&A-01.1, A&A-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.

A&A-02 (A&A-02.1)
Conduct independent audit and assurance assessments according to relevant standards at least annually.

A&A-03 (A&A-03.1)
Perform independent audit and assurance assessments according to risk-based plans and policies.

A&A-04 (A&A-04.1)
Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.

A&A-05 (A&A-05.1)
Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

A&A-06 (A&A-06.1, A&A-06.2)
Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.

Application & Interface Security - AIS

AIS-01 (AIS-01.1, AIS-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.

AIS-02 (AIS-02.1)
Establish, document and maintain baseline requirements for securing different applications.

AIS-03 (AIS-03.1)
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.

AIS-04 (AIS-04.1)
Define and implement an SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.

AIS-05 (AIS-05.1, AIS-05.2)
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.

AIS-06 (AIS-06.1, AIS-06.2)
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.

AIS-07 (AIS-07.1, AIS-07.2)
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

Business Continuity Management and Operational Resilience - BCR

BCR-01 (BCR-01.1, BCR-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.

BCR-02 (BCR-02.1)
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.

BCR-03 (BCR-03.1)
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

BCR-04 (BCR-04.1)
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.

BCR-05 (BCR-05.1, BCR-05.2, BCR-05.3)
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.

BCR-06 (BCR-06.1)
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.

BCR-07 (BCR-07.1)
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.

BCR-08 (BCR-08.1, BCR-08.2, BCR-08.3)
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.

BCR-09 (BCR-09.1, BCR-09.2)
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.

BCR-10 (BCR-10.1, BCR-10.2)
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.

BCR-11 (BCR-11.1)
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.

Change Control and Configuration Management - CCC

CCC-01 (CCC-01.1, CCC-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.

CCC-02 (CCC-02.1)
Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.

CCC-03 (CCC-03.1)
Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).

CCC-04 (CCC-04.1)
Restrict the unauthorized addition, removal, update, and management of organization assets.

CCC-05 (CCC-05.1)
Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.

CCC-06 (CCC-06.1)
Establish change management baselines for all relevant authorized changes on organization assets.

CCC-07 (CCC-07.1)
Implement detection measures with proactive notification in case of changes deviating from the established baseline.

CCC-08 (CCC-08.1, CCC-08.2)
Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.

CCC-09 (CCC-09.1)
Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
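CCC-06, CCC-07 and CCC-09 together describe a mechanism: keep an authorized baseline, detect live configuration that deviates from it, notify, and be able to return to a known good state. The following is an added illustration written for this page, not CSA material and not part of the CAIQ. It assumes the configuration is a flat set of settings (a constructed sshd-style dictionary stands in for a real file or cloud resource description), that each setting is fingerprinted separately so an alert can name the exact item, and that the notify() hook is a placeholder for a pager or ticketing integration. The change-ticket check is an assumption about how an "authorized change" is evidenced.

```python
"""Baseline drift detection (CCC-06/CCC-07) with rollback (CCC-09).

Added example, not CSA material. Configuration values are constructed
in-memory dicts; notify() is a stand-in for a real alerting integration.
"""
import hashlib
import json
from typing import Dict, List


def fingerprint(config: Dict[str, object]) -> Dict[str, str]:
    """Hash each setting separately so a deviation names the exact item."""
    return {
        key: hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()
        for key, value in config.items()
    }


def detect_deviation(baseline: Dict[str, str], current: Dict[str, object]) -> Dict[str, List[str]]:
    """CCC-07: compare live state against the authorized baseline fingerprints."""
    cur = fingerprint(current)
    return {
        "added": sorted(set(cur) - set(baseline)),
        "removed": sorted(set(baseline) - set(cur)),
        "modified": sorted(k for k in cur if k in baseline and cur[k] != baseline[k]),
    }


def notify(alerts: List[str], deviation: Dict[str, List[str]]) -> None:
    """Placeholder for proactive notification: records one alert per deviating item."""
    for kind, keys in deviation.items():
        for key in keys:
            alerts.append(f"{kind}:{key}")


class BaselineStore:
    """CCC-06: the authorized baseline, plus known-good snapshots for CCC-09 rollback."""

    def __init__(self, initial: Dict[str, object]) -> None:
        self.known_good: List[Dict[str, object]] = [dict(initial)]
        self.baseline: Dict[str, str] = fingerprint(initial)

    def approve_change(self, new_config: Dict[str, object], change_ticket: str) -> None:
        """Only an authorized change (evidenced here by a ticket id) moves the baseline."""
        if not change_ticket:
            raise PermissionError("baseline update requires an approved change ticket")
        self.known_good.append(dict(new_config))
        self.baseline = fingerprint(new_config)

    def rollback(self) -> Dict[str, object]:
        """CCC-09: hand back the last known-good configuration for re-application."""
        return dict(self.known_good[-1])

    def check(self, live: Dict[str, object], alerts: List[str]) -> Dict[str, List[str]]:
        """Run detection and notify only when something actually deviates."""
        deviation = detect_deviation(self.baseline, live)
        if any(deviation.values()):
            notify(alerts, deviation)
        return deviation


def demo() -> Dict[str, object]:
    """Constructed sshd-style settings: an unauthorized edit, then recovery."""
    store = BaselineStore({"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22})
    alerts: List[str] = []
    # Drift: root login enabled and an extra option added outside change control.
    live = {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "Port": 22, "X11Forwarding": "yes"}
    deviation = store.check(live, alerts)
    restored = store.rollback()
    clean = store.check(restored, alerts)   # no new alerts once back on baseline
    return {"deviation": deviation, "alerts": alerts, "clean": clean, "restored": restored}
```

Hashing per setting rather than per file is the design choice worth copying: a whole-file hash tells you only that something changed, while per-item fingerprints make the notification actionable and let the rollback be reviewed item by item.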

Cryptography, Encryption & Key Management - CEK

CEK-01 (CEK-01.1, CEK-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.

CEK-02 (CEK-02.1)
Define and implement cryptographic, encryption and key management roles and responsibilities.

CEK-03 (CEK-03.1)
Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

CEK-04 (CEK-04.1)
Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.

CEK-05 (CEK-05.1)
Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.

CEK-06 (CEK-06.1)
Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.

CEK-07 (CEK-07.1)
Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.

CEK-08 (CEK-08.1)
CSPs must provide the capability for CSCs to manage their own data encryption keys.

CEK-09 (CEK-09.1, CEK-09.2)
Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).

CEK-10 (CEK-10.1)
Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.

CEK-11 (CEK-11.1)
Manage cryptographic secret and private keys that are provisioned for a unique purpose.

CEK-12 (CEK-12.1)
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.

CEK-13 (CEK-13.1)
Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.

CEK-14 (CEK-14.1)
Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.

CEK-15 (CEK-15.1)
Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.

CEK-16 (CEK-16.1)
Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.

CEK-17 (CEK-17.1)
Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.

CEK-18 (CEK-18.1)
Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.

CEK-19 (CEK-19.1)
Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.

CEK-20 (CEK-20.1)
Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.

CEK-21 (CEK-21.1)
Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
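CEK-11 through CEK-21 read as a key lifecycle state machine: keys are created pre-activated (CEK-15), bound to one purpose (CEK-11), rotated at the end of a cryptoperiod (CEK-12), deactivated on expiry (CEK-17), moved to and from suspension only under review (CEK-16), restricted to decryption once compromised (CEK-19), archived under least privilege (CEK-18) or destroyed (CEK-14), with every status change tracked (CEK-21). The block below is an added illustration of that machine, written for this page; it is not CSA material and not part of the CAIQ. The state names and permitted transitions are this example's reading of the control wording, the cryptoperiod is a number of days, and a real implementation would delegate storage and the cryptographic operations themselves to an HSM or cloud KMS; only the policy decisions are modelled here.

```python
"""Key lifecycle enforcement for CEK-11 .. CEK-21 (added example, not CSA code).

Assumptions: state names/transitions are derived from the control text;
cryptoperiods are given in days; key material itself lives in an HSM/KMS.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"  # CEK-15: generated but not authorized for use
    ACTIVE = "active"
    SUSPENDED = "suspended"            # CEK-16: entering/leaving needs a reviewer
    DEACTIVATED = "deactivated"        # CEK-17: expired; decrypt-only
    COMPROMISED = "compromised"        # CEK-19: decrypt-only, never encrypt again
    ARCHIVED = "archived"              # CEK-18: retained for decryption of old data
    DESTROYED = "destroyed"            # CEK-14: no operation permitted


# Allowed transitions; any move not listed is rejected.
TRANSITIONS: Dict[KeyState, Set[KeyState]] = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.ARCHIVED, KeyState.DESTROYED, KeyState.COMPROMISED},
    KeyState.COMPROMISED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.ARCHIVED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

# Operations permitted per state: only ACTIVE keys may encrypt.
PERMITTED: Dict[KeyState, Set[str]] = {
    KeyState.ACTIVE: {"encrypt", "decrypt"},
    KeyState.DEACTIVATED: {"decrypt"},
    KeyState.COMPROMISED: {"decrypt"},
    KeyState.ARCHIVED: {"decrypt"},
}


@dataclass
class KeyRecord:
    key_id: str
    purpose: str                 # CEK-11: one purpose per key
    cryptoperiod: timedelta      # CEK-12
    state: KeyState = KeyState.PRE_ACTIVATION
    activated_at: Optional[datetime] = None
    history: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)


class KeyInventory:
    """CEK-21: every key and every status change is recorded here."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}

    def generate(self, key_id: str, purpose: str, cryptoperiod_days: int) -> KeyRecord:
        rec = KeyRecord(key_id, purpose, timedelta(days=cryptoperiod_days))
        rec.history.append((rec.state.value, "generated", None))
        self._keys[key_id] = rec
        return rec

    def transition(self, key_id: str, new_state: KeyState, reason: str,
                   now: datetime, approver: Optional[str] = None) -> KeyRecord:
        rec = self._keys[key_id]
        if new_state not in TRANSITIONS[rec.state]:
            raise ValueError(f"{key_id}: {rec.state.value} -> {new_state.value} not allowed")
        if KeyState.SUSPENDED in (rec.state, new_state) and approver is None:
            raise PermissionError(f"{key_id}: suspension transitions require a reviewer")
        if new_state is KeyState.ACTIVE and rec.activated_at is None:
            rec.activated_at = now
        rec.state = new_state
        rec.history.append((new_state.value, reason, approver))
        return rec

    def authorize(self, key_id: str, operation: str, purpose: str, now: datetime) -> bool:
        """Policy decision: may this key perform `operation` for `purpose` right now?"""
        rec = self._keys[key_id]
        if purpose != rec.purpose or operation not in PERMITTED.get(rec.state, set()):
            return False
        if (operation == "encrypt" and rec.activated_at is not None
                and now >= rec.activated_at + rec.cryptoperiod):
            return False  # cryptoperiod elapsed: rotate before encrypting again
        return True

    def rotate(self, old_id: str, new_id: str, now: datetime) -> KeyRecord:
        """CEK-12: activate a successor, deactivate the old key (it can still decrypt)."""
        old = self._keys[old_id]
        self.generate(new_id, old.purpose, old.cryptoperiod.days)
        self.transition(new_id, KeyState.ACTIVE, f"rotation of {old_id}", now)
        self.transition(old_id, KeyState.DEACTIVATED, f"replaced by {new_id}", now)
        return self._keys[new_id]

    def report(self) -> Dict[str, Tuple[str, str, int]]:
        """CEK-21 inventory view: state, purpose and number of recorded status changes."""
        return {k: (r.state.value, r.purpose, len(r.history)) for k, r in self._keys.items()}


def demo() -> Dict[str, bool]:
    """Walk one key through its life and return each authorization decision."""
    inv = KeyInventory()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inv.generate("k1", "db-at-rest", cryptoperiod_days=365)
    out = {"pre_activation_encrypt": inv.authorize("k1", "encrypt", "db-at-rest", t0)}
    inv.transition("k1", KeyState.ACTIVE, "approved for production", t0)
    out["active_encrypt"] = inv.authorize("k1", "encrypt", "db-at-rest", t0)
    out["wrong_purpose"] = inv.authorize("k1", "encrypt", "tls-signing", t0)
    later = t0 + timedelta(days=400)
    out["past_cryptoperiod_encrypt"] = inv.authorize("k1", "encrypt", "db-at-rest", later)
    inv.rotate("k1", "k2", later)
    out["rotated_old_decrypt"] = inv.authorize("k1", "decrypt", "db-at-rest", later)
    inv.transition("k2", KeyState.COMPROMISED, "HSM tamper alert", later)
    out["compromised_encrypt"] = inv.authorize("k2", "encrypt", "db-at-rest", later)
    out["compromised_decrypt"] = inv.authorize("k2", "decrypt", "db-at-rest", later)
    try:
        inv.transition("k1", KeyState.SUSPENDED, "hold", later)  # no path from deactivated
        out["illegal_transition_blocked"] = False
    except ValueError:
        out["illegal_transition_blocked"] = True
    return out
```

Two points are easy to get wrong in practice and are the reason the example exists: a rotated key is deactivated, not destroyed, because data encrypted under it must remain decryptable until re-encrypted; and a compromised key keeps decrypt capability for exactly that reason while losing encrypt capability immediately, which is the CEK-19 condition.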

Datacenter Security - DCS

DCS-01 (DCS-01.1, DCS-01.2, DCS-01.3)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.

DCS-02 (DCS-02.1, DCS-02.2, DCS-02.3)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.

DCS-03 (DCS-03.1, DCS-03.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.

DCS-04 (DCS-04.1, DCS-04.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.

DCS-05 (DCS-05.1)
Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk.

DCS-06 (DCS-06.1)
Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.

DCS-07 (DCS-07.1, DCS-07.2)
Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.

DCS-08 (DCS-08.1)
Use equipment identification as a method for connection authentication.

DCS-09 (DCS-09.1, DCS-09.2)
Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.

DCS-10 (DCS-10.1)
Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.

DCS-11 (DCS-11.1)
Train datacenter personnel to respond to unauthorized ingress or egress attempts.

DCS-12 (DCS-12.1)
Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.

DCS-13 (DCS-13.1)
Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.

DCS-14 (DCS-14.1)
Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.

DCS-15 (DCS-15.1)
Keep business-critical equipment away from locations subject to high probability for environmental risk events.

Data Security and Privacy Lifecycle Management - DSP

DSP-01 (DSP-01.1, DSP-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.

DSP-02 (DSP-02.1)
Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.

DSP-03 (DSP-03.1)
Create and maintain a data inventory, at least for any sensitive data and personal data.

DSP-04 (DSP-04.1)
Classify data according to its type and sensitivity level.

DSP-05 (DSP-05.1, DSP-05.2)
Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.

DSP-06 (DSP-06.1, DSP-06.2)
Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.

DSP-07 (DSP-07.1)
Develop systems, products, and business practices based upon a principle of security by design and industry best practices.

DSP-08 (DSP-08.1, DSP-08.2)
Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.

DSP-09 (DSP-09.1)
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.

DSP-10 (DSP-10.1)
Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

DSP-11 (DSP-11.1)
Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.

DSP-12 (DSP-12.1)
Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.

DSP-13 (DSP-13.1)
Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.

DSP-14 (DSP-14.1)
Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.

DSP-15 (DSP-15.1)
Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.

DSP-16 (DSP-16.1)
Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.

DSP-17 (DSP-17.1)
Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.

DSP-18 (DSP-18.1, DSP-18.2)
The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.

DSP-19 (DSP-19.1)
Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.

Governance, Risk and Compliance - GRC

GRC-01 (GRC-01.1, GRC-01.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.

GRC-02 (GRC-02.1)
Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.

GRC-03 (GRC-03.1)
Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.

GRC-04 (GRC-04.1)
Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.

GRC-05 (GRC-05.1)
Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.

GRC-06 (GRC-06.1)
Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.

GRC-07 (GRC-07.1)
Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization.

GRC-08 (GRC-08.1)
Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.

Human Resources - HRS

HRS-01 (HRS-01.1, HRS-01.2, HRS-01.3)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.

HRS-02 (HRS-02.1, HRS-02.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.

HRS-03 (HRS-03.1, HRS-03.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.

HRS-04 (HRS-04.1, HRS-04.2)
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.

HRS-05 (HRS-05.1)
Establish and document procedures for the return of organization-owned assets by terminated employees.

HRS-06 (HRS-06.1)
Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.

HRS-07 (HRS-07.1)
Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.

HRS-08 (HRS-08.1)
The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.

HRS-09 (HRS-09.1)
Document and communicate roles and responsibilities of employees, as they relate to information assets and security.

HRS-10 (HRS-10.1)
Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.

HRS-11 (HRS-11.1, HRS-11.2)
Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.

HRS-12 (HRS-12.1, HRS-12.2)
Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

HRS-13 (HRS-13.1)
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.

Identity & Access Management - IAM

IAM-01 (IAM-01.1, IAM-01.2)
Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.

IAM-02 (IAM-02.1, IAM-02.2)
Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM-03 (IAM-03.1)
Manage, store, and review the information of system identities, and level of access.

IAM-04 (IAM-04.1)
Employ the separation of duties principle when implementing information system access.

IAM-05 (IAM-05.1)
Employ the least privilege principle when implementing information system access.

IAM-06 (IAM-06.1)
Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.

IAM-07 (IAM-07.1)
De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM-08 (IAM-08.1)
Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.

IAM-09 (IAM-09.1)
Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.

IAM-10 (IAM-10.1, IAM-10.2)
Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.
Define, implement and evaluate processes and procedures for customers to
participate, where applicable, in the granting of access for agreed, high risk IAM-11.1
(as defined by the organizational risk assessment) privileged access roles.
Define, implement and evaluate processes, procedures and technical measures to
ensure the logging infrastructure is read-only for all with write access, IAM-12.1
including privileged access roles, and that the ability to disable it is
controlled through a procedure that ensures the segregation of duties and break
glass procedures.
IAM-12.2

Define, implement and evaluate processes, procedures and technical measures


that ensure users are identifiable through unique IDs or which can associate IAM-13.1
individuals to the usage of user IDs.
Define, implement and evaluate processes, procedures and technical measures for
authenticating access to systems, application and data assets, including
multifactor authentication for at least privileged user and sensitive data IAM-14.1
access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities.
IAM-14.2
Define, implement and evaluate processes, procedures and technical measures for
the secure management of passwords. IAM-15.1
Define, implement and evaluate processes, procedures and technical measures to
verify access to data and system functions is authorized. IAM-16.1

Interoperability & Portability - IPY

IPY-01.1, IPY-01.2, IPY-01.3, IPY-01.4, IPY-01.5: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
IPY-02.1: Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
IPY-03.1: Implement cryptographically secure and standardized network protocols for the management, import and export of data.
IPY-04.1: Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy

Infrastructure & Virtualization Security - IVS

IVS-01.1, IVS-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.
IVS-02.1: Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
IVS-03.1, IVS-03.2, IVS-03.3, IVS-03.4, IVS-03.5: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
IVS-04.1: Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
IVS-05.1: Separate production and non-production environments.
IVS-06.1: Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
IVS-07.1: Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
IVS-08.1: Identify and document high-risk environments.
IVS-09.1: Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.

Logging and Monitoring - LOG

LOG-01.1, LOG-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
LOG-02.1: Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
LOG-03.1, LOG-03.2: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
LOG-04.1: Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
LOG-05.1, LOG-05.2: Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
LOG-06.1: Use a reliable time source across all relevant information processing systems.
LOG-07.1, LOG-07.2: Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
LOG-08.1: Generate audit records containing relevant security information.
LOG-09.1: The information system protects audit records from unauthorized access, modification, and deletion.
LOG-10.1: Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
LOG-11.1: Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
LOG-12.1: Monitor and log physical access using an auditable access control system.
LOG-13.1, LOG-13.2: Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.

Security Incident Management, E-Discovery, & Cloud Forensics - SEF

SEF-01.1, SEF-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
SEF-02.1, SEF-02.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
SEF-03.1: Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.
SEF-04.1: Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
SEF-05.1: Establish and monitor information security incident metrics.
SEF-06.1: Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.
SEF-07.1, SEF-07.2: Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
SEF-08.1: Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.

Supply Chain Management, Transparency, and Accountability - STA

STA-01.1, STA-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
STA-02.1: Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
STA-03.1: Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
STA-04.1: Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
STA-05.1: Review and validate SSRM documentation for all cloud services offerings the organization uses.
STA-06.1: Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
STA-07.1: Develop and maintain an inventory of all supply chain relationships.
STA-08.1: CSPs periodically review risk factors associated with all organizations within their supply chain.
STA-09.1: Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
STA-10.1: Review supply chain agreements between CSPs and CSCs at least annually.
STA-11.1: Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
STA-12.1: Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
STA-13.1: Periodically review the organization's supply chain partners' IT governance policies and procedures.
STA-14.1: Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.

Threat & Vulnerability Management - TVM

TVM-01.1, TVM-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
TVM-02.1, TVM-02.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
TVM-03.1: Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
TVM-04.1: Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.
TVM-05.1: Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
TVM-06.1: Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
TVM-07.1: Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
TVM-08.1: Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
TVM-09.1: Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
TVM-10.1: Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.

Universal Endpoint Management - UEM

UEM-01.1, UEM-01.2: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
UEM-02.1: Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
UEM-03.1: Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
UEM-04.1: Maintain an inventory of all endpoints used to store and access company data.
UEM-05.1: Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
UEM-06.1: Configure all relevant interactive-use endpoints to require an automatic lock screen.
UEM-07.1: Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
UEM-08.1: Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
UEM-09.1: Configure managed endpoints with anti-malware detection and prevention technology and services.
UEM-10.1: Configure managed endpoints with properly configured software firewalls.
UEM-11.1: Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
UEM-12.1: Enable remote geo-location capabilities for all managed mobile endpoints.
UEM-13.1: Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
UEM-14.1: Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.

End of Standard
You may download, store, display on your computer, view, print, and link to
.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
ormational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
may not be redistributed; and (d) the trademark, copyright or other notices
trix v4.0.2 as permitted by the Fair Use provisions of the United States
urity Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
he copyright notice, please contact info@cloudsecurityalliance.org.
Consensus Assessments Question

Are audit and assurance policies, procedures, and standards established,
documented, approved, communicated, applied, evaluated, and maintained?
Are audit and assurance policies, procedures, and standards reviewed and
updated at least annually?
Are independent audit and assurance assessments conducted according to relevant
standards at least annually?
Are independent audit and assurance assessments performed according to
risk-based plans and policies?
Is compliance verified regarding all relevant standards, regulations,
legal/contractual, and statutory requirements applicable to the audit?
Is an audit management process defined and implemented to support audit
planning, risk analysis, security control assessments, conclusions, remediation
schedules, report generation, and reviews of past reports and supporting
evidence?

Is a risk-based corrective action plan to remediate audit findings established,
documented, approved, communicated, applied, evaluated, and maintained?
Is the remediation status of audit findings reviewed and reported to relevant
stakeholders?
Are application security policies and procedures established, documented,
approved, communicated, applied, evaluated, and maintained to guide appropriate
planning, delivery, and support of the organization's application security
capabilities?

Are application security policies and procedures reviewed and updated at least
annually?
Are baseline requirements to secure different applications established,
documented, and maintained?
Are technical and operational metrics defined and implemented according to
business objectives, security requirements, and compliance obligations?
Is an SDLC process defined and implemented for application design, development,
deployment, and operation per organizationally designed security requirements?
Does the testing strategy outline criteria to accept new information systems,
upgrades, and new versions while ensuring application security, compliance
adherence, and organizational speed of delivery goals?
Is testing automated when applicable and possible?
Are strategies and capabilities established and implemented to deploy
application code in a secure, standardized, and compliant manner?
Is the deployment and integration of application code automated where possible?
Are application security vulnerabilities remediated following defined
processes?
Is the remediation of application security vulnerabilities automated when
possible?

Are business continuity management and operational resilience policies and
procedures established, documented, approved, communicated, applied, evaluated,
and maintained?
Are the policies and procedures reviewed and updated at least annually?
Are criteria for developing business continuity and operational resiliency
strategies and capabilities established based on business disruption and risk
impacts?
Are strategies developed to reduce the impact of, withstand, and recover from
business disruptions in accordance with risk appetite?
Are operational resilience strategies and capability results incorporated to
establish, document, approve, communicate, apply, evaluate, and maintain a
business continuity plan?
Is relevant documentation developed, identified, and acquired to support
business continuity and operational resilience plans?
Is business continuity and operational resilience documentation available to
authorized stakeholders?
Is business continuity and operational resilience documentation reviewed
periodically?
Are the business continuity and operational resilience plans exercised and
tested at least annually and when significant changes occur?
Do business continuity and resilience procedures establish communication with
stakeholders and participants?
Is cloud data periodically backed up?
Is the confidentiality, integrity, and availability of backup data ensured?
Can backups be restored appropriately for resiliency?
Is a disaster response plan established, documented, approved, applied,
evaluated, and maintained to ensure recovery from natural and man-made
disasters?
Is the disaster response plan updated at least annually, and when significant
changes occur?
Is the disaster response plan exercised annually or when significant changes
occur?
Are local emergency authorities included, if possible, in the exercise?
Is business-critical equipment supplemented with redundant equipment
independently located at a reasonable minimum distance in accordance with
applicable industry standards?

Are risk management policies and procedures associated with changing
organizational assets including applications, systems, infrastructure,
configuration, etc., established, documented, approved, communicated, applied,
evaluated and maintained (regardless of whether asset management is internal or
external)?

Are the policies and procedures reviewed and updated at least annually?
Is a defined quality change control, approval and testing process (with
established baselines, testing, and release standards) followed?
Are risks associated with changing organizational assets (including
applications, systems, infrastructure, configuration, etc.) managed, regardless
of whether asset management occurs internally or externally (i.e., outsourced)?
Is the unauthorized addition, removal, update, and management of organization
assets restricted?
Are provisions to limit changes that directly impact CSC-owned environments and
require tenants to authorize requests explicitly included within the service
level agreements (SLAs) between CSPs and CSCs?
Are change management baselines established for all relevant authorized changes
on organizational assets?
Are detection measures implemented with proactive notification if changes
deviate from established baselines?
Is a procedure implemented to manage exceptions, including emergencies, in the
change and configuration process?
Is the procedure aligned with the requirements of the GRC-04: Policy Exception
Process?
Is a process to proactively roll back changes to a previously known "good
state" defined and implemented in case of errors or security concerns?

Are cryptography, encryption, and key management policies and procedures
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are cryptography, encryption, and key management policies and procedures
reviewed and updated at least annually?
Are cryptography, encryption, and key management roles and responsibilities
defined and implemented?
Are data at-rest and in-transit cryptographically protected using cryptographic
libraries certified to approved standards?
Are appropriate data protection encryption algorithms used that consider data
classification, associated risks, and encryption technology usability?
Are standard change management procedures established to review, approve,
implement and communicate cryptography, encryption, and key management
technology changes that accommodate internal and external sources?
Are changes to cryptography-, encryption- and key management-related systems,
policies, and procedures, managed and adopted in a manner that fully accounts
for downstream effects of proposed changes, including residual risk, cost, and
benefits analysis?

Is a cryptography, encryption, and key management risk program established and
maintained that includes risk assessment, risk treatment, risk context,
monitoring, and feedback provisions?
Are CSPs providing CSCs with the capacity to manage their own data encryption
keys?
Are encryption and key management systems, policies, and processes audited with
a frequency proportional to the system's risk exposure, and after any security
event?
Are encryption and key management systems, policies, and processes audited
(preferably continuously but at least annually)?
Are cryptographic keys generated using industry-accepted and approved
cryptographic libraries that specify algorithm strength and random number
generator specifications?
Are private keys provisioned for a unique purpose managed, and is cryptography
secret?
Are cryptographic keys rotated based on a cryptoperiod calculated while
considering information disclosure risks and legal and regulatory requirements?
Are cryptographic keys revoked and removed before the end of the established
cryptoperiod (when a key is compromised, or an entity is no longer part of the
organization) per defined, implemented, and evaluated processes, procedures,
and technical measures to include legal and regulatory requirement provisions?

Are processes, procedures and technical measures to destroy unneeded keys
defined, implemented and evaluated to address key destruction outside secure
environments, revocation of keys stored in hardware security modules (HSMs),
and include applicable legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to create keys in a
pre-activated state (i.e., when they have been generated but not authorized for
use) being defined, implemented, and evaluated to include legal and regulatory
requirement provisions?

Are processes, procedures, and technical measures to monitor, review and
approve key transitions (e.g., from any state to/from suspension) being
defined, implemented, and evaluated to include legal and regulatory requirement
provisions?
Are processes, procedures, and technical measures to deactivate keys (at the
time of their expiration date) being defined, implemented, and evaluated to
include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to manage archived keys in a
secure repository (requiring least privilege access) being defined,
implemented, and evaluated to include legal and regulatory requirement
provisions?
Are processes, procedures, and technical measures to encrypt information in
specific scenarios (e.g., only in controlled circumstances and thereafter only
for data decryption and never for encryption) being defined, implemented, and
evaluated to include legal and regulatory requirement provisions?

Are processes, procedures, and technical measures to assess operational
continuity risks (versus the risk of losing control of keying material and
exposing protected data) being defined, implemented, and evaluated to include
legal and regulatory requirement provisions?
Are key management system processes, procedures, and technical measures being
defined, implemented, and evaluated to track and report all cryptographic
materials and status changes that include legal and regulatory requirements
provisions?

Are policies and procedures for the secure disposal of equipment used outside
the organization's premises established, documented, approved, communicated,
enforced, and maintained?
Is a data destruction procedure applied that renders information recovery
impossible if equipment is not physically destroyed?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises reviewed and updated at least annually?
Are policies and procedures for the relocation or transfer of hardware,
software, or data/information to an offsite or alternate location established,
documented, approved, communicated, implemented, enforced, maintained?
Does a relocation or transfer request require written or cryptographically
verifiable authorization?
Are policies and procedures for the relocation or transfer of hardware,
software, or data/information to an offsite or alternate location reviewed and
updated at least annually?
Are policies and procedures for maintaining a safe and secure working
environment (in offices, rooms, and facilities) established, documented,
approved, communicated, enforced, and maintained?
Are policies and procedures for maintaining safe, secure working environments
(e.g., offices, rooms) reviewed and updated at least annually?
Are policies and procedures for the secure transportation of physical media
established, documented, approved, communicated, enforced, evaluated, and
maintained?
Are policies and procedures for the secure transportation of physical media
reviewed and updated at least annually?
Is the classification and documentation of physical and logical assets based on
the organizational business risk?
Are all relevant physical and logical assets at all CSP sites cataloged and
tracked within a secured system?
Are physical security perimeters implemented to safeguard personnel, data, and
information systems?
Are physical security perimeters established between administrative and
business areas, data storage, and processing facilities?
Is equipment identification used as a method for connection authentication?
Are solely authorized personnel able to access secure areas, with all ingress
and egress areas restricted, documented, and monitored by physical access
control mechanisms?
Are access control records retained periodically, as deemed appropriate by the
organization?
Are external perimeter datacenter surveillance systems and surveillance systems
at all ingress and egress points implemented, maintained, and operated?
Are datacenter personnel trained to respond to unauthorized access or egress
attempts?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure risk-based protection of power and telecommunication cables
from interception, interference, or damage threats at all facilities, offices,
and rooms?

Are data center environmental control systems designed to monitor, maintain,
and test that on-site temperature and humidity conditions fall within accepted
industry standards effectively implemented and maintained?
Are utility services secured, monitored, maintained, and tested at planned
intervals for continual effectiveness?
Is business-critical equipment segregated from locations subject to a high
probability of environmental risk events?

Are policies and procedures established, documented, approved, communicated,
enforced, evaluated, and maintained for the classification, protection, and
handling of data throughout its lifecycle according to all applicable laws and
regulations, standards, and risk level?

Are data security and privacy policies and procedures reviewed and updated at
least annually?
Are industry-accepted methods applied for secure data disposal from storage
media so information is not recoverable by any forensic means?
Is a data inventory created and maintained for sensitive and personal
information (at a minimum)?
Is data classified according to type and sensitivity levels?
Is data flow documentation created to identify what data is processed and where
it is stored and transmitted?
Is data flow documentation reviewed at defined intervals, at least annually,
and after any change?
Is the ownership and stewardship of all relevant personal and sensitive data
documented?
Is data ownership and stewardship documentation reviewed at least annually?
Are systems, products, and business practices based on security principles by
design and per industry best practices?
Are systems, products, and business practices based on privacy principles by
design and according to industry best practices?
Are systems' privacy settings configured by default and according to all
applicable laws and regulations?
Is a data protection impact assessment (DPIA) conducted when processing
personal data and evaluating the origin, nature, particularity, and severity of
risks according to any applicable laws, regulations and industry best
practices?

Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure any transfer of personal or sensitive data is protected
from unauthorized access and only processed within scope (as permitted by
respective laws and regulations)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to enable data subjects to request access to, modify, or delete
personal data (per applicable laws and regulations)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure personal data is processed (per applicable laws and
regulations and for the purposes declared to the data subject)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated for the transfer and sub-processing of personal data within the
service supply chain (according to any applicable laws and regulations)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to disclose details to the data owner of any personal or sensitive
data access by sub-processors before processing initiation?
Is authorization from data owners obtained, and the associated risk managed,
before replicating or using production data in non-production environments?
Do data retention, archiving, and deletion practices follow business
requirements, applicable laws, and regulations?
Are processes, procedures, and technical measures defined and implemented to
protect sensitive data throughout its lifecycle?
Does the CSP have in place, and describe to CSCs, the procedure to manage and
respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations?
Does the CSP give special attention to the notification procedure to interested
CSCs, unless otherwise prohibited, such as a prohibition under criminal law to
preserve confidentiality of a law enforcement investigation?
Are processes, procedures, and technical measures defined and implemented to
specify and document physical data locations, including locales where data is
processed or backed up?

Are information governance program policies and procedures sponsored by
organizational leadership established, documented, approved, communicated,
applied, evaluated, and maintained?
Are the policies and procedures reviewed and updated at least annually?
Is there an established formal, documented, and leadership-sponsored enterprise
risk management (ERM) program that includes policies and procedures for
identification, evaluation, ownership, treatment, and acceptance of cloud
security and privacy risks?

Are all relevant organizational policies and associated procedures reviewed at
least annually, or when a substantial organizational change occurs?
Is an approved exception process mandated by the governance program established
and followed whenever a deviation from an established policy occurs?
Has an information security program (including programs of all relevant CCM
domains) been developed and implemented?
Are roles and responsibilities for planning, implementing, operating,
assessing, and improving governance programs defined and documented?
Are all relevant standards, regulations, legal/contractual, and statutory
requirements applicable to your organization identified and documented?
Is contact established and maintained with cloud-related special interest
groups and other relevant entities?

Are background verification policies and procedures of all new employees
(including but not limited to remote employees, contractors, and third parties)
established, documented, approved, communicated, applied, evaluated, and
maintained?

Are background verification policies and procedures designed according to local
laws, regulations, ethics, and contractual constraints and proportional to the
data classification to be accessed, business requirements, and acceptable risk?
Are background verification policies and procedures reviewed and updated at
least annually?
Are policies and procedures for defining allowances and conditions for the
acceptable use of organizationally-owned or managed assets established,
documented, approved, communicated, applied, evaluated, and maintained?
Are the policies and procedures for defining allowances and conditions for the
acceptable use of organizationally-owned or managed assets reviewed and updated
at least annually?
Are policies and procedures requiring unattended workspaces to conceal
confidential data established, documented, approved, communicated, applied,
evaluated, and maintained?
Are policies and procedures requiring unattended workspaces to conceal
confidential data reviewed and updated at least annually?
Are policies and procedures to protect information accessed, processed, or
stored at remote sites and locations established, documented, approved,
communicated, applied, evaluated, and maintained?
Are policies and procedures to protect information accessed, processed, or
stored at remote sites and locations reviewed and updated at least annually?
Are return procedures of organizationally-owned assets by terminated employees
established and documented?
Are procedures outlining the roles and responsibilities concerning changes in
employment established, documented, and communicated to all personnel?
Are employees required to sign an employment agreement before gaining access to
organizational information systems, resources, and assets?
Are provisions and/or terms for adherence to established information governance
and security policies included within employment agreements?
Are employee roles and responsibilities relating to information assets and
security documented and communicated?
Are requirements for non-disclosure/confidentiality agreements reflecting
organizational data protection needs and operational details identified,
documented, and reviewed at planned intervals?
Is a security awareness training program for all employees of the organization
established, documented, approved, communicated, applied, evaluated and
maintained?
Are regular security awareness training updates provided?
Are all employees granted access to sensitive organizational and personal data
provided with appropriate security awareness training?
Are all employees granted access to sensitive organizational and personal data
provided with regular updates in procedures, processes, and policies relating
to their professional function?
Are employees notified of their roles and responsibilities to maintain
awareness and compliance with established policies, procedures, and applicable
legal, statutory, or regulatory compliance obligations?

Are identity and access management policies and procedures established,
documented, approved, communicated, implemented, applied, evaluated, and
maintained?
Are identity and access management policies and procedures reviewed and updated
at least annually?
Are strong password policies and procedures established, documented, approved,
communicated, implemented, applied, evaluated, and maintained?
Are strong password policies and procedures reviewed and updated at least
annually?
Are system identity information and levels of access managed, stored, and
reviewed?
Is the separation of duties principle employed when implementing information
system access?
Is the least privilege principle employed when implementing information system
access?
Is a user access provisioning process defined and implemented which authorizes,
records, and communicates data and assets access changes?
Is a process in place to de-provision or modify the access, in a timely manner,
of movers / leavers or system identity changes, to effectively adopt and
communicate identity and access management policies?
Are reviews and revalidation of user access for least privilege and separation
of duties completed with a frequency commensurate with organizational risk
tolerance?
Are processes, procedures, and technical measures for the segregation of
privileged access roles defined, implemented, and evaluated such that
administrative data access, encryption, key management capabilities, and
logging capabilities are distinct and separate?

Is an access process defined and implemented to ensure privileged access roles
and rights are granted for a limited period?
Are procedures implemented to prevent the culmination of segregated privileged
access?
Are processes and procedures for customers to participate, where applicable, in
granting access for agreed, high-risk (as defined by the organizational risk
assessment) privileged access roles defined, implemented, and evaluated?
Are processes, procedures, and technical measures to ensure the logging
infrastructure is "read-only" for all with write access (including privileged
access roles) defined, implemented, and evaluated?
Is the ability to disable the "read-only" configuration of logging
infrastructure controlled through a procedure that ensures the segregation of
duties and break glass procedures?
Are processes, procedures, and technical measures that ensure users are
identifiable through unique identification (or can associate individuals with
user identification usage) defined, implemented, and evaluated?
Are processes, procedures, and technical measures for authenticating access to
systems, applications, and data assets, including multifactor authentication for
least-privileged user and sensitive data access, defined, implemented, and
evaluated?

Are digital certificates or alternatives that achieve an equivalent security
level for system identities adopted?
Are processes, procedures, and technical measures for the secure management of
passwords defined, implemented, and evaluated?
Are processes, procedures, and technical measures to verify access to data and
system functions authorized, defined, implemented, and evaluated?

Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained for communications between application
services (e.g., APIs)?
Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained for information processing interoperability?
Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained for application development portability?
Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained for information/data exchange, usage,
portability, integrity, and persistence?
Are interoperability and portability policies and procedures reviewed and
updated at least annually?
Are CSCs able to programmatically retrieve their data via an application
interface(s) to enable interoperability and portability?
Are cryptographically secure and standardized network protocols implemented for
the management, import, and export of data?
Do agreements include provisions specifying CSC data access upon contract
termination, and have the following?
a. Data format
b. Duration data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy

Are infrastructure and virtualization security policies and procedures
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are infrastructure and virtualization security policies and procedures reviewed
and updated at least annually?
Is resource availability, quality, and capacity planned and monitored in a way
that delivers required system performance, as determined by the business?
Are communications between environments monitored?
Are communications between environments encrypted?
Are communications between environments restricted to only authenticated and
authorized connections, as justified by the business?
Are network configurations reviewed at least annually?
Are network configurations supported by the documented justification of all
allowed services, protocols, ports, and compensating controls?
Is every host and guest OS, hypervisor, or infrastructure control plane
hardened (according to their respective best practices) and supported by
technical controls as part of a security baseline?
Are production and non-production environments separated?
Are applications and infrastructures designed, developed, deployed, and
configured such that CSP and CSC (tenant) user access and intra-tenant access
is appropriately segmented, segregated, monitored, and restricted from other
tenants?

Are secure and encrypted communication channels including only up-to-date and
approved protocols used when migrating servers, services, applications, or data
to cloud environments?
Are high-risk environments identified and documented?
Are processes, procedures, and defense-in-depth techniques defined,
implemented, and evaluated for protection, detection, and timely response to
network-based attacks?

Are logging and monitoring policies and procedures established, documented,
approved, communicated, applied, evaluated, and maintained?
Are policies and procedures reviewed and updated at least annually?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure audit log security and retention?
Are security-related events identified and monitored within applications and
the underlying infrastructure?
Is a system defined and implemented to generate alerts to responsible
stakeholders based on security events and their corresponding metrics?
Is access to audit logs restricted to authorized personnel, and are records
maintained to provide unique access accountability?
Are security audit logs monitored to detect activity outside of typical or
expected patterns?
Is a process established and followed to review and take appropriate and timely
actions on detected anomalies?
Is a reliable time source being used across all relevant information processing
systems?
Are logging requirements for information meta/data system events established,
documented, and implemented?
Is the scope reviewed and updated at least annually, or whenever there is a
change in the threat environment?
Are audit records generated, and do they contain relevant security information?
Does the information system protect audit records from unauthorized access,
modification, and deletion?
Are monitoring and internal reporting capabilities established to report on
cryptographic operations, encryption, and key management policies, processes,
procedures, and controls?
Are key lifecycle management events logged and monitored to enable auditing and
reporting on cryptographic keys' usage?
Is physical access logged and monitored using an auditable access control
system?
Are processes and technical measures for reporting monitoring system anomalies
and failures defined, implemented, and evaluated?
Are accountable parties immediately notified about anomalies and failures?

Are policies and procedures for security incident management, e-discovery, and
cloud forensics established, documented, approved, communicated, applied,
evaluated, and maintained?
Are policies and procedures reviewed and updated annually?
Are policies and procedures for timely management of security incidents
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are policies and procedures for timely management of security incidents
reviewed and updated at least annually?
Is a security incident response plan that includes relevant internal
departments, impacted CSCs, and other business-critical relationships (such as
supply-chain) established, documented, approved, communicated, applied,
evaluated, and maintained?
Is the security incident response plan tested and updated for effectiveness, as
necessary, at planned intervals or upon significant organizational or
environmental changes?
Are information security incident metrics established and monitored?
Are processes, procedures, and technical measures supporting business processes
to triage security-related events defined, implemented, and evaluated?
Are processes, procedures, and technical measures for security breach
notifications defined and implemented?
Are security breaches and assumed security breaches reported (including any
relevant supply chain breaches) as per applicable SLAs, laws, and regulations?
Are points of contact maintained for applicable regulation authorities,
national and local law enforcement, and other legal jurisdictional authorities?

Are policies and procedures implementing the shared security responsibility
model (SSRM) within the organization established, documented, approved,
communicated, applied, evaluated, and maintained?
Are the policies and procedures that apply the SSRM reviewed and updated
annually?
Is the SSRM applied, documented, implemented, and managed throughout the supply
chain for the cloud service offering?
Is the CSC given SSRM guidance detailing information about SSRM applicability
throughout the supply chain?
Is the shared ownership and applicability of all CSA CCM controls delineated
according to the SSRM for the cloud service offering?
Is SSRM documentation for all cloud services the organization uses reviewed and
validated?
Are the portions of the SSRM the organization is responsible for implemented,
operated, audited, or assessed?
Is an inventory of all supply chain relationships developed and maintained?
Are risk factors associated with all organizations within the supply chain
periodically reviewed by CSPs?
Do service agreements between CSPs and CSCs (tenants) incorporate at least the
following mutually agreed upon provisions and/or terms?
• Scope, characteristics, and location of business relationship and services
offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third-party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy

Are supply chain agreements between CSPs and CSCs reviewed at least annually?
Is there a process for conducting internal assessments at least annually to
confirm the conformance and effectiveness of standards, policies, procedures,
and SLA activities?
Are policies that require all supply chain CSPs to comply with information
security, confidentiality, access control, privacy, audit, personnel policy,
and service level requirements and standards implemented?
Are supply chain partner IT governance policies and procedures reviewed
periodically?
Is a process to conduct periodic security assessments for all supply chain
organizations defined and implemented?

Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained to identify, report, and prioritize the
remediation of vulnerabilities to protect systems against vulnerability
exploitation?

Are threat and vulnerability management policies and procedures reviewed and
updated at least annually?
Are policies and procedures to protect against malware on managed assets
established, documented, approved, communicated, applied, evaluated, and
maintained?
Are asset management and malware protection policies and procedures reviewed
and updated at least annually?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to enable scheduled and emergency responses to vulnerability
identifications (based on the identified risk)?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to update detection tools, threat signatures, and compromise
indicators on a weekly (or more frequent) basis?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to identify updates for applications that use third-party or
open-source libraries (according to the organization's vulnerability management
policy)?

Are processes, procedures, and technical measures defined, implemented, and
evaluated for periodic, independent, third-party penetration testing?
Are processes, procedures, and technical measures defined, implemented, and
evaluated for vulnerability detection on organizationally managed assets at
least monthly?
Is vulnerability remediation prioritized using a risk-based model from an
industry-recognized framework?
Is a process defined and implemented to track and report vulnerability
identification and remediation activities that include stakeholder
notification?
Are metrics for vulnerability identification and remediation established,
monitored, and reported at defined intervals?

Are policies and procedures established, documented, approved, communicated,
applied, evaluated, and maintained for all endpoints?
Are universal endpoint management policies and procedures reviewed and updated
at least annually?
Is there a defined, documented, applicable and evaluated list containing
approved services, applications, and the sources of applications (stores)
acceptable for use by endpoints when accessing or storing organization-managed
data?

Is a process defined and implemented to validate endpoint device compatibility
with operating systems and applications?
Is an inventory of all endpoints used and maintained to store and access
company data?
Are processes, procedures, and technical measures defined, implemented and
evaluated, to enforce policies and controls for all endpoints permitted to
access systems and/or store, transmit, or process organizational data?
Are all relevant interactive-use endpoints configured to require an automatic
lock screen?
Are changes to endpoint operating systems, patch levels, and/or applications
managed through the organizational change management process?
Is information protected from unauthorized disclosure on managed endpoints with
storage encryption?
Are anti-malware detection and prevention technology services configured on
managed endpoints?
Are software firewalls configured on managed endpoints?
Are managed endpoints configured with data loss prevention (DLP) technologies
and rules per a risk assessment?
Are remote geolocation capabilities enabled for all managed mobile endpoints?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to enable remote company data deletion on managed endpoint devices?
Are processes, procedures, and technical and/or contractual measures defined,
implemented, and evaluated to maintain proper security of third-party endpoints
with access to organizational assets?
Change Log

Version     Date        Component  Description of Change

CCM v4.0.2  2021/07/13  Mapping    The mappings of CCM v4.0 to AICPA TSC 2017 and CIS v8.0 are included in the standard.

CCM v4.0.1  2021/06/07  CAIQ       The Consensus Assessment Initiative Questionnaire version 4 (CAIQ v4.0) is released.

CCM v4.0.1  2021/06/07  Mapping    The CCMv4.0 to CCMv3.0.1 mapping is updated. Changes that are applied:
                                   MOS-19 (CCMv3.0.1) is mapped to UEM-07 (CCMv4.0).
                                   MOS-05 (CCMv3.0.1) is mapped to UEM-01 (CCMv4.0).
                                   IVS-11 (CCMv3.0.1) is mapped to IAM-05 (CCMv4.0).
                                   IAM-08 (CCMv3.0.1) is mapped to IAM-03 (CCMv4.0).
                                   STA-01 (CCMv3.0.1) is mapped to STA-12 (CCMv4.0).

CCM v4.0.0  2021/01/21  Control    The Cloud Control Matrix version 4 (CCM v4.0) is released (including the controls applicability matrix).

CCM v4.0.0  2021/01/21  Mapping    The mappings of CCM v4.0 to CCM v3.0.1 and ISO/IEC 27001/02/17/18 are included in the first release of the standard.

End of Change Log


© Copyright 2019-2021 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to
the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.2” at http://www.cloudsecurityalliance.org subject to the following: (a) the
Cloud Controls Matrix v4.0.2 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.2 may not
be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.2 may not be redistributed; and (d) the trademark, copyright or other notices
may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.2 as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.2. If you are interested
in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.


CCM v4.0.0 Controls Applicability Matrix

Authors
Martin Acherman
Christian Banse
Rolf Becker
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Daniele Catteddu
Sean Cordero
Peter Dickman
Sean Estrada
Tom Follo
Shawn Harris
Matthew Hoerig
Erik Johnson
Harry Lu
Surinder S. Rait
Michael Roza
Agnidipta Sarkar
Chris Shull
Lefteris Skoutaris
Tony Snook

Contributors
Ricky Arora
Renu Bedi
Jon-Michael Brook
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Joel John
Erik Johnson
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Chirag Sheth
Ashish Vashishtha
Dimitri Vekris

Contributors
Kai Axford
Darin Blank
Kevin Burgin
Martin Capuder
Vishal Chaudhary
Aradhna Chetal
Jeff Cook
Angela Dogan
Doug Egan
Andreas von Grebmer
Mohin Gulzar
Frank Jaramillo
Gaurav Khanna
Keri Kusznir
Jens Laundrup
Robin Lyons
Loredana Mancini
Julien Mauvieux
Bill Marriott
Claus Matzke
Matthew Meersman
David Nance
Christine Peters
Lisa Peterson
Paul Rich
Max Simakov
Tima Soni
Luke Synnestvedt
Eric Tierling
Raj Tuliani

Editorial Team
Darin Blank (Team Lead)
Bobbie-Lynn Burton
Martin Capuder
Lisa Peterson
Luke Synnestvedt

CCM Leadership
Daniele Catteddu (CSA)
Sean Cordero
Sean Estrada
Shawn Harris
Harry Lu
Lefteris Skoutaris (CSA)

CCM v4.0 - CIS v8.0 Mapping

Contributors
Renu Bedi
Geoff Bird
Ramon Codina
Angell Duran
David Friedenberg
Yogesh Gupta
Frank Jaramillo
Joel John
Bala Kaundinya
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Thomas Sager
Keith Stocks
Ashish Vashishtha
Dimitri Vekris

CCM v4.0 - AICPA TSC 2017 Mapping

Contributors
Renu Bedi
Madhav Chablani
Angela Dogan
Angell Duran
Odutola Ekundayo
Roberto Hernandez
Frank Jaramillo
Joel John
Audrey Katcher
Bala Kaundinya
Giovanni Massard
Vani Murthy
Johan Olivier
Michael Roza
Agnidipta Sarkar
Chirag Sheth
Ashish Vashishtha
Dimitri Vekris
Surya Vinjamuri

CCM v4.0.1 - ISO27001/02/17/18 Mapping

Contributors
Sandra Ackland
Renu Bedi
Anders Brännfors
Ramon Codina
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Roberto Hernandez
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Vani Murthy
Johan Olivier
Surinder Singh Rait
Michael Roza
Agnidipta Sarkar
Chirag Sheth
Chris Shull
Ashish Vashishtha
Dimitri Vekris
Surya Vinjamuri

CCM v4.0.1 - CCM v3.0.1 Mapping

Contributors
Sandra Ackland
Renu Bedi
Glenn Bluff
Anders Brännfors
Madhav Chablani
Aislin Cole
Brian Dorsey
Angell Duran
Rajeev Gupta
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Surinder Singh Rait
Ashish Vashishtha
Dimitri Vekris

CAIQ v4.0.1

Contributors
Tony Snook (Team Lead)
Renu Bedi
Geoff Bird
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Hannah Day
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Frank Jaramillo
Erik Johnson
Bala Kaundinya
Johan Olivier
Michael Roza
Lefteris Skoutaris
Luis Urena
Ashish Vashishtha
Casey Wood

End of acknowledgments