CCM 101: Introducing the Cloud Control Matrix

Cloud service providers compliant with the Cloud Controls Matrix framework earn customer trust through more effective cloud security.
Troy Fine

by Troy Fine

November 22, 2023
CCM 101 - Header

With the addition of the Cloud Security Alliance’s (CSA’s) Cloud Controls Matrix (CCM) to our compliance automation solution, Drata customers can now continuously monitor their CCM compliance and streamline audits.

For those new to CCM, this blog post will introduce the security framework, how it works, and why it can be beneficial for your organization.

What is CCM?

While the cloud’s business case is as compelling as ever, securing cloud infrastructure remains challenging. At the center of this challenge is the shared responsibility model that divides security responsibilities between cloud service providers (CSPs) and their customers. CSP customers are ultimately responsible for the security of their data, but they do not control all aspects of cloud security. The degree of control customers may exercise varies depending on the service provider, the CSP’s cloud business model, and the nature of the customer’s own cloud infrastructure.

The CSA created CCM to help clarify responsibilities and make cloud data more secure by:

  • Defining 17 domains of cloud technology.

  • Describing 197 security control objectives within those domains.

  • Providing guidance for appropriate implementation of these controls.

  • Mapping CCM controls to other security frameworks.

  • Creating a questionnaire for self-assessments of CCM compliance.

Every organization in the cloud supply chain can use CCM to enhance their security controls, assess vendor compliance, and reassure customers that their security systems follow the cloud computing industry’s best practices.

In a recent survey of the financial industry, the CSA found that 65% of responding enterprises use CCM to establish internal controls, manage cloud risks, and demonstrate compliance.

CSA simplified the sharing of CCM compliance information by creating a central repository where cloud service customers can retrieve self-assessments and audit reports from thousands of cloud service providers.

Who is CCM For?

CCM serves organizations throughout the cloud supply chain since it clarifies everyone’s security responsibilities and control requirements. 

These factors will vary depending on a CSP’s cloud business model. From Infrastructure-as-a-Service to Platform-as-a-Service and Software-as-a-Service, each model progressively shifts more responsibility for security to the service provider. 

In addition, customers must understand how the shared responsibility model fits into the compliance requirements of their hybrid, public, and private cloud infrastructures.

Security Professionals

Security professionals at cloud service providers use CCM to evaluate and monitor their security practices. They also map CCM controls to other security frameworks, such as SOC 2 , ISO/IEC 27001, NIST SP 800-53 or ISO/IEC 27017, to streamline their compliance programs.

Enterprises taking on a new CSP receive CCM documentation describing how each side of the relationship addresses cloud data security. With this information, the customer’s security teams can implement or reinforce controls that maintain their company’s compliance obligations.

Cloud Service Providers (CSPs)

In addition to strengthening a CSP’s security practices, CCM compliance establishes trust and fosters the CSP’s business relationships. CSPs can share audit reports, self-assessments, and other documentation with their customers directly or through the STAR.

CCM prevents security gaps within the shared responsibility model by delineating between the security controls a CSP owns and those its customers must address. By improving communications and preventing misunderstandings within the business relationship, CCM compliance helps CSPs build long-term success.

Cloud Service Customers (Organizations)

Enterprises adopting cloud architectures have little direct visibility into or control of their cloud vendors’ security practices. CCM provides an objective framework for evaluating their CSPs’ security practices.

The latest version of the CCM standard includes the Consensus Assessment Initiative Questionnaire (CAIQ), which service providers use to describe their CCM compliance. Companies can incorporate the CAIQ in their RFPs and use the responses to evaluate potential vendors.


Licensed auditors, as well as a CSP’s internal auditors, rely on CCM’s principles and guidelines to assess compliance status properly. Given the industry’s variety, a one-size-fits-all standard is impossible. By necessity, the standard’s control descriptions are too general to tell a specific service provider which technologies and procedures to use.

Auditors use the CCM framework to properly scope the audit and determine the appropriate controls a CSP should have in place. For example, the maturity level of a startup would allow for controls that would be inappropriate for an established global service provider.

What’s Included in CCM?

CCM includes a spreadsheet and questionnaire that service providers and customers can use to improve cloud data security.

Domains and Control Areas

The latest version of CCM groups every aspect of cloud security into 17 domains, such as data center security, identity and access management, and logging and monitoring.

Control Objectives and Implementation Guidance

The CCM domains define 197 control objectives and provide guidance for their implementation based on the CSP’s shared responsibility model, information architecture, maturity level, and other factors.

Mapping to Industry Standards and Regulations

Although CCM security controls are similar to those in other security frameworks, CCM compliance does not guarantee a company meets these different standards’ requirements.

CSA has mapped CCM’s security controls to those in frameworks such as ISO 27018, PCI-DSS, and SOC 2, as well as others. A CSP’s compliance teams can use these mappings to reduce duplicative control development and evidence gathering, simplifying compliance with multiple frameworks.

Self-Assessment Questionnaire

The CAIQ is a set of yes-or-no questions that lets a CSP describe its CCM compliance for cloud consumers and auditors to assess information security capabilities for cloud providers. Customers can use the CAIQ to compare potential vendors and identify differences between each vendor’s shared responsibility model.

What are the Benefits of CCM?

As seen in the CSA’s survey results, enterprises find CCM a useful framework for implementing and monitoring cloud security.

Enhanced Cloud Security

CSA’s CCM makes the entire cloud supply chain more secure. A service provider uses the framework to identify and mitigate security gaps as well as continuously monitor its compliance posture.

Cloud service customers use CCM to evaluate and monitor the quality of their vendors’ security practices, thus building more secure cloud and hybrid cloud architectures.

Both organizations benefit from a clarified shared responsibility model. CCM tells customers and vendors which controls they must implement and where security responsibilities pass to the other side.

Simplified Compliance

CCM streamlines implementation and simplifies compliance programs by providing a comprehensive framework for securing cloud architectures.

CSP compliance teams can use CCM’s framework maps to reduce the time, effort, and resources devoted to meeting the requirements of multiple security standards.

CSP customers can use their vendors’ audit reports, responsibility models, and CAIQ responses to meet their own compliance requirements.

Risk Mitigation

Migrating IT assets to the cloud from on-premises data centers limits enterprise risk exposure since companies no longer maintain servers and other network infrastructure. However, the loss of control creates a new type of risk—unless cloud service providers can demonstrate effective security practices.

CCM-compliant cloud service providers help their customers manage risk by providing independently-audited proof that their cloud infrastructure is secure.

Enhanced Customer Trust

Enhanced trust makes customers more likely to select and retain CCM-compliant service providers. Customers know where their security responsibilities end and where their vendors’ responsibilities pick up.

Enterprise security teams can concentrate on implementing and monitoring their internal controls, confident that their CSPs have appropriate internal controls.

Furthermore, having CCM-compliant service providers reduces misunderstandings on either side of the relationship, helping to prevent subsequent security gaps.

How Can I Achieve CCM Compliance?

As a cloud service provider, you must decide the listing type in the CSA’s compliance repository. STAR offers which offers two levels of registration:

STAR Level One organizations complete the CAIQ and post it to the registry.

STAR Level Two organizations submit to an independent audit that evaluates CCM compliance within the context of SOC 2 or ISO/IEC 27001 STAR level two audits must be performed by firms accredited by the CSA.

Whichever CSA assurance level you choose, a CCM implementation program will follow these four steps:

  1. Conduct a self-assessment

  2. Establish policies and procedures

  3. Implement security controls

  4. Continuously monitor compliance

At this point, you will be ready to complete the CCM questionnaire or submit to a CCM audit. Drata’s compliance automation solution can streamline this process by consolidating evidence collection, monitoring, and reporting within a single pane of glass. Request a demo to see how Drata can guide your compliance journey from start to audit-ready.

Trusted Newsletter
Resources for you
AWS re invent - Everything You Need to Know

Going to AWS re:Invent 2023? Here’s Everything You Need to Know

CCM and ISO Blog Thumb Image

CCM, ISO 27017, and ISO 27018 Now Available in Drata

Compliance Automation Hero

Compliance Automation: Your Audit Experience Before and After

Cloud Compliance (1)

What is Cloud Compliance? + Best Practices

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
AWS re invent - Everything You Need to Know

Going to AWS re:Invent 2023? Here’s Everything You Need to Know

CCM and ISO Blog Thumb Image

CCM, ISO 27017, and ISO 27018 Now Available in Drata

Compliance Automation Hero

Compliance Automation: Your Audit Experience Before and After

Cloud Compliance (1)

What is Cloud Compliance? + Best Practices