The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors. It offers a controls framework to give you a detailed understanding of cloud-related security concepts. The framework covers three areas – cloud architecture, governing in the cloud and operating in the cloud – and is aligned to the CSA guidance in 16 domains.

The CCM is part of the CSA’s Governance, Risk and Compliance (GRC) Stack. This helps to align the CCM with other industry-accepted security standards, regulations, and controls frameworks, such as ISO 27001, ISACA COBIT, PCI and NIST.

You can use the matrix to submit your organisation to the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by cloud service providers.


As a cloud vendor, your reputation and business viability rely on you offering a secure service. The CSA CCM provides you with the needed structure, detail and clarity relating to information security tailored to the cloud industry and allows you to strengthen information security control environments.

Although not an industry standard itself, the CSA CCM is currently considered a de facto standard for cloud security assurance and compliance. By complementing other industry standards, it will save you time and effort when creating or demonstrating compliance with those other standards.

Working with the CCM means your customers can assess the overall security risk of selecting your service for their cloud requirements. They can use the CCM as an evaluation tool because it is a standardised metric against which to make comparisons. The CCM also aligns with the Consensus Assessments Initiative Questionnaire (CAIQ), a yes/no question set for identifying specific topics a prospective customer may wish to discuss.


You can download the CCM from the CSA website and begin using it right away. However, if you are daunted by the prospect or do not have the time or resource to work through it, Ascentor can help.

Ascentor can steer you through what is needed to complete the CCM ready to upload to the STAR. We start with our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.

[Figure: Ascentor GDPR gap analysis process]

On completion of an Ascentor Gap Analysis, you will understand where you are today, what needs to be done and an outline plan of how to achieve it. We can then support identified remediation activities and provide ongoing support to maintain your status and continually improve your cyber security posture in accordance with your business objectives.
