Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1
Cloud Security Alliance Cloud Controls Matrix - cybersecurity control framework for cloud computing
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (17)
A&A - Audit & Assurance
| Code | Title |
|---|---|
| CCM-A&A-01 | Audit and Assurance Policy and Procedures |
| CCM-A&A-02 | Independent Assessments |
| CCM-A&A-03 | Risk Based Planning Assessment |
| CCM-A&A-04 | Requirements Compliance |
| CCM-A&A-05 | Audit Management Process |
| CCM-A&A-06 | Remediation |
AIS - Application & Interface Security
| Code | Title |
|---|---|
| CCM-AIS-01 | Application and Interface Security Policy and Procedures |
| CCM-AIS-02 | Application Security Baseline Requirements |
| CCM-AIS-03 | Application Security Metrics |
| CCM-AIS-04 | Secure Application Design and Development |
| CCM-AIS-05 | Automated Application Security Testing |
| CCM-AIS-06 | Automated Secure Application Deployment |
| CCM-AIS-07 | Application Vulnerability Remediation |
BCR - Business Continuity Management & Operational Resilience
| Code | Title |
|---|---|
| CCM-BCR-01 | Business Continuity Management Policy and Procedures |
| CCM-BCR-02 | Risk Assessment and Impact Analysis |
| CCM-BCR-03 | Business Continuity Strategy |
| CCM-BCR-04 | Business Continuity Planning |
| CCM-BCR-05 | Documentation |
| CCM-BCR-06 | Business Continuity Exercises |
| CCM-BCR-07 | Communication |
| CCM-BCR-08 | Backup |
| CCM-BCR-09 | Disaster Response Plan |
| CCM-BCR-10 | Response Plan Exercise |
| CCM-BCR-11 | Equipment Redundancy |
CCC - Change Control & Configuration Management
| Code | Title |
|---|---|
| CCM-CCC-01 | Change Management Policy and Procedures |
| CCM-CCC-02 | Quality Testing |
| CCM-CCC-03 | Change Management Technology |
| CCM-CCC-04 | Unauthorized Change Protection |
| CCM-CCC-05 | Change Agreements |
| CCM-CCC-06 | Change Management Baseline |
| CCM-CCC-07 | Detection of Baseline Deviation |
| CCM-CCC-08 | Exception Management |
| CCM-CCC-09 | Change Restoration |
CEK - Cryptography, Encryption & Key Management
| Code | Title |
|---|---|
| CCM-CEK-01 | Encryption and Key Management Policy and Procedures |
| CCM-CEK-02 | CEK Roles and Responsibilities |
| CCM-CEK-03 | Data Encryption |
| CCM-CEK-04 | Encryption Algorithm |
| CCM-CEK-05 | Encryption Change Management |
| CCM-CEK-06 | Encryption Change Cost Benefit Analysis |
| CCM-CEK-07 | Encryption Risk Management |
| CCM-CEK-08 | CSC Key Management Capability |
| CCM-CEK-09 | Encryption and Key Management Audit |
| CCM-CEK-10 | Key Generation |
| CCM-CEK-11 | Key Purpose |
| CCM-CEK-12 | Key Rotation |
| CCM-CEK-13 | Key Revocation |
| CCM-CEK-14 | Key Destruction |
| CCM-CEK-15 | Key Activation |
| CCM-CEK-16 | Key Suspension |
| CCM-CEK-17 | Key Deactivation |
| CCM-CEK-18 | Key Archival |
| CCM-CEK-19 | Key Compromise |
| CCM-CEK-20 | Key Recovery |
| CCM-CEK-21 | Key Inventory Management |
DCS - Datacenter Security
| Code | Title |
|---|---|
| CCM-DCS-01 | Off-Site Equipment Disposal Policy and Procedures |
| CCM-DCS-02 | Off-Site Transfer Authorization Policy and Procedures |
| CCM-DCS-03 | Secure Area Policy and Procedures |
| CCM-DCS-04 | Secure Media Transportation Policy and Procedures |
| CCM-DCS-05 | Assets Classification |
| CCM-DCS-06 | Assets Cataloguing and Tracking |
| CCM-DCS-07 | Controlled Access Points |
| CCM-DCS-08 | Equipment Identification |
| CCM-DCS-09 | Secure Area Authorization |
| CCM-DCS-10 | Surveillance System |
| CCM-DCS-11 | Unauthorized Access Response Training |
| CCM-DCS-12 | Cabling Security |
| CCM-DCS-13 | Environmental Systems |
| CCM-DCS-14 | Secure Utilities |
| CCM-DCS-15 | Equipment Location |
DSP - Data Security & Privacy Lifecycle Management
| Code | Title |
|---|---|
| CCM-DSP-01 | Security and Privacy Policy and Procedures |
| CCM-DSP-02 | Secure Disposal |
| CCM-DSP-03 | Data Inventory |
| CCM-DSP-04 | Data Classification |
| CCM-DSP-05 | Data Flow Documentation |
| CCM-DSP-06 | Data Ownership and Stewardship |
| CCM-DSP-07 | Data Protection by Design and Default |
| CCM-DSP-08 | Data Privacy by Design and Default |
| CCM-DSP-09 | Data Protection Impact Assessment |
| CCM-DSP-10 | Sensitive Data Transfer |
| CCM-DSP-11 | Personal Data Access, Reversal, Rectification and Deletion |
| CCM-DSP-12 | Limitation of Purpose in Personal Data Processing |
| CCM-DSP-13 | Personal Data Sub-processing |
| CCM-DSP-14 | Disclosure of Data Sub-processors |
| CCM-DSP-15 | Limitation of Production Data Use |
| CCM-DSP-16 | Data Retention and Deletion |
| CCM-DSP-17 | Sensitive Data Protection |
| CCM-DSP-18 | Disclosure Notification |
| CCM-DSP-19 | Data Location |
GRC - Governance, Risk & Compliance
| Code | Title |
|---|---|
| CCM-GRC-01 | Governance Program Policy and Procedures |
| CCM-GRC-02 | Risk Management Program |
| CCM-GRC-03 | Organizational Policy Reviews |
| CCM-GRC-04 | Policy Exception Process |
| CCM-GRC-05 | Information Security Program |
| CCM-GRC-06 | Governance Responsibility Model |
| CCM-GRC-07 | Information System Regulatory Mapping |
| CCM-GRC-08 | Special Interest Groups |
HRS - Human Resources Security
| Code | Title |
|---|---|
| CCM-HRS-01 | Background Screening Policy and Procedures |
| CCM-HRS-02 | Acceptable Use of Technology Policy and Procedures |
| CCM-HRS-03 | Clean Desk Policy and Procedures |
| CCM-HRS-04 | Remote and Home Working Policy and Procedures |
| CCM-HRS-05 | Asset returns |
| CCM-HRS-06 | Employment Termination |
| CCM-HRS-07 | Employment Agreement Process |
| CCM-HRS-08 | Employment Agreement Content |
| CCM-HRS-09 | Personnel Roles and Responsibilities |
| CCM-HRS-10 | Non-Disclosure Agreements |
| CCM-HRS-11 | Security Awareness Training |
| CCM-HRS-12 | Personal and Sensitive Data Awareness and Training |
| CCM-HRS-13 | Compliance User Responsibility |
IAM - Identity & Access Management
| Code | Title |
|---|---|
| CCM-IAM-01 | Identity and Access Management Policy and Procedures |
| CCM-IAM-02 | Strong Password Policy and Procedures |
| CCM-IAM-03 | Identity Inventory |
| CCM-IAM-04 | Separation of Duties |
| CCM-IAM-05 | Least Privilege |
| CCM-IAM-06 | User Access Provisioning |
| CCM-IAM-07 | User Access Changes and Revocation |
| CCM-IAM-08 | User Access Review |
| CCM-IAM-09 | Segregation of Privileged Access Roles |
| CCM-IAM-10 | Management of Privileged Access Roles |
| CCM-IAM-11 | CSCs Approval for Agreed Privileged Access Roles |
| CCM-IAM-12 | Safeguard Logs Integrity |
| CCM-IAM-13 | Uniquely Identifiable Users |
| CCM-IAM-14 | Strong Authentication |
| CCM-IAM-15 | Passwords Management |
| CCM-IAM-16 | Authorization Mechanisms |
IPY - Interoperability & Portability
| Code | Title |
|---|---|
| CCM-IPY-01 | Interoperability and Portability Policy and Procedures |
| CCM-IPY-02 | Application Interface Availability |
| CCM-IPY-03 | Secure Interoperability and Portability Management |
| CCM-IPY-04 | Data Portability Contractual Obligations |
IVS - Infrastructure & Virtualization Security
| Code | Title |
|---|---|
| CCM-IVS-01 | Infrastructure and Virtualization Security Policy and Procedures |
| CCM-IVS-02 | Capacity and Resource Planning |
| CCM-IVS-03 | Network Security |
| CCM-IVS-04 | OS Hardening and Base Controls |
| CCM-IVS-05 | Production and Non-Production Environments |
| CCM-IVS-06 | Segmentation and Segregation |
| CCM-IVS-07 | Migration to Cloud Environments |
| CCM-IVS-08 | Network Architecture Documentation |
| CCM-IVS-09 | Network Defense |
LOG - Logging & Monitoring
| Code | Title |
|---|---|
| CCM-LOG-01 | Logging and Monitoring Policy and Procedures |
| CCM-LOG-02 | Audit Logs Protection |
| CCM-LOG-03 | Security Monitoring and Alerting |
| CCM-LOG-04 | Audit Logs Access and Accountability |
| CCM-LOG-05 | Audit Logs Monitoring and Response |
| CCM-LOG-06 | Clock Synchronization |
| CCM-LOG-07 | Logging Scope |
| CCM-LOG-08 | Log Records |
| CCM-LOG-09 | Log Protection |
| CCM-LOG-10 | Encryption Monitoring and Reporting |
| CCM-LOG-11 | Transaction/Activity Logging |
| CCM-LOG-12 | Access Control Logs |
| CCM-LOG-13 | Failures and Anomalies Reporting |
SEF - Security Incident Management, E-Discovery & Cloud Forensics
| Code | Title |
|---|---|
| CCM-SEF-01 | Security Incident Management Policy and Procedures |
| CCM-SEF-02 | Service Management Policy and Procedures |
| CCM-SEF-03 | Incident Response Plans |
| CCM-SEF-04 | Incident Response Testing |
| CCM-SEF-05 | Incident Response Metrics |
| CCM-SEF-06 | Event Triage Processes |
| CCM-SEF-07 | Security Breach Notification |
| CCM-SEF-08 | Points of Contact Maintenance |
STA - Supply Chain Management, Transparency & Accountability
| Code | Title |
|---|---|
| CCM-STA-01 | SSRM Policy and Procedures |
| CCM-STA-02 | SSRM Supply Chain |
| CCM-STA-03 | SSRM Guidance |
| CCM-STA-04 | SSRM Control Ownership |
| CCM-STA-05 | SSRM Documentation Review |
| CCM-STA-06 | SSRM Control Implementation |
| CCM-STA-07 | Supply Chain Inventory |
| CCM-STA-08 | Supply Chain Risk Management |
| CCM-STA-09 | Primary Service and Contractual Agreement |
| CCM-STA-10 | Supply Chain Agreement Review |
| CCM-STA-11 | Internal Compliance Testing |
| CCM-STA-12 | Supply Chain Service Agreement Compliance |
| CCM-STA-13 | Supply Chain Governance Review |
| CCM-STA-14 | Supply Chain Data Security Assessment |
TVM - Threat & Vulnerability Management
| Code | Title |
|---|---|
| CCM-TVM-01 | Threat and Vulnerability Management Policy and Procedures |
| CCM-TVM-02 | Malware Protection Policy and Procedures |
| CCM-TVM-03 | Vulnerability Remediation Schedule |
| CCM-TVM-04 | Detection Updates |
| CCM-TVM-05 | External Library Vulnerabilities |
| CCM-TVM-06 | Penetration Testing |
| CCM-TVM-07 | Vulnerability Identification |
| CCM-TVM-08 | Vulnerability Prioritization |
| CCM-TVM-09 | Vulnerability Management Reporting |
| CCM-TVM-10 | Vulnerability Management Metrics |
UEM - Universal Endpoint Management
| Code | Title |
|---|---|
| CCM-UEM-01 | Endpoint Devices Policy and Procedures |
| CCM-UEM-02 | Application and Service Approval |
| CCM-UEM-03 | Compatibility |
| CCM-UEM-04 | Endpoint Inventory |
| CCM-UEM-05 | Endpoint Management |
| CCM-UEM-06 | Automatic Lock Screen |
| CCM-UEM-07 | Operating Systems |
| CCM-UEM-08 | Storage Encryption |
| CCM-UEM-09 | Anti-Malware Detection and Prevention |
| CCM-UEM-10 | Software Firewall |
| CCM-UEM-11 | Data Loss Prevention |
| CCM-UEM-12 | Remote Locate |
| CCM-UEM-13 | Remote Wipe |
| CCM-UEM-14 | Third-Party Endpoint Security Posture |
Your Compliance Coverage
If you comply with Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1, you already cover part of the 19 other frameworks it maps to.
Frequently Asked Questions
What is Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1?
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 is an international compliance framework with 17 domains and 197 controls. It is a cybersecurity control framework for cloud computing, used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 have?
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 has 197 controls organised across 17 domains. The largest domains are CEK - Cryptography, Encryption & Key Management (21 controls), DSP - Data Security & Privacy Lifecycle Management (19 controls), and IAM - Identity & Access Management (16 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 map to?
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 maps to 19 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (17% coverage), CNCF Security Technical Advisory Group (TAG) (11% coverage), and ISO 27018:2019 (6% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 compliance?
Start your Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 197 controls and track your progress.