Methodology for the Mapping of the Cloud Controls Matrix
Blog Article Published: 07/09/2018
By Victor Chin, Research Analyst, Cloud Security Alliance
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. To reduce compliance fatigue in the cloud services industry, the CCM program also includes controls mappings to other key industry frameworks such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, National Institute of Standards and Technology (NIST) 800-53, and American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).
Historically, these mappings come from two main sources: third-party organizations and CCM Working Group volunteers. Over time, processes to incorporate these mappings have evolved organically but were not formally documented.
The Methodology for the Mapping of the Cloud Controls Matrix document aims to formally document and enhance these processes. These processes include a controls mapping methodology, the identification of gaps between two frameworks, the creation of a mapping work package, naming references, and project management guidelines.
By documenting these processes, we aim to fulfill four primary functions:
- Provide clarity and transparency regarding the CSA CCM Working Group’s mapping approach, guidelines and naming conventions;
- Encourage process review and improvement suggestions by the CSA community;
- Yield a valuable reference for organizations—especially those seeking to benefit from and contribute to interoperable efforts by mapping their frameworks to the CCM; and
- Improve assessors' understanding and interpretation of the criteria used in all mapping processes through criteria mapping exercises.
Moving forward, we hope that this document will be a valuable reference to all key stakeholders in the CCM ecosystem, as well as contribute to the maturity of the CCM program.
The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This document would not have been possible without the expertise, focus, and collaboration of the following working group members:
- Sean Cordero
- Ai-Ping Foo
- Kimberley Laris
- Ahmed Maaloul
- Michael Roza
- Eric Tierling
Download the Methodology for the Mapping of the Cloud Controls Matrix.