CSA Cloud Controls Matrix v4

International

17 domains

197 controls

Cloud Security Alliance Cloud Controls Matrix v4. 197 controls across 17 cloud security domains.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (17)

Application & Interface Security

7 controls

Controls in the Application & Interface Security domain of CSA Cloud Controls Matrix v4 — 7 controls
Code	Title	Description
AIS-01	Application and Interface Security Policy and Procedures	Establish policies and procedures for application security including secure development lifecycle.
AIS-02	Application Security Baseline Requirements	Establish baseline security requirements applicable to applications.
AIS-03	Application Security Metrics	Define and implement technical and operational metrics for application security.
AIS-04	Secure Application Design and Development	Define and implement processes for secure application design and development.
AIS-05	Automated Application Security Testing	Implement automated SAST tools during application development.
AIS-06	Automated Secure Application Deployment	Establish and implement strategies for secure, standardized and compliant application deployment.
AIS-07	Application Vulnerability Remediation	Define and implement a process for remediation of identified application vulnerabilities.

Audit & Assurance

6 controls

Controls in the Audit & Assurance domain of CSA Cloud Controls Matrix v4 — 6 controls
Code	Title	Description
AAS-01	Audit and Assurance Policy and Procedures	Establish, document and review audit and assurance policies and procedures at least annually.
AAS-02	Independent Assessments	Conduct independent audits at planned intervals against defined standards.
AAS-03	Risk Based Planning Assessment	Plan audit activities based on a risk based methodology.
AAS-04	Requirements Compliance	Verify compliance with statutory, regulatory and contractual requirements.
AAS-05	Audit Management Process	Define and implement audit management process to support planning, executing and reporting.
AAS-06	Remediation	Establish and document a risk based remediation process for audit findings.

Business Continuity

11 controls

Controls in the Business Continuity domain of CSA Cloud Controls Matrix v4 — 11 controls
Code	Title	Description
BCR-01	Business Continuity Management Policy	Establish business continuity policies and procedures aligned to recovery objectives.
BCR-02	Risk Assessment and Impact Analysis	Determine impact of business disruptions and risks to recovery objectives.
BCR-03	Business Continuity Strategy	Establish strategies to reduce impact, withstand and recover from disruptions.
BCR-04	Business Continuity Planning	Establish documented BC plans based on the strategy.
BCR-05	Documentation	Maintain BC documentation accessible to authorized personnel.
BCR-06	Business Continuity Exercises	Exercise and test BC plans at least annually.
BCR-07	Communication	Establish communication with stakeholders during disruptions.
BCR-08	Backup	Define backup methods including frequency, retention and restoration testing.
BCR-09	Disaster Response Testing	Test continuity and disaster recovery plans at planned intervals or upon significant changes.
BCR-10	Response Plan Exercise	Exercise the disaster response plan annually or upon significant change.
BCR-11	Equipment Redundancy	Implement equipment redundancy in critical systems.

Change Control & Configuration Management

9 controls

Controls in the Change Control & Configuration Management domain of CSA Cloud Controls Matrix v4 — 9 controls
Code	Title	Description
CCC-01	Change Management Policy	Document a change management policy and enforce it across infrastructure and applications.
CCC-02	Quality Testing	Follow defined quality assurance testing before deployment.
CCC-03	Change Management Technology	Manage risks associated with applying changes to organization assets via technology controls.
CCC-04	Unauthorized Change Protection	Restrict unauthorized additions, removals, updates and management of resources.
CCC-05	Change Agreements	Establish change agreements with stakeholders for impactful changes.
CCC-06	Change Management Baseline	Establish a baseline configuration of systems.
CCC-07	Detection of Baseline Deviation	Establish detection measures for baseline deviation.
CCC-08	Exception Management	Process exceptions to baseline with approval and review.
CCC-09	Change Restoration	Define and implement restoration process when changes fail.

Cryptography Encryption & Key Management

21 controls

Controls in the Cryptography Encryption & Key Management domain of CSA Cloud Controls Matrix v4 — 21 controls
Code	Title	Description
CEK-01	Encryption and Key Management Policy	Define encryption requirements and key management lifecycle controls.
CEK-02	CEK Roles and Responsibilities	Define roles and responsibilities for cryptography and key management.
CEK-03	Data Encryption	Encrypt data at rest and in transit using approved algorithms and key strengths.
CEK-04	Encryption Algorithm	Use industry standard algorithms and parameters approved for use.
CEK-05	Encryption Change Management	Manage changes to cryptographic infrastructure under change control.
CEK-06	Encryption Change Cost Benefit Analysis	Evaluate risk and value of changes to encryption.
CEK-07	Encryption Risk Management	Identify and address risks specific to cryptography.
CEK-08	CSC Key Management Capability	Provide CSCs ability to manage their own keys (BYOK/HYOK).
CEK-09	Encryption and Key Management Audit	Audit encryption and key management systems at least annually.
CEK-10	Key Generation	Generate cryptographic keys using approved methods.
CEK-11	Key Rotation	Define and implement key rotation procedures for all cryptographic keys.
CEK-12	Key Rotation	Rotate cryptographic keys based on defined cryptoperiods.
CEK-13	Key Revocation	Revoke keys when compromised or no longer required.
CEK-14	Key Destruction	Destroy keys at end of lifecycle in defined manner.
CEK-15	Key Activation	Implement defined methods to activate keys.
CEK-16	Key Suspension	Implement defined methods to suspend keys.
CEK-17	Key Deactivation	Implement defined methods to deactivate keys.
CEK-18	Key Archival	Archive keys for recovery and historical access.
CEK-19	Key Compromise	Manage cryptographic key compromise events.
CEK-20	Key Recovery	Establish key recovery processes.
CEK-21	Key Inventory Management	Maintain inventory of cryptographic keys.

Data Security & Privacy

19 controls

Controls in the Data Security & Privacy domain of CSA Cloud Controls Matrix v4 — 19 controls
Code	Title	Description
DSP-01	Disposal and End-of-Mission	Securely dispose of mission data, keys and assets at end of mission.
DSP-02	Data Inventory	Maintain inventory of customer and operational data including location and retention.
DSP-03	Data Inventory	Maintain inventory of personal and sensitive data.
DSP-04	Data Classification	Classify data by sensitivity and criticality.
DSP-05	Data Flow Documentation	Document and review personal data flows.
DSP-06	Data Ownership and Stewardship	Define data ownership and stewardship roles.
DSP-07	Data Protection by Design and Default	Develop systems and processes that protect personal data by design and by default.
DSP-08	Data Privacy by Design and Default	Conduct privacy impact assessments for new processing.
DSP-09	Data Protection Impact Assessment	Conduct DPIAs prior to high risk processing.
DSP-10	Sensitive Data Transfer	Manage cross border and sensitive data transfers.
DSP-11	Personal Data Access Disclosure and Notification	Provide data subjects access, disclosure and notification.
DSP-12	Limitation of Purpose in Personal Data Processing	Limit personal data processing to defined purpose.
DSP-13	Personal Data Sub processing	Manage subprocessors handling personal data.
DSP-14	Disclosure of Data Sub processors	Disclose subprocessors to customers with notification of changes.
DSP-15	Limitation of Production Data Use	Restrict use of production data in non production environments.
DSP-16	Data Retention and Deletion	Define and enforce data retention and deletion schedules.
DSP-17	Sensitive Data Protection	Protect sensitive data using enhanced controls.
DSP-18	Disclosure Notification	Notify customers of unauthorized disclosure events.
DSP-19	Data Location	Define and document the location and movement of data.

Datacenter Security

15 controls

Controls in the Datacenter Security domain of CSA Cloud Controls Matrix v4 — 15 controls
Code	Title	Description
DCS-01	Off-site Equipment Disposal	Securely dispose of off-site equipment containing customer data.
DCS-02	Off Site Transfer Authorization Policy and Procedures	Authorize off site asset transfers with documented approvals.
DCS-03	Secure Area Policy and Procedures	Define and enforce policies for physical secure areas.
DCS-04	Secure Media Transportation Policy and Procedures	Define policies for transporting media securely.
DCS-05	Assets Classification	Classify and inventory all assets including datacenter components.
DCS-06	Assets Cataloguing and Tracking	Catalogue and track all hardware and software assets.
DCS-07	Controlled Access Points	Implement controlled physical access points to datacenter facilities.
DCS-08	Equipment Identification	Uniquely identify each piece of equipment.
DCS-09	Secure Area Authorization	Restrict access to secure areas to authorized personnel.
DCS-10	Surveillance System	Implement physical surveillance of secure areas.
DCS-11	Unauthorized Access Response Training	Train staff for physical unauthorized access response.
DCS-12	Cabling Security	Protect telecom and network cabling from interception or damage.
DCS-13	Environmental Systems	Maintain environmental controls (HVAC, fire, water).
DCS-14	Secure Utilities	Secure utilities for datacenter facilities (power, water).
DCS-15	Equipment Location	Site equipment to minimize environmental hazards.

Governance Risk & Compliance

8 controls

Controls in the Governance Risk & Compliance domain of CSA Cloud Controls Matrix v4 — 8 controls
Code	Title	Description
GRC-01	Governance Program	Establish a governance program covering risk, policy, compliance and assurance.
GRC-02	Risk Management Program	Establish enterprise risk management program.
GRC-03	Organizational Policy Reviews	Review policies at least annually.
GRC-04	Policy Exception Process	Establish and document a policy exception process.
GRC-05	Information Security Program	Establish formal information security program.
GRC-06	Governance Responsibility Model	Define governance responsibilities including board oversight.
GRC-07	Information System Regulatory Mapping	Map information systems to regulatory requirements.
GRC-08	Special Interest Groups	Participate in security special interest groups and forums.

Human Resources

13 controls

Controls in the Human Resources domain of CSA Cloud Controls Matrix v4 — 13 controls
Code	Title	Description
HRS-01	Background Screening	Conduct background screening of personnel with access to customer data.
HRS-02	Security Training	Deliver mandatory security training to staff and contractors.
HRS-03	Clean Desk Policy and Procedures	Establish clean desk policy for sensitive information.
HRS-04	Employment Termination	Define and document procedures for employment termination and change of role.
HRS-05	Asset returns	Document return of organizational assets upon termination.
HRS-06	Employment Termination	Manage termination of employment with access removal.
HRS-07	Employment Agreement Process	Include security responsibilities in employment agreements.
HRS-08	Employment Agreement Content	Include security and privacy clauses in employment contracts.
HRS-09	Personnel Roles and Responsibilities	Document personnel roles and security responsibilities.
HRS-10	Non Disclosure Agreements	Execute NDAs with personnel and third parties.
HRS-11	Security Awareness Training	Provide security awareness training to personnel.
HRS-12	Personal and Sensitive Data Awareness and Training	Provide privacy training on personal data handling.
HRS-13	Compliance User Responsibility	Communicate user responsibilities for compliance.

Identity & Access Management

16 controls

Controls in the Identity & Access Management domain of CSA Cloud Controls Matrix v4 — 16 controls
Code	Title	Description
IAM-01	Identity and Access Management Policy	Define identity and access management policy covering lifecycle, privilege and authentication.
IAM-02	Strong Authentication	Enforce strong authentication for privileged and customer-facing administrative access.
IAM-03	Identity Inventory	Maintain an inventory of all identities including human and non-human.
IAM-04	Separation of Duties	Implement separation of duties to mitigate conflicts.
IAM-05	Least Privilege	Apply least privilege principle to access rights.
IAM-06	User Access Provisioning	Provision user access with documented approval.
IAM-07	User Access Changes and Revocation	Manage access changes and revocations promptly.
IAM-08	User Access Review	Review user access rights at planned intervals.
IAM-09	Segregation of Privileged Access Roles	Segregate privileged roles from standard user roles.
IAM-10	Management of Privileged Access Roles	Manage privileged access using PAM controls.
IAM-11	CSCs Approval for Agreed Privileged Access Roles	Obtain CSC approval before CSP personnel access CSC environments.
IAM-12	Safeguard Logs Integrity	Protect IAM logs from tampering.
IAM-13	Uniquely Identifiable Users	Ensure all user accounts are uniquely identifiable.
IAM-14	Strong Authentication	Implement strong authentication for access to systems and data.
IAM-15	Passwords Management	Securely manage passwords lifecycle.
IAM-16	Authorization Mechanisms	Use authorization mechanisms consistent with policies.

Infrastructure & Virtualization Security

9 controls

Controls in the Infrastructure & Virtualization Security domain of CSA Cloud Controls Matrix v4 — 9 controls
Code	Title	Description
IVS-01	Infrastructure and Virtualization Security	Harden hypervisors and virtual infrastructure with tenant isolation controls.
IVS-02	Capacity and Resource Planning	Plan capacity and resources to maintain availability.
IVS-03	Network Security	Implement network security architecture.
IVS-04	Network Security	Implement network security controls including segmentation and traffic inspection.
IVS-05	Production and Non Production Environments	Separate production from non production environments.
IVS-06	Segmentation and Segregation	Segment networks and tenants to limit blast radius.
IVS-07	Migration to Cloud Environments	Securely migrate workloads to cloud environments.
IVS-08	Network Architecture Documentation	Document and maintain network architecture.
IVS-09	Network Defense	Implement network defenses against threats.

Interoperability & Portability

4 controls

Controls in the Interoperability & Portability domain of CSA Cloud Controls Matrix v4 — 4 controls
Code	Title	Description
IPY-01	Interoperability and Portability	Support documented interoperability and portability of customer data and configurations.
IPY-02	Interoperability and Portability Policies	Establish policies and procedures for interoperability and portability of data and applications.
IPY-03	Secure Interoperability and Portability Management	Manage interoperability and portability with secure controls.
IPY-04	Data Portability Contractual Obligations	Document data portability obligations in customer agreements.

Logging and Monitoring

13 controls

Controls in the Logging and Monitoring domain of CSA Cloud Controls Matrix v4 — 13 controls
Code	Title	Description
LOG-01	Logging and Monitoring	Collect, protect and review logs from cloud infrastructure and services.
LOG-02	Audit Logs Protection	Protect audit logs from unauthorized modification.
LOG-03	Security Monitoring and Alerting	Monitor and alert on security events.
LOG-04	Audit Logs Access and Accountability	Restrict and account for access to audit logs.
LOG-05	Audit Logs Monitoring and Response	Monitor audit logs and respond to anomalies.
LOG-06	Clock Synchronization	Synchronize system clocks to authoritative time source.
LOG-07	Logging Scope	Define logging scope and content.
LOG-08	Log Records	Generate and retain log records sufficient to detect, investigate, and respond to security events.
LOG-09	Log Protection	Protect logs against tampering and disclosure.
LOG-10	Encryption Monitoring and Reporting	Monitor encryption operations and report on usage.
LOG-11	Transaction/Activity Logging	Log transactions and activities to support investigation.
LOG-12	Access Control Logs	Log access control events including failed logins.
LOG-13	Failures and Anomalies	Detect, report, and respond to failures and anomalies in logging and monitoring systems.

Security Incident Mgmt

8 controls

Controls in the Security Incident Mgmt domain of CSA Cloud Controls Matrix v4 — 8 controls
Code	Title	Description
SEF-01	Security Incident Management Policy	Document and operate a security incident management policy covering detection, response and notification.
SEF-02	Service Management Policy and Procedures	Define service management for incidents.
SEF-03	Incident Response Plans	Establish, document, approve, and maintain security incident response plans.
SEF-04	Incident Response Testing	Test incident response plans at least annually.
SEF-05	Incident Response Metrics	Track incident response metrics.
SEF-06	Event Triage Processes	Define event triage process.
SEF-07	Security Breach Notification	Notify affected parties of security breaches per requirements.
SEF-08	Points of Contact Maintenance	Maintain incident contact lists.

Supply Chain Management

14 controls

Controls in the Supply Chain Management domain of CSA Cloud Controls Matrix v4 — 14 controls
Code	Title	Description
STA-01	SSRM Policy and Procedures	Maintain Shared Security Responsibility Model documentation and supplier management policies.
STA-02	SSRM Supply Chain	Apply SSRM to supply chain relationships.
STA-03	SSRM Guidance	Provide CSC guidance on SSRM scope.
STA-04	SSRM Control Ownership	Identify control ownership in shared model.
STA-05	SSRM Documentation Review	Review SSRM documentation periodically.
STA-06	Supply Chain Data Security	Review and validate supplier and partner data security practices.
STA-07	Supply Chain Inventory	Maintain inventory of supply chain vendors.
STA-08	Supply Chain Risk Management	Manage supply chain risks with assessments.
STA-09	Primary Service and Contractual Agreement	Establish contractual agreements with vendors.
STA-10	Supply Chain Agreement Review	Review supply chain agreements periodically.
STA-11	Internal Compliance Testing	Test vendor compliance internally.
STA-12	Supply Chain Service Agreement Compliance	Verify vendor compliance with service agreements.
STA-13	Supply Chain Governance Review	Govern supply chain at executive level.
STA-14	Supply Chain Data Security Assessment	Assess vendor data security controls.

Threat & Vulnerability

10 controls

Controls in the Threat & Vulnerability domain of CSA Cloud Controls Matrix v4 — 10 controls
Code	Title	Description
TVM-01	Threat and Vulnerability Management Policy	Document and operate threat and vulnerability management policies with timely remediation.
TVM-02	Malware Protection Policy and Procedures	Establish malware protection policies.
TVM-03	Vulnerability Remediation Schedule	Define and enforce vulnerability remediation SLAs.
TVM-04	Detection Updates	Update detection tools, threat signatures, and indicators of compromise on at least a weekly basis or as new releases be...
TVM-05	External Library Vulnerabilities	Manage vulnerabilities in third party libraries.
TVM-06	Penetration Testing	Conduct penetration testing at planned intervals.
TVM-07	Vulnerability Prioritization	Use a risk-based model to prioritize remediation of vulnerabilities.
TVM-08	Vulnerability Prioritization	Prioritize vulnerabilities using risk based approach.
TVM-09	Vulnerability Management Reporting	Report vulnerability management metrics to stakeholders.
TVM-10	Vulnerability Management Metrics	Define metrics for vulnerability management.

Universal Endpoint Management

14 controls

Controls in the Universal Endpoint Management domain of CSA Cloud Controls Matrix v4 — 14 controls
Code	Title	Description
UEM-01	Endpoint Management	Manage endpoints with hardening, patching, EDR and acceptable use enforcement.
UEM-02	Application and Service Approval	Approve applications and services on endpoints.
UEM-03	Compatibility	Ensure endpoint device compatibility with security controls.
UEM-04	Endpoint Inventory	Maintain inventory of endpoint devices.
UEM-05	Endpoint Management	Manage endpoints via MDM/UEM platform.
UEM-06	Automatic Lock Screen	Enforce automatic lock screen on endpoints.
UEM-07	Operating Systems	Enforce supported operating systems on endpoints.
UEM-08	Storage Encryption	Encrypt storage on endpoint devices.
UEM-09	Endpoint Management Software Firewall	Configure and manage host-based firewalls on managed endpoints.
UEM-10	Software Firewall	Enable software firewall on endpoints.
UEM-11	Data Loss Prevention	Deploy DLP controls on endpoints.
UEM-12	Remote Locate	Enable and enforce remote locate capabilities for managed mobile endpoints.
UEM-13	Remote Wipe	Remotely wipe endpoint devices when lost or off boarded.
UEM-14	Third Party Endpoint Security Posture	Verify security posture of third party endpoints.

Frequently Asked Questions

What is CSA Cloud Controls Matrix v4?

CSA Cloud Controls Matrix v4 is a compliance framework from International with 17 domains and 197 controls. Cloud Security Alliance Cloud Controls Matrix v4. 197 controls across 17 cloud security domains. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does CSA Cloud Controls Matrix v4 have?

CSA Cloud Controls Matrix v4 has 197 controls organised across 17 domains. The largest domains are Cryptography Encryption & Key Management (21 controls), Data Security & Privacy (19 controls), Identity & Access Management (16 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does CSA Cloud Controls Matrix v4 map to?

CSA Cloud Controls Matrix v4 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with CSA Cloud Controls Matrix v4 compliance?

Start your CSA Cloud Controls Matrix v4 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CSA Cloud Controls Matrix v4 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 197 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required