CCMv4.0.6 - Generated at - 2022 12 14

CLOUD CONTROLS MATRIX v4.0.
6
v4.0.6
Introduction
This section explains the CCM V4 spreadsheet structure and describes its components.
I. Structure
The CCM V4 spreadsheet includes five tabs:
• Introduction.
• CCM Controls.
• CCM Implementation Guidelines.
• CCM Auditing Guidelines.
• CCM Scope Applicability (Mappings).
• Consensus Assessments Initiative Questionnaire (CAIQ).
• Acknowledgments.
II. Components Description
a. CCM Controls
This is the core of the CCM V4. It includes 197 controls structured in 17 domains.
Each control is described by a:
• Control Domain: the name of the domain to which the control pertains.
• Control Title: the title of the control.
• Control ID: the control identifier.
• Control Specification: the requirement(s) description of the control.
In addition, this tab includes the following sections (groups of columns)
Typical Control Applicability and Ownership:
This group of columns describes the typical applicability of controls for the three main cloud delivery models: infrastructure-as-a-service (IaaS), platform-
and software-as-a-service (SaaS). Additionally, the section explores the typical SSRM-based (Shared Security Responsibility Model) allocation of respons
implementation of a given CCM control between a cloud service provider (CSP) and a cloud service customer (CSC). The matrix clarifies if a control’s re
be “CSP-Owned”, “CSC-Owned”, or “Shared”.
IMPORTANT NOTE: Both the control applicability to IaaS, PaaS, and SaaS models—and the control ownership attributions—are meant to represent a hi
simplification. The CCM user should revise those attributions depending on the contractually agreed SSRM for the specific cloud environment.
Architectural Relevance - Cloud Stack Components:
This group of columns indicates the architectural relevance of each CCM control per cloud stack component from the perspective of the CSA Cloud Refer
section focuses on components, including physical, network, compute, storage, application, and data.
The “relevance box” associated with each component is marked as “TRUE” if the control is relevant to a component and “FALSE” if it is not.
IMPORTANT NOTE: The architectural relevance is meant to represent a high-level simplification. The CCM user should revise those attributions depend
cloud environment and technologies used.
Organizational Relevance:
This group of columns indicates the relevance between each CCM control and its implementation by the respective cloud relevant functions within an orga
functions included are: Cybersecurity, Internal Audit, Architecture Team, Software Development Team, Operations, Legal/Privacy, Governance/Risk/Con
Management, and Human.
The “relevance box” associated with each component is marked as “TRUE” if the control is relevant to a component and “FALSE” if it is not.
IMPORTANT NOTE: The organizational relevance is meant to represent a high-level simplification. The user of the CCM should revise those attributions
specific cloud environment and organizational structure.
b. CCM Implementation Guidelines:
This tab includes the CCM V4 Implementation Guidelines that are tailored to the security and privacy control specifications of the 17 cloud security doma
with their main goal being to provide guidance and recommendations in support to the controls’ proper implementation.
IMPORTANT NOTE:
The implementation guidelines are not exhaustive and neither prescriptive in nature, but rather represent a generic guide in form of recommendations. The
will largely depend on the nature of the IT/service architecture, the type of technology used and risks faced, applicable regulations, organizational policies
significant factors.
The guidelines can be downloaded in PDF format here
c. CCM Auditing Guidelines:

This tab includes the CCM V4 Implementation Guidelines that are tailored to the security and privacy control specifications of the 17 cloud security doma
with their main goal being to provide auditors with assessment guidelines per CCM control allowing to facilitate a CCM audit and assessment.
IMPORTANT NOTE:
The auditing guidelines are not exhaustive or prescriptive by nature but rather represent a generic guide in form of recommendations for CCM controls im
assessment. Auditors must customize the descriptions, procedures, risks, controls, and documentation to organizational specific audit work programs and s
scope of the assessment to address the specific audit objectives.
The guidelines can be downloaded in PDF format here
.
d. CCM Scope Applicability (Mappings):
This tab includes the mappings between CCM V4 and numerous standards (ISO 27001/2/17) and best practices (CIS V8) control sets relevant to cloud com
For each standard, CCM V4 is mapped to include the following three columns:
Control Mapping
The indication of which control(s) in the target standard (e.g., ISO27001) corresponds to the CCM control.
Gap Level
The level of gap a control (or controls) in the target standard has when compared with the CCM control. The gap levels used are:
• No Gap: In case of full correspondence.
• Partial Gap: If the control(s) in the target standard does not fully satisfy the corresponding CCM control’s requirements.
• Full Gap: If there is no control in the target standard to fulfill the corresponding CCM control’s requirements.
Addendum
The column describes the suggested compensating control that organizations must implement to cover the gap between the control in the target standard an
CCM control.
e. Consensus Assessments Initiative Questionnaire (CAIQ):
This tab includes the questionnaire associated with CCM V4 controls, commonly known as CAIQ. The CAIQ consists of 261 questions structured in the 1
CCM. Each question is described in the following manner:
• Question ID: the questions identifier.
• Question: the description of the question.
IMPORTANT NOTE: The CAIQ version in this spreadsheet is NOT meant to be used in lieu of submitting self-assessments (STAR Level 1) into the STA
separate submission form has been created for that purpose:
Download it here
f. Acknowledgments:
This tab acknowledges the volunteers who contributed to the CCM V4’s development.
End of Introduction
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the C
Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4
solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Clou
v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Ma
permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Con
Version 4.0.6. If you are interested in obtaining a license to this #material for other usages not addresses in the copyright notice, please contact
info@cloudsecurityalliance.org.
Introduction
s components.
I. Structure
II. Components Description
a. CCM Controls
7 domains.
the three main cloud delivery models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS),
typical SSRM-based (Shared Security Responsibility Model) allocation of responsibilities for the
er (CSP) and a cloud service customer (CSC). The matrix clarifies if a control’s responsibility should
SaaS models—and the control ownership attributions—are meant to represent a high-level
g on the contractually agreed SSRM for the specific cloud environment.
M control per cloud stack component from the perspective of the CSA Cloud Reference Model. The
torage, application, and data.
UE” if the control is relevant to a component and “FALSE” if it is not.
a high-level simplification. The CCM user should revise those attributions depending on its specific
ol and its implementation by the respective cloud relevant functions within an organization. The
m, Software Development Team, Operations, Legal/Privacy, Governance/Risk/Control, Supply Chain
UE” if the control is relevant to a component and “FALSE” if it is not.
nt a high-level simplification. The user of the CCM should revise those attributions depending on the
CM Implementation Guidelines:
ed to the security and privacy control specifications of the 17 cloud security domains of the CCM,
support to the controls’ proper implementation.
ve in nature, but rather represent a generic guide in form of recommendations. Their operationalization
of technology used and risks faced, applicable regulations, organizational policies and other
c. CCM Auditing Guidelines:

ed to the security and privacy control specifications of the 17 cloud security domains of the CCM,
s per CCM control allowing to facilitate a CCM audit and assessment.
rather represent a generic guide in form of recommendations for CCM controls implementations’
controls, and documentation to organizational specific audit work programs and service(s) in the
M Scope Applicability (Mappings):
ds (ISO 27001/2/17) and best practices (CIS V8) control sets relevant to cloud computing.
lumns:
) corresponds to the CCM control.
ompared with the CCM control. The gap levels used are:
y the corresponding CCM control’s requirements.
sponding CCM control’s requirements.
ions must implement to cover the gap between the control in the target standard and the corresponding
ssessments Initiative Questionnaire (CAIQ):
ommonly known as CAIQ. The CAIQ consists of 261 questions structured in the 17 domains of the
eant to be used in lieu of submitting self-assessments (STAR Level 1) into the STAR Registry. A
f. Acknowledgments:
development.
End of Introduction
You may download, store, display on your computer, view, print, and link to the Cloud Security
loudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used
ud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix
r notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as
provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix
al for other usages not addresses in the copyright notice, please contact
CLOUD CONTROLS MATRIX v4.0.6
v4.0.6
Control Domain Control Title Control ID
Audit & Assurance - A&A
Audit and Assurance Policy and

Audit & Assurance A&A-01
Procedures
Audit & Assurance Independent Assessments A&A-02
Audit & Assurance Risk Based Planning Assessment A&A-03

Audit & Assurance Requirements Compliance A&A-04
Audit & Assurance Audit Management Process A&A-05
Audit & Assurance Remediation A&A-06
Application & Interface Security - AIS

Application & Interface Application and Interface Security
AIS-01
Security Policy and Procedures
Application & Interface Application Security Baseline

AIS-02
Security Requirements
Application & Interface

Application Security Metrics AIS-03
Security
Application & Interface Secure Application Design and

AIS-04
Security Development
Application & Interface Automated Application Security
AIS-05
Security Testing
Application & Interface Automated Secure Application

AIS-06
Security Deployment

Application Vulnerability Remediation AIS-07
Security
Business Continuity Management and Operational Resilience - BCR
Business Continuity
Business Continuity Management
Management and BCR-01
Policy and Procedures
Operational Resilience
Business Continuity
Management and Risk Assessment and Impact Analysis BCR-02
Business Continuity
Management and Business Continuity Strategy BCR-03
Business Continuity
Management and Business Continuity Planning BCR-04
Business Continuity
Management and Documentation BCR-05
Business Continuity
Management and Business Continuity Exercises BCR-06
Business Continuity
Management and Communication BCR-07
Business Continuity
Management and Backup BCR-08
Business Continuity
Management and Disaster Response Plan BCR-09
Business Continuity
Management and Response Plan Exercise BCR-10
Business Continuity
Management and Equipment Redundancy BCR-11
Change Control and Configuration Management - CCC
Change Control and

Change Management Policy and
Configuration CCC-01
Procedures
Management
Change Control and

Configuration Quality Testing CCC-02
Management
Change Control and

Configuration Change Management Technology CCC-03
Management
Change Control and

Configuration Unauthorized Change Protection CCC-04
Management
Change Control and
Configuration Change Agreements CCC-05
Management
Change Control and

Configuration Change Management Baseline CCC-06
Management
Change Control and

Configuration Detection of Baseline Deviation CCC-07
Management
Change Control and

Configuration Exception Management CCC-08
Management
Change Control and

Configuration Change Restoration CCC-09
Management
Cryptography, Encryption & Key Management - CEK

Cryptography,
Encryption and Key Management
Encryption & Key CEK-01
Management
Cryptography,
Encryption & Key CEK Roles and Responsibilities CEK-02
Management
Cryptography,
Encryption & Key Data Encryption CEK-03
Management
Cryptography,
Encryption & Key Encryption Algorithm CEK-04
Management
Cryptography,
Encryption & Key Encryption Change Management CEK-05
Management
Cryptography,
Encryption Change Cost Benefit
Analysis
Management
Cryptography,
Encryption & Key Encryption Risk Management CEK-07
Management
Cryptography,
Encryption & Key CSC Key Management Capability CEK-08
Management
Cryptography,
Encryption & Key Encryption and Key Management Audit CEK-09
Management
Cryptography,
Encryption & Key Key Generation CEK-10
Management
Cryptography,
Encryption & Key Key Purpose CEK-11
Management
Cryptography,
Encryption & Key Key Rotation CEK-12
Management
Cryptography,
Encryption & Key Key Revocation CEK-13
Management
Cryptography,
Encryption & Key Key Destruction CEK-14
Management
Cryptography,
Encryption & Key Key Activation CEK-15
Management
Cryptography,
Encryption & Key Key Suspension CEK-16
Management
Cryptography,
Encryption & Key Key Deactivation CEK-17
Management
Cryptography,
Encryption & Key Key Archival CEK-18
Management
Cryptography,
Encryption & Key Key Compromise CEK-19
Management
Cryptography,
Encryption & Key Key Recovery CEK-20
Management
Cryptography,
Encryption & Key Key Inventory Management CEK-21
Management
Datacenter Security - DCS
Off-Site Equipment Disposal Policy

Datacenter Security DCS-01
and Procedures
Off-Site Transfer Authorization Policy
and Procedures
Datacenter Security Secure Area Policy and Procedures DCS-03
Secure Media Transportation Policy

and Procedures
Datacenter Security Assets Classification DCS-05

Datacenter Security Assets Cataloguing and Tracking DCS-06
Datacenter Security Controlled Access Points DCS-07
Datacenter Security Equipment Identification DCS-08
Datacenter Security Secure Area Authorization DCS-09
Datacenter Security Surveillance System DCS-10

Unauthorized Access Response
Training
Datacenter Security Cabling Security DCS-12
Datacenter Security Environmental Systems DCS-13
Datacenter Security Secure Utilities DCS-14
Datacenter Security Equipment Location DCS-15
Data Security and Privacy Lifecycle Management - DSP

Data Security and
Security and Privacy Policy and
Privacy Lifecycle DSP-01
Procedures
Management
Data Security and

Privacy Lifecycle Secure Disposal DSP-02
Management
Data Security and

Privacy Lifecycle Data Inventory DSP-03
Management
Data Security and

Privacy Lifecycle Data Classification DSP-04
Management
Data Security and

Privacy Lifecycle Data Flow Documentation DSP-05
Management
Data Security and
Privacy Lifecycle Data Ownership and Stewardship DSP-06
Management
Data Security and

Privacy Lifecycle Data Protection by Design and Default DSP-07
Management
Data Security and

Privacy Lifecycle Data Privacy by Design and Default DSP-08
Management
Data Security and

Privacy Lifecycle Data Protection Impact Assessment DSP-09
Management
Data Security and
Privacy Lifecycle Sensitive Data Transfer DSP-10
Management
Data Security and

Personal Data Access, Reversal,
Rectification and Deletion
Management
Data Security and

Limitation of Purpose in Personal Data
Processing
Management
Data Security and

Privacy Lifecycle Personal Data Sub-processing DSP-13
Management
Data Security and
Privacy Lifecycle Disclosure of Data Sub-processors DSP-14
Management
Data Security and

Privacy Lifecycle Limitation of Production Data Use DSP-15
Management
Data Security and

Privacy Lifecycle Data Retention and Deletion DSP-16
Management
Data Security and

Privacy Lifecycle Sensitive Data Protection DSP-17
Management
Data Security and
Privacy Lifecycle Disclosure Notification DSP-18
Management
Data Security and

Privacy Lifecycle Data Location DSP-19
Management
Governance, Risk and Compliance - GRC
Governance, Risk and Governance Program Policy and

GRC-01
Compliance Procedures
Governance, Risk and
Risk Management Program GRC-02
Compliance

Organizational Policy Reviews GRC-03
Compliance

Policy Exception Process GRC-04
Compliance

Information Security Program GRC-05
Compliance

Governance Responsibility Model GRC-06
Compliance
Governance, Risk and Information System Regulatory
GRC-07
Compliance Mapping

Special Interest Groups GRC-08
Compliance
Human Resources - HRS
Background Screening Policy and

Human Resources HRS-01
Procedures
Acceptable Use of Technology Policy
and Procedures
Human Resources Clean Desk Policy and Procedures HRS-03
Remote and Home Working Policy and

Procedures
Human Resources Asset returns HRS-05

Human Resources Employment Termination HRS-06
Human Resources Employment Agreement Process HRS-07
Human Resources Employment Agreement Content HRS-08
Human Resources Personnel Roles and Responsibilities HRS-09
Human Resources Non-Disclosure Agreements HRS-10

Human Resources Security Awareness Training HRS-11
Personal and Sensitive Data Awareness

and Training
Human Resources Compliance User Responsibility HRS-13
Identity & Access Management - IAM
Identity & Access Identity and Access Management

IAM-01
Management Policy and Procedures
Identity & Access
Strong Password Policy and Procedures IAM-02
Management
Identity & Access

Identity Inventory IAM-03
Management
Identity & Access

Separation of Duties IAM-04
Management
Identity & Access

Least Privilege IAM-05
Management
Identity & Access

User Access Provisioning IAM-06
Management
Identity & Access

User Access Changes and Revocation IAM-07
Management
Identity & Access
User Access Review IAM-08
Management
Identity & Access

Segregation of Privileged Access Roles IAM-09
Management
Identity & Access Management of Privileged Access

IAM-10
Management Roles
Identity & Access CSCs Approval for Agreed Privileged

IAM-11
Management Access Roles
Identity & Access
Safeguard Logs Integrity IAM-12
Management
Identity & Access

Uniquely Identifiable Users IAM-13
Management
Identity & Access

Strong Authentication IAM-14
Management
Identity & Access
Passwords Management IAM-15
Management
Identity & Access

Authorization Mechanisms IAM-16
Management
Interoperability & Portability - IPY
Interoperability & Interoperability and Portability Policy

IPY-01
Portability and Procedures
Interoperability &
Application Interface Availability IPY-02
Portability
Interoperability & Secure Interoperability and Portability

IPY-03
Portability Management
Interoperability & Data Portability Contractual
IPY-04
Portability Obligations
Infrastructure & Virtualization Security - IVS
Infrastructure & Infrastructure and Virtualization

IVS-01
Virtualization Security Security Policy and Procedures
Infrastructure &
Capacity and Resource Planning IVS-02
Virtualization Security
Infrastructure &
Network Security IVS-03
Infrastructure &
OS Hardening and Base Controls IVS-04
Infrastructure & Production and Non-Production

IVS-05
Virtualization Security Environments
Infrastructure &
Segmentation and Segregation IVS-06
Infrastructure &
Migration to Cloud Environments IVS-07
Infrastructure &
Network Architecture Documentation IVS-08
Infrastructure &
Network Defense IVS-09
Logging and Monitoring - LOG
Logging and Monitoring Policy and

Logging and Monitoring LOG-01
Procedures
Logging and Monitoring Audit Logs Protection LOG-02

Logging and Monitoring Security Monitoring and Alerting LOG-03
Logging and Monitoring Audit Logs Access and Accountability LOG-04
Logging and Monitoring Audit Logs Monitoring and Response LOG-05
Logging and Monitoring Clock Synchronization LOG-06
Logging and Monitoring Logging Scope LOG-07

Logging and Monitoring Log Records LOG-08
Logging and Monitoring Log Protection LOG-09
Logging and Monitoring Encryption Monitoring and Reporting LOG-10
Logging and Monitoring Transaction/Activity Logging LOG-11
Logging and Monitoring Access Control Logs LOG-12
Logging and Monitoring Failures and Anomalies Reporting LOG-13
Security Incident Management, E-Discovery, & Cloud Forensics - SEF

Security Incident
Management, E- Security Incident Management Policy
SEF-01
Discovery, & Cloud and Procedures
Forensics
Security Incident
Management, E- Service Management Policy and
SEF-02
Discovery, & Cloud Procedures
Forensics
Security Incident
Management, E-
Incident Response Plans SEF-03
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Incident Response Testing SEF-04
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Incident Response Metrics SEF-05
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Event Triage Processes SEF-06
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Security Breach Notification SEF-07
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Points of Contact Maintenance SEF-08
Discovery, & Cloud
Forensics
Supply Chain Management, Transparency, and Accountability - STA

Supply Chain
Management,
SSRM Policy and Procedures STA-01
Transparency, and
Accountability
Supply Chain
Management,
SSRM Supply Chain STA-02
Transparency, and
Accountability
Supply Chain
Management,
SSRM Guidance STA-03
Transparency, and
Accountability
Supply Chain
Management,
SSRM Control Ownership STA-04
Transparency, and
Accountability
Supply Chain
Management,
SSRM Documentation Review STA-05
Transparency, and
Accountability
Supply Chain
Management,
SSRM Control Implementation STA-06
Transparency, and
Accountability
Supply Chain
Management,
Supply Chain Inventory STA-07
Transparency, and
Accountability
Supply Chain
Management,
Supply Chain Risk Management STA-08
Transparency, and
Accountability
Supply Chain
Management, Primary Service and Contractual
STA-09
Transparency, and Agreement
Accountability
Supply Chain
Management,
Supply Chain Agreement Review STA-10
Transparency, and
Accountability
Supply Chain
Management,
Internal Compliance Testing STA-11
Transparency, and
Accountability
Supply Chain
Management, Supply Chain Service Agreement
STA-12
Transparency, and Compliance
Accountability
Supply Chain
Management,
Supply Chain Governance Review STA-13
Transparency, and
Accountability
Supply Chain
Management, Supply Chain Data Security
STA-14
Transparency, and Assessment
Accountability
Threat & Vulnerability Management - TVM

Threat & Vulnerability Threat and Vulnerability Management
TVM-01
Threat & Vulnerability Malware Protection Policy and

TVM-02
Management Procedures
Threat & Vulnerability

Vulnerability Remediation Schedule TVM-03
Management

Detection Updates TVM-04
Management
External Library Vulnerabilities TVM-05
Management

Penetration Testing TVM-06
Management

Vulnerability Identification TVM-07
Management

Vulnerability Prioritization TVM-08
Management

Vulnerability Management Reporting TVM-09
Management
Vulnerability Management Metrics TVM-10
Management
Universal Endpoint Management - UEM
Universal Endpoint Endpoint Devices Policy and

UEM-01
Universal Endpoint
Application and Service Approval UEM-02
Management
Universal Endpoint
Compatibility UEM-03
Management
Universal Endpoint
Endpoint Inventory UEM-04
Management
Universal Endpoint
Endpoint Management UEM-05
Management
Universal Endpoint
Automatic Lock Screen UEM-06
Management
Universal Endpoint
Operating Systems UEM-07
Management
Universal Endpoint
Storage Encryption UEM-08
Management
Universal Endpoint
Anti-Malware Detection and Prevention UEM-09
Management
Universal Endpoint
Software Firewall UEM-10
Management
Universal Endpoint
Data Loss Prevention UEM-11
Management
Universal Endpoint
Remote Locate UEM-12
Management
Universal Endpoint
Remote Wipe UEM-13
Management
Universal Endpoint
Third-Party Endpoint Security Posture UEM-14
Management
End of Standard
Typical Control Applicability and Ownershi
Control Specification IaaS PaaS

Establish, document, approve, communicate, apply, evaluate and maintain
audit and assurance policies and procedures and standards. Review and update
the policies and procedures at least annually.
Shared Shared
Conduct independent audit and assurance assessments according to

relevant standards at least annually.
Shared Shared
Perform independent audit and assurance assessments according to

risk-based plans and policies.
Shared Shared
Verify compliance with all relevant standards, regulations, legal/contractual,
and statutory requirements applicable to the audit.
Shared Shared
Define and implement an Audit Management process to support audit

planning, risk analysis, security control assessment, conclusion, remediation
schedules, report generation, and review of past reports and supporting evidence.
Shared Shared

a risk-based corrective action plan to remediate audit findings, review and
report remediation status to relevant stakeholders.
Shared Shared
ication & Interface Security - AIS

policies and procedures for application security to provide guidance to the
appropriate planning, delivery and support of the organization's application
security capabilities. Review and update the policies and procedures at least
annually.
Shared CSC-Owned
Establish, document and maintain baseline requirements for securing

different applications.
Shared Shared
Define and implement technical and operational metrics in alignment

with business objectives, security requirements, and compliance obligations.
Shared Shared
Define and implement a SDLC process for application design, development,

deployment, and operation in accordance with security requirements defined by
the organization.
Shared Shared
Implement a testing strategy, including criteria for acceptance of
new information systems, upgrades and new versions, which provides application
security assurance and maintains compliance while enabling organizational speed
of delivery goals. Automate when applicable and possible.
Shared Shared
Establish and implement strategies and capabilities for secure, standardized,

and compliant application deployment. Automate where possible.
Shared Shared
Define and implement a process to remediate application security

vulnerabilities, automating remediation when possible.
Shared Shared
Management and Operational Resilience - BCR

business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
Shared Shared
Determine the impact of business disruptions and risks to establish
criteria for developing business continuity and operational resilience strategies
and capabilities.
Shared Shared
Establish strategies to reduce the impact of, withstand, and recover

from business disruptions within risk appetite.
Shared Shared

a business continuity plan based on the results of the operational resilience
strategies and capabilities.
Shared Shared
Develop, identify, and acquire documentation that is relevant to

support the business continuity and operational resilience programs. Make the
documentation available to authorized stakeholders and review periodically.
Shared Shared
Exercise and test business continuity and operational resilience

plans at least annually or upon significant changes.
Shared Shared
Establish communication with stakeholders and participants in the
course of business continuity and resilience procedures.
Shared Shared
Periodically backup data stored in the cloud. Ensure the confidentiality,

integrity and availability of the backup, and verify data restoration from backup
for resiliency.
Shared Shared

a disaster response plan to recover from natural and man-made disasters. Update
the plan at least annually or upon significant changes.
CSP-Owned CSP-Owned
Exercise the disaster response plan annually or upon significant

changes, including if possible local emergency authorities.
CSP-Owned CSP-Owned
Supplement business-critical equipment with redundant equipment independently

located at a reasonable minimum distance in accordance with applicable industry
standards.
CSP-Owned CSP-Owned
rol and Configuration Management - CCC
policies and procedures for managing the risks associated with applying changes
to organization assets, including application, systems, infrastructure, configuration,
etc., regardless of whether the assets are managed internally or externally
(i.e., outsourced). Review and update the policies and procedures at least annually.
Shared Shared
Follow a defined quality change control, approval and testing process

with established baselines, testing, and release standards.
CSP-Owned Shared
Manage the risks associated with applying changes to organization

assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced).
Shared Shared
Restrict the unauthorized addition, removal, update, and management

of organization assets.
Shared Shared
Include provisions limiting changes directly impacting CSCs owned
environments/tenants to explicitly authorized requests within service level
agreements between CSPs and CSCs.
CSP-Owned Shared
Establish change management baselines for all relevant authorized

changes on organization assets.
Shared Shared
Implement detection measures with proactive notification in case

of changes deviating from the established baseline.
CSP-Owned Shared
'Implement a procedure for the management of exceptions, including

emergencies, in the change and configuration process. Align the procedure with
the requirements of GRC-04: Policy Exception Process.'
Shared Shared
Define and implement a process to proactively roll back changes to

a previous known good state in case of errors or security concerns.
Shared Shared
y, Encryption & Key Management - CEK

policies and procedures for Cryptography, Encryption and Key Management. Review
and update the policies and procedures at least annually.
Shared Shared
Define and implement cryptographic, encryption and key management

roles and responsibilities.
Shared Shared
Provide cryptographic protection to data at-rest and in-transit,

using cryptographic libraries certified to approved standards.
Shared Shared
Use encryption algorithms that are appropriate for data protection,

considering the classification of data, associated risks, and usability of the
encryption technology.
Shared Shared
Establish a standard change management procedure, to accommodate

changes from internal and external sources, for review, approval, implementation
and communication of cryptographic, encryption and key management technology
changes.
Shared Shared
Manage and adopt changes to cryptography-, encryption-, and key management-related
systems (including policies and procedures) that fully account for downstream
effects of proposed changes, including residual risk, cost, and benefits analysis.
Shared Shared
Establish and maintain an encryption and key management risk program

that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback.
Shared Shared
CSPs must provide the capability for CSCs to manage their own data
encryption keys.
Shared Shared
Audit encryption and key management systems, policies, and processes

with a frequency that is proportional to the risk exposure of the system with
audit occurring preferably continuously but at least annually and after any
security event(s).
Shared Shared
Generate Cryptographic keys using industry accepted cryptographic
libraries specifying the algorithm strength and the random number generator
used.
Shared Shared
Manage cryptographic secret and private keys that are provisioned

for a unique purpose.
Shared Shared
Rotate cryptographic keys in accordance with the calculated cryptoperiod,

which includes provisions for considering the risk of information disclosure
and legal and regulatory requirements.
Shared Shared
Define, implement and evaluate processes, procedures and technical

measures to revoke and remove cryptographic keys prior to the end of its established
cryptoperiod, when a key is compromised, or an entity is no longer part of the
organization, which include provisions for legal and regulatory requirements.
Shared Shared
measures to destroy keys stored outside a secure environment and revoke keys
stored in Hardware Security Modules (HSMs) when they are no longer needed, which
include provisions for legal and regulatory requirements.
Shared Shared

measures to create keys in a pre-activated state when they have been generated
but not authorized for use, which include provisions for legal and regulatory
requirements.
Shared Shared

measures to monitor, review and approve key transitions from any state to/from
suspension, which include provisions for legal and regulatory requirements.
Shared Shared

measures to deactivate keys at the time of their expiration date, which include
provisions for legal and regulatory requirements.
Shared Shared
measures to manage archived keys in a secure repository requiring least privilege
access, which include provisions for legal and regulatory requirements.
Shared Shared

measures to use compromised keys to encrypt information only in controlled circumstance,
and thereafter exclusively for decrypting data and never for encrypting data,
which include provisions for legal and regulatory requirements.
Shared Shared

measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements.
Shared Shared
measures in order for the key management system to track and report all cryptographic
materials and changes in status, which include provisions for legal and regulatory
requirements.
Shared Shared

policies and procedures for the secure disposal of equipment used outside the
organization's premises. If the equipment is not physically destroyed a data
destruction procedure that renders recovery of information impossible must be
applied. Review and update the policies and procedures at least annually.
CSP-Owned CSP-Owned
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
CSP-Owned CSP-Owned

policies and procedures for maintaining a safe and secure working environment
in offices, rooms, and facilities. Review and update the policies and procedures
at least annually.
CSP-Owned CSP-Owned

policies and procedures for the secure transportation of physical media. Review
CSP-Owned CSP-Owned
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk.
Shared Shared
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
CSP-Owned CSP-Owned
Implement physical security perimeters to safeguard personnel, data,

and information systems. Establish physical security perimeters between the
administrative and business areas and the data storage and processing facilities
areas.
CSP-Owned CSP-Owned
Use equipment identification as a method for connection authentication.

CSP-Owned Shared
Allow only authorized personnel access to secure areas, with all

ingress and egress points restricted, documented, and monitored by physical
access control mechanisms. Retain access control records on a periodic basis
as deemed appropriate by the organization.
CSP-Owned CSP-Owned
Implement, maintain, and operate datacenter surveillance systems

at the external perimeter and at all the ingress and egress points to detect
unauthorized ingress and egress attempts.
CSP-Owned CSP-Owned
Train datacenter personnel to respond to unauthorized ingress or
egress attempts.
CSP-Owned CSP-Owned

measures that ensure a risk-based protection of power and telecommunication
cables from a threat of interception, interference or damage at all facilities,
offices and rooms.
CSP-Owned CSP-Owned
Implement and maintain data center environmental control systems

that monitor, maintain and test for continual effectiveness the temperature
and humidity conditions within accepted industry standards.
CSP-Owned CSP-Owned
Secure, monitor, maintain, and test utilities services for continual

effectiveness at planned intervals.
CSP-Owned CSP-Owned
Keep business-critical equipment away from locations subject to high

probability for environmental risk events.
CSP-Owned CSP-Owned
and Privacy Lifecycle Management - DSP

policies and procedures for the classification, protection and handling of data
throughout its lifecycle, and according to all applicable laws and regulations,
standards, and risk level. Review and update the policies and procedures at
least annually.
CSC-Owned CSC-Owned
Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
Shared Shared
Create and maintain a data inventory, at least for any sensitive

data and personal data.
Shared Shared
Classify data according to its type and sensitivity level.

CSC-Owned CSC-Owned
Create data flow documentation to identify what data is processed,

stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change.
CSC-Owned CSC-Owned
Document ownership and stewardship of all relevant documented personal
and sensitive data. Perform review at least annually.
CSC-Owned CSC-Owned
Develop systems, products, and business practices based upon a principle

of security by design and industry best practices.
Shared Shared

of privacy by design and industry best practices. Ensure that systems' privacy
settings are configured by default, according to all applicable laws and regulations.
CSC-Owned CSC-Owned
Conduct a Data Protection Impact Assessment (DPIA) to evaluate the

origin, nature, particularity and severity of the risks upon the processing
of personal data, according to any applicable laws, regulations and industry
best practices.
CSC-Owned CSC-Owned
measures that ensure any transfer of personal or sensitive data is protected
from unauthorized access and only processed within scope as permitted by the
respective laws and regulations.
CSC-Owned CSC-Owned
Define and implement, processes, procedures and technical measures

to enable data subjects to request access to, modification, or deletion of their
personal data, according to any applicable laws and regulations.
CSC-Owned CSC-Owned

measures to ensure that personal data is processed according to any applicable
laws and regulations and for the purposes declared to the data subject.
CSC-Owned CSC-Owned

measures for the transfer and sub-processing of personal data within the service
supply chain, according to any applicable laws and regulations.
CSC-Owned CSC-Owned
measures to disclose the details of any personal or sensitive data access by
sub-processors to the data owner prior to initiation of that processing.
CSC-Owned CSC-Owned
Obtain authorization from data owners, and manage associated risk

before replicating or using production data in non-production environments.
CSC-Owned CSC-Owned
Data retention, archiving and deletion is managed in accordance with

business requirements, applicable laws and regulations.
CSC-Owned CSC-Owned

to protect sensitive data throughout it's lifecycle.
CSC-Owned CSC-Owned
The CSP must have in place, and describe to CSCs the procedure to
manage and respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations. The CSP must give
special attention to the notification procedure to interested CSCs, unless otherwise
prohibited, such as a prohibition under criminal law to preserve confidentiality
of a law enforcement investigation.
CSP-Owned CSP-Owned

to specify and document the physical locations of data, including any locations
in which data is processed or backed up.
CSP-Owned CSP-Owned
nance, Risk and Compliance - GRC

policies and procedures for an information governance program, which is sponsored
by the leadership of the organization. Review and update the policies and procedures
at least annually.
Shared Shared
Establish a formal, documented, and leadership-sponsored Enterprise
Risk Management (ERM) program that includes policies and procedures for identification,
evaluation, ownership, treatment, and acceptance of cloud security and privacy
risks.
Shared Shared
Review all relevant organizational policies and associated procedures

at least annually or when a substantial change occurs within the organization.
Shared Shared
Establish and follow an approved exception process as mandated by

the governance program whenever a deviation from an established policy occurs.
Shared Shared
Develop and implement an Information Security Program, which includes

programs for all the relevant domains of the CCM.
Shared Shared
Define and document roles and responsibilities for planning, implementing,

operating, assessing, and improving governance programs.
Shared Shared
Identify and document all relevant standards, regulations, legal/contractual,
and statutory requirements, which are applicable to your organization.
Shared Shared
Establish and maintain contact with cloud-related special interest

groups and other relevant entities in line with business context.
Shared Shared

policies and procedures for background verification of all new employees (including
but not limited to remote employees, contractors, and third parties) according
to local laws, regulations, ethics, and contractual constraints and proportional
to the data classification to be accessed, the business requirements, and acceptable
risk. Review and update the policies and procedures at least annually.
Shared Shared
policies and procedures for defining allowances and conditions for the acceptable
use of organizationally-owned or managed assets. Review and update the policies
and procedures at least annually.
Shared Shared

policies and procedures that require unattended workspaces to not have openly
visible confidential data. Review and update the policies and procedures at
least annually.
Shared Shared

policies and procedures to protect information accessed, processed or stored
at remote sites and locations. Review and update the policies and procedures
at least annually.
Shared Shared
Establish and document procedures for the return of organization-owned

assets by terminated employees.
Shared Shared
Establish, document, and communicate to all personnel the procedures
outlining the roles and responsibilities concerning changes in employment.
Shared Shared
Employees sign the employee agreement prior to being granted access

to organizational information systems, resources and assets.
Shared Shared
The organization includes within the employment agreements provisions

and/or terms for adherence to established information governance and security
policies.
Shared Shared
Document and communicate roles and responsibilities of employees,

as they relate to information assets and security.
Shared Shared
Identify, document, and review, at planned intervals, requirements

for non-disclosure/confidentiality agreements reflecting the organization's
needs for the protection of data and operational details.
Shared Shared
a security awareness training program for all employees of the organization
and provide regular training updates.
Shared Shared
Provide all employees with access to sensitive organizational and

personal data with appropriate security awareness training and regular updates
in organizational procedures, processes, and policies relating to their professional
function relative to the organization.
Shared Shared
Make employees aware of their roles and responsibilities for maintaining

awareness and compliance with established policies and procedures and applicable
legal, statutory, or regulatory compliance obligations.
Shared Shared
tity & Access Management - IAM

Establish, document, approve, communicate, implement, apply, evaluate
and maintain policies and procedures for identity and access management. Review
Shared Shared
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually.
Shared Shared
Manage, store, and review the information of system identities, and

level of access.
Shared Shared
Employ the separation of duties principle when implementing information

system access.
Shared Shared
Employ the least privilege principle when implementing information

system access.
Shared Shared
Define and implement a user access provisioning process which authorizes,

records, and communicates access changes to data and assets.
Shared Shared
De-provision or respectively modify access of movers / leavers or

system identity changes in a timely manner in order to effectively adopt and
communicate identity and access management policies.
Shared Shared
Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
Shared Shared

measures for the segregation of privileged access roles such that administrative
access to data, encryption and key management capabilities and logging capabilities
are distinct and separated.
Shared Shared
Define and implement an access process to ensure privileged access

roles and rights are granted for a time limited period, and implement procedures
to prevent the culmination of segregated privileged access.
Shared Shared
Define, implement and evaluate processes and procedures for customers

to participate, where applicable, in the granting of access for agreed, high
risk (as defined by the organizational risk assessment) privileged access roles.
Shared Shared
measures to ensure the logging infrastructure is read-only for all with write
access, including privileged access roles, and that the ability to disable it
is controlled through a procedure that ensures the segregation of duties and
break glass procedures.
Shared Shared

measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs.
Shared Shared

measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities.
Shared Shared
measures for the secure management of passwords.
Shared Shared

measures to verify access to data and system functions is authorized.
Shared Shared
eroperability & Portability - IPY

policies and procedures for interoperability and portability including
requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence CSC-Owned Shared
Provide application interface(s) to CSCs so that they programmatically

retrieve their data to enable interoperability and portability.
CSC-Owned Shared
Implement cryptographically secure and standardized network protocols

for the management, import and export of data.
CSC-Owned Shared
Agreements must include provisions specifying CSCs access to data
upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs CSC-Owned Shared
d. Data deletion policy
ucture & Virtualization Security - IVS

policies and procedures for infrastructure and virtualization security. Review
CSP-Owned CSP-Owned
Plan and monitor the availability, quality, and adequate capacity

of resources in order to deliver the required system performance as determined
by the business.
Shared CSP-Owned
Monitor, encrypt and restrict communications between environments
to only authenticated and authorized connections, as justified by the business.
Review these configurations at least annually, and support them by a documented
justification of all allowed services, protocols, ports, and compensating controls.
CSP-Owned CSP-Owned
Harden host and guest OS, hypervisor or infrastructure control plane

according to their respective best practices, and supported by technical controls,
as part of a security baseline.
CSP-Owned CSP-Owned
Separate production and non-production environments.

CSP-Owned CSP-Owned
Design, develop, deploy and configure applications and infrastructures

such that CSP and CSC (tenant) user access and intra-tenant access is appropriately
segmented and segregated, monitored and restricted from other tenants.
CSP-Owned CSP-Owned
Use secure and encrypted communication channels when migrating servers,
services, applications, or data to cloud environments. Such channels must include
only up-to-date and approved protocols.
Shared Shared
Identify and document high-risk environments.

CSP-Owned CSP-Owned
Define, implement and evaluate processes, procedures and defense-in-depth

techniques for protection, detection, and timely response to network-based attacks.
CSP-Owned CSP-Owned
ogging and Monitoring - LOG

policies and procedures for logging and monitoring. Review and update the policies
Shared Shared

measures to ensure the security and retention of audit logs.
Shared Shared
Identify and monitor security-related events within applications
and the underlying infrastructure. Define and implement a system to generate
alerts to responsible stakeholders based on such events and corresponding metrics.
CSC-Owned Shared
Restrict audit logs access to authorized personnel and maintain records

that provide unique access accountability.
Shared Shared
Monitor security audit logs to detect activity outside of typical

or expected patterns. Establish and follow a defined process to review and take
appropriate and timely actions on detected anomalies.
Shared Shared
Use a reliable time source across all relevant information processing

systems.
Shared CSP-Owned
Establish, document and implement which information meta/data system

events should be logged. Review and update the scope at least annually or whenever
there is a change in the threat environment.
Shared Shared
Generate audit records containing relevant security information.
Shared Shared
The information system protects audit records from unauthorized access,

modification, and deletion.
Shared Shared
Establish and maintain a monitoring and internal reporting capability

over the operations of cryptographic, encryption and key management policies,
processes, procedures, and controls.
Shared Shared
Log and monitor key lifecycle management events to enable auditing

and reporting on usage of cryptographic keys.
Shared Shared
Monitor and log physical access using an auditable access control

system.
CSP-Owned CSP-Owned

measures for the reporting of anomalies and failures of the monitoring system
and provide immediate notification to the accountable party.
Shared Shared
anagement, E-Discovery, & Cloud Forensics - SEF

policies and procedures for Security Incident Management, E-Discovery, and Cloud
Forensics. Review and update the policies and procedures at least annually.
Shared Shared

policies and procedures for the timely management of security incidents. Review
Shared Shared
'Establish, document, approve, communicate, apply, evaluate and maintain

a security incident response plan, which includes but is not limited to: relevant
internal departments, impacted CSCs, and other business critical relationships
(such as supply-chain) that may be impacted.'
Shared Shared
Test and update as necessary incident response plans at planned intervals

or upon significant organizational or environmental changes for effectiveness.
Shared Shared
Establish and monitor information security incident metrics.
Shared Shared

measures supporting business processes to triage security-related events.
Shared Shared

for security breach notifications. Report security breaches and assumed security
breaches including any relevant supply chain breaches, as per applicable SLAs,
laws and regulations.
Shared Shared
Maintain points of contact for applicable regulation authorities,

national and local law enforcement, and other legal jurisdictional authorities.
Shared Shared
gement, Transparency, and Accountability - STA

policies and procedures for the application of the Shared Security Responsibility
Model (SSRM) within the organization. Review and update the policies and procedures
at least annually.
Shared Shared
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
Shared Shared
Provide SSRM Guidance to the CSC detailing information about the

SSRM applicability throughout the supply chain.
CSP-Owned CSP-Owned
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
CSP-Owned CSP-Owned
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
Shared Shared
Implement, operate, and audit or assess the portions of the SSRM

which the organization is responsible for.
Shared Shared
Develop and maintain an inventory of all supply chain relationships.
Shared Shared
CSPs periodically review risk factors associated with all organizations

within their supply chain.
Shared Shared
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination Shared Shared
• Interoperability and portability requirements
• Data privacy
Review supply chain agreements between CSPs and CSCs at least annually.
Shared Shared
Define and implement a process for conducting internal assessments
to confirm conformance and effectiveness of standards, policies, procedures,
and service level agreement activities at least annually.
Shared Shared
Implement policies requiring all CSPs throughout the supply chain

to comply with information security, confidentiality, access control, privacy,
audit, personnel policy and service level requirements and standards.
Shared Shared
Periodically review the organization's supply chain partners' IT

governance policies and procedures.
Shared Shared
Define and implement a process for conducting security assessments

periodically for all organizations within the supply chain.
Shared Shared
& Vulnerability Management - TVM

policies and procedures to identify, report and prioritize the remediation of
vulnerabilities, in order to protect systems against vulnerability exploitation.
Shared Shared

policies and procedures to protect against malware on managed assets. Review
Shared Shared

measures to enable both scheduled and emergency responses to vulnerability
identifications,
based on the identified risk. Shared Shared

measures to update detection tools, threat signatures, and indicators of compromise
on a weekly, or more frequent basis.
Shared Shared
measures to identify updates for applications which use third party or open
source libraries according to the organization's vulnerability management policy.
Shared Shared

measures for the periodic performance of penetration testing by independent
third parties.
Shared Shared

measures for the detection of vulnerabilities on organizationally managed assets
at least monthly.
Shared Shared
Use a risk-based model for effective prioritization of vulnerability

remediation using an industry recognized framework.
Shared Shared
Define and implement a process for tracking and reporting vulnerability

identification and remediation activities that includes stakeholder notification.
Shared Shared
Establish, monitor and report metrics for vulnerability identification
and remediation at defined intervals.
Shared Shared
rsal Endpoint Management - UEM

policies and procedures for all endpoints. Review and update the policies and
procedures at least annually.
Shared Shared
Define, document, apply and evaluate a list of approved services,

applications and sources of applications (stores) acceptable for use by endpoints
when accessing or storing organization-managed data.
Shared Shared
Define and implement a process for the validation of the endpoint

device's compatibility with operating systems and applications.
CSC-Owned Shared
Maintain an inventory of all endpoints used to store and access company

data.
CSC-Owned CSC-Owned
measures to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data.
CSC-Owned CSC-Owned
Configure all relevant interactive-use endpoints to require an automatic

lock screen.
CSC-Owned CSC-Owned
Manage changes to endpoint operating systems, patch levels, and/or

applications through the company's change management processes.
CSC-Owned Shared
Protect information from unauthorized disclosure on managed endpoint

devices with storage encryption.
CSC-Owned CSC-Owned
Configure managed endpoints with anti-malware detection and prevention

technology and services.
CSC-Owned CSC-Owned
Configure managed endpoints with properly configured software firewalls.

CSC-Owned CSC-Owned
Configure managed endpoints with Data Loss Prevention (DLP) technologies

and rules in accordance with a risk assessment.
CSC-Owned CSC-Owned
Enable remote geo-location capabilities for all managed mobile endpoints.
CSC-Owned CSC-Owned

measures to enable the deletion of company data remotely on managed endpoint
devices.
CSC-Owned CSC-Owned

and/or contractual measures to maintain proper security of third-party endpoints
with access to organizational assets.
CSC-Owned CSC-Owned
End of Standard
ability and Ownership Architectural Relevance - Cloud Stack Components
SaaS Phys Network Compute Storage
Shared 1 0 0 0
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 0 0 0 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 0 1 0 0
CSP-Owned 0 0 0 0
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 0 0 0 0
Shared 1 1 1 1
CSP-Owned 0 0 0 0
CSP-Owned 0 0 0 0
CSP-Owned 0 0 0 0
CSP-Owned 1 1 1 1
CSP-Owned 1 0 0 0
CSP-Owned 1 1 0 0
CSP-Owned 1 1 1 1
CSC-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSC-Owned 0 0 0 0
CSC-Owned 1 1 1 1
CSC-Owned 0 0 0 0
Shared 1 1 1 1
CSC-Owned 1 1 1 1
CSC-Owned 0 0 0 0
CSC-Owned 0 1 1 0
CSC-Owned 0 0 0 0
CSC-Owned 1 1 1 1
CSC-Owned 1 1 1 1
CSC-Owned 0 0 0 0
CSC-Owned 0 0 0 0
CSC-Owned 0 0 0 1
CSC-Owned 0 0 0 0
CSP-Owned 0 0 0 0
CSP-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
Shared 0 1 0 1
Shared 1 1 1 1
Shared 1 0 0 0
Shared 1 1 1 1
Shared 1 0 0 1
Shared 1 0 0 1
Shared 1 0 0 1
Shared 0 0 0 0
Shared 0 0 0 0
Shared 0 0 0 0
Shared 0 0 0 0
Shared 0 0 0 0
Shared 0 0 0 0
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 0 0
CSP-Owned 1 1 1 1
CSP-Owned 0 0 0 0
CSP-Owned 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 0 1 0 0
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
Shared 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 1 1 1 1
CSP-Owned 0 1 1 0
CSP-Owned 0 1 1 1
CSC-Owned 0 1 1 1
Shared 0 1 1 1
Shared 0 1 1 1
CSP-Owned 0 1 1 1
CSC-Owned 0 1 1 1
CSP-Owned 0 1 1 1
CSP-Owned 0 1 1 1
CSP-Owned 0 1 1 1
Shared 0 1 1 1
Shared 0 1 1 1
CSP-Owned 0 1 1 1
k Components Org
App Data Cybersecurity Internal Audit Architecture Team
1 1 0 0 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 0 1 1 1
1 1 0 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 0 1 1
1 1 1 1 1
1 1 1 1 1
1 1 0 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 0 0 1 1
0 0 0 1 0
1 1 0 1 1
1 1 1 0 0
0 0 0 0 0
1 1 1 0 1
0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 0 0 0
0 0 1 1 0
0 0 1 1 1
0 0 1 1 1
1 1 0 1 1
1 1 0 1 1
1 1 0 0 1
0 1 0 0 1
1 1 0 0 1
0 1 0 0 1
1 1 0 0 1
1 1 0 0 1
0 1 0 0 1
0 1 1 0 1
0 1 0 0 1
1 1 0 0 1
1 1 0 0 1
0 1 0 0 1
0 1 0 0 1
0 1 0 0 1
0 1 0 0 1
0 1 0 0 0
1 1 0 0 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 0 1 1 1
1 1 1 1 1
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
0 0 1 1 0
0 0 1 1 0
0 0 1 1 0
0 0 1 1 1
0 0 1 1 1
0 0 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 0 1 1
1 1 0 1 0
1 1 0 1 1
1 1 0 1 1
0 0 0 0 1
0 0 0 0 1
0 0 1 0 1
0 0 0 0 1
1 0 0 0 1
0 0 0 0 1
1 1 1 0 1
1 0 0 0 1
0 0 1 0 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 0 1
1 1 1 1 1
1 1 1 0 1
1 1 1 1 1
1 1 1 1 1
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 0 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 0 1 0
1 1 1 1 0
1 1 1 1 0
1 1 0 1 0
1 1 0 1 0
1 1 1 1 0
1 1 1 0 0
1 1 1 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 0 1
1 1 1 0 1
1 1 1 0 1
1 1 1 1 0
1 1 1 1 1
1 1 1 1 1
1 0 1 1 1
1 1 1 1 1
1 1 1 1 1
1 0 1 1 1
1 0 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
Organizational Relevance
Supply Chain
SW Development Operations Legal/Privacy GRC Team
Management
1 1 1 1 1
0 0 0 1 0
0 0 0 1 0
0 0 0 1 0
1 1 1 1 1
1 1 0 0 1
1 1 1 1 1
1 1 0 1 1
1 1 0 1 1
1 1 0 1 1
1 1 0 1 1
1 1 0 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 1 1 1 1
0 0 0 1 0
1 1 1 1 1
1 1 0 1 0
1 1 0 0 1
0 0 1 1 0
1 1 1 1 1
1 1 0 0 1
0 0 0 1 0
0 0 0 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 1 1 1 0
0 1 1 1 0
0 1 1 1 0
0 1 1 1 0
0 1 1 1 0
0 1 0 0 0
0 1 0 0 1
1 1 0 0 0
0 1 0 0 1
0 1 0 0 1
0 1 0 1 0
0 1 0 0 1
0 1 0 1 1
0 1 0 1 1
0 1 1 1 0
0 0 0 1 1
0 0 0 1 1
0 1 1 0 0
0 1 0 1 0
0 0 0 0 0
0 1 0 0 0
1 0 0 0 0
1 0 1 0 0
0 1 1 0 0
0 1 0 1 0
0 1 1 0 0
1 0 1 1 0
1 0 1 1 1
1 1 1 1 1
1 1 0 0 0
0 1 1 1 0
1 1 0 0 0
0 0 1 0 0
0 1 0 0 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 0
1 1 1 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 1 0 1 0
0 1 0 1 0
0 1 1 1 0
0 1 1 1 0
0 1 1 1 0
0 1 1 1 0
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 0 1 1 0
0 0 0 0 0
1 0 0 0 1
0 0 1 1 0
0 0 0 1 0
0 1 0 0 0
1 1 0 1 1
1 1 0 0 0
1 1 0 0 0
1 1 0 0 1
1 1 0 1 1
0 0 0 0 0
0 1 0 0 0
1 1 1 1 1
1 1 1 1 0
1 1 1 1 0
1 1 1 1 0
1 1 0 1 0
1 1 1 1 0
1 1 0 1 0
1 1 1 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 1 1 0
0 1 1 1 0
0 1 1 1 0
0 1 1 0 0
0 1 1 1 0
0 1 1 1 0
0 1 1 0 0
0 1 1 0 0
0 0 1 1 0
0 1 1 1 1
0 1 0 1 1
0 0 1 1 1
0 0 1 1 1
0 0 1 1 1
0 1 0 1 1
0 0 0 0 1
0 0 0 1 1
0 1 1 0 1
0 0 1 0 1
0 0 0 1 1
0 1 1 0 1
0 0 0 1 1
0 0 0 0 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
1 1 1 1 1
0 1 0 1 0
0 1 0 1 0
0 1 0 1 0
0 1 1 1 0
0 1 1 1 0
1 1 1 1 1
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 1
1 1 1 1 1
1 1 0 1 1
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 0 1 0
1 1 1 1 0
HR
FALSE
FALSE
FALSE
FALSE
TRUE
FALSE
TRUE
FALSE
FALSE
TRUE
FALSE
FALSE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
FALSE
FALSE
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
FALSE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
TRUE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
TRUE
TRUE
TRUE
TRUE
TRUE
FALSE
FALSE
FALSE
TRUE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
FALSE
v4.0.6

Procedures


AIS-01
AIS-02
Security
AIS-06
Security Deployment
Security

Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Change Control and

Procedures
Management
Change Control and
Management
Change Control and
Management
Change Control and

Management
Change Control and
Management
Change Control and

Management
Change Control and

Management
Change Control and

Management
Change Control and
Management

Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Analysis
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management

and Procedures

and Procedures

and Procedures



Training

Data Security and

Procedures
Management
Data Security and
Management
Data Security and

Management
Data Security and

Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and

Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and

Processing
Management
Data Security and
Management
Data Security and

Management
Data Security and

Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and

Management

GRC-01

Compliance

Compliance
Compliance
Compliance
Compliance

GRC-07
Compliance Mapping

Compliance

Procedures
and Procedures
Procedures



and Training

IAM-01
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
Identity & Access

Management
Identity & Access

Management
Identity & Access
Management
IAM-10
Management Roles

IAM-11
Identity & Access
Management
Identity & Access

Management
Identity & Access
Management
Identity & Access
Management
Identity & Access
Management

IPY-01
Interoperability &
Portability
IPY-03

IPY-04

IVS-01
Infrastructure &
Infrastructure &
Infrastructure &
IVS-05
Infrastructure &
Infrastructure &
Infrastructure &
Infrastructure &

Procedures





Security Incident
SEF-01
Forensics
Security Incident
SEF-02
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics

Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-09
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-12
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-14
Accountability

TVM-01
TVM-02
Management

Management
Management

Management
Management

Management

Management

Management
UEM-01
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Remote Wipe UEM-13
Management
Universal Endpoint
Management
End of Guidelines
Control Specification





annually.
the organization.


and capabilities.
for resiliency.

standards.

outsourced).






changes.

encryption keys.

security event(s).
used.


requirements.


requirements.
requirements.


at least annually.


areas.



egress attempts.
offices and rooms.



least annually.





best practices.







at least annually.

risks.




least annually.
at least annually.

policies.





level of access.

system access.
system access.





requirements for:
d. Information/Data exchange, usage, portability, integrity, and persistence


a. Data format
c. Scope of the data retained and made available to the CSCs

by the business.







systems.



system.






at least annually.



• Service termination
• Data privacy




identifications,
based on the identified risk.


third parties.
at least monthly.





data.

lock screen.



devices.
End of Guidelines
Implementation Guidelines
Both the cloud service provider (CSP) and cloud service customer (CSC) should develop a "customized
integrated framework" of audit and assurance policies and procedures. This framework should
incorporate/demonstrate compliance to leading industry standards and self-imposed business requirements while
providing appropriate coverage of controls to assess the respective cloud environment and corresponding
services.
At a minimum, audit and assurance policies and procedures should include:
a. Audit and assurance functions indicating purposes, responsibilities, authorities, and

accountabilities to ensure organizational independence, professional care, audit objectivity,
and proficiency,
b. Audit and assurance plans,
c. Audit development policies and procedures to determine criteria and assertions against which
the subject matter will be assessed, quality assurance and supervision, sufficient and appropriate
evidence, in accordance with commonly accepted frameworks and audit best practices,
d. Audit reporting to communicate audit results and findings,
e. Follow-up activities to monitor audit findings implementation progress
Independent audit and assurance should be free from conflict of interest and undue influence in all matters related
to audit and assurance engagements.
The frequency of audit and assurance evaluations should comply with applicable standards, regulations,
legal/contractual obligations, and statutory requirements.
The audit and assurance process should assess all applicable CCM domains.
Independent audit and assurance assessments should be based on risk-based plans that define audit objectives,
scope, resources, timeline and deliverables, documentation and reporting requirements, use of relevant
technology and data analysis techniques, costs, communication, and escalation protocols.
Both CSPs and CSCs may take guidance from industry standards like the Committee of Sponsoring
Organizations (COSO) or the International Organization for Standardization (ISO) 31000 for risk management
and risk-based planning.
Verify compliance with all relevant standards applicable to the audit, such as:
a. Country regulations
b. Standards and certifications
c. Industry sector regulations
d. International applicable regulations such as those regarding privacy and cybersecurity
Audit management process security should include:
a. Secure role-based access and authorization and secure communication and storage.
b. Controls to protect audit data confidentiality, integrity, and availability.
c. Periodic reporting, including issues and remediation plans per organizational requirements.
The organization should document a well-defined remediation plan that includes:
a. Remediation tasks and their risk levels.

b. Proactive, continuous monitoring (where applicable) to identify anomalies using a risk-based approach.
c. Specific task owners.
d. Milestones with due dates.
e. Deliverables and current status.
The organization should document, communicate, and enforce change management best practices to address audit
findings based on a risk-based approach.
The policy should:
a. Include defined roles and responsibilities supported by regular workforce training.

b. Align with organizational purpose and strategy.
c. Provide a framework for setting application security baselines (e.g., NIST, ISO, OWASP, and CIS
benchmarks).
d. Guide the development of application security controls.
e. Include a commitment to satisfy applicable requirements and continual improvement.
f. Cover all relevant applications regardless of whether they are developed in-house or via one’s supply chain.
g. Promote the use of an established software development lifecycle (SDLC) in software development, including
code review, secure coding training, testing (functional, regression, security, etc.), vulnerability testing, and
change management.
h. Ensure vulnerability processes are followed with regular patching, scanning, and remediation before
production deployment.
i. Be reviewed by management periodically or after significant changes.
At a minimum, baseline requirements should include:
a. An alignment with established application security policies and industry standards.

b. Risk assessment (business, technical risks) to evaluate application security alignment with the baseline and the
performance of regular auditing (scanning/monitoring) to ensure such alignment is achieved.
c. A consideration for unique requirements and characteristics of each application.
d. Consideration and integration of lessons learned from issues/incidents back into the security policy.
e. Incorporation of guidelines on how to meet and/or stay aligned with the established baseline.
f. Periodic management review.
Actionable metrics should be defined with consideration to business goals, the criticality of service, security
requirements, and compliance obligations.
Example technical metrics include:

• Count or percentage of vulnerabilities by weakness.
• Count or percentage of vulnerabilities by severity.
• Count or percentage of vulnerabilities by detection source (design review, code review, SAST, DAST,
penetration test, VDP, or bug bounty).
• Count or percentage of vulnerabilities by environment detected (pre-production vs. production).
• Average time to resolution.
• Count exceeding remediation service level objectives (SLOs).
Example operational metrics include:

• Count or percentage of applications using automated security testing by test type (SAST, DAST, SCA).
• Count or percentage of applications have completed penetration testing in the last “n” months.
• Count or percentage of development teams or individuals who have completed application security training in
the last “n” months.
• Count of proactive engagements by development and business teams.
• Results from surveys delivered to application security customers, such as business and development teams.
Reporting:
Reporting should be designed with various users in mind. For example, security professionals, engineering teams,
business stakeholders, and executives will often have different interests requiring specialized views, filtering, and
delivery mechanisms.
a. The collection, visualization, and distribution of reporting data should be automated.

b. Data may be further analyzed using application criticality, business units, platforms, languages, and other
factors relevant to the viewer.
c. Compare actual metrics to standards to evaluate performance.
d. Enable comparisons over time to identify trends.
e. Enable correlations, such as relating a reduction in vulnerabilities of a specific type after new tools or training.
Defining security requirements should be the first step in the secure software development lifecycle (SSDLC)
process to ensure that security is integrated into the product from its creation. All security requirement aspects
should be considered from functional, physical, and business requirements perspectives. In addition, security
requirements should derive from security objectives and/or organizational goals and regulatory requirements.
Industry standards should be applied at project inception and every stage of the SSDLC process—including
requirements analysis, design, coding, testing, deployment, and end-of-life (EoL) processes.
To successfully enable SSDLC security, roles and expectations should be clearly defined and published, and an
inventory of applications and their metadata should exist in an easily accessible format.
Appropriate security practice examples for the common stages of an SSDLC are provided below to include the
following categories: training, requirements, design, development, testing, and release and response.
A. Training:
a. Role-based secure development training should be required at multiple stages of employment (or other
contractual relationships), including on-boarding and role changes.
b. Refresher training should be delivered throughout one's career, regardless of position or movement in their
organization.
c. Targeted, specialty training should be created and made available as the organization adopts new technologies.
d. Progressively advanced training should be made available to relevant employees (and contractors whenever
applicable) as they transition through technical roles and/or champion program participants.
B. Requirements:
a. Generic and specialized security requirements should be defined, published, organized, and easily accessible to
all organizational roles.
b. Every application, during each iteration, should review existing requirements and research if additional
requirements are necessary. It is beneficial for the engineering teams to consult with a security professional at this
time.
C. Design:
a. Security-focused design reviews are conducted.
b. Threat models are developed or modified.
c. The design of new or enhanced security controls, required by the application design, is developed.
D. Development:
a. Develop, as per design specifications.
b. Abuse cases are used to develop a security-focused unit and integration tests during development.
c. Secure coding practices are implemented and enforced through automation and manual peer code reviews.
E. Security Testing:
Note: The implementation guidelines of AIS-05 should be interpreted as further guidance in addition to what is
specified in AIS-03 and AIS-04.
Automation of security testing should be implemented to reduce risks and errors and enable the scaling of
security practices to meet organizational demands. Multiple test types and integration points will likely be needed
to provide the appropriate level of assurance throughout the SDLC. Criteria should be developed for use when
assessing the automation required by an application, as not all systems will benefit equally.
Strategy:
a. Identify the goals and requirements of the automation implementation.
Example goals:
• Security requirements are not relaxed to improve speed.
• All developers can leverage tools to detect security weaknesses while developing software.
• All third-party libraries are scanned for known vulnerabilities.
• All authentication and authorization functions “pass” abuse case unit tests before deployment.
• All website security headers are verified to meet security requirements when deployed.
Example requirements:
• Applicable programming languages should be supported by static analysis tools.
• Python and C# should be supported by select static analysis tools.
• Automation should not require infrastructure support.
• All automation tools should offer an application programming interface (API).
• All website security headers are verified to meet security requirements when deployed.
Strategy can also include, but is not limited to:

b. Security testing for unintentional side effects and behaviors that are not specified in the test plan or design.
c. Security testing for incident response procedures, such as simulating breaches.
d. Determining which portfolio applications warrant investment in automation. Prioritize the adoption order based
on criticality.
Considerations:
e. Security requirements
f. Risk, business, and compliance requirements
g. Development methodology
h. Lifecycle
i. Metrics establishment
Example:
• Count or percentage of (test type) adoption among applications requiring (test type) SAST, DAST, SCA, etc.
The strategies should include:
a. Defined security and automation requirements based on an organization's application deployment needs and
standards.
b. Defined roles and responsibilities between security, application teams, and other stakeholder groups.
c. Identification and integration with existing application deployment processes.
d. Customization of secure application deployment for deployment types such as operating systems, network
connections, configuration, etc.
e. Logging and monitoring of secure application deployment so that data issues can be promptly addressed by the
appropriate people (incident or forensics).
f. Metrics to effectively measure deployment success.
The capabilities should be based on the organization's SSDLC and should include, for instance:
g. Defined and approved list of deployment and automation technologies.
h. Enablement for team members (e.g., developers, administrators, etc.) to dynamically address security issues
when needed.
The strategies and capabilities should be reviewed periodically by senior management.

Application security remediation should adhere to the following guidelines:
a. Follow defined remediation processes, designed, tested, and implemented by security and application teams.
b. Remediate risks as early in the SDLC as possible, such as during the design or development stages.
c. Have defined roles and responsibilities, including escalation paths for application security incident response
and remediation.
d. Follow a risk-based approach to address high-risk incidents that significantly impact application availability,
integrity, or confidentiality.
e. Leverage automation when possible to increase remediation efficiency and accuracy.
Processes, roles, responsibilities, and documentation established for application security remediation should be
reviewed periodically by management.
Example:
• GitOps-based remediation of application vulnerabilities.
• Automated remediation efficacy metric: total number of remediations of active critical/high vulnerabilities
performed through Git for the given period.
• Total number of active critical/ high vulnerabilities identified for the given period.
The policies should include defined roles and responsibilities supported by regular workforce training.
The policies should:

a. Be appropriate to the organization’s purpose.
b. Provide a framework for setting business continuity objectives.
c. Include a commitment to satisfy applicable requirements and continual improvement.
d. Include organizational risk appetite and tolerance to facilitate appropriate planning, delivery, and support of
capabilities in the event of a business disruption.
e. Take guidance from industry standards, such as ISO 22300.
The business impact analysis (BIA) should incorporate the following components:
a. Identification of critical products and services with their inherent risks.
b. The likelihood and impact of each risk.
c. The organization's risk appetite and tolerance.
d. The identification of risk dependencies.
e. The identification of appropriate and relevant countermeasures to prevent, detect, and react to the identified
risks.
The impact analysis should incorporate the following elements:

f. The immediate and ongoing impacts resulting from disruptions.
g. A recovery time objective (RTO) and recovery point objective (RPO).
h. The estimated internal and external resources required for recovery and resumption.
Business continuity and operational resilience strategies should:
a. Be developed by both cloud service providers and cloud service consumers with consideration of acceptable
limits regarding risk appetite and tolerance.
b. Cover all aspects of business continuity and resilience planning—taking inputs from assessed impact and risks
—to consider activities for before, during, and after a disruption.
c. Account for the unavailability of all relevant components required to operate the business “as usual” or in a
disrupted mode (in parts or total) during a disruption.
d. Cover all actions required to continue and recover prioritized activities within identified timeframes and
aligned with organizational risk appetite and tolerance (including the invocation of continuity plans and crisis
management capabilities).
e. Cover all activities within the defined scope to protect prioritized activities, reduce disruption likelihood, and
limit cloud capability disruption through adequate resourcing.
f. Include detailed solutions and measures for each strategy.
All relevant business continuity plans should be developed consistently to address priorities for operational
resilience, testing, maintenance, and information security requirements.
Business continuity plans should be accessible and available to those with the need-to-know and include the
following elements:
a. Defined purpose and scope, aligned with relevant dependencies.
b. Assigned roles and responsibilities (i.e., review, update, and approval).
c. Defined lines of communication, roles, and responsibilities.
d. Detailed recovery procedures, manual workaround, and reference information.
e. Method for plan invocation.
The plans should be tested and reviewed at planned intervals (e.g., annually or upon significant organizational or
environmental changes).
The documentation should include but is not limited to:
a. Administrator and user guides
b. Database backup and replication guidelines
c. Architecture diagrams
d. Incident playbooks
Documentation availability is intended to support successful continuity of the following activities:

e. Configuring, installing, deploying changes, and operating the system and/or infrastructure.
f. Effectively using the system’s security and business continuity features.
g. Using system automation and structured playbooks where available for fast incident recovery.
The documentation should be interconnected and comparable.

Exercise and test business continuity and operational resilience plans at least annually or upon significant
changes.
Exercises and tests should include but are not limited to:
a. Processes established in the business continuity plan.
b Alignment with business continuity policies.
c. Critical systems and equipment relevant to the business continuity plan.
d. Roles and responsibilities of the various parties involved in the exercises.
e. The use of CSP support mechanisms in CSC exercises.
f. A review and update of communication templates.
g. Lessons learned from previous events and exercises.
h. Tabletop exercises.
Depending on the level of CSP maturity, the CSP’s practices may include automated chaos testing.
A business continuity and resilience program should:
a. Communicate the importance of effective business continuity and the consequences of disruptions to all
relevant stakeholders.
b. Communicate the business continuity and resilience policy, objectives, and plans to all relevant stakeholders.
c. Communicate the roles, responsibilities, authorities, and expected competencies to all relevant stakeholders.
d. Establish the criteria, thresholds, and indicators to demonstrate when and how business continuity-related
communications should be sent, who should send them, and to whom they should be sent.
e. Establish templates for common communications during a disruption regarding the activation, operation,
coordination, and communication of a business continuity response.
f. Establish the people, technology, and processes required for business continuity communications.
g. Establish a response structure that will enable timely warnings and communication to relevant stakeholders.
Clear and effective communication channels should remain available to disseminate information to participants
and stakeholders, assess and relay damage, and coordinate a recovery strategy. Failed communication often
results in failed business continuity efforts. Thorough planning, testing, and exercising communication
procedures within the following four phases are essential to support effective business continuity and the viability
of critical business operations.
Implementation of backups and/or other means of data preservation (e.g., replication) should follow the following
guidelines.
a. The scope, frequency, and duration of cloud data retention should comply with:
Applicable laws
Contractual agreements with the cloud customers
The cloud provider’s business requirements
b. The backup approach, including the physical location of backup files, should comply with the privacy and data
protection laws and regulations applicable to the data collected.
c. The data backup process should be monitored by employing technical and organizational safeguards. At a
minimum, malfunctions should be examined and eliminated promptly by qualified employees to support
compliance with the retention’s scope, frequency, and duration.
d. Backup and restoration procedures should be periodically tested and the results documented to ensure data can
be successfully restored. Tests should be designed so that the reliability of the backup media and the restoration
time (RPO, RTO) can be established with sufficient certainty. Any errors and identified improvements (corrective
and preventive actions) should be addressed promptly.
e. Restorations should be carried out only after they have been approved by authorized persons (according to
contractual agreements with cloud customers or the internal policies of the cloud provider).
f. The cloud service provider, when appropriate, should be able to disclose the exercise results to the cloud
services customer as part of the assurance of business continuity and resilience.
Additional guidance is also available in the NIST Special Publication 800-53 (Rev. 4) CP-9 INFORMATION
SYSTEM BACKUP (latest revision).
The response plan should include the ability to protect systems—including the physical environment when
possible—from inadvertent unauthorized access during an emergency.
The response plan should include the following when describing environmental threats/natural disasters: fires,
medical emergencies, tornadoes, hurricanes, flooding, earthquakes, and other natural disasters.
Civil disturbances can include disgruntled employees/contractors/customers, terrorist attacks, biological attacks,
and airborne agents.
Emergency authorities can include first responders and other law enforcement entities.
The plan should be executed at regular intervals based on the organization’s BIA. It should be performed as a
tabletop exercise and incorporate an annual live event with local authorities (e.g., fire departments, health
officials, police departments, anti-terrorist organizations, and anti-cybercrime groups).
Depending on regulatory requirements, the business, and the industry, a disaster recovery (DR) exercise might be
required. For example, financial institutions may consider running live on DR for extended periods or simulate
component or partial failures to test overall organizational resiliency and recovery abilities.
The minimum distance between mirrored or redundant physical systems should support compliance with the
organization's defined continuity and availability within contractual agreements or service-level agreements
(SLAs).
A documented and approved change management policy (and associated process documentation) should:
a. Ensure that changes are tested, documented, risk assessed, and authorized in a consistent and timely manner.
All changes (e.g., major, minor, and emergency and the qualifying criteria) in organization assets, applications,
system software, and informational technology (IT) infrastructure (e.g., hardware, operating systems,
communications equipment, and software) and associated configurations should be under the scope of the change
management policy.
b. Be communicated and made accessible to all employees and interested parties involved within the change
management process (e.g., service/application owners, project leaders, IT, operating systems staff, contractors,
etc.).
c. Include the management of emergency changes.
A plan to test and review during the development process should be prepared. This plan should include (but is not
limited to) relevant activities and test inputs, and expected outputs regarding various conditions that may impact
the outcome. For internal organizational developments, the team that oversees development efforts initially can
perform such tests. Independent acceptance testing can then be performed (both for internal and external
development sources) to determine whether the system functions as intended. Testing should be proportionate to
the system’s relevance based on its nature.
Testing record(s) should be documented before implementing all planned changes to organization assets
(including applications, systems, infrastructure, configuration, etc.), regardless of whether the assets are managed
internally or externally (i.e., outsourced).
The record(s) should comprise a test plan, configuration baseline before the change, the test result, and the new
configuration baseline.
The quality testing plan might align with relevant standards or guidelines (i.e., ITIL or ISO 20000, etc.)
The organization should:
Collaborate with relevant internal and external parties involved in the change management process.
Assess the impact and type of change to determine the risk of the change before it is applied.
Adopt Change Management Technologies to manage the change management workflow.
These tools should help adequately manage the authorization process, including activity logging. In addition, real-
time reporting/monitoring capabilities should be implemented to monitor change progress so that quick decisions
can be made to manage the risks of unforeseen issues due to the change implementation.
Understanding how those relevant components impact the security and usability of the supply chain that supports
organizational environments should be one aspect of such collaboration.
The organization should establish procedures and implement technical measures to prevent and/or detect any
unwanted/unauthorized changes (e.g., additions, removals, and updates) to organizational assets production,
including applications, systems, infrastructure, configuration, etc.
Processes and procedures established by both the CSP and CSC should reflect respective change management
responsibilities with respect to the scope of services being provided and/or consumed. There should be
acknowledgement of each party's responsibility, where applicable and it should be part of a written change
management agreement between CSC and CSP. The acknowledgment should include a reference to limitations
related to changes impacting CSC-owned environments/tenants.
NOTE: The CSP may need to apply changes that impact CSC-owned environments/tenants without the explicit
authorization of the CSC (in case those changes would be required for the overall security of the CSP system). If
those types of changes are applied, the CSC should be consulted promptly.
A change management baseline reflects the minimum policies, procedures and technical measures established to
achieve organizational objectives, and requirements (i.e., CCC-02 implementation guidelines).
The organization should establish a policy and procedures to detect deviations from the established control
baseline. When a deviation is detected, the organization should follow the incidence management policies and
procedures defined in SEF-01.
The procedure for exceptions’ management should include, but is not limited to:
a. Change management baselines
b. Unauthorized assets
c. Evidence collection and management
Rollback procedures should be created and tested with each change request.
Policies and procedures on the use, protection, and lifetime of cryptographic keys should be developed and
implemented through their full lifecycle.
Policies and procedures include but are not limited to the following considerations:
A. Policies and procedures relating to organization/management.

a. Roles and responsibilities (See GRM for general considerations)
b. Data protection (DSP domain for general considerations)
1) Data encryption
2) Algorithm
c. Change management (See CCC domain for general considerations)
1) Cost-Benefit analysis
d. Risk management (See BCR/GRC domains for general considerations)
e. Monitoring and reporting (see LOG and monitoring domain for general considerations )
f. Transaction/activity logging (see LOG and monitoring domain for general considerations)
g. Incident handling (see SEF domain for general considerations)
h. Audit (See A&A domain for general considerations)
B. Policies and procedures relating to key management.

a. Key generation
b. Key distribution
c. Key rotation
d. Key revocation
e. Key destruction
f. Key activation
g. Key suspension
h. Key deactivation
i. Key archival
j. Key compromise
k. Key recovery
l. Key inventory management
m. Key purposes
n. Key access
Below are some examples of possible roles and responsibilities:
a. Keys managers should not be able to access protected data or the cryptographic engine.
b. Separation of duties should include two or more individuals control a single process.
c. Split Knowledge requires no one person knows the complete value of an encryption key.
d. No one person should know the entire passphrase used to create encryption keys.
e. Restrict access rights to the least resources required (least privilege).
f. A policy authority is responsible for all operational cryptographic key management system (CKMS) roles and
reports to the executive IT.
Roles and responsibilities should be defined and followed:

a. Generation or acquisition of key information .
b. Secure distribution of private and secret keys,and the metadata.
c. Establishment of cryptoperiods.
d. Key and certificate inventory management.
e. Revocation of compromised keys and the establishment of replacement keys and/or certificates.
f. Management of the storage and recovery of operational and backed-up key information.
g. Storage and recovery of archived key information.
h. Checking the integrity of stored key information before using it.
i. Destruction of private or secret keys that are no longer required.
Data protection/data encryption is the process of changing plaintext into ciphertext using a cryptographic
algorithm and key.
a. Organizations should be able to either encrypt all information on storage devices (i.e., full disk encryption) or
encrypt specific data structures (e.g., files, records, or fields).
b. Data at rest involves databases, end-user workstations, and file servers.
c. Data in transit involves system interfaces, public networks, and electronic messaging.
d. Cryptography provides data protection: confidentiality, integrity, availability, and source authentication.
e. Cryptographic key management system security policies rules need to protect the confidentiality, integrity,
availability, and source authentication of all keys, algorithms, and metadata.
f. Key management technology and processes should be NIST FIPS validated and/or National Security Agency
(NSA)-approved by other relevant international standardization bodies.
g. Approved algorithms and key sizes should reside in the CKMS.
h. Quantum-resistant encryption is developing quickly, and it is recommended that this technology is closely
monitored so the organization is not exposed.
A risk-based approach to encryption algorithms adoption should consider, but not be limited to:
a. Cryptographic key management system algorithms should not exceed the anticipated lifetime of the CKMS and
the information it protects.
b. Cryptographic key management system security policies should protect the confidentiality, integrity,
availability, and source authentication of all keys, algorithms, and metadata.
c. The (CKMS) should include, but is not limited to:
Approved algorithms
Hardware security modules (HSMs)
Key sizes
d. The adoption of the appropriate key size and algorithm types should be done based on cost-benefit analysis and
the level of risk to data (please see the reference to quantum-resistant encryption in CEK-03).
Key change management is the process of managing all changes to key management governance, organization,
infrastructure, and activities.
a. Changes to the key management system and its policies and procedures should be analyzed and approved
before implementation.
b. Changes should be documented to show the reasoning behind the changes and include a path to rollback to the
previous status.
c. If unauthorized changes are made to the software, the software should be recovered.
d. There should be security audits after every significant change to the key management system.
e. All audit results should be reported to the system authority.
Encryption change cost-benefit analysis is the process of comparing the benefit of encryption changes to its cost.
a. Key change management cost-benefit analysis/return on investment (ROI) should be calculated for all key
management-related changes.
b. Every analysis should fully account for downstream effects of proposed changes, including residual risks.
c. Every analysis should be reviewed and approved.
d. Six months after a change, compare the anticipated ROI to the actual ROI.
e. Significant deviation from the planned ROI should be audited.
f. Report all audit results to the system authority.
Key risk management is the process of managing the risks to key management governance, organization,
infrastructure, and activities.
a. Assess the risks of unauthorized disclosure, modification, destruction, or information loss.
b. Cryptoperiod selections should consider the risk and consequences of information exposure.
c. Evaluate the tradeoffs of manual versus automated key distribution.
d. Reduce compromised key risks by (1) not using such keys for new encryption activities and (2) only using
keys to decrypt material previously decrypted under this key.
e. Adjust the audit scope and frequency to align with the risk assessment.
f. Apply algorithm strength in proportion to the risk of information exposure.
g. Assess risks to operational continuity versus the risks of key material data exposure when considering key
recovery.
Key management capability is the process of CSPs providing CSCs the capability to manage CSC-owned or
generated encryption keys.
a. The CSC and CSP should agree on the definition and scope of CSC-managed keys and document this (shared
responsibility) in the SLA, applicable contracts, policies, and procedures.
b. The CSP should allow the CSC to manage policies, procedures, and processes.
c. The CSP should empower the CSC to manage keys and data encryption keys.
d. The CSP should enable the CSC to manage key encryption keys or master keys used to encrypt data keys.
e. The CSP should allow the CSC to use the key management system (e.g., transactions, reporting, etc.).
f. Optionally, the CSC should supply CSC-generated master encryption keys using bring-your-own-key (BYOK)
mechanisms per the SLA.
Key audit is the process of assessing the organization, governance, infrastructure, policies, procedures, and
activities.
a. Audits assess compliance with "key management" policies and procedures.
b. Audits assess the design and effectiveness of "key management" controls and the control environment.
c. Audits assess compliance with industry and regulatory standards (e.g., Health Insurance Portability and
Accountability Act (HIPAA), payment card industry (PCI)).
d. Audits results are reported to the key management system authority.
e. Audits are performed according to key- and risk-management policies.
f. Request third-party certification reports and review issues with the CSP and auditor.
g. At a minimum, sensitive audit information and sensitive audit tools should be cryptographically protected.
The key generation process should be cryptographically secure.
a. Keys should be generated:
using random bit generators (RBGs) and possibly other parameters, or
generated based on keys that are created in this fashion.
b. Key management technology and processes should be NIST FIPS validated or NSA-approved or comparable.
c. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key distribution is the process of logically or physically transferring keys.

a. Distribution of asymmetric key pairs (public, ephemeral, centrally) requires protection mechanisms.
b. Distribution of symmetric keys requires their own protection mechanisms.
c. Distribution of other key materials requires their own protection mechanisms.
d. Distributed keys should be protected at rest, in storage, in transit, and to the appropriate extent (even when in
use).
e. Distribution controls must address confidentiality, integrity, and availability.
f. Manual or automated (preferable) distribution may be used.
g. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key rotation generates (based on policy) a new key version of a key used to encrypt data.
a. Non-primary (old) keys should be used to decrypt data previously encrypted before re-encrypting the data with
new keys.
b. Old data may be re-encrypted using new keys based on organizational policy and technology capacity.
c. When rotating keys, consider the following principles:
• Cryptographic mechanism strength: algorithm, key length, and mode of operation.
• The volume of information flow or the number of transactions.
• The security life of the data.
• The security functions, such as data encryption, digital signature, and key protection.
• The number of key copies and the distribution of those copies.
d. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key revocation removes keys from operational use before their expiration dates.
a. Key revocation of a “symmetric key” restricts the use of the key material.
b. Key revocation of an asymmetric key specifically refers to the private key.
c. Perform emergency revocation when keys are lost or compromised.
d. Revocation statuses should be available to all who have relied on the key.
e. Use certificate revocation lists (CRLs) or other relevant mechanisms to inform stakeholders.
f. ROI: Cost to decrypt then re-encrypt large distributed databases with a significant number of key holders.
g. ROI: Risk of long-term cryptoperiods versus short and the amount of data encrypted with one key.
h. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key destruction removes all traces to prevent recovery by physical or electronic means.
a. When a key is to be destroyed, all key copies should be destroyed.
b. Keys should be destroyed when they are not needed to minimize compromise risks.
c. Secret and private keys should be destroyed so they cannot be recovered by any means.
d. Public keys may be kept or destroyed.
e. Notify stakeholders in advance of key destruction.
f. Consider laws, regulations, and their retention requirements for keys and/or metadata.
g. Key recovery information (KRI) should be protected against unauthorized disclosure or destruction.
h. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Activated keys are used to protect information cryptographically.
a. Pre-activated keys are activated by entering the start date of the validity/cryptoperiod.
b. Keys which are not activated for use are not ready to encrypt data.
c. Non-activated keys should only be used to perform proof-of-possession or key confirmation.
d. If pre-activated keys are no longer needed, they should be destroyed.
e. If there are suspicions about the integrity of a given key, it should be moved to the compromised state.
f.All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Suspended keys are not used for a period.

a. Keys may be suspended for leaves of absence or suspicion of compromise.
b. Suspensions should be investigated before transitioning to activation, revocation, or replacement.
c. Suspended keys should not be used to encrypt data, but they can decrypt data.
d. Do not process encryption applied after the beginning of a suspension period.
e. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Deactivated keys should not be used to encrypt but can be used to decrypt.
a. Upon the expiration date, keys should not be able to encrypt data.
b. The deactivated state should transition to the destroyed state when keys are no longer needed.
c. Metadata should be retained for audit purposes.
d. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key archiving places keys in long-term storage.

a. Archived key material can support the later recovery of information.
b. While archived key material may be needed in the future, the key material should be destroyed when no longer
required.
c. The key recovery process should include the generation, storage, and access of the long-term storage keys used
to protect backed-up and archived key information.
d. Archives should be used for long-term key access.
e. The inventory system should record the storage and recovery of archived key information.
f. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Compromised keys/states are keys that may be waiting for the performance of an investigation to determine the
appropriate disposition. Compromised keys should be revoked using the organization’s emergency revocation
policy.
When appropriate, relevant stakeholders should be notified that keys previously used to encrypt their data have
been compromised and that those keys are no longer used for encryption.
These compromised keys should be notated in the organization’s “Compromised Key Lists (CKLs)” along with a
summary of users notified, notification timeframes, or reasons that notifications were not made to compromised
key users.
Compromised keys await an investigation to determine disposition.

a. Perform emergency revocation when keys are lost or compromised.
b. A compromised status must be available to all who have relied on the key.
c. Use CKLs to inform stakeholders.
d. Compromised status is also reflected in the inventory management system.
e. Use audits to uncover undetected compromised keys.
f. Analyze events to support recovery from compromises.
g. Detail the method for revoking and re-keying compromised keys.
h. Use cryptoperiods to limit compromised key damage.
i. A compromised key should only be used to process data it has protected for the sole purpose of de-encrypting
the data.
j. All transitions/activity shall be recorded (logged) and the key state updated in the inventory management
system (CKMS).
Key recovery retrieves or reconstructs keys from backups or archives. When recovering keys, consider:
a. The type of key (e.g., private signature keys or symmetric data encryption keys).
b. The application in which the key will be used (e.g., interactive communication or file storage).
c. Whether the key is “owned” by the local entity, another entity, or is shared.
d. The role of the entity in communication (e.g., sender or receiver).
e. The algorithm or computation in which the key will be used.
f. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Cryptographic Key Management Systems (CKMS), whether manual or automated, exist to process, control, store
and report key management activity.
The CKMS should:

a. Capture, track and label all changes in status.
b. Continuously monitor for unknown cryptographic assets.
c. Generate and distribute key information.
d. Acquire or generate public-key certificates.
e.Backup archive and inventory key information.
f. Maintain a database that maps entities to an organization’s certificate or key structure.
g. Provide maintenance and distribution of revoked key or certificate reports.
h. Generate audit requests and process audit responses.
i. Crypto materials include keys, certificates, and HSMs.
j. Key management technology and processes should be NIST FIPS validated and NSA-approved.
k. Cryptographic key management system security policies should protect the confidentiality, integrity,
availability, and source authentication of all keys, certificates, algorithms, and metadata.
l. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
When clients delete, leave, or egress a cloud platform, the provider should follow a sequence of structured steps
to ensure that client data has been expunged from the provider environment according to the terms in the contract
and best practice (per vetted guidance sources such as NIST 800-88). In addition, the client may request
verification that data has been effectively removed.
These steps should include, but are not limited to:

a. Removal of sensitive data or systems not regularly accessed by the organization, service provider, partner, etc.
(stand-alone systems).
b. Completion of a confidentiality assessment—including a verified process for select information sanitization
and disposal processes.
c. A record of the process should be documented and communicated to support decisions.
d. All sanitized or destroyed assets should be logged into a tracking system with a certificate of media disposition
(clear, purge, or destroy).
The communications between services that facilitate movements of workloads, application data, etc., should be
encrypted based on globally recognized crypto algorithms such as AES-256. Additionally, communication may
include measures such as obfuscation or de-identification to render the information in transit illegible. NIST 800-
122 (Guide to Protecting the Confidentiality of Personally Identifiable Information - PII) provides relevant and
effective techniques for obscuring sensitive data, such as personally identifiable information (PII), etc.
The CSP should identify the manageable parts of the data center and consider operational criteria, such as
effectivity, efficiency, compliance, reliability, risk management, functionality, availability, integrity, and
confidentiality. Then, the CSP should prepare and maintain policies and procedures for each part.
Policies and procedures should include provisions to restrict physical access to the facilities to prevent
unauthorized entry.
Facility areas that house, store, and transact customer data should be configured to prevent confidential
information or activities from being visible and audible from the outside.
Electromagnetic shielding should also be considered as appropriate (ISO standard; ISO_IEC_27002_2013 -
11.1.3 (c)).
In addition, the facility itself should be designed and positioned to reduce the risk of natural disasters. Systems
and infrastructure should be deployed to enhance fire prevention—typically utilizing zoned dry-pipe sprinkler
systems. These systems are intended to be deployed throughout the facility and not just within the computer
room.
Secure transportation of physical media should include secure information-handling policies and procedures for
storage, packaging by internal or external personnel (third-parties, such as couriers), internal delivery, packaging
for external mail or courier services, and shipping tracking.
The facility management should develop a naming convention for asset classification that meets legal, value, and
business requirements to protect restricted information sharing.
Datacenter personnel should utilize a solution that enables inventory tracking and managing physical locations of
servers and other data center assets while eliminating paper and manual processes. A hosted asset tracking
solution for servers, switches, data center asset tracking and racks typically uses passive radio frequency
identification (RFID), global positioning system (GPS), and/or Bluetooth Low Energy (BLE) technologies.
Physical security perimeters should be restricted to authorized personnel only. They may include (but are not
limited to): fences, walls, barriers, guards, gates, external boundary protection, bollards, fencing, guard dogs,
armed guards, physical authentication mechanisms, reception desks, and security patrols.
Where applicable, use location-aware technologies to validate connection authentication integrity based on
known equipment locations.
Monitor, control, and isolate data storage and processing facilities, including ingress and egress points to service
and delivery areas and other points where unauthorized personnel may enter the premises. Organizations should
retain access logs for authorized personnel for no less than six (6) months. Facilities owners should adopt the
ISO/IEC_27001_2013-A.11.1.2 standard. Record the dates and times of visitor entries and departures, and
supervise all visitors unless their access has been previously approved. Visitors should only be granted access for
specific, authorized purposes and issued with instructions on area security requirements and emergency
procedures. Authenticate visitor identities by any appropriate means (i.e., validation with government-issued
identification (ID), such as an official identity document, driver's license, passport, etc.).
Equip external and internal perimeters with security alarm systems and surveillance devices such as movement
sensors and cameras. Monitor these perimeters with security personnel. Retain any recordings for a defined
period.
Comprehensive training on detecting and responding to various kinds of unauthorized access attempts must be
provided to relevant data center personnel and issued periodically.
All cabling should be shielded (when possible) to protect against electromagnetic interference (EMI).
Additionally, hide cabling (i.e., under the floor, above cabinets in caged, cable-management systems, etc.) or—at
a minimum—protect with (PVC) tubing (or something similar) when possible to protect against unauthorized
physical access.
Examples of environmental systems include but are not limited to temperature and humidity systems, fire
prevention, and detection systems.
Environmental system reviews should include activities to ensure continual effectiveness, and environmental
control systems should be maintained at normal operational levels during a power outage.
Examples of utility services include but are not limited to water, power, telecommunications, and internet
connectivity.
Service reviews should include activities to protect from unauthorized interception or damage and ensure the
services are designed with automated failover or other redundancies if planned or unplanned disruptions occur.
Keep business-critical equipment away from locations subject to a high probability of environmental risks, such
as switchyards and chemical facilities. Hazards include fires, flooding (e.g., waterlogging, water pipe exposure),
dust, wind (i.e., exposure to open doors/windows), and natural disasters (earthquakes and hurricanes).
Policies and procedures should include provisions for the following:

a. Data classifications with clear definitions and examples.
b. Acceptable use, handling, and storage of data by classifications.
c. How long the classified data should be retained.
d. How/when the classified data should be destroyed.
e. Responsibilities of data stewards.
Maintain a data inventory and document data flow diagrams and associated technical measures.
Document data protection controls and third-party data sharing practices. This documentation and associated risks
should be shared with customers and data owners as needed.
Examples include but are not limited to:

• Access controls and data loss prevention (DLP) solutions with data tagging capabilities.
• Define testing intervals based on data classification types or levels.
• Executive leadership should approve policies (cf. GRC-01).
• Note: Data life cycles include all stages (processing, storage, and transmission).
Data deletion should be conducted securely and effectively to ensure that it is not recoverable by any means,
including forensic techniques. Examples include but are not limited to cross-cut shredding or incinerating hard
copy materials, and writing zeros.
The data inventory should provide visibility into the location, volume, and context of all sensitive data and PII
through data discovery activities that result in a data inventory. Continuously support the classification process
using discovery.
Implement data classification by defining organizational data categories, such as public data, confidential data,
etc. Automated tools to label files, per their sensitivity levels, may be used. Appropriate security
measures/protection should be implemented, per its categorization.
Use data classification, tagging, or metadata fields based on industry-standard frameworks such as (but not
limited to):
a. Carnegie Mellon University: Guidelines for Data Classification
b. SANS Institute: Tagging Data to Prevent Data Leakage (Forming Content Repositories)
Review and update the data flow documentation periodically.

A data responsibility matrix can be defined, documented, and communicated. The matrix should include, but is
not limited to:
a. Data type.
b. The associated obligations (regulatory, contractual, or otherwise).
c. The persons or roles responsible for the data.
d. The frequency at which the documented personal and sensitive data should be reviewed.
Data protection and privacy consideration must be included by default at the design stage and throughout the
product development lifecycle. In addition, design documentation should clearly describe how data is protected.
In line with privacy considerations by design and default principles, the default/out-of-the-box settings should
align with the applicable regional privacy regulations.
Data protection impact assessment, which is essentially risk assessment from a privacy perspective, should be
performed by the data controller before processing if such personal data processing is likely to result in a high
risk to the rights and freedoms of natural persons.
When defining processes, procedures, and technical measures for data transfer, consider data transfer within the
organization and externally.
Personal data transfer in transit must be protected by strong encryption or similar techniques to prevent
unauthorized access by eavesdropping or data transfer interception.
The data subject should be able to access, view, rectify, or delete personal data in the system or by logging a
request with the service provider. The service provider should respond to such requests in alignment with the
relevant data protection laws.
Implement and maintain processes, procedures, and technical measures to ensure the following:
a. The data subject is made aware of the nature and purpose of information collection.
b. The information is relevant and limited to processing requirements.
c. Processing is performed in a reasonable manner that does not infringe upon the data subject's privacy.
d. Processing is for a specific, explicitly defined, and lawful purpose related to a function or activity of the
responsible party.
e. Where the controller intends to further process the personal data for an alternative purpose to which the
personal data were collected, the data subject should be informed of the purpose and provide consent before
additional processing.
f. Information is stored only as long as required.
The CSP should identify subcontractors and sub-processors that participate in the data processing, along with the
chain of accountabilities and responsibilities used to ensure that data protection requirements are fulfilled.
The CSP should inform the cloud customer of any intended changes concerning the addition or replacement of
subcontractors or sub-processors and allow the cloud customer to object to such changes or terminate the
contract.
The data protection obligations agreed upon between the CSP and the cloud customer should be supported by any
subcontractors or sub-processors used by the CSP.
The CSP remains liable to the cloud customer for data protection, regardless of whether the CSP uses
subcontractors or not.
The CSP should document and notify the data owner of the data that will be accessed by sub-processors.
Information may include, but are not limited to, categories of data, special categories of data, and processing
operations.
Before replicating data or using data in non-production systems copied from the production system, perform a
risk analysis and obtain data owner approval. Then, implement privacy risk mitigating techniques such as
anonymization, pseudonymization, etc. (if required).
Organizational data retention and deletion practices encompassing both physical and electronic data should be
established and implemented.
Information rights management technology should be used and applied (when applicable) to all sensitive data.
This technology can add a security layer that will help protect files from unauthorized copying, viewing, printing,
forwarding, deleting, and editing.
The CSP should have a process that describes how to respond to requests by law enforcement authorities, such as
a subpoena, official investigations, or legal proceedings initiated by governmental and/or law enforcement
officials. This process should be transparent to the interested CSCs unless otherwise prohibited.
The CSP should track where data is stored, processed, and backed up to ensure it is in line with the laws and
regulations applicable to the CSP and ensure those locations are not prohibited. In addition, the physical
locations’ registry should be kept up to date and shareable with CSC (if requested).
Organizational leadership should govern the program. The program should include—but is not limited to—
policies and procedures regarding legal matters, industry-specific regulations, regional requirements, compliance
mandates, security and privacy requirements, and information governance. Management of each business area
should include the implementation of all applicable governance policies and procedures. Policies and procedures
should be reviewed and updated at least annually.
The enterprise risk management (ERM) program should consider—and not be limited to—cloud-related
information security and data privacy risks. The program should include risk management elements such as risk
identification, risk assessment, risk treatment, and risk reporting. Management of each business area should
consist of the implementation of the applicable ERM program policies and procedures.
The ERM program should also feature a formal statement of risk appetite and may include creating and
maintaining a risk register that reflects the likelihood of occurrence, potential business impacts, risk levels, and
proposed mitigation actions for each risk.
Management-approved defined policies and procedures should be communicated to all employees for adherence.
Evaluate policies, procedures, and assigned responsibilities for accuracy and efficacy at least annually and when
there are significant internal changes or alterations in the external operating environment.
The exception process should be defined and approved by the management team and communicated across the
organization to promote adherence. Integrate exemptions with the information security risk management process,
and review organizational risks whenever a deviation from an established policy occurs.
The program should identify and assign roles, responsibilities, and management commitment.
The CCM domains to address within the information security governance program include, but are not limited to:
a. Audit and assurance
b. Application and interface security
c. Business continuity management and operational resilience
d. Change control and configuration management
e. Cryptography, encryption, and key management
f. Datacenter security
g. Data security and privacy lifecycle management
h. Governance, risk management, and compliance
i. Human resources
j. Identity and access management
k. Interoperability and portability
l. Infrastructure and virtualization security
m. Logging and monitoring
n. Security incident management, e-discovery, and cloud forensics
o. Supply chain management, transparency, and accountability
p. Threat and vulnerability management
q. Universal endpoint management
Management should promote coordination among organizational entities responsible for the different aspects of
cloud security and privacy risks. Review the program as required to address threat landscape changes and
substantial organization changes.
RACI charts (responsible, accountable, consulted, and informed) charts may be used to document roles and
responsibilities. Specific people or teams should be assigned for each documented role in the governance
program, policies, and procedures. Roles and responsibilities should be reviewed and updated periodically.
Documentation should reflect the requirements relevant to the organization and be updated regularly to reflect
changes in the internal and external operational environments. Communicate requirement changes to management
and other personnel, and implement them promptly.
Management should establish and maintain contact with special interest groups or professional associations to
receive early warnings and advice regarding new threats, vulnerabilities, and regulatory updates.
Personnel working under organizational control—including full-time employees, part-time employees,
consultants, and temporary staff—should undergo a screening process appropriate for their role and
responsibilities before granting access to the corporate network or systems.
Depending on the applicable legislation, inform candidates beforehand about screening activities. Personnel
screening should consider all relevant privacy, PII protection, and employment-based legislation and should
(when permitted) include the following:
a. Availability of satisfactory references.
b. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
c. Independent identity verification (passports or similar documents).
d. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.
The organization should consider rescreening individuals at regular intervals. Rescreening may also occur if the
employee’s responsibilities or access to confidential data have increased since their last screening.
The organization should have policies to determine who can screen personnel, how, when, and why the screening
is required, where data is stored, and what the retention period constitutes.
All relevant data about personnel should be considered PII and managed accordingly. If the screening is done by
an external entity or another organizational department, sensitive information like historic remuneration details
should be redacted if irrelevant to the screening process.
The organization should establish a policy on acceptable use requirements and standards for protecting and
handling the organizational assets and communicate them as sufficient to personnel. In addition, the policy should
provide clear direction on how individuals should utilize these assets.
Personnel should acknowledge their understanding and accept responsibility to use information processing
resources.
The policy should include, but is not limited to:
a. Expected security behaviors of individuals.
b. Unacceptable behavior of individuals.
c. Permitted use of the organization's assets.
d. Prohibited use of the organization’s assets.
e. Organizational monitoring activities.
Policies and procedures should be reviewed and updated at least annually or whenever there are significant
changes in the environment, and personnel should be retrained when these changes occur
The organization should establish and communicate a “clean desk” policy to guide personnel on reducing the risk
of unauthorized access to information.
The following guidelines should be considered:

a. Sensitive or critical business information (e.g., on paper or electronic storage media) should be locked away—
ideally in a safe, cabinet, or other security furniture—when not required.
b. User endpoint devices should be protected by key locks or other physical security means when not in use.
c. Documents containing sensitive information from multi-function devices (such as printers and other
reproduction technologies) should be stored securely. When these documents are no longer required, they should
be discarded using secure disposal methods.
d. Whiteboard and other types of displays should be cleared when not required.
e. Computers should be configured to automatically lock the computer screen after an idle period (screen lock
timeout).
f. Users should be trained to log out of systems or lock computer screens when not at workstations.
The organization should have procedures to vacate facilities, including conducting a final sweep before leaving to
validate the organization's assets are not left behind (e.g., documents fallen behind drawers or furniture)
Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions
of working away from a regular office.
The following matters should be considered:

a. The use of lockable filing cabinets
b. Secure transportation between locations
c. Remote access
d. Clean desk
e. Remote printing
f. Information disposal
Secure communications should take the following into account:

g. The need for remote access to the organization’s internal systems.
h. The sensitivity of the information that will be accessed and passed over the communication link.
i. The need to connect to internal systems.
j. The use of remote access (such as virtual desktop access) that prevents processing and information storage on
privately-owned equipment.
k. The threat of unauthorized access to information or resources from others at the remote working site (i.e.,
family, friends, and others in a public environment).
l. The use of home and public networks.
m. The requirements or restrictions on the configuration of wireless network services.
n. Protection against malware and firewall requirements.
o. The use of multi-factor authentication mechanisms when remote access to the organization’s network is
allowed.
The guidelines should also include:

p. Where the use of privately owned equipment not under the organizational control is not allowed.
q. Revocation of authority and access rights and the return of the equipment when the remote-working activities
are terminated
The organization should establish and communicate a policy and procedure for the return of assets owned or
controlled by the organization upon the termination of a personnel contract.
The organization should identify and document all information and other associated assets to be returned or
disabled.
Information and assets can include:

a. User endpoint devices
b. Portable storage devices
c. Specialist equipment
d. Authentication hardware (e.g., mechanical keys, physical tokens, and smartcards) for information systems,
sites, and physical archives
e. Physical copies of information
The organization should prevent the unauthorized copying of information (e.g., intellectual property) by
personnel under a notice of termination.
The organization should establish and communicate a ‘termination of employment’ policy that defines the
responsibilities and duties that should remain valid after termination of employment or a change in employment
status. This may include guidelines on information confidentiality, intellectual property, and other knowledge
obtained while personnel was employed under the organization’s control, and responsibilities contained within
any additional confidentiality agreements. These responsibilities should be included in employment terms and
conditions.
The process for termination or change of employment should also be applied to external personnel (i.e., suppliers)
when contract or job termination occurs or there is a role change within the organization
Employees should not be granted access to systems or information unless they have signed the employment
agreement featuring terms and conditions concerning information security. The terms and conditions of
employment should be appropriate to the employee based on their role. Additionally, roles and responsibilities
should be communicated during the hiring process.
The terms and conditions concerning information security should be reviewed and updated if relevant laws,
regulations, or information security policies change. Furthermore, personnel may be asked to acknowledge and
agree to such changes
The agreement between the employee and organization should include—but is not limited to—a confidentiality or
non-disclosure agreement if the employee will have access to confidential data.
Policy statements relevant to the employee/contractor should be communicated through training.
Employee legal responsibilities regarding their rights as an employee of the organization (i.e., whistleblower, data
protection regulations, etc.) should include guidance on how to handle both physical and digital assets.
The organization should take appropriate and proportionate action if an employee is in breach of an agreement
The organization should identify and document information asset protection responsibilities and carry out specific
information security processes. Responsibilities for information security risk management activities— and
especially accepting residual risks—should be defined.
These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites
and information processing facilities.
The non-disclosure agreement should address requirements to protect confidential information using legally
binding terms. Agreement terms should be based on the organization’s information security requirements.
The type of information covered should define permissible access and information handling protocols. The
agreement should include, but is not limited to:
a. What information is protected.
b. The length of the agreement.
c. Interested parties to the agreement.
d. The responsibilities of each party in the agreement.
e. Terms for the destruction of data once the agreement has ended.
f. Expected actions if a breach of agreement terms occurs.
Security awareness training should educate personnel about their responsibilities and the necessary means for
securing corporate assets.
Security awareness training should consider the roles and responsibilities of organizational members.
Training may include a test to measure personnel’s understanding of the responsibilities and protections required
to secure corporate assets. This evaluation may be used to improve training and verify that relevant knowledge
transfer occurs. Additionally, a training attendance registry should be maintained.
Security awareness training should educate personnel on their responsibilities and the necessary means for
securing personal and sensitive data.
Training should include the various regulatory and legal requirements that impact personal and sensitive data
handling.
Furthermore, training should occur regularly to incorporate changes in organizational procedures, processes, and
policies.
The organization should maintain a training and awareness program that regularly reminds personnel of their
responsibilities. These responsibilities include maintaining awareness and compliance with policies, procedures,
and applicable legal, statutory, and/or regulatory obligations.
The training and awareness program may include several awareness-raising activities via appropriate physical or
virtual channels, such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-
learning modules, and emails.
Organizations should document access control policies for the registration, management, and removal of digital
identities. Additionally, the guidelines should be communicated within the organization.
The policy should:

a. Include, but not be limited to, roles and responsibilities concerning creation, changes, and deletion of access
controls (including a regular review of access).
b. Conduct reviews regularly (at least annually).
The organization should leverage the identity and access management policy to establish a security baseline.
Organizations should establish a clear policy on strong password usage for different technical areas.
Organizations should also have a monitoring mechanism to evaluate the effectiveness of policy implementation.
The policy should be reviewed periodically (at least annually) based on business requirements. In addition, the
policy should clearly describe its applicability and scope, and management should promote effective
communication to ensure effective implementation within the organization.
Organizations should also have policies and procedures for all personnel (employees, vendors, or other third
parties) who have access to organizational data. Additionally, control-testing strategies should be employed to
test these policies and be maintained regularly.
Organizations should maintain a database of all system identities having access to different cloud environments
and assets. The database should illustrate a correlation between digital identities, assets where the access is
provisioned, and the type of access being provisioned (i.e., business users, system users, privilege users, etc.). In
addition, the database should be regularly reviewed to ensure access is revoked or changed based on job role
changes.
The identity and access management database should incorporate single sign-on and multi-factor authentication
for user access.
Database access should be based on need-to-know and least-privilege principles and should follow best practices
(such as role-based access control and segregation of duties). Finally, all access (especially privileged access)
should be logged and monitored for anomalies and unauthorized use and linked to alerting systems as
appropriate.
Access control policy should provide instruction on separation of environment and separation of duties, and cover
the following:
a. Maintain separation of duties between the production, testing, and development environments while limiting
read/write access to all environments (such as production, development, and testing).
b. Maintain separation of duties should and require multiple layers of approval (e.g., business approval, system
owner approval) to ensure the integrity of access to different systems.
User and service account access should leverage access control methods, such as role-based access control
(RBAC) and attribute-based access control (ABAC). In addition, conduct regular reviews of access processes
(including auditing, when appropriate) to identify non-adherence to the principle of least privilege.
Restrict privileged access and access to administrative accounts should be via the principle of least privilege and a
need-to-know basis. Furthermore, access should be set to “deny all“ unless specifically allowed.
The organizations should address any changes to the identity and access controls using the pre-established
baseline. These changes could be from the proactive management of exploits via vulnerability scanning or
reactive management of issues via incident management.
Deprovisioning should automatically remove associated authorizations. For systems not integrated into automated
processes, deprovisioning processes should be manually carried out by system owners. De-provisions to customer
data should be made known to cloud customers where applicable.
The principle of separation of duties should also be considered when conducting user access reviews.
Access should be reviewed when users resign, are terminated, change roles, and/or no longer need the
authorization to carry out duties for any other reason.
Processes and procedures should be communicated within the organization for adherence and enforcement and
regularly reviewed (at least annually).
Separation of duties should be established and implemented between development/test and production
environments. With this control, a developer may use an administrator-level account with elevated privileges in
the development environment and a separate account with user-level access to the production environment. In
addition, appropriate levels of logs should be gathered from the production systems for further monitoring and
analysis via security operations.
These operations should be managed using split knowledge and dual control where key management operations
are used.
Administrators should be allowed to log in as themselves and elevate privilege by systematically requesting a
new role assignment to obtain the rights they need to perform tasks. This can be accomplished by establishing
temporary, time-bound privileged access for both on-premises and cloud-based infrastructure. The duration of
approval validity should be automatically limited. Only authorized users/roles should be pre-approved to request
elevation of privileged access.
The privileged access roles and rights should be reviewed periodically. Additionally, all the privilege access
rights should be assigned based on multiple approval approaches (i.e., system owner, manager of user, etc.).
All privileged accounts and elevation of privileges should be monitored for suspicious activity, such as login
failures or attempts to escalate permissions using a security information and event management (SIEM) solution.
Processes and procedures should include the following:

• Access to privileged user IDs should be restricted to least privilege and business need to know.
• Require documented approval by authorized parties specifying required privileges.
• All actions taken by any individual with root or administrative privileges should be logged.
• Use of and changes to privileged accounts, including elevation of privileges should be monitored for suspicious
activity such as logon failures or attempts to escalate permissions using a SIEM solution.
The organization should consider the following for the control's implementation:
a. Logs should be stored in a centralized log management solution with separation of duties maintained by an
independent team if possible.
b. Logs should be integrated with a SIEM-type solution for real-time monitoring to raise alerts in case of any
violation.
All users should be assigned a unique ID before allowing access to system components or applications.
Allocating a unique ID to each person with access ensures each individual is uniquely accountable for their
actions. When such accountability occurs, actions taken on critical data and systems can be traced to known,
authorized users and processes.
The organization should have a process to detect any creation of non -individual accounts in any
infrastructure/application (either in the cloud or on-premises).
All individual, non-console administrative access and remote access to the systems and applications should be
secured using multi-factor authentication. Multi-factor authentication should contain a minimum of two of the
three authentication methods:
a. Something you know, such as a password or passphrase.
b. Something you have, such as a token device or smart card or digital certification*.
c. Something you are, such as a biometric.
* Note: a digital certificate is a valid option for “something you have” as long as it is unique for a particular user)
The organization should adopt the following guidelines for the secure management of passwords:
• Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a
network system.
• Αll non-console administrative access should be encrypted using strong cryptography.
• Using strong cryptography, all authentication credentials (such as passwords or phrases) should be rendered
unreadable during transmission and storage on all system components.
• Verify user identity before modifying any authentication credential (i.e., performing password resets,
provisioning new tokens, or generating new keys).
• Passwords/passphrases should meet the criteria of industry best practices.
• Alternatively, the password/passphrases should have complexity and strength at least equivalent to the
parameters specified above.
• Change user passwords/passphrases per the organization password standard.
• Limit password reuse per the organization password standard.
• Set passwords/passphrases for first-time use and upon reset to a unique value for each user and change
immediately after the first use.
Document and communicate authentication policies and procedures to all users, including the following concepts:
a. Guidance on selecting strong authentication credentials.
b. Guidance for how users should protect their authentication credentials.
c. Generic user IDs are disabled or removed.
d. Shared user IDs do not exist for system administration and other critical functions.
e. Shared and generic user IDs are not used to administer any system components.
Guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess
passwords that don’t contain:
f. Dictionary words
g. Information about the user (such as the user ID)
h. Names of family members, date of birth, etc.
Guidance for protecting authentication credentials may include not writing down passwords or saving them in
insecure files and being alert for malicious individuals who may attempt to exploit their passwords (see NIST
800:53 password controls for details).
The information system should require approvals for authorizations to access the system resources and follow
communicated and approved applicable policies.
The organization should adopt multiple authorization concepts (i.e., user manager, system/information owner).
The organization should leverage security testing of interoperability and portability policies and procedures.
These APIs should support interoperability between components and facilitate the secure migration of
applications and data between environments. Documentation supports API functionality, being updated regularly
and given to customers alongside new API versions. Furthermore, security issues should be considered during
development and updates.
Evidence of executed and planned security tests upon all interoperability and portability systems should be
provided per contractual agreements or upon request.
N/A (This field is intentionally left blank)

Infrastructure Virtualization Security Policy and Procedures should include, but are not limited to:
a. Governance and control VM lifecycle management.
b. Storage restriction of VM images and snapshots.
c. Backup and failover systems.
d. Tagging for the VM based on sensitivity / risk level.
e. A formal change management process for creation, storage, and use of VM images. Approve changes only
when necessary.
f. Consistent security policy and configuration across the physical/virtual network.
g. Implementation of security technologies that span physical and virtual environments with a consistent policy
management and enforcement framework.
To implement security technologies that span physical and virtual environments with a consistent policy
management and enforcement framework.
h. Firewalls, whether physical or virtual, to isolate groups of VMs from other hosted groups.
i. Design and implementation access from each trust level to physical and virtual management and security
systems.
Projections of future capacity requirements should be made regularly (at least annually—with proactive actions
taken—to mitigate risks of system overload or downtime due to overwhelming demand or increased workloads.
Cloud service providers should maximize resource utilization and optimize resource allocation to ensure adequate
performance is delivered in line with the promised capacity.
Cloud service consumers should specify performance and resource requirements in line with the business
objectives.
Network communications justified by the business should be allowed, encrypted, and require authorization.
Conversely, unjustified network communications should be disallowed.
Container application-aware network monitoring tools should be leveraged for:

a. Automated determination of proper container networking surfaces, including both inbound ports and process-
port bindings.
b. Detection of traffic flows between containers and other network entities over both wire traffic and encapsulated
traffic.
c. Detection of network anomalies—such as unexpected traffic flows within the organization’s network, port
scanning, or outbound access to potentially dangerous destinations.
d. Detection of invalid or unexpected malicious processes—and data they introduce into the environment.
Supporting technical controls should aid situations when only the ports, protocols, and services necessary to meet
business needs are provided. Such controls should be based on benchmarks (e.g., CIS).
Implement anti-malware, file integrity monitoring, and logging, and utilize hardware rooted trust in virtual trusted
platform modules (vTPMs).
Whenever possible, organizations should use minimalistic, container-specific host operating systems (OSs), with
all other services and functionality disabled—and with read-only file systems and other hardening practices
employed to reduce attack surfaces.
a. Hosts that run containers should only run containers and not other apps—such as web servers or databases—
outside of containers.
b. Hosts that run containers should be continuously scanned for vulnerabilities and updated promptly.
c. The host OS should not run unnecessary system services.
d. Access to the container host should be based on the need-to-know and least privilege principles.
e. File integrity monitoring and host intrusion detection should be leveraged for containers.
Separation of the environments may include:
• Stateful inspection firewalls
• Domain/realm authentication sources
• Clear segregation of duties for personnel accessing these environments as part of their job duties
Apply sanitization routines on data before loading into non-production, and define environmental boundaries.
Production workloads should be isolated from the lower environments (e.g., development, testing) when possible.
The following should be considered for control implementation:

a. Established policies, procedures, and best-practices
b. Possible definitions of segmentation should range from “total isolation” to “partial logical separation of
business-critical assets and/or personal data/sensitive user data, and sessions”.
c. Compliance with legal, statutory, and regulatory compliance obligations in-scope for particular use-cases or
scenarios
Workloads between tenants and business lines should be segmented per the least privilege concept to reduce the
attack surface. In addition, workload tagging, resource names, and identification should be used for workloads.
Secure communication—when migrating physical servers, services, applications, or data to virtualized
environments—could use a combination of confidentiality, integrity, authentication, source authentication,
authorization, and non-repudiation.
Building a secure channel of information transmission can be implemented at various network layers. Secure
information transmission channels (ports and protocol) should be used such as : SSL, SSH, TLS operates at the
application level, IPsec, ICMP at the network level, and PPTP, ARP are at the link layer.
Only up-to-date versions for these protocols should be used (deprecated versions should not be used).
Furthermore, only a secure port (e.g., 443) should be used.
The documents or diagrams should include, but are not limited to, the details below:
a. Architecture diagrams, security zone descriptions, and related policies
b. All components (physical, logical)
c. Hypervisors, workloads, hosts, and networks (physical, virtual), etc.
d. Physical site details for each workload
e. Traffic flow between various components
f. All communication channels, including out-of-band communication channels
g. Defined roles and responsibilities
h. Security zones, workloads on each host, security levels for the workloads, etc.,
i. Identify and document dependencies between the different environments and how they impact the risk
assessment.
Vulnerabilities in a physical environment also apply in a virtual environment. Configuration flaws/vulnerabilities
in the applications, firewalls, or networks will be vulnerable to exploits. Defense-in-depth techniques should be
leveraged for both physical, logical, and administrative, etc., controls.
Defense-in-depth techniques/insights that should be considered include:

a. Deep packet analysis, traffic throttling, and black-holing.
b. Ingress/egress traffic patterns may include media access control (MAC) spoofing and ARP poisoning attacks
and/or distributed denial-of-service (DDoS) attacks.
c. Perimeter firewalls implemented and configured to restrict unauthorized traffic.
d. Security settings enabled with strong encryption for authentication and transmission, replacing vendor default
settings (e.g., encryption keys, passwords, and SNMP community strings).
e. Develop capabilities to detect unauthorized (rogue) network devices in the network and disconnect quickly.
The policies and procedures should include considerations regarding:
a. The purpose, scope, roles, responsibilities, and coordination among organizational entities and training.
b. How are incidents handled during a security incident?
c. What information should be logged and monitored, and for how long?
d. Who is notified in the event of an incident?
Logging and monitoring policies and procedures should capture the following events:
c. Individual user accesses to systems.
d. Actions taken by any individual with root or administrative privileges.
e. Access to all audit logs should be restricted based on need-to-know and least privilege principles.
f. Invalid access attempts.
g. Changes, additions, or deletions to accounts with root or administrative privileges.
h. Use of and changes to identification and authentication mechanisms, including elevation of privilege.
i. Initializing, stopping, or pausing of the audit logs.
j. Creation and deletion of system-level objects.
Log protection methodology should be applied in adherence to any applicable legal, statutory or regulatory
compliance obligations. In the absence of those requirements, they should adhere to any standards established as
appropriate for the business.
Implementation of application security monitoring should include the following components:
a. Generation of alerts from metrics indicating risks beyond established thresholds.
b. Categorization of risks based on business impact analysis and prioritized monitoring of high-impact risks.
c. Consideration of automation capabilities (when applicable) to streamline application security monitoring.
d. Reporting and/or dashboard to provide real-time visibility to security and business stakeholders on application
security statuses.
e. Periodic review of monitoring capabilities and processes by a combined group of security, IT and, business
stakeholders.
Audit logs should track access to aid upon detection of suspicious activity and contain sufficient data to support
investigative needs for security breaches.
Access to all audit logs should be restricted based on need-to-know and least privilege principles. Additionally,
monitor all relevant actions taken. In the case of unintended or unauthorized actions, alerts should occur.
Failure response capabilities should be in place. Also, consider infrastructure layers (e.g., network, container
orchestration, hypervisor, endpoint, control plane, and data plane).
Monitor failures and alerts should they occur.

Synchronizing system clocks enables proper coordination between systems and facilitates tracing and the
reconstitution of activity timelines.
Potential implementation guidance can be derived from the NIST Internet Time Servers overview (see
https://tf.nist.gov/tf-cgi/servers.cgi).
Also, the following concepts should be considered:

a. Critical systems have the correct and consistent time.
b. Time is synchronized across all systems.
c. Time data is protected.
d. Time settings are received from industry-accepted time sources.
Examples of events that should be logged include:

a. Successful and unsuccessful account login events
b. Account management events
c. Object access
d. Policy change
e. Privilege functions
f. Process tracking and system events
g. All administrator activity
h. Authentication checks
i. Authorization checks
j. Data deletions
k. Data access
l. Data changes
m. Permission changes
Relevant security log information should include but is not limited to:
• The event type
• The event time
• The event location
• The event source
• The event outcome
• The identities of any individuals or systems associated with the event
Access to audit records should be granted based on a least-privilege basis and only to authorized individuals.
Changes to logs, including deletions, should be tracked and approved by authorized individuals. Logs should be
backed up per organizational policies.
Compliance breaches and deviations from standard operations should be reported as defined in the organization’s
incident management process (as outlined in SEF-01). In addition, file-integrity monitoring or change-detection
software should be used to prevent changes in existing log data.
Logging of key lifecycle events should include but are not limited to the following events: key generation, key
usage, key storage (including backup), and archiving and key deletion. In addition, only authorized personnel
should have access to key materials, and all access attempts should be logged and reviewed.
Document and implement all key-management processes and procedures for cryptographic keys, including:
a. Generation of strong cryptographic keys
b. Secure cryptographic key distribution
c. Secure cryptographic key storage
d. Key revocation after expiry
e. Split knowledge and dual control as needed for manual key management operations
f. Prevention of unauthorized substitution of cryptographic keys
The organization should monitor and log all physical access via the following means:
a. Verifying physical access of individuals when they enter secure areas.
b. Maintaining physical access logs for the facilities
c. Escorting visitors at all times.
d. Reviewing access control logs regularly.
The organization should use either video cameras or access control mechanisms (or both) to monitor individual
physical access to sensitive areas. Review collected data, correlate with other entries, and store the data for at
least three months (unless otherwise restricted by law.)
The organization should implement physical and/or logical controls to restrict access to publicly accessible
network jacks. For example, limit physical access to wireless access points, gateways, handheld devices,
networking/communications hardware, and telecommunication lines.
The organization should develop procedures to distinguish between onsite personnel and visitors with an
emphasis on the following considerations:
e. Identifying onsite personnel and visitors (for example, assigning badges)
f. Changing access requirements
g. Revoking or terminating onsite personnel and expired visitor identification
The organization should develop procedures to control physical access for onsite personnel to sensitive areas as
follows:
h. Access should be authorized and based on individual job functions.
i. Access should be revoked immediately upon termination. Furthermore, all physical access mechanisms, such as
keys, access cards, etc., must be returned or disabled.
The organization should define which actions are taken depending on the type of logging and monitoring failure.
Anomalies can include software errors, failures to capture some or all logs, failure to backup audit logs, or
storage exceeded notifications. This guidance should apply to all information system logs.
Organizations must implement a process for the timely detection and reporting of failures of critical security
control systems, such as (but limited to):
a. Firewalls
b. Intrusion detection systems (IDS)/intrusion prevention systems (IPS)
c. File integrity monitoring (FIM)
d. Anti-virus
e. Physical access controls
f. Logical access controls
g. Audit logging mechanisms
Management-approved policies and procedures for organizations and personnel who manage incidents should
incorporate clearly defined roles and responsibilities—including guidelines on managing the “chain of custody”
for forensic evidence collected from affected systems, devices, cloud services, applications, and personnel. These
policies, procedures, and supporting systems should result in legally admissible evidence.
Policies should require establishing a core, qualified, and standing incident response team that holds the
capability to assess, respond, learn, and communicate appropriately.
Appropriate reporting standards and procedures shall include lessons learned and key performance indicators
(KPIs), which should be defined and implemented for incident response processes and training.
Appropriate information should be shared with affected third parties (including customers) promptly.
Policies and procedures should address personnel involved in the entire incident and event management lifecycle
— which includes prevention, identification, investigation, and resolution—as well as periodic training for this
personnel.
Incident response plans should provide a roadmap for handling incidents involving the organization’s cloud
services and the products and services upon which those services rely. These plans should apply whether those
dependencies are internal (such as IT, operations, support, and legal) or external (suppliers, vendors, partners,
customers, and other third parties).
Periodically test, update, and verify the effectiveness of incident response plans using various event scenarios.
For critical operations, plans should be tested at least annually. Test results should be documented and
communicated—with follow-up action plans developed as appropriate.
Incident response plans should be reconciled with the organization's business continuity and disaster recovery
plans.
Organizations should also test, update, and improve incident response plans after:
a. Significant organizational changes.
b. External supply chain disruptions and natural disasters.
c. Security attacks, particularly those resulting in security breaches.
Organizations should define, implement and monitor metrics associated with events and incidents to detect any
weaknesses in the operational processes or technical controls which support effective incident management.
Metrics may quantify:
a. Volume of events and ratio of events to incidents.
b. Incidents by type, product, department, severity, etc.
c. Timeliness of procedural execution for identification, investigation, and resolution.
d. Variances from documented procedures.
Processes, procedures, and technical measures should be defined and implemented to support the investigation
and evaluation of security-related events that allow the organization to prioritize events by severity and impact.
The objective for these measures is to prioritize the timely analysis of event information and rapid engagement of
the incident response process.
Methodologies—including processes, tools, or machine learning algorithms used in incident handling—should

periodically be reviewed for efficacy and accuracy in the current operating environment.
Security breach notification processes and procedures should reflect legal and regulatory requirements, which
may be applicable based on data types processed, organizational geography, or customer geography, etc.
Organizational procedures should also reflect contractual customer and partner commitments regarding breach
notifications. Security breach governance should include document procedures and instructions as well as training
to familiarize personnel with their respective roles and responsibilities.
Accurately and promptly report information security breaches to affected, relevant parties through predefined
communication channels, per applicable legal, statutory, and regulatory obligations. Clearly describe the event
which occurred and its result, and identify any required or recommended actions for the affected parties. Where
applicable, notifications should be sent to relevant parties in a timely manner.
Maintain points of contact by establishing liaisons and preparing them for any investigations requiring rapid
engagement with law enforcement.
Document and update security incident contact information regularly. Additionally, processes and responsibilities
should be documented and maintained for information accuracy that reflects organizational changes to internal
operations and external regulatory environments. Personnel sending security notifications should use these
identified contacts.
Cloud service implementations involve a shared security responsibility model (SSRM) between the CSP and the
CSC. Although specific details vary from service to service (e.g., depending on the cloud service model and the
particular implementation), both CSPs and CSCs should have organizational policies and procedures that
delineate how the SSRM should be documented, implemented, managed, communicated, enforced, and audited.
The SSRM must explicitly detail each specific service based on the cloud service model and implementation
specifics. Accordingly, each party in the supply chain must document, implement and manage their SSRM
responsibilities for their specific service. This includes supporting service providers such as infrastructure as a
service (IaaS) providers engaged by primary software as a service (SaaS) CSPs and specialized CSPs (e.g.,
IDaaS, CASB, DDOS/CDN/DNS services) employed by the CSP and/or the CSC.
Shared security responsibility model guidance should include references describing SSRM applicability
throughout the supply chain.
Cloud service implementations involve an SSRM between the CSP and the CSC, which varies from service to
service depending on the cloud service model and the specific implementation. Accordingly, CSPs should
provide comprehensive SSRM guidance to facilitate secure CSC service implementations.
Any CSP control responses should identify control applicability and ownership for their specific service.
a. Cloud service provider-owned: CSP is fully responsible.
b. Cloud service customer-owned: CSC is fully responsible.
c. Third-party outsourced: The CSP has fully outsourced this control to a third party (e.g., a supporting CSP), but
the CSP is fully accountable to the CSC for the third party's performance from a supply chain perspective.
d. Shared CSP and CSC: Both the CSP and CSC have responsibilities (independent or dependent). If the CSP has
partially outsourced control to a third party, that should be noted in the CSP implementation description.
e. Shared CSP and third party: The CSP has partially outsourced control to a third party (e.g., a supporting CSP).
Hence, the CSP and the third party have responsibilities—but the CSC has no responsibilities. The CSP is fully
accountable to the CSC for the third party's performance from a supply-chain perspective.
f. N/A: Not applicable to this specific cloud service offering (no SSRM responsibilities).
Cloud service providers should also describe the following for each control (as appropriate) for its service and the
specific ownership classification:
g. Cloud service provider implementation description: How the CSP meets (or doesn't meet) the controls they are
responsible for, wholly or partially. This should explain why N/A controls are not applicable for the specific
service and describe the extent to which responsibility for particular controls is outsourced to third parties.
h. Cloud service customer responsibilities: A detailed description of CSC security responsibilities for the controls
the customer is responsible for, wholly or partially, with references and external links (as appropriate).
The CSA's Consensus Assessments Initiative Questionnaire (CAIQ) should be used by CSPs to provide SSRM
ownership and guidance to current and prospective CSCs. In cases where the CAIQ has multiple questions
associated with a single control, CSPs should delineate SSRM ownership and describe how they meet their
control requirements at the question level, aligned with the scope of the CSP CAIQ answer.
The CSC should engage with the CSP to address any issues identified as a part of this review, and SSRM changes
should be incorporated into the CSC's implementation plans. In addition, any CSC changes to the finalized SSRM
documentation should be shared with the CSP as enhancement feedback, as appropriate. Following this
communication and any preceding adjustments to the SSRM, CSCs should then implement the finalized SSRM
controls and test the controls to validate the proper operation of CSC security controls (including CSP integration
where there are dependencies). This implementation and testing should occur during production readiness
assessments and transitions.
Both the CSP and CSC should implement the finalized SSRM and then thoroughly document and test it to
validate proper operation of security control implementations—including integration testing where there are
interdependencies. Once implemented, both the CSP and CSC should operate, monitor and audit, and/or assess
their service performance according to the finalized SSRM and remain engaged with their supply chain and
customers to understand, implement and manage SSRM changes over time.
Particular areas that require proactive supply chain SSRM engagement with corresponding levels of (secure)
transparency include:
a. Incident and vulnerability management
b. Change and configuration management
c. Periodic SSRM-aligned audit reviews and security assessments with appropriate risk management
Both the CSP and CSC should develop, manage and maintain a comprehensive inventory of all supply chain
relationships (i.e., third-party product and service providers) involved in implementing, operating, and securing
their respective cloud service implementations. This process should include assembling, tracking, and
maintaining key organizational roles, contracts, contacts, and risk-related information about each third party in
the supply chain regularly (and when significant changes occur) to facilitate supply chain risk management
practices.
Both the CSP and CSC should follow applicable local and international third-party risk management (TPRM)
best practices in managing supply chain risks, including periodic reviews of organizational and technical risk
factors, contract requirements, environmental changes, and security incident response capabilities for all supply
chain organizations. There may also be applicable regulatory requirements and standards to consider.
Service agreement content should include, but is not limited to the following:
a. Scope, characteristics and location of business relationship and services offered: (e.g., service level agreements,
customer (tenant) data acquisition, exchange and usage -including data processing restrictions, feature sets and
functionality-, personnel and infrastructure components and supporting services for service delivery and support,
roles and responsibilities of provider and customer (tenant) and any subcontractor or outsourced business
relationships, geographical location of hosted data, backups and services, and any known regulatory compliance
considerations). Refer to STA-08 for CSP management of supply chain applicability (Relevant control domains
include particularly DSP, BCR, HRS).
b. Information security requirements (including SSRM): provider and customer (tenant) primary points of contact
for the duration of the business relationship, and references to detailed supporting and relevant business
processes, acceptable use policies and technical measures implemented to enable effectively governance, risk
management, assurance and legal, statutory and regulatory compliance obligations by all impacted business
relationships, including legal obligations of the CSP to allow government access to customer data. Relevant
control domains include particularly DSP, GRM.
c. Change management process: Notification and/or pre-authorization of any changes controlled by the provider
with customer (tenant) impacts.
d. Monitoring capabilities and controls implemented by the cloud service provider and made available to the
cloud customer so as to monitor aspects of the cloud service for which the cloud customer is responsible.
e. Incident management and communication procedures: Timely notification of a security incident (or confirmed
breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted
supply chain) complying with SEF’s domain control requirements.
f. Right to audit and third party assessment: Assessment and independent verification of compliance with
agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent
forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
g. Service termination: Expiration of the business relationship and treatment of customer (tenant) data impacted
h. Interoperability and portability requirements: Customer (tenant) service-to-service application (API) and data
interoperability and portability requirements for application development and information exchange, usage, and
integrity persistence
i. Data Privacy (refer to DSP domain)
Reviews should include activities to identify non-conformance with contractual requirements and SLAs for
services a CSP provides. If non-conformance issues are identified, the parties involved should negotiate and
remediate the problems.
The scope of assessments should include STA-related policies and procedures while validating adherence to STA
controls and SLA requirements. Applicability includes assessing conformance and effectiveness across the supply
chain, including the total cloud service technology stack (as appropriate).
Refer to A&A-02.
Contracts throughout the supply chain should include requirements for all third- and fourth-party service
providers and personnel with access to CSP and/or CSC systems and information.
Personnel policies should include employment agreements inclusive of information security requirements,
security awareness training, and insider risk management.
Reviews should validate alignment with applicable industry standards as well as service and contract
requirements.
Assessments should validate alignment with applicable industry standards as well as service and contract
requirements.
A policy on threat and vulnerability management (TVM) should be established that includes the intent, purpose,
and governance of how a CSP or CSC must address threats and vulnerabilities for their respective scope under
the SSRM.
At a minimum, the policy should specify:

a. What should be covered under the scope, especially the need to comply with applicable laws, regulations, and
contractual requirements.
b. The frequency of assessments.
c. The methods that should be used.
d. How and when assessments and significant vulnerabilities should be reported, including when it’s appropriate
to share vulnerability information with customers and business partners.
e. How reports should be reviewed.
f. How actions to address relevant risks and opportunities should be tracked to closure.
g. Approval of CSP native and (where applicable) third-party data/asset protection capabilities and relevant
services for use by appropriate CSC authorities.
h. A well-defined incident response process aligned with an organization's risk tolerance, accompanied by
appropriate communication and notifications.
i. Acceptable periods of remediation of threats in order of severity and criticality of computing infrastructure.
j. Log review and correlation procedures with appropriate threat intelligence capabilities for log, events, metrics,
and incidents (preferably through a centralized service).
Malware protection policies should focus on inspecting both inbound and outbound traffic and implementing
controls to detect, prevent, block, and remove malware. Include expectations of time objectives for remediation
programs that seek to ensure systems are free of infection when they connect to enterprise computing resources.
Malware protection should be integrated across all computing infrastructure, including compute, network,
endpoints, and secure access gateways.
Organizations should centrally manage malware protection mechanisms, including planning, implementing,
assessing, authorizing, and monitoring organizational-defined malware protection security controls. This process
will help to cohesively address malware within predefined timeframes.
Threat and vulnerability management policy should include the ability to address malware as a specific threat
element. This should provide the organization with a guideline to handle malware using appropriate tools,
relevant automation, and operational frameworks to meet their risk tolerance.
If malware is identified by antivirus or anti-malware applications using a signature- or behavior-based detection

process, malware removal should be updated according to applicable contractual agreements and organizational
standards. Additionally, prevention software and associated signatures should be deployed centrally by the
service provider throughout their environment.
An integrated TVM system should be implemented that can maintain records of threats and vulnerabilities found
over time and the result of their mitigation actions. The Integrated TVM system should be used to mitigate all
future risks, by leveraging the previous experiences of the mitigation activities.
A full remediation schedule should be considered. The schedule should classify and prioritize vulnerabilities in
order of their severity and threat to the environment, aligned to the expectations of TVM Policy.
Vulnerability remediation schedules should be approved and communicated to all relevant stakeholders (and
included in SLA's).
A rolling schedule of detection, reporting, and mitigation should be established so that all actions to address
threats and non-conformance are performed on time and reported to the integrated TVM system for monitoring
and oversight. In addition, where applicable, implement automation so that threats and non-conformance are
mitigated on time.
Where a CSC or a CSP uses third party or open source libraries, these should be tracked, scanned and reported on
in the integrated TVM system. Installed or used packages, libraries and/or runtimes that are part of their solution
with their running version should be included. TVM scans can be performed automatically and the findings
should be promptly reported to the integrated TVM system. This activity should be monitored to avoid
operational gaps.
The organization should leverage global threat intelligence about threat signatures and vulnerability databases
that may contain indicators of attack and compromise. It should also consider implementing automated &
recurring processes so that human errors can be avoided.
A formal schedule of red team exercises interspersed with risk assessments, remediation, and penetration testing
aligned to the applicable service model (I-P-SaaS, and XaaS) should be established. Penetration testing should
comply with all applicable laws and regulations.
A written and signed authorization should be obtained and verified before and after services are rendered.
Penetration test schedules should be published on the integrated TVM system to ensure tactics, techniques, and
test procedures adhere to documented policies.
The integrated TVM system should track vulnerabilities to closure and report them to build oversight of residual
risks. Furthermore, the system should retain information that can be reused in future remediation activities.
Organizations should consider establishing an external-facing vulnerability disclosure program to allow external
parties to communicate detected vulnerabilities.
Vulnerabilities should be prioritized in terms of their relative risk, importance, organizational impact, and
urgency. When evaluating impact, consider exposure levels to applicable threats from the organization’s specific
usage and/or implementation. When evaluating importance, consider the criticality and value of the affected
assets. Finally, when assessing urgency, consider the Common Vulnerability Scoring System (CVSS) ratings and
timeframes, the relevance to current and ongoing threats, and the effort required for remediation.
The integrated TVM system should have comprehensive vulnerability tracking capabilities. Capabilities should
include when discoveries were made and remediated, systems impacted, reasons for the delay (where applicable),
and any communications that may have been made to stakeholders.
The integrated TVM system should be used to collect and report metrics about the vulnerability management
program. Metrics should demonstrate the coverage, efficacy, and efficiency of operational TVM activities.
Policies and procedures for both managed and unmanaged endpoints (including BYOD) should include the
following components:
a. Definition of endpoints and the acceptable-use policy requirements for all endpoints (mobile devices, virtual,
desktop, etc.). Note: Physical and virtual servers, containers, and similar "endpoints" are addressed in the DCS
and IVS domains, while application and interface "endpoints" are discussed in the AIS domain.
b. List the approved systems, servers, applications, application stores, application extensions, and plugins that
may be allowed for managed endpoint access and usage and/or enforced through enterprise management tools.
c. Policy and procedures related to installing non-approved applications or approved applications not obtained
through a pre-identified application store.
d. Prohibit the circumvention of vendor-supported and integrated (built-in) security controls on endpoints (i.e.,
jailbreaking or rooting). Enforce these restrictions through detective and preventive controls on the endpoint,
managed through a centralized system (e.g., an endpoint, system configuration control, or mobile device
management system).
e. Policies regarding privacy expectations and requirements for remote location identification, litigation, e-
discovery, and legal holds (especially for personally-owned devices).
f. Policies and procedures related to non-company data loss if a full or partial wipe of a device is required.
g. Performing policy reviews at planned intervals or upon significant organizational or environmental changes.
Policies and procedures should also integrate the following concepts (which may have applicable controls in
other domains to consider):
h. Passcodes, biometric authentication, idle/no-use screen locks, and logouts.
i. The use of anti-malware software.
j. The use of encryption for the entire device or data identified as non-public on all endpoints (enforced through
technology controls).
k. Each endpoint device should be assigned to a named person who is responsible for it. Such devices may be
shared (e.g., in shared work areas), but a single individual should still be assigned responsibility for it.
l. Non-device endpoints should also have "owners" responsible for assessing risks and ensuring appropriate
controls.
m. Endpoints should be vetted for policy compliance before being provisioned for organizational use.
For managed endpoints, universally enforce policies through one or more centralized configuration management
tools.
Use risk assessment to determine what (if any) information or systems may be accessed or stored using
unmanaged endpoints.
The company should have a documented application validation process to test for compatibility issues regarding
mobile devices, operating systems, and applications.
Misconfigured endpoints will not only impact operations but will also introduce attack vectors. Poor
configuration settings could involve open ports, outdated exceptions, insecure protocols allowed, etc. Any
configuration changes once in production should follow change management guidelines (why, what, how) and
require appropriate approvals.
All organizational endpoint systems should be identified and protected. In addition, a policy against the inventory
should be established and documented (including scan type, number of scans, schedule, and
exceptions/exclusions).
An inventory of all mobile devices used to store and access company data should be kept and maintained. Include
all device status changes (i.e., operating system, patch levels, lost/decommissioned status, and to whom the
device is assigned or approved for usage [BYOD]) in the inventory.
A documented list of approved application stores should be defined as acceptable for mobile devices accessing or
storing provider-managed data.
For managed endpoints, universal policy enforcement through one or more centralized configuration management
tools is essential. Note: "Universal" enforcement is not necessarily "unified." Some vendors claim to offer
"unified endpoint management" systems, but none are truly capable of managing all security features of all
endpoint types.
For unmanaged endpoints, guidance should be provided but will not be enforced (by definition).
Based on risk assessment, different configurations may be acceptable for systems access and/or information
storage—resulting in various degrees of end-points management with different access requirements. These may
include using container technology for sensitive data isolation. For example, an organization that prohibits using
electronic mail for sensitive information may determine that access to company electronic mail using a
personally-owned device requires only limited controls (such as an acceptable passcode, a lock screen, reasonably
up-to-date software, and no circumvention of vendor security controls [such as jailbreaking or rooting]).
The organization should implement this requirement through technical controls for all interactive-use endpoints.
The organization should consider the following points:
a. Changes should be managed strictly and consistently.
b. Formal management responsibilities and procedures should facilitate satisfactory control of all changes to
endpoint operating systems, patch levels, and/or applications, including:
1. The identification and recording of significant changes.
2. The planning and testing of changes.
3. The assessment of the potential impacts (including security impacts) of such changes.
4. The formal approval for proposed changes.
5. The communication of change details to all respective stakeholders.
Fallback procedures and responsibilities should be defined and implemented, including guidelines for aborting
and recovering from unsuccessful changes and unforeseen events.
To minimize data leak risks and protect data stored on the endpoint device, use encryption. Encryption
capabilities could be part of common endpoint solutions such as DLP, endpoint firewalls, and PAM.
Additionally, they could be standalone (e.g., device container technology, file encryption, and full-disk
encryption). The encryption strength should be based on the sensitivity of the data being protected.
Endpoint device policies should use encryption for the entire device or data identified as sensitive on all mobile
devices (potentially using container technology). This policy should be enforced through technology controls.
Organizations should consider the following:
a. Managed endpoints should be protected through anti-malware software, security awareness, appropriate system
access, and change management controls.
b. Organizations should have formal policies and technologies implemented to install and upgrade protective
measures promptly. These measures include installing and regularly updating anti-malware software and virus
definitions (automatically) and whenever updates are available. Additionally, organizations should periodically
review and scan installed software and system data content to identify and remove unauthorized software (when
possible).
c. Wherever possible, organizations should also:
1. Disable universal serial bus (USB) ports.
2. Prohibit writable media use (e.g., DVD-R).
3. Restrict read-only media (e.g., DVD-ROM) used to legitimate commercial sources for legitimate
business reasons (e.g., Linux installation disks) and allow only whitelisted software to run on the endpoint.
d. Employ anti-malware software that offers a centralized infrastructure that compiles information on file
reputations or has administrators manually push updates to all machines. After updating, automated systems
should verify that each system has received its signature update.
e. Define procedures to respond to malicious code or unauthorized software identification. Checking antivirus or
anti-spyware software generates audit logs of checks performed. Malicious code detection and repair software
checks to scan computers and media include:
1. Checking files on electronic or optical media and files received over networks for malicious code
before use.
2. Checking electronic mail attachments and downloads for malicious code or file types that are
unnecessary for organizational business before use. This check occurs at different places (e.g., electronic mail
servers, desktop computers, and when entering the organization’s network).
3. Checking web traffic—such as hypertext markup language (HTML), JavaScript, and hypertext transfer
protocol (HTTP)—for malicious code.
4. Checking removable media (e.g., USB tokens and hard drives, CDs/DVDs, FireWire devices, and
external serial advanced technology attachment devices) when inserted.
f. Have formal policies to prohibit using or installing unauthorized software, including restricting on obtaining
data and software from external networks. User awareness and training on these policies and methods should be
provided for all users regularly.
g. Bring your own device (BYOD) users should use anti-malware software (where supported).
All managed endpoints should properly configure endpoint firewalls to inspect traffic, apply rules, and perform
behavioral monitoring. These firewalls will protect the endpoint from malware and attacks originating from inside
or outside the corporate network. For example, a web application firewall (WAF) should be used to protect web
services from malicious attacks (e.g., structured query language (SQL) injection).
The organization should have a DLP program to discover, monitor, and protect data with regulatory or
compliance implications in transit and at rest across the network, storage, and endpoint systems.
The DLP solution should monitor and control the data flow. Furthermore, any anomalies that exceed normal
traffic patterns should be noted, and appropriate action should be taken to address them.
The DLP solution should also be used to monitor for sensitive information (e.g., personally identifiable
information), keywords, and metadata in order to discover unauthorized attempts for their disclosure across
network boundaries and block such transfers by alerting information security personnel.
The organization should configure the DLP solution to enforce ACLs even when data is copied off a server.
Remote management controls—such as remote data wipe, anti-tampering, and geotracking—should be
implemented around endpoint devices to protect if a device is lost or stolen.
All mobile devices (permitted through the company BYOD program or a company-assigned mobile device)
should allow for remote wipe by the company's corporate IT—or have all company-provided data wiped by its
corporate IT.
Define, implement and evaluate processes, procedures, and technical measures to enable the deletion of company
data remotely on managed endpoint devices, such as when a device is lost or stolen. Only rarely should the
network administrator or device owner issue the remote wipe command since it is potentially destructive and
removes all content until the device returns to its factory state.
The organization should perform due diligence before granting third party access to the organization's data or
establishing connectivity (and periodically thereafter, commensurate with the risk level of the third-party
relationship).
Written agreements (contracts) should be maintained and include an acknowledgment that the third party is
responsible for the security of the data the third party possesses or otherwise stores, processes, or transmits on the
organization’s behalf. In addition, agreements should include requirements to address the information security
risks associated with information and communications technology services (e.g., cloud computing services) and
the product supply chain. These requirements are subsequently applicable to relevant, third-party (i.e., fourth
parties) subcontractors (and so on) throughout the supply chain.
Personnel security requirements should be established and documented—including security roles and
responsibilities for third-party providers coordinated and aligned with internal security roles and responsibilities.
Monitor providers for compliance.
Additionally, the organization should have a screening process for contractors and third-party users. When
organizations provide contractors, the contract should specify the organization's responsibilities for screening and
relevant notification procedures if screening has not been completed (or if the results cause doubts or concerns).
Similarly, third-party agreements should specify all responsibilities and notification procedures for screening.
Third-party providers should notify a designated individual or role (e.g., a member of the contracting or supply
chain function) of any personnel transfers or terminations of third-party personnel who possess organizational
credentials, badges, or have information system privileges.
Formal contracts should be employed that, at a minimum, specify:

a. The covered information’s confidential nature and value.
b. The security measures to be implemented and/or complied with. These include the organization's information
security requirements and appropriate controls required by applicable federal laws, executive orders, directives,
policies, regulations, standards and guidance, and third-party access limitations.
c. The service levels to be achieved in the services provided.
d. The format and frequency of reporting to the organization's information security management forum.
e. The arrangement for representation of the third party in appropriate organizational meetings and working
groups.
f. The arrangements for third-party compliance auditing.
g. The penalties exacted if any of the preceding specifications fail.
Mutually agreed-upon provisions and/or terms should be established to satisfy customer (tenant) requirements for
service-to-service application (API), information processing interoperability, portability for application
development and information exchange, usage, and integrity persistence.
v4.0.6

Procedures



AIS-01
AIS-02

Security

AIS-04

AIS-05
Security Testing
AIS-06
Security Deployment

Security
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Change Control and

Procedures
Management
Change Control and

Management
Change Control and
Management
Change Control and

Management
Change Control and

Management
Change Control and
Management
Change Control and

Management
Change Control and

Management
Change Control and
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Analysis
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management

and Procedures

and Procedures

and Procedures


Training


Data Security and
Procedures
Management
Data Security and
Management
Data Security and
Management
Data Security and
Management
Data Security and
Management
Data Security and
Management
Data Security and
Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and
Processing
Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and
Management

GRC-01

Compliance

Compliance
Compliance

Compliance

Compliance
GRC-07
Compliance Mapping

Compliance

Procedures

and Procedures

Procedures



and Training

IAM-01
Identity & Access

Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
Identity & Access

Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management

IAM-10
Management Roles
IAM-11
Identity & Access

Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
Identity & Access

Management

IPY-01
Interoperability &
Portability

IPY-03
IPY-04

IVS-01
Infrastructure &
Infrastructure &
Infrastructure &

IVS-05
Infrastructure &
Infrastructure &
Infrastructure &
Infrastructure &

Procedures



Security Incident
SEF-01
Forensics
Security Incident
SEF-02
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics

Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-09
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-12
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-14
Accountability

TVM-01

TVM-02

Management
Management

Management

Management

Management
Management

Management

Management

UEM-01
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Remote Wipe UEM-13
Management
Universal Endpoint
Management
End of Guidelines
Control Specification





annually.


the organization.



and capabilities.





for resiliency.


standards.


outsourced).







changes.


encryption keys.

security event(s).

used.



requirements.



requirements.

requirements.



at least annually.

areas.


egress attempts.

offices and rooms.



least annually.

best practices.





at least annually.

risks.







least annually.
at least annually.



policies.







level of access.
system access.

system access.









requirements for:
d. Information/Data exchange, usage, portability, integrity, and persistence


a. Data format


by the business.









systems.



system.







at least annually.



• Data privacy






identifications,


third parties.

at least monthly.





data.

lock screen.





devices.

End of Guidelines
Auditing Guidelines
1. Examine policy and procedures to confirm content adequacy in terms of purpose, authority and accountability,
responsibilities, planning, communication, reporting, and follow-up.
2. Examine audit charter and determine if independence, impartiality, and objectivity are guaranteed.
3. Examine policy and procedures for evidence of review at least annually.
1. Examine the process to determine standards and regulations applicable to the organization's systems and
environments.
2. Determine if the organization maintains and reviews a list of such standards and regulations.
3. Determine if senior management exercises oversight over the independence of the assessment process.
4. Determine if the audit plan is informed by previous assessments, and is scheduled on an annual basis.
1. Examine the process for determining the risks applicable to the organization's systems and environments.
2. Determine if a list of such risks is maintained and reviewed.
3. Determine if senior management exercises oversight over the applicable risks.
4. Determine if the audit plan is risk-based, and is scheduled on an annual basis.
1. Examine the process for determining the standards and regulations applicable to the organization's systems and
environments.
2. Examine the process to determine contractual, legal, and technical requirements applicable to the organization's
systems and environments.
3. Determine if the organization maintains and reviews a list of relevant standards, regulations, legal/contractual,
and statutory requirements.
4. Determine if senior management exercises oversight over this control specification.
5. Determine if the audit plan is informed by the list of the organization's requirements.
1. Examine policy related to the establishment and conduct of audits.

2. Determine if audit programs are established and aligned to the requirements of the organization, including the
audit charter.
3. Determine if the organization upholds the independence of the audit program.
4. Determine if the conduct of audits is defined, approved at the appropriate level, and reviewed for effectiveness.
1. Examine if the outputs of audits are defined by the policy.
2. Determine if the audit findings are reviewed and if appropriate reports are made available to users and senior
management.
3. Determine if the identification of risks from audit findings, or changes to them, are made available to users.
4. Determine if corrective actions proposed are planned to align with the organization's risk profile.
5. Determine if a process exists to track changes in risk rating and is used to update risk registers, particularly
with regard to residual risk.
6. Examine a sample of proposed corrective actions and determine if they were followed-up in a manner
consistent with the organization's policy.
7. Examine audit programs to determine if they are subject to continuous improvement through feedback, review
and revisions.
8. Examine if a process exists to review the audit program in light of current and past audits.
1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
planning, delivery, and support of the organization's application security capabilities.
1. Examine policy and procedures for adequacy and effectiveness.
2. Determine if security baseline requirements of respective applications are clearly defined.
3. Examine the process to determine the baseline for an application.
1. Examine policy and procedures for definition of operational metrics, security, and compliance requirements.
1. Examine policy and procedures for definition of SDLC (Software Development Lifecycle), security, and
compliance requirements.
2. Examine the state of implementation of the SDLC process.
3. Verify that the SDLC implementation is in accordance with requirements.
1. Examine policy and procedures for definition of testing strategies, automation of security testing, and change
management.
2. Determine security assurance and acceptance criteria for the new information system(s).
3. Determine if the software release process is automated where applicable.
1. Examine policy and procedures for implementation of application deployment.
2. Determine if segregation of duties (role and responsibilities) is clearly defined among security and application
teams.
3. Determine if Identification and integration process is defined and verified for application deployment
processes.
4. Evaluate the extent of automation deployed, and criteria used.
1. Examine the policy and procedures to remediate application security vulnerabilities and automating
remediation.
2. Evaluate whether roles and responsibilities, including escalation paths for application security incident
response and remediation, are defined and effective.
3. Determine if the organization leverages automation when possible and if this automation increases remediation
efficiency.
business continuity and resilience.
1. Examine the policy to determine business impact and the criteria for developing business continuity.
2. Evaluate the process to review and approve the policy.
1. Determine if the organization has established a risk appetite.

2. Determine if the organization has established strategies to reduce impact of business disruptions, within the
organization’s risk appetite.
1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning,
delivery, and support of the organization's application security capabilities.
2. Evaluate if the organization’s operational resilience strategies and capabilities are used as an input for the
policy and implementation.
3. Examine policy and procedures for evidence of review.
1. Examine the process for determining the documentation required to support business continuity and
operational resilience.
2. Examine the process for developing or acquiring such documentation and maintaining its currency.
3. Evaluate the process and implementation of identifying stakeholders and making documentation available.
4. Examine the policy and procedures for evidence of review.
1. Examine the plans for business continuity and operational resilience tests, with reference to their intended
outputs.
2. Examine the schedules of such tests and their periodicity.
3. Evaluate if the plans are tested upon significant changes, or at least annually.
1. Examine the policy for determining stakeholders and participants.

2. Determine if the organization has identified stakeholders and participants.
3. Examine the procedures for communication with identified stakeholders and participants.
1. Examine the policy for identifying data for which a backup is required.
2. Examine the requirements for the security of such backups.
3. Evaluate the effectiveness of the backup and restore.
1. Examine the policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
a disaster response plan.
2. Examine the policy and procedures for evidence of review, upon significant changes, or at least annually.
1. Examine the policy for planning and scheduling disaster response exercises, and involving local emergency
authorities, if possible.
2. Evaluate if plans are tested upon significant changes, or at least annually.
1. Examine the process to identify business-critical equipment and any redundant equipment.
2. Examine the process to identify applicable industry standards.
3. Evaluate if the redundant business-critical equipment is independently located at a reasonable distance.
1. Examine policy and procedures to determine if they cover necessary parts of change management, including
scope, documentation, testing, approval, and emergency changes.
2. Examine a sample record of changes to information assets, including systems, networks, and network services
to determine if compliance is met with the organization's change management policy and procedures.
3. Examine if the policy and procedures are reviewed and updated at least annually.
1. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), relevant
stakeholders, for change management and determine if the policy control requirements provided in the policy
have been implemented.
2. Examine measures that evaluate(s) the organization's compliance with the change and configuration
management policy and determine if these measures are implemented according to policy control requirements.
1. Examine policy related to the change management of assets.
2. Examine the policy for the identification of risks arising from these changes being applied.
3. Determine if assets are classified based on their management responsibility, and if these have specific risk
profiles.
1. Examine the policy relating to the authorisation of changes in assets.

2. Examine the implementation of such policy, technical controls, and their effectiveness.
1. Examine policy and/or procedures related to change management to determine whether provisions are included
for limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests
within service level agreements between CSPs and CSCs.
2. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or
relevant stakeholders, as needed, for change agreements and determine if the policy control requirements
stipulated in the policy have been implemented.
3. Examine measures that evaluate the organization's change agreement policy and determine if these measures
are implemented according to policy control requirements.
1. Examine policy and/or standards related to change management to determine if changes are formally
controlled, documented and enforced to minimize the corruption of information systems.
2. Determine if the introduction of new systems and major changes to existing systems are formally documented,
specified, tested, quality controlled, and the implementation managed.
1. Examine measures that evaluate the organization's compliance with the change management policy and
determine if these measures are implemented according to policy control requirements.
1. Verify that the organization establishes and documents mandatory configuration settings for information
technology products employed within the information system, as determined by adoption of the latest suitable
security configuration baselines.
2. Confirm that the process identifies, documents, and approves exceptions from the mandatory established
configuration settings for individual components based on explicit operational requirements.
3. Determine that the organization monitors and controls changes to the configuration settings in accordance with
organizational policy and procedures.
1. Examine policy and/or procedures related to change management and determine if roll back procedures are
defined and implemented, including procedures and responsibilities for aborting and recovering from
unsuccessful changes and unforeseen events.
2. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s) and/or
relevant stakeholders, as needed to ensure that roll back procedures are defined and implemented and determine if
the policy control requirements stipulated in the policy have been implemented. Select a sample of changes and
examine the change management record to confirm that the change was assessed and included appropriate
fallback procedures in the event of a failed change.
3. Examine measure(s) that evaluate(s) the organization's compliance with the change management policy and
determine if these measures are implemented according to policy control requirements.
4. Obtain and examine supporting documentation maintained as evidence of these metrics, measures, tests, or
audits to determine if the office or individual responsible reviews the information and, if issues were identified,
they were investigated and corrected.
1. Review cryptography, encryption, and key management policy and procedures and confirm that these have
been approved by appropriate management.
2. Confirm that the policy and procedures are reviewed at least annually.
1. Obtain cryptographic, encryption policy, and key management procedures.
2. Verify, by interviews or otherwise, that employees and stakeholders are aware of their roles and
responsibilities, and obtain supporting documentation evidencing that the responsibilities are being managed in-
line with policy and procedures.
1. Identify data flows within the organization that are in-transit.

2. Identify data storages within the organization that are at-rest.
3. Confirm that the identified data flows and data storages have been protected by an appropriate cryptographic
algorithm aligned to cryptography, encryption, and key management policy and procedures.
1. Identify the encryption algorithms in use.

2. Confirm that identified encryption algorithms have been reviewed and approved by appropriate management.
3. Confirm that the encryption algorithm approval process includes assessment of the appropriateness of the
algorithm for the data it is protecting, any associated risks, and the algorithm's usability.
1. Examine policy and procedures and obtain evidence that these include the change management process.
2. Obtain representative samples of recent changes relating to cryptographic, encryption, and key management
technology.
3. Confirm that sample changes have followed the organization change management procedures, including
approval by appropriate individuals, communication of changes to relevant stakeholders, and assessment of the
success of implementing changes with any required remediation actions being tracked.
1. Obtain a copy of the change management policy and procedures. Confirm that these documents include
assessment of impact on downstream effects, including residual risk, cost, and benefit analysis.
2. Examine recent changes made to cryptography-, encryption-, and key management-related systems (including
policy and procedures), and confirm that these changes include an account of downstream effects of proposed
changes, including residual risk, cost, and benefits analysis.
3. Confirm that the changes have been reviewed and approved by appropriate management.
1. Identify and confirm the existence of the organization's risk assessment process and obtain the risk register.
2. Confirm that the risk register includes as part of a regular process or control review encryption and key
management.
3. Obtain evidence that demonstrates that a risk assessment is performed of the encryption and key management
program and process.
1. Identity CSC's data key encryption policy and standards.
2. Review the implementation of the CSP key broker and key management services (KMS) and the cloud
hardware security modules (HSMs).
3. Confirm that the configuration enables appropriate management of the key, e.g., customer-managed master
key, CSP-managed master key, and CSP-owned master key.
4. Confirm that HSM meets internal compliance standards, e.g., FIPS 140-2.
1. Examine the master audit plan to confirm that audits of encryption and key management systems, policy and
processes are included in the plan.
2. Review previously completed audits and confirm that audits of encryption and key management systems,
policy and processes have been completed and that any issues raised have been included in issue logs and tracked
appropriately.
1. Confirm that the organization has an approved process for the generation of cryptographic keys.
2. Identify the keys being used.
3. Observe the generation of an encryption key in a production-like sandbox or as a test tenant in production and
confirm the keys have been generated according to the appropriate procedure and technical specifications.
1. Obtain copies of the policy and procedures detailing the management of secret and private cryptographic keys.
2. Identify cryptographic secret and private keys that have been provisioned for a unique purpose.
3. Ascertain that these keys are being managed in accordance with policy and procedures.
Consider the symmetric vs. asymmetric key rotation capabilities of CSPs and an appropriate rotation process
adopted.
1. Confirm that policy and procedures include a requirement for regular key rotation.
2. Identify keys used within the organization. Confirm that these keys are part of the rotation process.
3. Review the key rotation process to confirm logging and monitoring of key rotation, tracking of date, time,
encryption algorithm used, and authorization process used.
1. Examine the organization procedures and confirm the existence of a key revocation process.
2. Identify a population of keys and confirm that they are captured within the key revocation process.
3. Confirm that a list of entities no longer part of the organization is maintained.
1. Confirm the existence of key destruction processes and procedures.
2. Review the access permissions for the destruction and restoration of keys and confirm that only appropriate
individuals have access to these capabilities.
3. Review keys that have been destroyed and ascertain the appropriate process and procedure have been followed.
4. Establish documented criteria that determine when it is appropriate for a cryptographic key to be stored outside
a secure environment.
1. Confirm the existence of processes and procedures to generate keys.

2. Confirm that the access and permissions around the key creation process is restricted to appropriate
individuals.
3. Identify the key management server and the key storage database.
4. Review the key attributes and confirm that these are appropriate for the key, e.g., activation data, instance,
deletion ability, rollover, etc.
5. Confirm the key activation process, e.g., manual, on creation, at a future time.
6. Review the pre-activated keys.
1. Confirm the existence of processes and procedures to manage the transition state of keys.
2. Review the access and permissions regarding the transition state of keys and confirm that these are restricted to
appropriate individuals.
3. Verify that it is possible to modify a key state and suspend/disable keys when required.
1. Confirm the existence of processes and procedures to deactivate keys.
2. Review the access and permissions around the key deactivation process and confirm this is restricted to
appropriate individuals.
3. Review key deactivation process and configurations. Confirm that they are in line with internal and external
requirements.
4. Confirm the key deactivation process e.g. manual, on expiration, at a defined future time.
1. Confirm the existence of a documented and valid process for key archival.
2. Verify that the key archival process implements least privilege throughout the key archival cycle.
3. Establish whether the storage medium is secure, as per internal and external requirements.
1. Examine if the organization has defined processes, procedures and technical measures for secure handling of
compromised keys.
2. Review if the process for secure usage of compromised keys fulfills the organization and external business /
operational continuity requirements.
3. Evaluate the significance of technical and organizational measures defined and implemented for usage of
compromised keys in a secure environment.
1. Examine if the organization has defined processes and procedures for handling the operational risk of
compromised keys.
2. Determine if the key recovery process fulfills the organization and external business / operational continuity
requirements.
3. Evaluate the significance of technical and organizational measures as per the key management lifecycle.
1. Examine if the organization has defined the key management processes.

2. Review the processes for key lifecycle management (creation, rotation, storage, disposal) with respect to
organization and external (regulatory) requirements.
3. Evaluate if the processes and procedures for change management of key management systems provide an
overall traceability of lifecycle steps.
1. Examine the organization's policy and procedures related to data destruction.
2. Determine if the policy has been approved, communicated, and reviewed.
3. Determine if a policy exists that addresses the secure destruction of data and for conditions when equipment is
reused as opposed to when equipment is destroyed.
1. Examine the organization's policy and procedures related to relocation, transfer or retirement of assets.
2. Determine if policy has been approved, communicated, and reviewed.
3. Determine if the policy requires recorded authorisation of movements.
1. Examine the organization's policy and procedures related to physical areas under the organization's control.
1. Examine the organization's policy and procedures for secure transportation of physical media.
1. Examine the policy relating to defining the organization's business risk.

2. Confirm that the physical and logical assets are being classified in accordance with defined policy and
procedures.
3. Review the asset Inventory to determine if assets are catalogued and tagged according to the organization's
business risk classification criteria.
1. Examine the policy relating to defining asset location and disposition.

2. Examine the asset registers and determine if they are stored and accessed securely.
1. Examine the policy relating to physical security perimeters.

2. Examine the lists of types of areas in the organization, and the classification of each.
3. Determine if there are appropriate physical security barriers and if monitoring exists between areas.
1. Examine the policy relating to equipment classification and identification.
2. Determine if appropriate methods are implemented.
3. Confirm the existence of a process or procedure to track and maintain a list of appropriate equipment permitted
for authorised connections.
1. Examine the policy and procedures relating to access to secure areas.

2. Determine if the policy includes ingress and egress points to service and delivery areas.
3. Determine if procedures include activities and actions against unauthorized personnel in the premises.
4. Confirm that existence, review, and retention of Access logs for secure areas are aligned with policy and
procedures.
1. Examine the policy relating to data center surveillance.

2. Determine if the policy includes ingress, egress and external perimeter to detect unauthorized access.
3. Determine if procedures include activities and actions against unauthorized personnel in the premises.
4. Review and determine if items identified in surveillance system logs for the premises have been actioned in
accordance with policy and procedures.
5. Determine if logs are maintained and reviewed appropriately.
1. Examine the policy and procedures relating to activities and actions to perform in case of unauthorized access.
2. Examine the policy and procedures related to datacenter’s personnel training.
3. Determine if the training content is appropriate and approved by the organization.
4. Ascertain that appropriate datacenter personnel have completed all relevant training through review of training
plans and records. Confirm that these have been completed in accordance with policy and procedures.
1. Examine the policy and procedures relating to cabling Infrastructure.

2. Determine if risk registers are maintained for cabling (For plant and ancillary equipment).
1. Confirm the existence of policy and procedures relating to environmental control in the datacenter.
2. Verify that the environment control systems are documented and operational in accordance with policy and
procedures.
3. Determine if testing for operational control effectiveness is conducted at regular intervals.
4. Determine if environment system logs (e.g., temperature and humidity) are generated and if related monitoring
controls are maintained.
5. Confirm that the system logs are reviewed on a periodic basis and items are disposed of in accordance with
policy and procedures.
1. Confirm the existence of the policy and procedures relating to utilities services.
2. Confirm that the control effectiveness of utilities services is conducted at periodic intervals.
3. Determine if utility services logs are maintained and reviewed periodically.
4. Determine if testing of the utilities services is included in the CSP contract with the customer.
1. Examine the policy relating to environmental risk.

2. Determine if locations are assessed and classified for probability of environmental risk.
3. Determine if business-critical equipment is identified.
1. Examine the organization's policy and procedures related to data privacy. Determine if a framework exists to
ensure that the organization monitors the regulatory and legislative environment for changes applicable to the
organization. Confirm whether the organization has documented the roles and responsibilities that support the
management of its policy.
2. Determine whether policy and procedure content is sufficient to direct the compliant and lawful management
of personal data and to address non-compliance.
3. Confirm whether policy addresses the requirement that the organization's data is used only for authorized
purposes and in compliance with legislation and regulation.
4. Examine if the policy and procedures are reviewed on an appropriate basis.
5. Examine the measure(s) that evaluate(s) compliance with the organization's data privacy and security policy
and determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated.
6. Examine documentation to determine if the function responsible for data privacy compliance reviews the
information to determine whether the organization is compliant with current legislation and regulation.
7. Confirm that the procedure exists for follow-up on deviation to current legislation and regulations and is up to
date.
1. Examine the organization's procedures and technical requirements related to the secure disposal of data from
storage media. Establish that this process and key controls comply with the organization's data privacy and
security policy. Establish whether the organization has documented the roles and responsibilities for this process.
2. Select a sample of disposal requests and assess whether they have followed the process through to completion.
Confirm that all evidence was formally documented and recorded.
3. Examine measure(s) that evaluate(s) this process and determine if the measure(s) address(es) implementation
of the process/control requirement(s) as stipulated. Reviews, tests, or audits should be completed periodically by
the organization to measure the effectiveness of the implemented controls and to verify that non-compliance and
opportunities for improvement are identified, evaluated for risk, reported, and corrected in a timely manner.
4. Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the
office or individual responsible reviews the information and if identified issues were investigated and corrected.
Determine if the individual or office is able to correct issues without the need to routinely escalate the issues to
the next level of management. Examine related records to determine if the individual or office conducted any
follow-ups on the deviations to verify they were corrected as intended.
1. Examine the organization's procedures and technical requirements for the population and management of its
data inventory. Establish that this process and key controls comply with the organization's data privacy and
security policy. Establish whether the organization has documented the roles and responsibilities for this process.
2. Select a sample of entries to ensure they have been recorded correctly on the inventory. The sample must
include a proportion of sensitive and personal data entries.
3. Assess whether management of the data inventory meets the organization's expectations.
1. Examine the organization's procedures and technical requirements for classifying data. Establish that this
process and key controls comply with the organization's data privacy and security policy. Establish whether the
organization has documented the roles and responsibilities for this process.
2. Establish if the organization's data classification matrix is aligned with the organization's data classification
requirements.
3. Select a sample of data to confirm that each item has been classified appropriately.
1. Examine the organization's procedures and technical requirements for recording data flows and that a review is
carried out at least annually. Establish that this process and key controls comply with the organization's data
privacy and security policy. Establish whether the organization has documented the roles and responsibilities for
this process.
2. Select a sample of documents to check that they have been completed to the correct specifications and
reviewed.
3. Review if data flow documentation includes assessment for accuracy, completeness, timeliness, and
sustainability of data (flow).
1. Examine the organization's data owner process and roles and responsibilities documentation. Establish that
this process and key controls comply with the organization's data privacy and security policy. Establish whether
the organization has documented the roles and responsibilities for this process.
2. Establish that the organization maintains a source(s) of record of data owners and the records for which they
are responsible. Establish that this must include personal data and sensitive data.
3. In the absence of a documented procedure, interview control owner(s) responsible for key staff involved
in/with, and/or other relevant stakeholders impacted by the process/control requirement(s) and determine if the
requirement(s) is/are understood. Evidence may be provided by observing individuals, systems and/or processes
associated with data management to determine if the process requirements are generally understood and
implemented consistently.
4. Select a range of entries to establish the information recorded is correct.
5. Assess whether oversight of the data ownership process meets the organization's expectations.
6. Examine if the documentation is reviewed on an annual basis.
1. Examine whether the organization's policy, standards, and procedures create a framework which fosters a
culture and expectation of “security through design.” Determine whether this content addresses the directive of
the organization's culture and whether practices reflect security through design.
2. Examine whether the organization's governance framework, documents, controls, and metrics satisfy the
organization and if its sub-processors comply with this requirement. Establish whether the organization has
documented the roles and responsibilities involved.
3. Review the organization's data breaches log, the security incidents log, and project change failure records for
examples where this requirement was not followed correctly. Further, confirm that action plans were identified
and carried out.
4. Examine the measures that evaluate this organizational requirement and determine if the measures address
implementation of process and control requirements as stipulated.
office or individual responsible reviews the information and if identified issues were investigated and remediated
appropriately.
1. Examine whether the organization's policy, standards, processes, and controls create a framework that fosters a
culture and expectation of “data privacy through design.” Determine whether this content addresses the directive
of the organization's culture and if practices reflect data privacy through design.
2. Examine whether the organization's governance framework, documents, controls, and metrics satisfy the
organization and whether its sub-processors comply with this requirement. Establish whether the organization
has documented the roles and responsibilities involved.
3. Review the organization's data breaches log, the security incidents log, and project change failure records for
examples where this requirement was not followed correctly. Further, confirm that action plans were identified
and carried out appropriately.
1. Examine procedures related to DPIA risk assessment and determine if once a requirement has been established,
the organization identifies and grades the associated risks and reports and prioritizes the remediation of risks and
non-compliance activities. Examine whether the DPIA process and templates align to the organization's risk
methodology and taxonomy.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of DPIAs and examine evidence to confirm that each assessment was performed to identify
associated risks. Further, confirm that any action plans were identified and carried out appropriately. Confirm
that all relevant evidence was formally documented.
1. Examine the organization's procedures and technical requirements for the secure and lawful transfer of
personal data and sensitive data. Establish that this process and key controls comply with the organization's data
privacy and security policy.
3. Select a range of personal data transfers and a range of sensitive data transfers to confirm that each transfer
adhered to the organization's policy, procedures, and controls. Confirm that all relevant evidence was formally
documented.
1. Examine whether the organization's policy and procedures related to data privacy addresses the requirement
that authorized users must be able to access, modify, or delete personal data. Establish whether the organization
has processes in place to manage and respond to data access requests from data subjects. Establish whether the
organization has documented the roles and responsibilities for this process.
2. Select a range of data changes to confirm that only authorized users are able to successfully access, modify and
delete personal data. Select a sample of data access requests to establish that these were completed correctly
following the organization's processes. Confirm that all relevant evidence was formally documented.
1. Examine whether the organization's policy and procedures related to data privacy address the requirement that
data the organization is responsible for is processed lawfully and used only for the purposes stated to data
subjects.
3. Review the organization's data breaches and confirm that action plans were identified and carried out
appropriately. Confirm that all supporting evidence was formally documented.
4. Review the organization's processes that inform data subjects why the organization requests this data and what
it will be used for. Confirm that any organization documentation (including web page content) is subject to
formal periodic review for relevance and compliance to legislation and regulation.
1. Examine the organization's contractual terms, procedures, roles and responsibility documents and technical
requirements for the transfer of personal data and sensitive data to sub-processors and how sub-processors are to
treat this data.
3. Select a sample of data transfers to sub-processors to establish that the controls and reporting the sub-processor
are in place and ensure that these comply with the organization's data privacy and security policy.
4. Examine the organization's contractual requirements for sub-processor compliance, reporting and non-
compliance sanctions, and the organization's right to audit. Establish sub-processors' processes, controls and
metrics to comply with those of the organization.
1. Examine the organization's contractual requirements and procedures whereby sub-processors will disclose all
occasions when personal or sensitive data was accessible by sub-processors prior to initiation of that processing.
3. Select a sample of data transfers to sub-processors to establish that the controls and reporting the sub-processor
are in place and ensure that these comply with the organization's data privacy and security policy.
Note: A real-life case will be rare. Should it not be possible to follow a real-life case, a theoretical case should be
tested to establish that systems, processes, and controls are operating as designed and as agreed with the sub-
processor.
1. Examine the organization's procedures and technical requirements related to the use of production data in non-
production environments or requests to replicate production data for use in non-production environments.
3. Select a sample of requests and assess whether such requests have followed the approval and secure
deployment processes through to completion. Confirm that all relevant evidence was formally documented and
recorded.
4. Review the organization's data breaches for examples in which this requirement was not followed correctly.
Further, confirm that any appropriate action plans were identified and carried out.
1. Examine the organization's procedures, technical requirements and other documentation for the retention,
archiving and deletion of data.
3. Establish that the organization maintains a source(s) of record of data types, owners, and retention periods.
Select a range of entries to establish that the information recorded is correct.
4. Establish how the organization determines that its retention records are accurate and complete. Establish that
the organization has documented its understanding of the extent of its remit in terms of its role as a supplier and
the extent of its own supplier's obligations to this requirement.
5. Confirm that the data retention process meets the organization's requirements as detailed in policy and
procedures.
1. Examine whether the organization's policy and procedures related to data privacy address the requirement to
manage and protect sensitive data throughout its lifecycle.
3. Select a sample of sensitive data types to establish the systems, processes, and controls operating to manage
sensitive data throughout its lifecycle. Select a sample to establish the examples following the organization's
processes.
4. Review the organization's data breaches for examples for which this requirement was not followed correctly.
Further, confirm that any relevant action plans were identified and carried out. Confirm that all relevant evidence
was formally documented.
1. Examine the organization's procedures and technical requirements related to personal data requests from law
enforcement authorities.
2. Establish that processes and controls comply with the organization's data privacy and security policy.
4. Select a sample of requests and assess whether such requests have followed the approvals and secure
communication processes through to completion. Confirm that all evidence was formally documented.
5. Review the organization's data breaches for examples for which this requirement was not followed correctly.
Further, confirm that relevant action plans were identified and carried out.
1. Examine the organization's procedures, technical requirements, and other documentation to direct, manage and
review the records of the organization's data physical storage locations.
3. Confirm that the organization’s policy and procedures include details of guidelines for the storage and
processing of data within the designated countries/regions/zones/jurisdictions.
4. Establish that the organization maintains a source(s) of record of its physical data storage locations and is able
to trace data lineage. Select a range of entries to establish that the information is recorded appropriately.
5. Confirm that the data storage records are accurate and complete as detailed in policy and procedures.
6. Establish that the organization has documented its understanding of the extent of its remit in terms of its role as
a supplier and the extent of its own supplier's obligations to this requirement.
7. Confirm that the data storage process meets the organization's requirements as detailed in policy and
procedures.
1. Examine the policy and/or procedures related to information governance programs to determine whether the
organization has developed a comprehensive strategy for information governance.
2. Examine policies and procedures for evidence of review at least annually.
1. Examine the policy and/or procedures related to the Enterprise Risk Management (ERM) program to determine
whether the organization has developed a comprehensive strategy to manage risk to organizational operations and
assets, and individuals.
2. Review ERM documentation, processes, and supporting evidence to confirm if the ERM program includes
provisions for cloud security and privacy risk.
3. Examine measure(s) that evaluate(s) the organization's compliance with the risk management policy and
determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the
policy level.
4. Obtain and examine supporting evidence to determine if the office or individual responsible reviews the
information and, if issues were identified, if they were investigated and remediated appropriately.
1. Examine the policy and/or procedures related to the Enterprise Risk Management (ERM) program to determine
if the organization reviews these documents at least annually or when a substantial change occurs within the
organization.
2. Confirm that Policy reviews have taken place in compliance with the organization's review requirements and
that any exceptions identified are investigated and remediated.
1.Examine the policy and/or procedures to determine if the policy exception process has been established.
2.Identify and confirm that exceptions to policies are tracked, authorised, and evidenced.
3.Confirm a review of policy exceptions takes place on a periodic basis by appropriate management.
1. Examine the policy and/or procedures related to the Information Security Program to determine whether the
organization has developed and implemented a comprehensive strategy to manage Information Security across
the organization.
2. Review the details of the information security program and establish if this covers the CCMv4 relevant
domains.
3. Confirm that identified gaps/issues are being tracked, monitored, and remediated with appropriate escalation
where required.
1. Confirm the organization has established a governance framework which details roles, responsibilities, and
accountability.
2. Evidence that governance meetings are reported and documented appropriately.
3. Confirm that individuals/groups responsible for governance are tracking and monitoring progress against the
governance program.
1. Confirm that policy and procedures include provisions to identify and document all relevant standards,
regulations, legal/contractual, and statutory requirements.
2. Establish that the organization maintains an inventory of CCM controls and relevant regulatory information is
mapped across to the CCM inventory.
3. Identify and examine any metrics and supporting evidence to provide assurance that the information system
regulatory mapping is reviewed on a periodic basis, and that any gaps in the mapping are appropriately actioned.
1. Examine the organization's policy and procedures related to contact with cloud-related special interest groups
to determine if membership is required and actively maintained.
2. Identify relevant individuals responsible for contacting cloud-related special interest groups and determine if
the policy requirements stipulated in the policy level have been implemented.
1. Examine policy for adequacy, currency, communication, and effectiveness.
2. Examine the process for selection of local laws, regulations, ethics, and contractual constraints, and for review
of its output.
3. Verify that the background verification required is mapped to the risks and data classification.
4. Examine the policy and procedures for evidence of review at least annually.
5. Examine Human Resources tickets upon hire which trigger background review and final confirmation from
third party conducting background reviews showing it has been completed and how exceptions or failed checks
have been addressed.

2. Verify that a definition of organizationally-owned or managed assets exists, and is implemented.
3. Verify, via Interviews or otherwise, that the policy is communicated to users.

2. Verify that secure and unsecure work areas are defined and demarcated.
3. Verify that confidential data is classified appropriately, and that the classification is available at point-of-use.
4. Verify, via Interviews or otherwise, that the policy is communicated to users.
2. Verify, via Interviews or otherwise, that remote sites and locations, especially those not under the control of the
organization, are defined and demarcated.
3. Verify, via Interviews or otherwise, that the policy and procedures are communicated to users.
4. Examine policy and procedures for evidence of review or at least annually.

2. Verify that a definition of organizationally-owned assets exists, and is implemented.
3. Verify that a definition of terminated employees exists, and is implemented.

2. Verify that organization charts are maintained and available as appropriate.
3. Verify that a definition of terminated employees exists, and is implemented.
4. Examine policy and procedures for notification of stakeholders upon changes in employment, or of roles, and
the appropriate activities are triggered, i.e. access changes, asset return, etc.
1. Verify that the organization has defined formats and templates of employment agreements.
2. Verify, if more than one Agreement is used, that they are mapped to appropriate roles and job descriptions.
3. Examine the policy and procedures that mandate the signing of such Agreement before access is granted.
1. Verify that the organization has defined formats and templates of Employment Agreements.
2. Verify that the Agreements include references to the organization's Information Security Management System
(ISMS), and that they mandate compliance.
1. Verify that organization charts are maintained and available as appropriate.

2. Verify that the Role or Job Descriptions refer to the appropriate ISMS requirements.
3. Verify, by Interviews or otherwise, that employees and stakeholders are aware of the roles or job descriptions,
and that these are reviewed.
1. Examine if the organization has identified its requirements for non-disclosure and confidentiality.
2. Determine the planned interval for review.
3. Verify that the requirements are reviewed at such planned intervals.
1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
2. Verify, by Interviews or otherwise, that the training program has been implemented.
3. Verify that the scope of the training program extends to all employees.
1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
2. Verify that a definition of sensitive organizational and personal data exists, and is implemented.
3. Verify, by Interviews or otherwise, that the training program has been implemented.
4. Verify that the scope of the training program extends to all employees with access to such data.
1. Examine the process for selection of applicable legal, statutory, or regulatory compliance obligations, and for
review of its output.
2. Verify, by Interviews or otherwise, that employees are aware of their roles and responsibilities with respect to
such obligations.
1. Examine policy and/or procedures related to identity and access management to determine if policy and/or
procedure content:
a. addresses the provisioning, modification and deprovisioning of logical access.
b. establishes password complexity and management requirements.
c. addresses authorization concept following separation of duties and least privilege.
d. addresses privileged access management and access reviews.
e. includes roles and responsibilities for provisioning, modifying and deprovisioning of logical access.
f. understands the delineation of identity and access management control responsibility in relation to the shared
responsibility model.
2. Determine if the policy is clearly communicated and available to stakeholders.
3. Examine if policy and procedures are reviewed and updated at least annually.
1. Examine policy and/or procedures related to passwords to determine if minimum password complexity
requirements are defined.
2. Determine if the organization enforces minimum password complexity requirements as defined in policy.
1. Determine if the organization has defined acceptable storage methods and locations of system identities.
2. Evaluate if the organization is consistently utilizing approved methods and locations to store system identities.
3. Evaluate if access to stored identities is managed following established processes.
1. Determine if divisions of responsibility and separation of duties are defined and documented.
2. Determine if information system access authorizations are established to support separation of duties.
1.Examine the policy to determine the least privilege required for each role or user.
2.Evaluate the effectiveness of the implementation and review of policy.
1. Determine if personnel required to approve system access requests are identified and documented.
2. Evaluate if access requests are documented and approved by required personnel prior to access provisioning.
1. Determine if a process is established for removing logical access when users leave the organization or when
access is no longer appropriate.
2. Determine if a timeframe for access removal and access modification is defined.
3. Verify that a process is established for removing existing system access and assigning appropriate access or for
modifying existing access after internal transfer or change of job functions.
4. Determine if established processes for access removal and modification, within the defined time frame, are
followed in practice.
1. Determine if the required frequency for review of accounts is established.
2. Determine if accounts are reviewed for compliance, including the level of access and conflicting access,
following the principle of least privilege and consideration of separation of duties.
3. Determine if accounts are reviewed at the organization-defined frequency.
1. Determine if processes, procedures and technical measures for the separation of privileged access are defined
and include requirements for separation of administrative access to data, encryption, key management and
logging capabilities.
2. Evaluate if established processes, procedures and technical measures for the separation of privileged access are
implemented and followed in practice.
1. Determine if an access process, that includes requirements for limiting the time period of privileged access
roles and rights, is defined.
2. Determine if procedures address the prevention of culmination of segregated privileged access.
3. Evaluate if an access process, that includes requirements for limiting the time period of privileged access roles
and rights, is implemented and consistently followed in practice.
4. Evaluate if procedures that address the prevention of culmination of segregated privileged access is
implemented and consistently followed in practice.
1. Determine if processes and procedures for customers to participate, where applicable, in the granting of access
for agreed, high risk (as defined by the organizational risk assessment) privileged access roles are defined,
1. Determine if processes, procedures and technical measures are defined for log management.
2. Determine if processes, procedures and technical measures for log management include the following two
requirements:
a. the logging infrastructure is read-only for all with write access, including privileged access roles.
b. the ability to disable and/or modify logs is controlled following separation of duties and established break
glass procedures.
3. Evaluate if the processes, procedures and technical measures for log management are implemented and
consistently followed in practice.
1. Determine if processes, procedures and technical measures are defined and require that users are identifiable
through unique IDs or by association of individuals to the usage of user IDs.
2. Determine if the established processes, procedures and technical measures are implemented and consistently
followed in practice.
1. Determine if processes, procedures and technical measures for authenticating access to systems, applications
and sensitive data are defined and maintained.
and sensitive data include organization-defined requirements for specific use cases of multifactor authentication,
digital certificates and/or alternative security measures.
and sensitive data are implemented and consistently followed in practice.
1. Determine if processes, procedures and technical measures for the secure management of passwords are
defined.
2. Determine if processes, procedures and technical measures for the secure management of passwords are
1. Determine if processes, procedures and technical measures, for verification of access authorization to data and
system functions, are defined.
2. Determine if processes, procedures and technical measures, for verification of access authorization to data and
system functions, are implemented and consistently followed in practice.
2. Examine the inventory of documentation that establishes the requirements and communication of this control.
1. Examine the list of Application Programming Interfaces (API) available to Cloud Service Consumers.
2. Determine if such list and usable documentation is made available to Cloud Service Consumers.
1. Examine the policy for the secure transmission of requests and data.
2. Inspect the requirements, with respect to any security domains defined.
3. Examine the policy that specifies protocols for transmission, with respect to standardization.
1. Examine the standard form of contract for offboarding the Cloud Service Consumers.
2. Determine if non-standard clauses allow the Cloud Service Consumers to waive such rights.
3. Determine if there are requests for data in unsupported formats.
4. Examine the policy regarding deletion of resources no longer in the control of a client, and determine if such
policy corresponds to the contractual data retention.
1. Interview the team to determine if policy and procedures have been documented.
2. Evaluate the documented policy to determine if it has been approved and communicated to the relevant internal
and external teams.
3. Determine if the policy has been applied to the infrastructure and virtualization security operations and if
relevant procedures have been drafted.
4. Determine if the procedures are periodically evaluated and if they are maintained, up to date, and relevant.
5. Determine if policy and procedures are reviewed and updated on an annual basis. Policy may contain
segregation of environments and roles, change management requirements and continuous exercising.
1. Determine if the business requirements for system performance are available.

2. Determine if evidence exists that points to planning and monitoring of the availability, quality and capacity of
resources.
3. Determine if evidence exists that establishes that the plan is appropriate and adequate to meet the expectations
of the business requirements established in the first guideline.
1. Examine the policy for communication between environments.
2. Examine the criteria for business justification of communication, and reviews.
3. Determine if the inventory of allowed communication has been reviewed, at least annually.
4. Evaluate the effectiveness of the monitoring and encryption of such communication.
5. Evaluate the details of business justification, and its review.
1. Determine if the host and the guest OS has been hardened as per best practices.
2. Determine if the hypervisor or infrastructure control planes are hardened as per best practices.
3. Determine if appropriate technical controls exist that ensure that the hardening is done.
4. Determine if a security baseline has been set up.
5. Determine if the security baseline contains information about the hardening done.
1. Verify if production and non-production environments are appropriately segregated.

2. Verify if the segregation is reviewed and managed during change management.
3. Verify the classification of data contained in each environment.
1. Review evidence to verify that the design and development of applications and infrastructure ensure
appropriate best practices such as hardening, segmentation, and segregation is incorporated and the shared
responsibility model between the CSP and CSC is maintained.
2. Review evidence to verify that the deployment and configuration of applications and infrastructure follow
appropriate hardening, segmentation, and segregation is incorporated and the shared responsibility model
between the CSP and CSC is maintained.
3. Review evidence to determine that segmentation and segregation is monitored.
4. Review evidence to determine that the tenants are isolated from each other.
1. Examine the list of environments that will be the target of migrations.

2. Examine the criteria for maintaining a list of approved protocols.
3. Examine the records of migrations.
1. Examine the criteria for identifying high-risk environments.

2. Examine the inventory of high-risk environments, and periodicity of review.
1. Interview the team to evaluate if they have defined processes and procedures for protection, detection and
timely response to address network based attacks.
2. Review evidence to establish that the defined processes and procedures have been implemented.
3. Review evidence to establish that the processes and procedures are evaluated and validated periodically.
4. Review evidence to establish that the processes and procedures are based upon a defense-in-depth.
5. Review evidence to support the effective activation of incident response plans when necessary including the
associated communication protocols.
planning, delivery and support of the organization's logging and monitoring requirements.
1. Examine the organization’s log retention requirements.

2. Evaluate the policy and technical measures with respect to effectiveness.
1. Examine policy related to the security monitoring and alerting, and determine if security-related events within
applications and the underlying infrastructure are identified.
2. Examine processes related to identifying responsible stakeholders for the purpose of alerting.
3. Evaluate the implementation with respect to effectiveness, and conduct a review of metrics.
1. Examine policy related to the protection of log information.

2. Determine if the control requirements stipulated in the policy have been implemented.
3. Examine policy related to the maintenance of access records.
1. Examine policy for the monitoring of audit logs.

2. Determine if policy and patterns have been established for anomalous activities.
3. Examine policy for the review of, and timely action on anomalies.
1. Examine policy that establishes the time scale and epoch, or traceability, of time across systems.
2. Evaluate the process that ensures synchronization of time on relevant systems.
1. Examine policy for the identification of loggable events, applications, or systems.
2. Examine the outputs of such identification, with respect to review and approval.
3. Examine scope for evidence of review at least annually.
1. Examine policy related to audit logging and determine if it includes requirements to generate audit records
containing relevant security information.
2. Examine audit records and determine if they adequately reflect the policy.
1. Examine policy for the protection of audit records.

2. Evaluate the use of technical measures in the protection of audit records.
1. Examine policy related to the monitoring and reporting of operations of cryptographic policy.
2. Examine the process to identify such a policy.
3. Evaluate the effectiveness of such reporting capability.
1. Examine policy for logging and monitoring usage of cryptographic key usage lifecycle events.
2. Examine the process to identify such events.
3. Evaluate the review of these logs.
1. Examine policy for logging and monitoring physical access.
2. Examine the process to identify such events.
3. Evaluate the review of these logs.
1. Examine the policy for reporting of anomalies and failures of the monitoring system.
2. Examine the process for identifying accountable parties.
1. Examine policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery
and support of the organization’s Security Incident Management, E-Discovery and Cloud Forensics.
delivery and support of the organization’s Security Incident Management, with respect to timely management.
2. Examine the policy and procedures for evidence of review at least annually.
delivery and support of the organization’s Security Incident Management, with respect to timely management.
2. Examine the processes to identify impacted stakeholders.
3. Determine if this plan meets stakeholder requirements.
1. Verify if there is a calendar of exercises available, if exercises are performed at planned intervals and when
there are significant changes within the organization or the context in which it operates.
2. Verify if the organization has reviewed and acted upon the results of its exercising and testing to implement
changes and improvements.
1. Verify that metrics have been established to measure information security incidents.
2. Verify that metrics together demonstrate the efficacy, effectiveness and success of the information security
incident response plan to address incidents as they happen.
3. Verify that the metrics are measured and reported to stakeholders.
1. Verify if operational processes that help the organization to prepare for, identify, detect, protect, respond to and
recover from information security incidents in a step-by-step manner exist.
2. Verify if tools that support these organizational procedures to triage security related events complement the
ability of the teams to detect, review, monitor and quickly decide upon the context and the possible impact of the
incident as it happens and over time.
1. Examine policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery
and support of the organization’s Security Breach Notification management.
2. Verify if there is a formal program that documents the breach notification requirements for all regulatory or
contractual domains that the organization asserts adherence to.
3. Verify if there is a periodic awareness program to ensure all those associated with information security incident
response are aware of the procedures involved for their roles, responsibilities and authorities.
4. Determine if the organization has established breach notification Time Objectives for information security
breaches that meet the minimum expectation of the applicable regulation and verify if those time objectives are
reflected in all internal and external service level expectations.
1. Examine the process used to determine applicable points of contact, and the procedure for reviewing the
list/documentation that contains them.
2. Verify if the organization has updated the list of points of contact for applicable regulation authorities, national
and local law enforcement, and other legal jurisdictional authorities.
3. Examine when the last updates were done and if there is a schedule for reviewing and updating these contacts.
1. Examine policy for adequacy, approval, communication, currency, and effectiveness.
1. Examine the policy for provisions related to service delivery.

2. Evaluate the process for communication of requirements and service levels to vendors and other third-parties.
3. Determine if a review of effectiveness is in place, especially with respect to contractual requirements.
1. Examine whether SSRM guidance documentation has been approved by management and communicated to
CSCs.
2. Examine the process for review of SSRM Guidance if required.
(Note: This control applies to an Organization that is in the role of a CSP).
1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the
organization’s responsibility.
2. Determine if the delineation has been done, and is current.
3. Examine the process for communicating the security responsibility boundaries to third-parties.
1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the
Organization’s responsibility.
2. Examine the process for validating the boundaries for cloud services used.
3. Examine the process for validating the seamlessness of controls for cloud services used.
(Note: This control applies to an Organization that is in the role of a CSC).
1. Examine the policy related to addressing security in third-party agreements and determine if organizations
employ formal contracts.
2. Determine if written procedures exist for addressing security in third-party agreements and whether or not the
procedure(s) address(es) each element of the policy/control requirement(s) stipulated in the policy level.
3. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or
relevant stakeholders, as needed, for addressing security in third-party agreements and determine if the
policy/control requirements stipulated in the policy level have been implemented.
4. Examine measure(s) that evaluate(s) the organization's compliance with the third-party management policy and
determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the
policy level.
1. Determine if there is an inventory maintained of all supply chain relationships.
2. Establish ownership for maintaining this inventory.
3. Examine the inventory's records to establish whether CSP/CSC relationships are maintained in this inventory.
4. Determine whether this inventory is subject to review.
1. Examine the policy related to identification of risks related to external parties and determine if the organization
conducts due diligence of the external party.
2. Determine if the policy/control requirements stipulated in the policy level have been implemented.
3. Determine the periodicity of review of risk factors.
1. Examine the policy for inclusion of the Control in third party agreements.
2. Examine the policy related to the review of third-party services to determine if the organization incorporates
compliance by third parties.
1. Determine if a documented review schedule of CSP-CSC supply chain agreements exists on an annual basis
and is operating.
2. Examine the organization's implementation of its third-party management policy.
1. Examine the process for determining the standards and policy that service level agreements must conform to.
2. Examine the process to determine contractual, legal, and technical requirements applicable to service level
agreements.
3. Determine if internal assessments are defined, planned, and executed, at least annually.
1. Examine the policy for incorporation of requirements into contractual documents throughout the CSP’s supply
chain.
2. Determine if requirements have been incorporated in contracts.
3. Evaluate if the right to audit is protected, where required.
1. Examine the policy for review of supply chain partners governance of IT.
2. Determine if the right to review is incorporated contractually.
3. Evaluate whether such a review cycle is operating within the organization.
1. Examine the policy related to the security assessments of the supply chain.
2. Examine the policy related to identification of risks related to external parties.
3. Determine if procedures exist for identification of risks related to external parties
4. Evaluate evidence of the conduct of assessments of organizations within the supply chain, periodically as
required by the policy.


1. Examine policy for adequacy, currency, and effectiveness.

2. Determine if technical measures are evaluated for effectiveness.
2. Determine if technical measures are evaluated for effectiveness.
3. Determine if updates and reviews of indicators are conducted at least weekly.

2. Determine if a process exists to identify third-party libraries, and to evaluate their impact on the organization’s
vulnerability management.

2. Determine if the process for defining frequency of penetration testing is defined.
3. Determine if the process for selection of independent third parties is defined, and evaluated.

2. Determine if vulnerability detection is undertaken as required, and at least monthly.
1. Examine policy and procedures related to prioritization of vulnerabilities detected.
2. Determine if an industry recognized or widely used framework is implemented.
3. Examine how the output of risk assessment of the vulnerabilities is used to inform prioritization of
remediation.
4. Determine if the process is evaluated for effectiveness.
1. Examine policy and procedures related to tracking and reporting of vulnerabilities.

2. Examine the process to identify stakeholders.
3. Determine if the process is implemented.
1. Verify that metrics have been established to measure vulnerabilities.

2. Examine the process for reporting metrics, including identification of recipients.
3. Determine if reports are sent at the defined intervals.

2. Examine policy and procedures for evidence of review, at least annually.
1. Determine if a list of approved services, applications and sources of applications (stores) acceptable for use by
endpoints when accessing or storing organization-managed data have been identified and documented.
2. Determine if the identified and documented list of approved services, applications and sources of applications
(stores) acceptable for use by endpoints when accessing or storing organization-managed data have been
enforced.
3. Examine how endpoints are monitored for unauthorized services and the process to remove or terminate use of
non-sanctioned resources.
1. Examine the process for endpoint compatibility validation.

2. Determine if the process produces a published compatibility matrix.
1. Examine the asset register, with reference to endpoints.

2. Determine if endpoints that store and access company data are tagged and included in the asset inventory.
1. Examine procedures for adequacy, currency, communication, and effectiveness.

2. Determine the extent and applicability of the processes, procedures, and technical measures over applicable
endpoints, as identified.
3. Examine policy and procedures for evidence of review, with respect to effectiveness.
1. Determine the organization's definition of interactive-use endpoints.
2. Examine the processes and technical measures in place to enforce automatic lock screens.
1. Examine the organization's change management policy for controls related to changes on endpoints.
2. Determine if such controls are in place for making changes to production and infrastructure systems and if the
controls are evaluated as effective.
1. Examine the organization's asset disposal policy for end-of-life security requirements.
2. Examine the organization's policy on encryption or otherwise protection of data at rest on endpoints.
3. Determine if such controls are in place and evaluated as effective.
1. Examine the organization's anti-malware policy.

1. Examine the organization's software firewall and other endpoint network protection policy.
2. Examine the policy on configuration of such controls.
1. Examine the organization's data loss policy.
2. Examine the policies on configuration of such controls.
3. Determine if such controls are driven by risk assessments.
1. Examine the organization's remote geo-location for managed mobile endpoints policy.
2. Determine if such controls are in place.

2. Determine the extent and applicability of the processes, procedures, and technical measures over managed
endpoints, as identified.

2. Determine the organization's definition of third-party endpoints.
3. Determine the extent and applicability of the processes, procedures, and technical measures over third-party
endpoints.
v4.0.6

Procedures



AIS-01

AIS-02
Security

AIS-04
AIS-05
Security Testing

AIS-06
Security Deployment

Security
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity
Business Continuity

Change Control and
Procedures
Management
Change Control and

Management
Change Control and
Management
Change Control and
Management
Change Control and

Management
Change Control and
Management
Change Control and

Management
Change Control and

Management
Change Control and
Management

Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Analysis
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management
Cryptography,
Management

and Procedures
and Procedures
and Procedures



Training

Data Security and

Procedures
Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and
Management
Data Security and

Management
Data Security and
Management
Data Security and
Management
Data Security and
Processing
Management
Data Security and
Management
Data Security and

Management
Data Security and

Management
Data Security and
Management
Data Security and

Management
Data Security and

Management
Data Security and
Management

GRC-01

Compliance
Compliance

Compliance

Compliance
Compliance

GRC-07
Compliance Mapping

Compliance

Procedures

and Procedures
Procedures



and Training

IAM-01
Identity & Access
Management
Identity & Access
Management
Identity & Access

Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
Identity & Access
Management
Identity & Access

Management
IAM-10
Management Roles
IAM-11
Identity & Access

Management
Identity & Access
Management
Identity & Access
Management
Identity & Access
Management
Identity & Access
Management

IPY-01
Interoperability &
Portability

IPY-03

IPY-04

IVS-01
Infrastructure &
Infrastructure &
Infrastructure &

IVS-05
Infrastructure &
Infrastructure &
Infrastructure &
Infrastructure &

Procedures



Security Incident
SEF-01
Forensics
Security Incident
SEF-02
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics

Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-09
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-12
Accountability
Supply Chain
Management,
Transparency, and
Accountability
Supply Chain
STA-14
Accountability

TVM-01
TVM-02
Management

Management
Management

Management
Management

Management
Management

Management

UEM-01
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Management
Universal Endpoint
Remote Wipe UEM-13
Management
Universal Endpoint
Management
End of Standard
Control Specification Control Mapping

the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.2
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37

27001: A.5.35
27001: A.5.36
risk-based plans and policies. 27001: 9.3.2
27001: A.5.35
27001: A.5.36

and statutory requirements applicable to the audit. 27001: 9.3.2
27001: A.5.31
27001: A.5.32
27001: A.5.33
27001: A.5.34
27001: A.5.36

planning, risk analysis, security control assessment, conclusion, remediation 27001: 9.2
schedules, report generation, and review of past reports and supporting evidence. 27001: 9.3
27001: A.5.36

27001: 7.3
27001: 7.4
27001: 7.5
27001: 8.2
27001: 8.3
27001: 9.3.2.d
27001: 10
27001: A.5.36
27001: A.5.37
27002: 5.36
security capabilities. Review and update the policies and procedures at least 27001: 5.1
annually. 27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.8.25
27001: A.8.27
27001: A.8.28
27001: A.8.29

27001: A.5.1
27001: A.8.25
27001: A.8.26
27002: 5.1 (l)
27002: 8.25 (c)
with business objectives, security requirements, and compliance obligations. 27001: 9.1
27001: A.8.25
27001: A.5.36
27002: 8.25 (d)

the organization.
27001: A.5.8
27001: A.8.25
27001: A.8.26
27001: A.8.28
of delivery goals. Automate when applicable and possible. 27001: A.8.25
27001: A.8.29
27001: A.8.32
27002: 8.25 (e)
27002: 8.32 (d)

27001: A.8.25
27001: A.8.32
27002: 8.32 (e)

27001: A.5.26
27001: A.8.8
27002: 5.26 (j)
Review and update the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.29
27001: A.5.30
27001: A.5.36
27001: A.5.37
27002: 5.29
27002: 5.30

criteria for developing business continuity and operational resilience strategies 27001: 4.2
and capabilities. 27001: 6.1.2
27001: 6.1.3
27001: 8.2
27001: 8.3
27001: A.5.29
27001: A.5.30
27002: 5.29
27002: 5.30
27001: 6.1.1
27001: A.5.29
27001: A.5.30
27002: 5.29
27002: 5.30

a business continuity plan based on the results of the operational resilience 27001: 5.2
strategies and capabilities. 27001: 7.3
27001: 7.4
27001: 7.5
27001: A.5.29
27001: A.5.30
27002: 5.29
27002: 5.30

support the business continuity and operational resilience programs. Make the 27001: 7.4
documentation available to authorized stakeholders and review periodically. 27001: 7.5
27001: A.5.37
27002: 5.37
27001: A.5.30
27002: 5.30

course of business continuity and resilience procedures. 27001: 7.4
27001: A.5.30
27002: 5.30 other information (c)

for resiliency.
27001: A.8.13
27001: A.5.23
27001: A.5.30
27002: 8.13
27002: 5.23 2nd (i)
27001: A.5.29
27001: A.5.30
27002: 5.29
27002: 5.30

27001: A.5.5
27001: A.5.30
27002: 5.30 (b)(1)
standards.
27001: A.5.20
27001: A.7.11
27001: A.8.14
27002: 5.20 (t)
27002: 8.14 (c)

(i.e., outsourced). Review and update the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 8.1
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.8.9
27001: A.8.32

27001: A.8.32
27001: A.8.29
outsourced).
27001: A.5.22
27001: A.8.9
27001: A.8.29
27001: A.8.31
27001: A.8.32
27001: A.8.3
27001: A.8.4
27001: A.8.15
27001: A.8.31
27001: A.8.32

agreements between CSPs and CSCs. 27001: A.5.22
27001: A.5.23
27002: A.5.23 (7th paragraph,a,b,c)
27001: A.8.9
27001: A.8.32
27002: 8.32 (a-i)

27001: A.8.9
27001: A.8.15
27002: 8.9

emergencies, in the change and configuration process. Align the procedure with 27001: A.5.1
the requirements of GRC-04: Policy Exception Process.' 27001: A.8.9
27001: A.8.15
27001: A.5.37
27002: 5.1 (g)
27002: 5.37 (f)
27001: A.8.19
27001: A.8.32
27002: 8.19 (f)
27002: 8.32 (f)

27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.8.24
27002: A.5.1 (i)
27002: 8.24 (a)
27001: 5.3
27001: A.5.2
27001: A.8.24
27002: 8.24 (e)
27001: A.5.14
27001: A.8.24
27002: 8.24 Other Information (a)
27001: 6.1.2
27001: 6.1.3
27001: A.8.24
27001: A.5.12
27001: A.5.13
27002: 8.24 General (b)

changes.
27001: A.8.24
27001: A.8.32

27001: 8
27001: A.8.24
27001: A.8.32
27001: 8
27001: A.8.24
encryption keys.
27001: A.5.23
27001: A.8.24

security event(s). 27001: 9.2
27001: A.8.24
27001: A.8.34
27001: A.5.35
27001: A.5.36
used.
27001: A.8.24
27002: 8.24 (d), Key management (a)

27001: A.5.10
27001: A.8.24

27001: A.5.31
27001: A.8.24
27002: 5.31 Cryptography
27002: 8.24 Key management (e,m)

27001: A.5.31
27001: A.8.24
27002: 8.24 Key management (g,m)
include provisions for legal and regulatory requirements. 27001: A.5.31
27001: A.8.24
27002: 8.24 Key management (j,m)

27001: A.5.31
27001: A.8.24
requirements.
27002: 8.24 Key management (l,m)

suspension, which include provisions for legal and regulatory requirements. 27001: A.5.31
27001: A.8.24

27001: A.5.31
27001: A.8.24
27002: 8.24 Key management (l,m)
27001: A.5.31
27001: A.8.24
27002: 8.24 Key management
(c,d,i,m)

which include provisions for legal and regulatory requirements. 27001: A.5.31
27001: A.8.24
27002: 8.24 Key management (f,m)

measures to assess the risk to operational continuity versus the risk of the 27001: 8.2
keying material and the information it protects being exposed if control of 27001: 8.3
the keying material is lost, which include provisions for legal and regulatory 27001: A.5.31
requirements. 27001: A.8.24
27002: 8.24 (d), Key management
(h,m)
measures in order for the key management system to track and report all cryptographic 27001: A.5.9
materials and changes in status, which include provisions for legal and regulatory 27001: A.5.31
requirements. 27001: A.8.24
27001: A.8.32
27002: 8.24 Key management (m)

organization's premises. If the equipment is not physically destroyed a data 27001: 5.1
destruction procedure that renders recovery of information impossible must be 27001: 5.2
applied. Review and update the policies and procedures at least annually. 27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.7.10
27001: A.7.14
27001: A.8.10
27002: 5.1 (b,c)
27002: 7.10 (a)
or data/information to an offsite or alternate location. The relocation or transfer 27001: 5.1
request requires the written or cryptographically verifiable authorization. 27001: 5.2
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.14
27001: A.5.37
27001: A.7.1
27002: 5.1
27002: 5.14
27002: 5.1 (b,c)
27002: 7.1
in offices, rooms, and facilities. Review and update the policies and procedures 27001: 5.1
at least annually. 27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.14
27001: A.5.37
27001: A.7.3
27001: A.7.6
27002: 5.1 (b,c)
27002: 7.3
27002: 7.6
and update the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.14
27001: A.5.37
27001: A.7.10
27002: 5.1
27002: 5.14
27002: 5.1 (b,c)
27002: 7.10 (a)
27001: A.5.12
27001: A.5.37
27001: A.5.9

areas.
27001: A.7.1
27002: 7.1 Other Information
No Mapping
27001: A.7.2
27002: 7.2 (a,b)

at the external perimeter and at all the ingress and egress points to detect 27001: A.7.4
unauthorized ingress and egress attempts. 27002: 7.4 (a)

egress attempts. 27001: 7.2
27001: A.5.24
27001: A.6.3
27001: A.6.8
27002: 5.24 (d,e)
27002: 6.8 (e)
offices and rooms. 27001: A.7.12

27001: A.7.8
27001: A.7.9
27002: 7.8 (c, e)
27002: 7.9 (b)

effectiveness at planned intervals. 27001: A.7.11
27002: 7.11 (a - g)

27001: A.7.5
27001: A.7.8
least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.10
27001: A.5.12
27001: A.5.34
27001: A.5.37
27002: 5.1 (j)
27001: A.7.10
27001: A.7.14
27001: A.8.10
27002: 7.10 (Secure reuse or disposal)
27001: A.5.9
27001: A.8.12
27001: A.5.12
No Mapping

27001: A.5.9
27001: A.8.27
27001: A.8.28
27001: A.8.29
27002: 5.8 (Information security
requirements a-i)
27001: A.8.11

best practices. 27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: A.5.34
27001: A.5.14
27001: A.7.10
27001: A.5.34
27001: A.5.34
27001: A.5.14
27001: A.5.20

27001: A.5.20

27001: A.8.31
27001: A.8.33
27001: A.5.33
27001: A.8.10
27002: 5.33 (b)

27001: A.8.11
27001: A.8.12
special attention to the notification procedure to interested CSCs, unless otherwise 27001: A.5.34
prohibited, such as a prohibition under criminal law to preserve confidentiality 27001: A.6.8
of a law enforcement investigation. 27002: 6.8
27001: A.5.9
27001: A.8.12
27001: A.8.13

at least annually.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37

risks. 27001: 6.1
27001: 6.2
27001: A.5.23
27001: 7.5.2 (c)

27001: A.5.1

the governance program whenever a deviation from an established policy occurs. 27001: A.5.1
27002: 5.1 (g)

27001: 4.3
27001: 5.1
27001: 5.3
27001: A.5.1
27001: A.5.2
27001: A.5.4
27002: 5.1 (f)

and statutory requirements, which are applicable to your organization. 27001: 4.2
27001: A.5.31
27001: A.5.32
27001: A.5.33
27001: A.5.34

groups and other relevant entities in line with business context. 27001: A.5.6

but not limited to remote employees, contractors, and third parties) according 27001: 5.1
to local laws, regulations, ethics, and contractual constraints and proportional 27001: 5.2
to the data classification to be accessed, the business requirements, and acceptable 27001: 7.3
risk. Review and update the policies and procedures at least annually. 27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.6.1

use of organizationally-owned or managed assets. Review and update the policies 27001: 5.1
and procedures at least annually. 27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.10
27001: A.5.37
least annually.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.7.7
at remote sites and locations. Review and update the policies and procedures 27001: 5.1
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.6.7
27001: A.7.9

27001: A.5.11
27001: A.6.5

27001: A.6.2
27002: 6.2 (a)

policies.
27001: 7.3
27001: A.6.2
27001: 7.4
27001: A.5.2

27001: A.6.2
27001: A.6.6

and provide regular training updates. 27001: 7.3
27001: 7.4
27001: A.5.37
27001: A.6.3
27001: 7.3
27001: A.6.3

27001: 5.1
27001: 7.3
27001: A.5.4
27001: A.6.2

27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.15
27001: A.5.16
27001: A.5.17
27001: A.5.18
27001: A.5.37
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.17
27001: A.6.3
27001: A.8.5
27001: A.5.37
level of access.
27001: 9.2 (c)

27001: A.5.15
27001: A.5.16
27001: A.5.18
27001: A.7.4
27001: A.8.15
27001: A.8.2
27001: A.8.3

system access.
27001: A.5.15
27001: A.5.18
27001: A.5.3
27001: A.8.2

system access.
27001: A.5.15
27001: A.8.2
27002: 5.15 (Other information 2nd
(a))
27001: A.5.15
27001: A.5.16
27001: A.5.18

27001: A.5.15
27001: A.5.18
27001: A.5.3
27001: A.5.18
27001: A.8.3

27001: A.8.2
27001: A.8.18
27002: 8.2 (j)
27001: A.8.2
27001: A.8.18
27002: 8.2 (i)
27001: A.5.19
27001: A.5.22

27001: A.8.15
27001: A.8.18
27002: 8.15 Protection of Logs
27001: A.5.16
27001: A.5.15
27001: A.5.17
27001: A.8.5
27001: A.8.24
27002: 8.5
27002: 8.24 other information (d)
27001: A.5.17
27001: A.5.18
requirements for:
b. Information processing interoperability 27001: 5.1
c. Application development portability 27001: 5.2
d. Information/Data exchange, usage, portability, integrity, and persistence 27001: 7.3
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.23
27001: A.8.25
27001: A.8.26
27001: A.8.27
27001: A.5.37
27001: A.5.23
27001: A.8.26

for the management, import and export of data. 27001: A.5.19
27001: A.5.23
27001: A.5.31
27001: A.5.32
27001: A.5.33
27001: A.5.34

a. Data format
d. Data deletion policy 27001: A.5.9
27001: A.5.20
27001: A.5.23
and update the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.23
27001: A.5.37

by the business. 27001: 5.3 (b)
27001: 6.1
27001: 9.1
27001: A.8.6
27001: A.8.14
Review these configurations at least annually, and support them by a documented 27001: 7.5
justification of all allowed services, protocols, ports, and compensating controls. 27001: 9.1
27001: A.5.15
27001: A.5.37
27001: A.8.5
27001: A.8.9
27001: A.8.16
27001: A.8.20
27001: A.8.21
27001: A.8.22
27001: A.8.24
27002: A.5.15 2nd c)
27002: 8.20
27002: 8.21
27002: 8.22
27002: 8.24
as part of a security baseline. 27001: 7.5
27001: 9.1
27001: A.5.37
27001: A.8.5
27001: A.8.9
27001: A.8.16
27001: A.8.20
27001: A.8.22
27001: A.8.24
27002: 8.20
27002: 8.22
27002: 8.24
27001: 8.1
27001: A.8.22
27001: A.8.31
27001: 9.1
27001: A.5.15
27001: A.5.20
27001: A.8.3
27001: A.8.9
27001: A.8.16
27001: A.8.22
27002: 5.15 (b)
27002: 8.3 (b)
27002: 8.16 (b)
27001: A.5.14
27001: A.8.20
27001: A.8.24
27002: 8.20 (e)
27002: 8.24 Guidance (b,f), other
information (a)
27001: 6.1.2
27001: 7.5
27001: A.5.37
27001: A.8.20
27001: A.8.22
27002: 8.20 (c)

27001: 6.1
27001: 6.2
27001: A.5.24
27001: A.5.26
27001: A.8.8
27001: A.8.16
27001: A.8.20
27001: A.8.21
27001: A.8.22
27001: A.8.26
27002: 8.8 (i)

and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.8.15

measures to ensure the security and retention of audit logs. 27001: A.5.28
27001: A.5.33
27001: A.8.15

and the underlying infrastructure. Define and implement a system to generate 27001: A.5.28
alerts to responsible stakeholders based on such events and corresponding metrics. 27001: A.8.15

27001: A.5.33
27001: A.8.15
or expected patterns. Establish and follow a defined process to review and take 27001: A.8.15
appropriate and timely actions on detected anomalies. 27001: A.8.16

systems.
27001: A.8.17

there is a change in the threat environment. 27001: 7.5.3
27001: A.8.15
27001: A.8.15
27001: A.8.15

27001: A.8.24

27001: A.8.24

system. 27001: A.7.2
27001: A.7.4
27001: A.5.24
27001: A.6.8
27002: 6.8 (g)

Forensics. Review and update the policies and procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.6.8
27001: A.5.24
27001: A.5.25
27001: A.5.26
27001: A.5.27
27001: A.5.28
27001: A.5.37
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.26
27001: A.5.37
27001: A.6.8
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: A.5.26
27002: 5.26 (e,f)

27001: A.5.36
27002: 5.36
27001: A.5.24
27002: 5.24 (b)

27001: A.5.25
laws and regulations. 27001: A.5.19
27001: A.5.22
27001: A.5.23
27001: A.5.24
27001: A.5.26
27001: A.6.8
27002: 5.19 (f)
27002: 5.22 (f,g,h,i)
27002: 5.23 (h)
27002: 5.26 (e)

27001: A.5.5
27001: A.5.24
27002: 5.24 Incident management
procedure (d)

Model (SSRM) within the organization. Review and update the policies and procedures 27001: 5.1
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.23
27001: A.5.37
27002: 5.23 (d)
27001: A.5.20
27001: A.5.22
27001: A 5.23
27002: 5.23 (d)
SSRM applicability throughout the supply chain. 27001: 7.4
27001: 9.1
27001: A.5.20
27001: A.5.21
27001: A.5.23
27002: 5.20 (a-z)
27002: 5.21 (a-m)
27002: 5.23 (d)
27001: A.5.23
27002: 5.23 (d)
the organization uses. 27001: 9.1
27001: 9.3
27001: A.5.20
27001: A.5.23
27002: 5.23 (d)

27001: 8.1
27001: A.5.20
27001: A.5.21
27001: A.5.22
27001: A.5.23
27002: 5.23 (d)
27001: A.5.20
27001: A.5.21
27002: 5.20 Guidance last paragraph
27002: 5.21 (g-h)

within their supply chain. 27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: 6.2
27001: 8.1
27001: A.5.20
27001: A.5.21
27001: A.5.23
27002: 5.21 (f)
• Logging and monitoring capability 27001: A.5.19
• Incident management and communication procedures 27001: A.5.20
• Right to audit and third party assessment 27002: 5.19 (m4)
• Service termination 27002: 5.20 (a-d,u,e,j,o,p,x,y,z)
• Data privacy
27001: A.5.20

27001: A.5.22

to comply with information security, confidentiality, access control, privacy, 27001: 5.2
audit, personnel policy and service level requirements and standards. 27001: A.5.19
27001: A.5.20
27001: A.5.21
27001: A.5.22

governance policies and procedures. 27001: 8.1
27001: 9.2
27001: 9.3
27001: A.5.19
27001: A.5.21
27001: A.5.22
27002: 5.19 (g)
27002: 5.21 (f)
27001: 6.1.1
27001: 6.1.2
27001: 8.1
27001: 8.2
27001: A.5.19
27001: A.5.20
27001: A.5.21
27001: A.5.23
27002: 5.19 (g)
27002: 5.20 (q)
27002: 5.21 (f)
27002: 5.23 (f,i)

vulnerabilities, in order to protect systems against vulnerability exploitation. 27001: 5.1
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27002: 5.1 (k)
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.7
27001: A.5.37
27001: A.8.7
27002: 5.7 (b)
identifications, 27001: 6.1.3
based on the identified risk. 27001: A.8.7
27001: A.8.8
27001: A.8.32
27002: 8.7
27002: 8.8
27002: 8.32

27001: 6.1.3
27001: A.5.1
27001: A.8.8
27001: A.8.15
27001: A.8.16
27002: 5.1
27002: 5.37
27002: 8.8
27002: 8.15 (d)
27002: 8.16 (d,e)
27002: 8.31 2nd (a)
source libraries according to the organization's vulnerability management policy. 27001: 6.1.3
27001: A 5.6
27001: A.8.19
27001: A.8.8
27001: A.8.28
27001: A.8.31
27002: 5.6 (c)
27001: 8.19
27001: 8.8
27001: 8.28
27001: 8.31

measures for the periodic performance of penetration testing by independent 27001: A.8.8
third parties. 27001: A.8.16
27001:A. 8.25
27001: A.8.29
27002: 8.8 (e)
27002: 8.16 3rd (d)
27002: 8.25 (e)
27002: 8.29 3rd (c)
at least monthly.
27001: A.8.8
27002: 8.8

27001: 8.2
27001: 8.3
27001: A.8.8
27001: A.8.19
27002: 8.8
27002: 8.19
27001: 7.4
27001: A.6.8
27002: 6.8

27001: 5.3
27001: 9.1
27001: A.6.8
27001: A.8.8
27002: 6.8 (i)
27002: 8.8

procedures at least annually. 27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.8.1
27001: A.5.37
27002: A.5.1 (e)

27001: A.5.9
27001: A.8.1
27001: A.8.3
27001: A.8.19
27001: A.8.27
27002: A.8.1 (d)
27001: A.8.19
27001: A.8.29
27001: A.8.32

data. 27001: A.5.9
27001: A.8.1
27002: A.8.1 (b)

27001: A.8.3
27001: A.8.19

lock screen. 27001: A.7.7
27001: A.8.1
27002: A.8.1 (j)
27001: A.8.1
27001: A.8.32
27002: A.8.1 (e)

27001: A.8.1
27002: 8.1 (h)

technology and services. 27001: A.8.1
27001: A.8.7
27002: A.8.1 (i)
27002: 8.7 (f)
27001: A.8.1
27001: A.8.20
27002: 8.20 (i)
27002: 8.1 (f)

27001: A.5.12
27001: A.8.3

27001: A.8.1

devices. 27001: A.8.1
27002: 8.1 (j)
27001: A.8.1
27001: A.5.14
27001: A.5.21
27001: A.5.22
End of Standard
ISO/IEC 27001:2022, 27002:2022
Gap Level Addendum
Missing specification(s) in ISOs:

'at least annually (Review)'.
Partial Gap

'at least annually'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap

'baseline requirements (for securing applications)'.
Partial Gap
'Define and implement technical and operational metrics'.
Partial Gap
N/A
No Gap
N/A
No Gap

'compliant application deployment'.
'Automate where possible'.
Partial Gap
N/A
No Gap
Partial Gap
Ν/Α
Νο Gap
Ν/Α
Νο Gap
Ν/Α
Νο Gap
Ν/Α
Νο Gap
Ν/Α
Νο Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'that fully account for downstream effects of proposed changes, including residual risk, cost, and
benefits analysis'.
Partial Gap
N/A
No Gap
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Gap
N/A
No Gap

'from any state to/from suspension'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

Partial Gap
Partial Gap
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full CCM control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
N/A
No Gap

'datacenter personnel' (training)'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full CCM control specification is missing from the ISOs and has to be used to close the gap.
Full Gap

Partial Gap
N/A
No Gap
Partial Gap

'Conduct a Data Protection Impact Assessment (DPIA)'.
Partial Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'includes programs for all the relevant domains of the CCM'.
(Note: CSA's STAR level-2 certification covers the missing CCM requirement)
Partial Gap
Missing in ISOs:
'planning, operating, assessing and improving governance programs'.
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap

Partial Gap
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
'policies and procedures for virtualization security'.
Partial Gap
N/A
No Gap
Partial Gap
Partial Gap
N/A
No Gap
'CSP and CSC (tenant) and intra-tenant access is appropriately segmented and segregated'.
Partial Gap
'(secure and encrypted communication channels when) migrating servers, services, applications, or
data to cloud environments'.
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
Missing specification(s) in CISv8:

'Define and implement a system to generate alerts to responsible stakeholders based on such events
No Gap and corresponding metrics'.
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'Establish and maintain a monitoring and internal reporting capability (for crypto operations)'.
Partial Gap
No Gap
No Gap
N/A
No Gap

Partial Gap
Partial Gap
N/A
No Gap

'incident response plans'.
Partial Gap
'incident metrics'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'interoperability requirements' (In SLAs).
Partial Gap
Partial Gap

Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

Partial Gap
Partial Gap
N/A
No Gap

'on a weekly, or more frequent basis'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
No Gap
N/A
No Gap
N/A
No Gap
CIS v8.0
Control Mapping Gap Level
8.1 Partial Gap
No Mapping Full Gap

7.2 Partial Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

16.1 Partial Gap
16.7 No Gap
16.2 Partial Gap
16.1 No Gap
16.12
Partial Gap
16.13
No Mapping Full Gap
16.2
Partial Gap
16.6
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
11.1
11.2
11.3 Partial Gap
11.4
11.5
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
4.1 Partial Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
3.6
3.1
3.11 Partial Gap
11.3
16.11
16.11 Partial Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

16.11 Partial Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
3.1
Partial Gap
3.5
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

1.1
No Gap
2.1
No Mapping Full Gap
1.3
No Gap
1.5
No Mapping Full Gap
No Mapping Full Gap
14.6 Partial Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

3.1 No Gap
3.5 Partial Gap

3.2 No Gap
3.7 No Gap
3.8 No Gap
3.1 No Gap
16.1 Partial Gap
No Mapping Full Gap
No Mapping Full Gap

3.1
3.12 Partial Gap
3.13
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

3.4
Partial Gap
3.5
3.1
3.1 No Gap
3.14
No Mapping Full Gap

No Mapping Full Gap
3.1 Partial Gap
No Mapping Full Gap

3.1
3.8
4.1
4.2
7.1
8.1 Partial Gap
9.1
11.1
12.4
16.1
16.2
No Mapping Full Gap
14.1 Partial Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap

14.4 Partial Gap
13.5
Partial Gap
14.8
No Mapping Full Gap

6.1
Partial Gap
6.2
No Mapping Full Gap
No Mapping Full Gap

14.1
14.2
14.3
14.4
14.5 No Gap
14.6
14.7
14.8
14.9
No Mapping Full Gap
14 No Gap
14.1
Partial Gap
14.9
No Mapping Full Gap

6.1
6.2 Partial Gap
6.6
5.2 No Gap
5.1
No Gap
5.2
6.8 No Gap
6.8 No Gap
6.1 No Gap
5.3
No Gap
6.2
5.1 Partial Gap
5.4 Partial Gap

5.1
Partial Gap
6.5
No Mapping Full Gap
3.3 Partial Gap

No Mapping Full Gap
6.3
6.5
Partial Gap
12.5
12.7
No Mapping Full Gap
5.1 No Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap

3.8
3.1
12.2 No Gap
13.6
13.9
4.1
No Gap
4.2
16.8 No Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
13.3
Partial Gap
13.8
8.1 Partial Gap
8.1
8.9 Partial Gap
8.1
8.5 Partial Gap
3.14 Partial Gap

8.8
No Gap
8.11
8.4 No Gap
8.1 No Gap
8.2 No Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
17.4 Partial Gap

17.4 No Gap
17.2
No Gap
17.4
17.7 Partial Gap

17.9 No Gap
No Mapping Full Gap

17.2
17.3 Partial Gap
17.4
17.2 No Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

15.1 No Gap
15.3 No Gap
15.4 Partial Gap

15.4 No Gap
No Mapping Full Gap
15.5 Partial Gap
15.5 No Gap
15.6 No Gap
7.1 No Gap
9.7
Partial Gap
10.1
7.2
7.7 No Gap
17.9
10.2 No Gap
2.6 Partial Gap
18.1
No Gap
18.2
7.1
7.5 No Gap
7.6
7.2
18.3 No Gap
16.6
7.1 Partial Gap
7.2 Partial Gap

No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
1.1 No Gap
1.3
1.4 Partial Gap
1.5
4.3 No Gap
No Mapping Full Gap
3.6 No Gap
9.7
No Gap
10.1
4.4
No Gap
4.5
3.13 No Gap
No Mapping Full Gap
4.11 No Gap
15.4 Partial Gap
CIS v8.0
Addendum Control Mapping
Recommend the full V4 control specification to be used to close the gap.

Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(8.1) 'Establish and maintain an audit log management process',
'Review and update documentation annually'.
12.1
12.1.1
12.11
No Mapping
is, covering in part the V4 control: (7.2) 'Establish and maintain No Mapping
a risk-based remediation strategy'.
No Mapping
No Mapping
No Mapping
policies and procedures for application security'.
6.7
12.1
12.1.1
12.11
N/A
6.3
11.4
'metrics in alignment with business objectives'.
No Mapping
N/A
6.3
(16.12) 'Implement Code-Level Security Checks' (as part of AIS-05 testing
strategy) A.3.2.2
(16.13) 'Conduct Application Penetration Testing' (as part of AIS-05 A.3.2.2.1
testing strategy). 6.6
A.3.2.2
A.3.2.2.1
6.6

'Automating remediation when possible'.
6.2
6.5
6.5.1-10
12.1
12.1.1
12.11
12.2
No Mapping
No Mapping
No Mapping
No Mapping
No Mapping

'Periodically backup data stored in the cloud'
9.5.1
12.10.1
No Mapping
No Mapping
No Mapping
(4.1) 'Establish and maintain a secure configuration process for
enterprise assets', 'Review and update documentation annually'.
2.5
6.4
6.4.5
6.4.6
12.1
12.1.1
12.11
A3.2.2.1
6.4.5.3
12.2
6.4.5.2
No Mapping
No Mapping
6.4.5.3
6.4.5.4
11.5
11.5.1
No Mapping
6.4.5.4
3.5
3.6
3.7
4.3
12.1
12.1.1
12.11
1.15
3.6.8
12.4
A3.1.3
'using cryptographic libraries certified to approved standards.'
Requirement 3
2.2.3
2.3
3.4
3.5.3
4.1
8.2.1
PCI Glossary - Strong Cryptography
'considering the classification of data, associated risks, and usability A2
of the encryption technology.' Requirement 3
2.3
2.2.3
3.4
3.5.3
4.1
8.2.1
PCI Glossary - Strong Cryptography
No Mapping
No Mapping
No Mapping
No Mapping
No Mapping
'libraries specifying the algorithm strength and the random number
generator used.'
2.2.3
3.6.1
PCI Glossary - Cryptographic Key
Generation
3.6.2
No Mapping
3.6.4
3.6.5
3.6.4
3.6.5
No Mapping
No Mapping
No Mapping
3.6.4
3.6.5
3.6.4
3.6.5
No Mapping
3.5.1
3.6.3
PCI Glossary - Cryptographic Key
Management
Missing specifications in CISv8.0:

"Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the secure disposal of equipment used outside
the organization's premises".
3.1
12.1
12.1.1
12.11
4.1
12.1
12.1.1
12.11
9.1
12.1
12.1.1
12.11
9.6
9.6.2
9.6.2.a
9.6.2.b
9.6.3
12.1
12.1.1
12.11
2.4
2.4a
2.4b
N/A
2.4
9.7.1
9.9.1
9.9.1.a
9.9.1.b
9.9.1.c
12.3.3
12.3.4
3.7
9.1
N/A
12.3.2
9.1
9.1.3
9.3
9.3.a
9.3.b
9.3.c
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.4.4.a
9.4.4.b
9.4.4.c
9.1.1
9.1.1a
9.1.1b

'Train datacenter personnel.'
9.9.3
9.1.3
No Mapping
No Mapping
No Mapping
N/A
12.1
12.1.1
12.11
12.3

'data is not recoverable by any forensic means.'
3.1
9.8
9.8.1
9.8.2
N/A
No Mapping
N/A
9.6.1
N/A
1.1.3
N/A
No Mapping
(16.1) 'Establish and maintain a secure application development process.
In the process, address such items as: secure application design
standards, secure coding practices'.
No Mapping
No Mapping
A.3.2.2
Missing specification(s) in CISv8.0:
'transfer of personal data is protected'.
4.1
No Mapping
No Mapping
No Mapping
No Mapping
6.3.1
6.4.3
'in accordance with applicable laws and regulations'.
3.1
N/A
3.0 (including all subsections)

4.0 (including all subsections)
12.10.1
No Mapping
(3.1) 'Establish and maintain a data management process'.
12.1
12.1.1
12.11
12.4.1
A.3.1
12.2
'Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard' (3.1, 3.8, 4.1, 4.2, 7.1,
8.1, 9.1, 11.1, 12.4, 16.1, 16.2).
12.1.1
12.11
No Mapping

(14.1) 'Establish and maintain a security awareness program'. 12.4.1
A.3.1
No Mapping
No Mapping
No Mapping
12.1
12.1.1
12.7
A3.1.2
12.4.1
12.1
12.1.1
12.3
12.3.5
policies and procedures' 'Review and update the policies and procedures
at least annually'.
9.5
12.1
12.1.1
(13.5) 'Manage access control for assets remotely connecting to
enterprise resources.' (14.8) 'all users securely configure their home
network infrastructure'.
12.1
12.1.1
12.3.10
9.3
(6.1) 'Establish and follow a process, preferably automated, for granting
access to enterprise assets upon new hire, rights grant, or role change
of a user.' (6.2) 'revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or
role change of a user'. 12.5
No Mapping
12.6.2
N/A
12.5
No Mapping
N/A
12.6
12.6.1
12.6.1a
12.6.1b
12.6.1c
12.6.2
'Provide all employees with access to personal data with appropriate
security awareness training'
12.6.1c
A3.1.4
12.6
12.4.1.a
6.1 'Establish an Access Granting Process'
6.2 'Establish an Access Revoking Process'
6.6 'Establish and Maintain an Inventory of Authentication and
Authorization Systems'. 7.1
7.3
8.1
8.4
8.5
8.8
12.1
12.1.1
12.11
12.5.4
N/A
8.4
12.1
12.1.1
12.11
N/A
2.4.a
N/A
6.4
6.4.2
N/A
7.1
7.1.1
7.1.2
N/A
7.1.3
7.1.4
8.1.1
N/A
8.1.2
8.1.3
'Review and revalidate user access for separation of duties'.
12.5.5

Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control:
(5.4) 'Restrict Administrator Privileges to Dedicated Administrator 2.3
Accounts: Restrict administrator privileges to dedicated administrator 3.5.2
accounts on enterprise assets'. 7.1.2
7.1.1
'roles and rights are granted for a time limited period'
7.1
No Mapping

(3.3) 'Configure Data Access Control Lists'.
10.5
8.1
8.2
8.6
'Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities'.
8.1.2
8.1.3
8.1.6
8.2
8.3
8.3.2
12.3.2
8.2
8.2.1-6
N/A
5.3
7.1.4
12.1
12.1.1
12.11
No Mapping
No Mapping
No Mapping
12.1
12.1.1
12.11
No Mapping
N/A
1.1.6
1.2
1.2.3
2.2
4.1.1
10.2
N/A
2.2
N/A
6.4.1
2.6
8.3.1
10.8
11.3
A3.2.1
A3.3.1
No Mapping
6.1
12.2

'protection and timely response to network-based attacks'.
6.6
1.1
1.2
1.3
1.5
12.10.5
'approve, communicate, apply, evaluate'.
10.6.1
10.6.2
10.6.3
10.8
10.8.1
10.9
12.1
12.1.1
12.11

'Define, technical measures to ensure the security of audit logs'. 10.5
10.7

'Define and implement a system to generate alerts to responsible
stakeholders based on such events and corresponding metrics'. 10.2

'maintain records that provide unique access accountability'. 10.1
10.2.1
10.2.3
10.5.1
10.5.2
N/A
10.6
10.6.1
N/A
10.4
N/A
10.3
N/A
10.3
10.5
10.5.1
10.5.2
No Mapping
No Mapping
9.1
10.6

policies and procedures for E-Discovery, and Cloud Forensics.'
12.1
12.1.1
12.11
N/A
12.1
12.1.1
12.5.3
12.11
N/A
12.1
12.10.1

'(Test) upon significant organizational or environmental changes for
effectiveness.'
12.10.2
12.10.6
N/A
No Mapping
12.5.2
'Report security breaches and assumed security breaches including any
relevant supply chain breaches, as per applicable SLAs, laws and
regulations'
12.5.2
12.5.3
N/A
No Mapping
12.1
12.1.1
12.4.1
12.8.2
12.11
12.8.2
12.9
12.4.1
12.5.1
12.4.1
12.8.2
12.9
12.1.1
12.8.4
12.8.5
12.5
12.6
12.7
12.8
12.9
12.1
N/A
2.4
12.8.1
N/A
12.2b
12.8.3

• Scope, characteristics and location of business relationship and
services offered
• SSRM requirements
• Right to audit and third party assessment 12.8
• Service termination 12.8.2
• Interoperability and portability requirements 12.9
N/A
12.8.2
12.8.
12.8.4
12.1.1
12.2
12.4
12.4.1
12.8
12.9
12.11

12.1
control:
12.3
(15.5) 'Assess Service Providers'
12.4
12.4.1
N/A
12.1.1
12.2
12.8.3
12.8.4
12.8.5
N/A
12.8.4
N/A
5.2.a
5.4
6.1
6.1.a
6.7
12.1
12.1.1
12.3.1
12.5.1
12.11
'Review and update the policies and procedures at least annually.'
5.4
12.1
12.1.1
12.3.1
12.5.1
12.11
N/A
6.1
6.1.a
6.1.b
N/A
5.2
5.2a
5.2b
5.2c
'Define, implement and evaluate processes, procedures and technical
measures to identify updates'
6.1
6.2
6.3.2
N/A
11.3
11.3.1
11.3.2
11.3.3
11.3.4
N/A
6.1
11.2
11.2.1
N/A
6.1
6.5.6
'reporting vulnerability identification and remediation activities that
12.5.3
includes stakeholder notification.'
12.1
12.10.1
12.10.3

'report metrics for vulnerability identification'
No Mapping
12.1
12.1.1
12.11
No Mapping
No Mapping
N/A
2.4
12.3.3

(1.3) 'Utilize an Active Discovery Tool'
(1.4) 'Use Dynamic Host Configuration Protocol (DHCP) Logging to Update No Mapping
Enterprise Asset Inventory'
(1.5) 'Use a Passive Asset Discovery Tool'
N/A
8.1.6
8.1.7
N/A
6.4.6
12.11
N/A
3.4
3.6
N/A
5.1
N/A
1.4
N/A
A3.2.6
No Mapping
N/A
No Mapping
(15.4) 'Ensure Service Provider Contracts Include Security Requirements'
8.3.1
9.3.3
12.1
PCI DSS v3.2.1
Gap Level Addendum
Missing specification(s) in PCI DSS:

'approve audit and assurance policies and procedures and standards'.
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
'approve policies and procedures for application security'.
Partial Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'approve business continuity management and operational resilience policies and procedures'.
Partial Gap

control: 12.2 'Identifies critical assets, threats, and vulnerabilities, and results in a formal,
documented analysis of risk'.
Partial Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap

'Periodically backup data stored in the cloud'
'verify data restoration from backup for resiliency'.
Partial Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
'approve policies and procedures for managing the risks associated with applying changes to
organization assets'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
'approve policies and procedures for Cryptography, Encryption and Key Management'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap

'approve policies and procedures for the secure disposal of equipment used outside the organization's
premises'
'If the equipment is not physically destroyed a data destruction procedure that renders recovery of
information impossible must be applied'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'Establish physical security perimeters between the administrative and business areas and the data
storage and processing facilities areas'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'Train datacenter personnel'.
Partial Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
'approve policies and procedures for the classification, protection and handling of data throughout its
lifecycle'.
Partial Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap

'Obtain authorization from data owners and manage associated risk'.
Partial Gap
N/A
No Gap
N/A
No Gap

control:
12.10.1: 'Analysis of legal requirements for reporting compromises'.
Partial Gap
gap.
Full Gap
'approve policies and procedures for an information governance program, which is sponsored by the
leadership of the organization'.
Partial Gap

control:
(12.2) 'Implement a risk-assessment process that identifies critical assets, threats, and vulnerabilities,
Partial Gap and results in a formal, documented analysis of risk'.
N/A
No Gap
gap.
Full Gap

'all the relevant domains of the CCM'.
Partial Gap
gap.
Full Gap
gap.
Full Gap
Full Gap gap.
'approve policies and procedures for background verification of all new employees'
'according to local laws, regulations, ethics, and contractual constraints'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap

'within the employment agreements'.
Partial Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'approve policies and procedures for identity and access management'.
Partial Gap
'approve strong password policies and procedures'.
Partial Gap
'system identities level of access'.
Partial Gap
N/A
No Gap
N/A
No Gap
'authorizes, records, and communicates access changes to data and assets'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'approve policies and procedures for interoperability and portability'
'a. Communications between application interfaces,
b. Information processing interoperability,
c. Application development portability,
d. Information/Data exchange, usage, portability, integrity, and persistence'.
Partial Gap
gap.
Full Gap
gap.
Full Gap
gap.
Full Gap
'approve, policies and procedures for infrastructure and virtualization security'.
Partial Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
'approve policies and procedures for logging and monitoring'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap

'approve policies and procedures for Security Incident Management, E-Discovery, and Cloud
Forensics'.
Partial Gap
'approve policies and procedures for the timely management of security incidents'.
Partial Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
gap.
Full Gap
'approve policies and procedures for the application of the Shared Security Responsibility Model
(SSRM) within the organization'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'and indicators of compromise on a weekly, or more frequent basis'.
Partial Gap
'identify updates for applications which use third party or open source libraries'.
Partial Gap
N/A
No Gap
'organizationally managed assets at least monthly'.
Partial Gap
N/A
No Gap
'process for tracking' and 'stakeholder notification'.
Partial Gap
gap.
Full Gap
'approve policies and procedures for all endpoints'.
Partial Gap
gap.
Full Gap
gap.
Full Gap
N/A
No Gap
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Full Gap gap.
gap.
Full Gap
N/A
No Gap
AICPA TSC 2017
CC2.2
CC2.3
Partial Gap
CC3.2
CC5.3
CC4.1 Partial Gap

CC4.1 No Gap
CC3.1 No Gap
CC3.1
Partial Gap
CC3.2
CC3.2 Partial Gap

CC2.2
CC2.3
Partial Gap
CC5.3
CC7.3
CC8.1
CC4.1 Partial Gap
CC5.3
No Mapping Full Gap
CC6.8
Partial Gap
CC8.1
CC6.8
Partial Gap
CC8.1
No Mapping Full Gap
CC7.1
CC7.4 No Gap
CC8.1
CC5.3
CC9.1 Partial Gap
A1.2
CC3.1
CC3.2
A1.2
No Gap
CC7.3
CC7.4
CC7.5
CC7.3
CC7.4
Partial Gap
CC7.5
A1.2
CC7.5
A1.2 Partial Gap
A1.3
CC2.1
Partial Gap
PI1.1
A1.3
Partial Gap
CC7.5
CC2.3
CC7.5 Partial Gap
CC9.1
A1.2
No Gap
A1.3
A1.2
Partial Gap
CC3.2
A1.3 No Gap
A1.2
No Gap
CC3.2
CC8.1
No Gap
CC5.3
CC8.1 No Gap
CC8.1 No Gap
CC8.1 No Gap
CC8.1 No Gap
CC8.1 No Gap
CC8.1 No Gap
CC7.4
CC7.5
Partial Gap
CC8.1
CC9.2
CC8.1 No Gap
CC5.3
CC6.1 Partial Gap
CC6.7
No Mapping Full Gap
CC6.1
Partial Gap
CC6.7
CC6.1
Partial Gap
CC6.7
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
P5.1
CC5.3
CC6.5
CC3.3 Partial Gap
P1.1
P2.1
P4.0
A1.2
CC5.3 No Gap
CC6.1
CC3.4
CC5.3
CC6.4 Partial Gap
CC6.5
CC6.7
CC5.3 Partial Gap
CC6.1 Partial Gap

CC6.1 Partial Gap
CC3.4
CC6.4
Partial Gap
CC6.5
CC6.7
CC6.1 Partial Gap

CC3.4
CC6.4 Partial Gap
CC6.5
No Mapping Full Gap
CC1.4
Partial Gap
CC6.4
A1.2 Full Gap
A1.2 Partial Gap
No Mapping Full Gap
A1.2
Partial Gap
CC3.2
PI1.1
PI1.5
P4.1
Partial Gap
P4.2
P4.3
CC5.3
CC6.1
CC6.2
CC6.3
CC6.4 Partial Gap
CC6.5
CC6.7
P4.3
CC6.1 No Gap
CC6.1
No Gap
C1.1
No Mapping Full Gap
CC1.1
CC1.3
CC1.5
No Gap
P2.1
P3.2
P6.7
PI1.2
Partial Gap
PI1.3
P1.1 Partial Gap
CC3.2 Partial Gap

CC6.7 Partial Gap
P2.1 Partial Gap
P2.1 No Gap
P2.1 No Gap
P6.1 No Gap
No Mapping Full Gap

C1.1
C1.2
No Gap
CC3.1
P4.2
CC2.1
CC6.1
CC6.3
CC6.7
CC8.1
C1.1 No Gap
P2.0
P3.0
P4.0
P5.0
P6.0
P4.1 No Gap
A1.2 Partial Gap
CC1.3
CC1.4 No Gap
CC5.3
CC3.1
CC3.2
No Gap
CC5.1
A1.2
CC5.3 No Gap
CC1.1
Partial Gap
CC9.2
No Mapping Full Gap

CC1.3
No Gap
CC1.4
CC3.4
No Gap
CC7.4
No Mapping Full Gap

CC1.4
CC9.2 Partial Gap
CC5.3
CC5.3 Partial Gap

CC2.2
Partial Gap
CC5.3
CC2.2
CC6.1 Partial Gap
CC5.3
No Mapping Full Gap

CC2.2 No Gap
CC1.1
CC1.4
CC2.2 No Gap
CC5.2
CC5.3
CC1.1
CC1.4
CC2.2 No Gap
CC5.2
CC5.3
CC1.3
CC1.4
No Gap
CC1.5
CC2.2
CC9.2
No Gap
P6.4
CC2.2 Partial Gap

CC2.2 Partial Gap
CC1.3
CC1.5 No Gap
CC2.2
CC5.3
CC6.1
No Gap
CC6.2
CC6.3
No Mapping Full Gap
CC6.1
No Gap
CC6.3
CC1.3
CC5.1 No Gap
CC6.3
CC6.3 No Gap
CC6.3
No Gap
CC8.1
CC5.3
No Gap
CC6.3
CC6.2
Partial Gap
CC6.3
CC5.1
CC6.1 Partial Gap
CC6.3
CC6.1
CC6.2 Partial Gap
CC6.3
CC3.2
CC6.1 Partial Gap
CC6.3
No Mapping Full Gap

CC6.1 Partial Gap
CC6.1
Partial Gap
CC6.2
CC6.1
No Gap
CC6.2
CC6.1
CC6.2 No Gap
CC6.3
CC5.3 Partial Gap
PI1.1
PI1.2 Partial Gap
PI1.3
CC6.7 No Gap
PI1.1
PI1.2 Partial Gap
PI1.3
CC3.1
CC5.2 Partial Gap
CC5.3
A1.1 No Gap
CC6.1
Partial Gap
CC6.7
CC6.1
CC6.8 Partial Gap
CC7.1
No Mapping Full Gap

No Mapping Full Gap
CC6.1
Partial Gap
CC6.7
CC3.2
CC6.1
CC7.1 No Gap
CC7.2
CC7.3
CC6.6
CC6.8
CC7.1 No Gap
CC7.2
CC7.5
CC5.3
Partial Gap
CC7.2
No Mapping Full Gap
CC6.8
Partial Gap
CC7.3
No Mapping Full Gap

CC7.2 No Gap
No Mapping Full Gap
CC7.2 No Gap
CC7.2 No Gap
No Mapping Full Gap
CC6.1
Partial Gap
CC7.2
CC6.1
Partial Gap
CC7.2
CC6.4
No Gap
CC7.2
CC2.3
No Gap
CC7.3
CC5.3
CC7.3
Partial Gap
CC7.4
CC7.5
CC5.3
CC7.3 Partial Gap
CC7.4
CC7.2
CC7.3 Partial Gap
CC7.4
CC7.5 No Gap
CC7.2 No Gap
CC7.3 No Gap
CC7.4
Partial Gap
CC7.5
CC2.3 No Gap
No Mapping Full Gap
No Mapping Full Gap

CC2.3
Partial Gap
CC9.2
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
CC9.2 No Gap
CC9.2 Partial Gap

No Mapping Full Gap
No Mapping Full Gap
CC9.2 No Gap
CC3.2 No Gap
CC3.2 No Gap
CC3.2
CC5.3
CC6.6 No Gap
CC7.1
CC7.4
CC5.3
No Gap
CC6.8
CC5.3
CC7.1 Partial Gap
CC7.4
CC7.2 Partial Gap

CC3.2 Partial Gap
CC4.1
Partial Gap
CC7.1
CC7.1 Partial Gap
No Mapping Full Gap

CC2.2
CC7.3
No Gap
CC7.4
CC7.5
No Mapping Full Gap

CC5.3
Partial Gap
CC6.7
No Mapping Full Gap

No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap

CC3.4
Partial Gap
CC8.1
CC6.1
Partial Gap
CC6.7
CC6.8 Partial Gap

CC6.6 Partial Gap
CC6.7 Partial Gap
No Mapping Full Gap
No Mapping Full Gap

No Mapping Full Gap
AICPA TSC 2017 I
Missing specification(s) in TSC 2017:

'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.2
27001: 9.3
27001: A.5
27002: 5

27001: A.18.2.1
27002: 18.2.1
N/A
27001: 9.3.2
27001: A.18.2.1
27002: 18.2.1
27018: 18.2.1
N/A
27001: 9.3.2
27001: A.18.2.2
27002: 18.2.2
27001: A.18.2.3
27002: 18.2.3

'audit planning, security control assessment, conclusion, 27001: 9.2
remediation schedules, report generation, and review of past reports and 27001: 9.3
supporting evidence'. 27001: A.18.2.2
27002: 18.2.2

is, covering in part the V4 control: 27001: 7.3
(CC3.2) 'Determines How to Respond to Risks'. 27001: 7.4
27001: 7.5
27001: 8.2
27001: 8.3
27001: 9.3.2.d
27001: 10
27001: A.18.2.2
27002: 18.2.2
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.14.2.1
27002: 14.2.1
27017: 14.2.1
27001: A.14.2.5
27001: 14.2.5
27017: 14.2.5

Requirements to 'document baseline requirements for securing different
applications'.
27001: A.5.1.1
27017: 5.1.1
27001: A.7.2.2
27002: 7.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.1
27001: A.18.2.2
27002: 18.2.2

Requirement 'at least annually' is not covered.
27001: A.14.1.1
27002: 14.1.1
27017: 14.1.1
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.14.2.1
27002: 14.2.1
27017: 14.2.1
'criteria for acceptance of new information systems, upgrades and new 27001: A.14.2.8
versions' 27001: A.14.2.9
'application security assurance and (testing strategy) maintains 27001: A.12.1.2
compliance' 27002: 12.1.2
'Automate when applicable and possible'. 27001: A.14.1.1
27002: 14.1.1
27001: A.14.2.2
27002: 14.2.2
No mapping
N/A
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27001: A.12.6.1
27002: 12.6.1
27017: 12.6.1
27018: 12.6.1
policies and procedures'
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.7.2.1
27001: A.17.1.2
N/A
27001: 4.2
27001: 6.1.2
27001: 6.1.3
27001: 8.2
27001: 8.3
27001: A.16.1.6
27001: A.17.1
'Establish strategies', 'risk appetite'.
27001: 6.1.1
27001: A.17.1.1
27001: A.17.1.2

'operational resilience strategies'.
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: A.17.1.1
27001: A.17.1.3

'documentation to support business continuity and operational resilience
programs'. 27001: 7.4
27001: 7.5
'Exercise and test operational resilience plans'
Requirement of testing the plans 'at least annually'.
27001: A.17.1.3

'Establish communication in the course of business continuity'.
27001: 7.4
N/A
27001: A.12.3
27017: 12.3
27018: 12.3.1
'to recover from man-made disasters'.
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 8.1
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.1.1
27001: A.12.1.2
27002: 12.1.2
27017: 12.1.2
27001: A.14.2.2
27001: A.14.2.3
N/A
27001: A.14.2.2
27002: 14.2.2
27017: 14.2.2
N/A
27001:A.5.1.1
27017: 5.1.1
27001: A.12.1.2
27002: 12.1.2
27001: A.12.1.4
27001: A.14.2.3
27001: A.15.2.2
27002: 15.2.2
27001: A.14.2.6
27002: 14.2.6
N/A
27001: A.12.1.4
27002: 12.1.4
27001: A.12.4.2
27002: 12.4.2
27001: A.14.2.2
27017: 14.2.2
N/A
27001: A.15.2.2
27001: A.14.2.2
27002: 14.2.2
27001: A.12.1.2
27017: 12.1.2
N/A
27001: A.12.1.1
27002: 12.1.1
27001: 14.2.2
27002: 14.2.2
N/A
27001: A.14.2.2
27001: A.14.2.4
27001: A.12.4.1
27002: 12.4.1 (g)
27001: A.5.1.1
27017: 5.1.1

'Implement a procedure for the management of exceptions'.
27001: A.12.1.2
27002: 12.1.2 (h)
27017: 12.1.2
N/A
27001: A.12.1.2
27002: 12.1.2 (g)
27001: A.12.5.1
27002: 12.5.1 (e)
27001: A.12.3.1
27017: 12.3.1
(CC6.1) 'Protects Encryption Keys', 'Uses Encryption to Protect Data'
(CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to
Protect Data' 27001: 5.1
(CC5.3) 'Establishes Policies and Procedures to Support Deployment of 27001: 5.2
Management’s Directives', 'Reassesses Policies and Procedures'. 27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.6.1.1
27002 6.1.1
27001: A.6.1.2
27002: 6.1.2
27001: A.16
27002: 16
27001: A.16.1
27001: A.10
27002: 10
27001: A.10.1.1
27001: A.10.1.2
27017: 10.1.2
27001: A.12.4
27002: 12.4
27001: A.12.7
27002: 12.7
27017: 12.7
27001: A.18.1.1-to-5
27001: A.12.1.2
27002: 12.1.2
27001: A.12.3.1
27017: 12.3.1
27001: A.15.1.2
27017: 15.1.2
27001: A.18.1.1
27017: 18.1.1
27001: A.18.1.5
27001: 5.3
27001: A.5.1.1
27002: 5.1.1
27001: A.6.1.1
27002: 6.1.1
27017: 6.1.1
27001: A.6.1.2
27017: 6.1.2
27001: A.9.1
27002: 9.1
27001: A.10.1.1
27002: 10.1.1
27001: A.15.1.2
27017: 15.1.2
27001: A.13.1.3
27017: 13.1.3
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27017: CLD 6.3
'Cryptographic libraries certified to approved standards'.
27001: A.18.1.1
27001: A.18.1.2
27001: A.18.1.3
27001: A.18.1.4
27001: A.18.1.5
27001: A.10.1
27002: 10.1
27001: A.13.2.1
27002: 13.2.1
27001: A.18
27002: 18
27001: A.14.1.2
27002: 14.1.2
27001: A.14.1.3
27002 14.1.3 c)
27001 - A.10.1.1
27017 - 10.1.1
27001 - A.10.1.2
27017 - 10.1.2
'considering the classification of data', 'usability of encryption 27001: 6.1.2
technology'. 27001: 6.1.3
27001: A.8.2
27002: 8.2
27001: A.8.3
27001: A.10.1.1
27002: 10.1.1 (b)
27001: A.10.1.2
27002: 10.1.2
27001: A.12.1.2
27002: 12.1.2
27017: 12.1.2
27001: A.10.1.2
27002: 10.1.2 e)
27001: A.14.2.2
27002: 14.2.2
27001: 8
27001: A.12.1.2
27002: 12.1.2
27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1
27001: 8
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27001: A.10.1
27017: 10.1
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27001: 9.2
27001: A.18.2.1
27001: A.18.2.2
27001: A.12.7
27002: 12.7
27017: 12.7
27001: A.10.1.2
27001: A.10.1.2
27002: 10.1.2 k)
27001: A.10.1.1
27002: 10.1.1 (e)
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27002: 10.1.2 (a)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (c)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (g),(f)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27017: 10.1.2
27001: A.10.1.2
27002: 10.1.2 (j)
27001: A.18.1.3
27002: 18.1.3
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 a)
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27002: 10.1.2 (i)
27001: 9.0
27002: 9.0
27017: 9.0
27001: A.10.1.1
27002: 10.1.1 (d)
27001: A.10.1.2
27002: 10.1.2 (f),(g)
27001: A.18.1.5
27001: A.18.1.3
27002: 18.1.3
27001: 8.2
27001: 8.3
27001: A.10.1.2
27002: 10.1.2 (h)
27001: A.18.1.5
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27001: A.18.1.5

policies and procedures'
'If the equipment is not physically destroyed a data destruction
procedure that renders recovery of information impossible must be 27001: 5.1
applied' 27001: 5.2
'Review and update the policies and procedures at least annually'. 27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.2.7
27002: 11.2.7
27017: 11.2.7
'policies and procedures for the relocation or transfer of hardware,
software, or data/information to an offsite or alternate location'
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.2.5
'policies and procedures for maintaining a safe and secure working
environment in offices, rooms, and facilities'
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.1.3
27002: 11.1.3
27017: 11.1.3
27001: A.11.1.5
27002: 11.1.5
27017: 11.1.5
'policies and procedures for the secure transportation of physical media'
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.8.3.3
27002: 8.3.3
27017: 8.3.3

'document the physical and logical assets'
'based on the organizational business risk'.
27001: A.8.2.1
27002: 8.2.1
27017: 8.2.1
'track the physical and logical assets'
'located at all of the CSPs sites'.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1

'Establish physical security perimeters between the administrative and
business areas and the data storage and processing facilities areas'.
27001: A.11.1.1
27002: 11.1.1
27017: 11.1.1

'Use equipment identification as a method for connection authentication'.
No Mapping
'retain access control records on a periodic basis as deemed appropriate
by the organization'.
27001: A.11.1.2
No Mapping

(CC1.4) 'Provides Training to Maintain Technical Competencies' 27001: A.16.1.1
(CC6.4) 'Creates or Modifies Physical Access'. 27001: A.16.1.2
27001: A.16.1.3
27001: A.7.2.2
(A1.2) 'Identifies Environmental Threats', 'Implements and Maintains 27001: A.11.2.3
Environmental Protection Mechanisms'.

'temperature and humidity conditions within accepted industry standards'.
27001: A.11
27001: A.17.1.3
27001: A.11.2.1
27001: A.11.2.2

(A1.2) 'Identifying Environmental Threats'
(CC3.2) 'Analyzes Internal and External Factors', 'Identifies and 27001: A.11.2.1
Assesses Criticality of Information Assets and Identifies Threats and 27002: 11.2.1
Vulnerabilities'.
'data classification policies and procedures'
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.8.2.1
27001: A.12.1
27002: 12.1

'disposal of data from storage media is not recoverable by any forensic
means'.
27001: A.8.3.2
27002: 8.3.2
27001: A.11.2.7
27002: 11.2.7
N/A
27001: A.8.1.1
27002: 8.1.1
N/A
27001: A.8.2.1
27002: 8.2.1
No Mapping
N/A
27001: A.8.1.2
'security by design'.
27001: A.14.1.1
27002:14.1.1
27001: A.14.2.5
27002:14.2.5
'privacy settings are configured by default'.
No Mapping

'Data Protection Impact Assessment (DPIA)'.
27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: A.18.1.4
'transfer of personal data is protected'.
27001: A.13.2.1
27002: 13.2.1
27001: A.8.3.3
27002: 8.3.3
27001: A.13.2.3
27002: 13.2.3
'according to any applicable laws and regulations'.
No Mapping
N/A
27001: A.18.1.4
27002: 18.1.4
N/A
No Mapping
N/A
27018: A.6.2
27001: A.14.3.1
27002: 14.3.1
27001: A.12.1.4
27002: 12.1.4
N/A
27001: A.18.1.3
N/A
27001: A.18.1.3
27002: 18.1.3
27001:A.18.1.4
27002:18.1.4
N/A
27018: A.6.1
'document the physical locations of data'.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: 5.1
27001: 5.2
27001: 5.3
27001: A.5
27002: 5
N/A
27001: 6.1
27001: 6.2
27001: A.6.1.2
N/A
27001: 7.5.2 (c)

'deviation from an established policy' (There is no reference to handling 27001: A.5.1.1
exceptions/deviations related to policies). 27002: 5.1.1 (c)
27001: 4.3
N/A
27001: 5.1
27001: 5.3
27001: A.6.1.1
27002: 6.1.1
27001: A.7.2.1
27002: 7.2.1
27018: 5.1.1
N/A
27001: 4.2
27001: A.18.1
27001: A.18.2.2
27018: A.18.1
27018: A.18.2.2
27001: A.6.1.4
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.7.1.1
27002: 7.1.1
27017: 7.1.1

'policies and procedures for defining allowances and conditions for the
acceptable use of organizationally-owned or managed assets.' 27001: 5.1
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.8.1.3
27002: 8.1.3
27017: 8.1.3
'policies and procedures that require unattended workspaces to not have
openly visible confidential data' 27001: 5.1
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.2.8
27002: 11.2.8
27017: 11.2.8
27001: A.11.2.9
27002: 11.2.9
27017: 11.2.9
'information processed or stored at remote locations.'
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.6.2.2
27002: 6.2.2
27001: A.11.2.6
27002: 11.2.6
27001: A.8.1.4
27002: 8.1.4
27017: 8.1.4
N/A
27001: A.7.3.1
27002: 7.3.1
27017: 7.3.1
N/A
No Mapping
N/A
27001: 7.3
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
N/A
27001: 7.4
27001: A.6.1.1
27002: 6.1.1
27017: 6.1.1
N/A
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4

'provide regular training updates'.
27001: 7.3
27001: 7.4
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2
'sensitive organizational and personal data with appropriate security
awareness training'.
27001: 7.3
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2
N/A
27001: 5.1
27001: 7.3
27001: A.7.2.1
27002: 7.2.1
27017: 7.2.1
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.9.1.1
27002: 9.1.1
27001: A.5
27002: 5
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27001: A.7.2.2
27002: 7.2.2
27001: A.9.2.6
27002: 9.2.6
27001: A.9.2.3
27002: 9.2.3
N/A
27001: 9.2 (c)

27001: A.8.1.1
27002: 8.1.1
27001: A.9.4.1
27002: 9.4.1
N/A
27001: A.6.1.2
27002: 6.1.2
N/A
27001: A.9.1.1
27002: 9.1.1
27001: A.9.1.2
27002: 9.1.2
27001: A.9.2.3
27002: 9.2.3
N/A
No Mapping
N/A
No Mapping
'for least privilege and separation of duties with a frequency that is 27001: A.9.2.5
commensurate with organizational risk tolerance'. 27001: A.9.2.6
27001: A.9.4.1
27017: 9.4.1
27001: A.6.1.2
27001: A 9.2.5

'segregation of privileged access roles pertaining to administrative
access to data, encryption and key management capabilities and logging
capabilities'. 27001: A.9.2.3
27002: 9.2.3
27017: 9.2.3
27018: 9.2.3
'privileged access roles and rights are granted for a time limited
period'.
27001: A.9.2.3
27002: 9.2.3
27017: 9.2.3
27018: 9.2.3
27001: A.9.4.4
27002: 9.4.4
27017: 9.4.4
(CC3.2) 'Identifies and Assesses Criticality of Information Assets and
Identifies Threats and Vulnerabilities', 'Analyzes Threats and
Vulnerabilities From Vendors, Business Partners, and Other Parties',
'Considers the Significance of the Risk'
(CC6.1) 'Restricts Logical Access'
(CC6.3) 'Reviews Access Roles and Rules'. No Mapping
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
27018: 12.4.1
27001: A.12.4.2
27002: 12.4.2
27017: 12.4.2
27018: 12.4.2
27001: A.12.4.3
27002: 12.4.3
27017: 12.4.3
27018: 12.4.3
'unique IDs or which can associate individuals to the usage of user IDs'.
27001: A.9.2.1
27002: 9.2.1
'multi-factor authentication'.
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27001: A.9.4.2
27002: 9.4.2
27017: 9.4.2
27018: 9.4.2
N/A
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27018: 9.2.4
27001: A.9.3.1
27002: 9.3.1
27017: 9.3.1
27018: 9.3.1
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
N/A
27001: A.9.2.5
27002: 9.2.5
27017: 9.2.5
27018: 9.2.5
(CC5.3) 'Establishes Policies and Procedures to Support Deployment of 27001: 5.2
Management’s Directives', 'Reassesses Policies and Procedures'. 27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.14.1.1
27017: 14.1.1
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.14.2
27002: 14.2
27001: A.14.2.1
27017: 14.2.1
27001: A.14.2.5
(PI1.1) All points of focus
(PI1.3) 'Defines Processing Specifications'.
No Mapping
N/A
27001: A.18.1
27001: A.15.1.1
27002: 15.1.1
27017: 15.1.1

'a. Data format
d. Data deletion policy'.
No Mapping
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27017: 5
27018: 5
N/A
27001: 5.3
27001: 6.1
27001: 9.1
27001: A.12.1.3
27002: 12.1.3
'Review these configurations at least annually, and support them by
a documented justification of all allowed services, protocols, ports, and
compensating controls'.
27001: 7.5
27001: 9.1
27001: A.13.1.1
27002: 13.1.1
27001: A.13.1.2
27002: 13.1.2
27001: A.13.1.3
27002: 13.1.3
'security baseline'.
27001: 7.5
27001: 9.1
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001 A.14.2.4
27018: 12.1.2
27001: 8.1
27001 A.12.1.4
27002 12.1.4
27017 12.1.4
27018 12.1.4
27001: 9.1
27001: A.13.1.3
27002: 13.1.3
27017: 13.1.3
(CC6.1) 'Uses Encryption to Protect Data' 27001: A.13.1.1
(CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to 27002: 13.1.1
Protect Data'. 27017: 13.1.1
27018: 13.1.1
27001: A.13.1.2
27002: 13.1.2
27017: 13.1.2
27018: 13.1.2
27001: A.13.1.3
27002: 13.1.3
27017: 13.1.3
27018: 13.1.3
27001: A.13.2.1
27002: 13.2.1
27017: 13.2.1
27018: 13.2.1
27001: A.13.2.2
27002: 13.2.2
27017: 13.2.2
27018: 13.2.2
27001: A.13.2.3
27002: 13.2.3
27017: 13.2.3
27018: 13.2.3
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
27018: 13.2.4
N/A
27001: 6.1.2
27001: 7.5
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.4.2
27002: 9.4.2
27017: 9.4.2
27018: 9.4.2
27001: A.14.2.5
27002: 14.2.5
27017: 14.2.5
N/A
27001: 6.1
27001: 6.2
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.11.1.4
27002: 11.1.4
27017: 11.1.4
27018: 16.1.1
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.4.1
27001: A.12.4.2
27001: A.12.4.3
27001: A.18.1.3
27002: 18.1.3

'generate alerts to responsible stakeholders based on corresponding 27001: A.12.4.1
metrics'. 27002: 12.4.1
27001: A.12.4.2
27001: A.12.4.1
27002: 12.4.2
N/A
27001: A.12.4.3
27002: 12.4.3
27001: A.12.4.4
27002: 12.4.4
27017: 12.4.4
N/A
27001: 7.5.3
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
N/A
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
27001: A.12.4.2
27002: 12.4.2

is, covering in part the V4 control: 27001: A.10.1
(CC6.1) 'Uses Encryption to Protect Data' 27002: 10.1
(CC7.2) ''Implements Detection Policies, Procedures, and Tools', 27001: A.10.1.2
'Monitors Detection Tools for Effective Operation'. 27017: 10.1.2

(CC6.1) 'Uses Encryption to Protect Data' 27001: A.10.1.2
(CC7.2) ''Implements Detection Policies, Procedures, and Tools', 27017: 10.1.2
'Monitors Detection Tools for Effective Operation'.
N/A
27001: A.11.1.2
27002: 11.1.2
N/A
27001: A.16.1.1
27002: 16.1.1
27001: A.16.1.2
27017: 16.1.2

'Cloud Forensics'
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.16.1
27002: 16.1
27017: 16.1
27018: 16.1
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
'business critical relationships (such as supply-chain) that may be
impacted'.
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27017: CLD.12.1.5
27018: 16.1.5
N/A
27001: A.18.2.3
N/A
No Mapping
N/A
27001: A.16.1.4
27002: 16.1.4
27017: 16.1.4
27018: 16.1.4
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
is, covering in part the V4 control: 27001: A.16.1.1
(CC7.4) 'Develops and Implements Communication Protocols for Security 27002: 16.1.1
Incidents' 27017: 16.1.1
(CC7.5) 'Communicates Information About the Event'. 27018: 16.1.1
27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
N/A
27001: 4.2
27001: A.6.1.3
27002: 6.1.3
27017: 6.1.3
27018: 6.1.3
27001: A.16.1.1
27002: 16.1.1
27001: A.18.1.1
27002: 18.1.1
27017: 18.1.1
27018: 18.1.1
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.15.1.1
27001: 6.2
27001: 7.1
27001: 8.1
27001: 8.2
27001: 9.1
27001: 9.3
27001: A.15.1
27001: A.15.2
'SSRM' (Mapped controls don't specifically call out SSRM).
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.1.3
27001: 6.2
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.2
27001: 9.1
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: 6.2
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3

• Scope, characteristics and location of business relationship and
services offered
• Incident management and communication procedures 27001: 8.1
• Right to audit and third party assessment 27001: A.15.1.2
• Service termination 27001: A.15.1.3
• Data privacy.
27001: A.15.1
27001: A.15.2
27001: A.15.2
N/A
27001: 5.2
27001: A.5.1
27001: A.7.2.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 8.1
27001: 9.2
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 6.1.1
27001: 6.1.2
27001: 8.1
27001: 8.2
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.2.1
27001: A.6.2.1
27002: 6.2.1 (h)
27001: A.6.2.2
27002: 6.2.2 (j)
27001: A.7.2.2
27002: 7.2.2 (d)
27001: A.10.1.1
27002: 10.1.1 (g)
27001: A.13.2.1
27002: 13.2.1 (b)
27001: A.15.1.2
27017: 15.1.2
27001: A.12.2.1
27002: 12.2.1 (a),(d)
27017: CLD.9.5.2
'responses to vulnerability identifications, based on the identified
risk'.
27001: 6.1.3
27001: A.12.2.1
27001: A.12.6.1
27002: 12.6.1(c)(d)(j)
27018: 12.6.1(k)(i)

'on a weekly. or more frequent basis'.
27001: 6.1.3
27001: A.5.1.1
27002: 5.1.1 (h)
27001: A.12.6.1
27002: 12.6.1 (b),(c)
"third party or open source libraries" and "according to the
organization's vulnerability management policy".
27001: 6.1.3
27001: A.12.6.2
27002: 12.6.2

(CC4.1) 'Considers Different Types of Ongoing and Separate Evaluations'
- 'including penetration testing'
(CC 7.1) 'Conducts Vulnerability Scans' - 'The entity conducts No Mapping
vulnerability scans designed to identify potential vulnerabilities'.
'at least monthly'.
27001: A.12.6
27001: A.12.6.1
27002: 12.6.1
27001: 8.2
27001: 8.3
27001: A.12.5.1
27001: A.12.6.1
27001: A.12.6.1
27001: A.18.2.3
N/A
27001: 7.4
27001: A.16.1.2
27002: 16.1.2
27001: A.16.1.3
27002: 16.1.3
27001: 5.3
27001: 9.1
Requirement on 'endpoint' systems (AICPA TSC CC6.7 has reference to
"Protect Mobile Devices" only whereas CCM control refers to endpoint 27001: 5.1
devices such as: mobile devices, servers, desktops, IoT, virtual etc.) 27001: 5.2
'Review the policies and procedures at least annually'. 27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.6.2.1
27002: 6.2.1
27017: 6.2.1
27018: 6.2.1
27001: A.9.1.1
27002: 9.1.1
27001: A.9.2.2
27002: 9.2.2
27001: A.12.1.2
27002: 12.1.2
27001: A.12.5
27002: 12.5
27001: A.13.2.3
27002: 13.2.3
27001: A.14.2.2
27002:14.2.2
27001: A.14.2.4
27002: 14.2.4
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
27001: A.12.6.2
27002:12.6.2
No Mapping
Requirement on 'endpoint' systems.
27001: A.14.2
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001: A.14.2.4
27018: 12.1.2

Requirement on 'endpoint' systems. 27001: A.11.2.7
27002: 11.2.7
27001: A.18.1.1
27017: 18.1.1
27001: A.12.3.1
27017: 12.3.1
27018: A.11.4
27018: A.11.5

Requirement on 'endpoint' systems. 27001: A.12.2
27002: 12.2
27017: 12.2
27018: 12.2
Requirement on 'endpoint' systems. 27001: A.12.6.1
27002: 12.6.1
27001: A.13.1.2
27002: 13.1.2
27001: A.6.2.2
27002: 6.2.2
27018: 16.1

Requirement on 'endpoint' systems.
27001: A.12.3
27002: 12.3
27001: A.8.3.1
27002: 8.3.1
27001: A.12.2
27002: 12.2
27001: A.18.1.3
27002: 18.1.3
27001: A.6.1.1
27017: 6.1.1
27018: 12.3.1
27018: 10.1
27001: A.6.2.1
27002: 6.2.1
27001: A.6.2.1
27002: 6.2.1
27001: A.15.1.1
27002: 15.1.1
27001: A.14.1.2
27002: 14.1.2
27001: A.6.1.1
27017: 6.1.1
27001: A.9.2.2
27017: 9.2.2
27001: A.9.2.4
27017: 9.2.4
ISO/IEC 27001:2013,27002:2013,27017:2015,27018:2019
Gap Level Addendum

Requirement of 'at least annually' in last sentence.
Partial Gap

Terms 'audit and assurance' and 'at least annually' are not specifically called out.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective
action plan to remediate audit findings'.
Partial Gap
'to review and update the policies and procedures at least annually.'
Partial Gap

ISO does not explicitly stipulate baseline requirements for securing different applications.
Partial Gap
ISO does not explicitly specify the need to implement technical and operational metrics in alignment
Partial Gap with business objectives, security requirements, and compliance obligations.
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
The requirement to provide a framework for setting business continuity objectives.
Partial Gap

The specific references to a BIA.
Partial Gap
No reference to Business Continuity Strategies
Partial Gap

Partial Gap

Partial Gap
'Table Top Exercises'
Partial Gap
Partial Gap

ISO does not specify the need to verify data restoration from backup for resiliency.
Partial Gap
Full Gap
Full Gap
Full Gap
Partial Gap

'Quality and baselines'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'Establish change management baselines'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'The cloud service provider should provide capabilities to permit the cloud service customer to
independently store and manage encryption keys used for protection of any data owned or managed
by the cloud service customer'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'Keys Rotation' requirement not mentioned
Partial Gap
N/A
No Gap
N/A
No Gap

'Keys Pre-Activation' requirement not mentioned
Partial Gap

'Keys Suspension' requirement not mentioned
Partial Gap
N/A
No Gap
'secure repository requiring least privileged access'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'Apply and maintain policies and procedures for the relocation or transfer of hardware, software, or
data/information to an offsite or alternate location'
'relocation requires the cryptographically verifiable authorization.'
Partial Gap
N/A
No Gap
N/A
No Gap

'classify physical assets'
Partial Gap
'classify physical assets'
Partial Gap
N/A
No Gap
Full Gap
N/A
No Gap
Full Gap

'datacenter personnel' (training)'
Partial Gap
N/A
No Gap
N/A
No Gap

No requirements to exercise environmental controls
Partial Gap
N/A
No Gap
Requirement to review and update the policies and procedures at least annually.
Partial Gap

Requirement to ensure that data is not recoverable by any forensic means.
Partial Gap
Requirement for maintaining an inventory for personal data
Partial Gap
N/A
No Gap
Full Gap

Requirement to perform a review at least annually.
Partial Gap
incorporating security requirements at the design stage
Partial Gap
Full Gap

'Conduct a Data Protection Impact Assessment (DPIA)'.
Partial Gap
Requirement to ensure information is only processed within scope as permitted by the respective
Partial Gap
Full Gap
Processing personal data as per the purpose declared to the data subject
Partial Gap
Full Gap

Requirement to disclose the details of any personal or sensitive data access by sub-processors to the
data owner prior to initiation of that processing.
Partial Gap

Obtain explicit authorization from data owners
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing in the ISOs:
'policies and procedures for an information governance program'
Partial Gap
N/A
No Gap
Requirement of 'at least annually'
Partial Gap
N/A
No Gap

'domains of the CCMv4.0' missing from ISOs
Partial Gap
Missing in the ISOs:
'for planning, implementing, operating, assessing, and improving governance programs.'
'document roles and responsibilities'
Partial Gap
N/A
No Gap
N/A
No Gap
requirement to review and update the policies and procedures at least annually.
Partial Gap

Partial Gap
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Requirement to focus training on 'sensitive organizational and personal data'
Partial Gap

requirement to focus on 'applicable legal, statutory, or regulatory compliance obligations.'
Partial Gap
N/A
No Gap
Partial Gap
ISO partially addressed Identity Inventory under asset management
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from ISOs and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from ISOs and has to be used to close the gap.
Full Gap
Requirement of separation of duties in reviewing of user access rights.
Partial Gap
N/A
No Gap
Requirement to prevent the culmination of segregated privileged access.
Partial Gap
N/A
Full Gap

Requirement to control the ability to disable logs through a procedure that ensures the segregation of
duties and break glass procedures.
Partial Gap
N/A
No Gap
Requirement to include multifactor authentication for at least privileged user and sensitive data
access.
Partial Gap
N/A
No Gap
N/A
No Gap
Requirement of communications between application services (APIs)
Partial Gap
Full Gap
N/A
No Gap
Full Gap
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap

Partial Gap
Partial Gap
Partial Gap

Partial Gap
'Design, develop, deploy and configure applications and infrastructures'
'monitored and restricted from other tenants.'
Partial Gap
Partial Gap
Partial Gap

Requirement of Infrastructure & Virtualization Security
Requirement for defense-in-depth approach
Partial Gap
Partial Gap

Requirement for the review and update of policies and procedures.
Partial Gap

Requirement to generate alerts to responsible stakeholders.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

Partial Gap
Partial Gap
N/A
No Gap

'incident response plans'.
Partial Gap
Full Gap
N/A
No Gap
Requirement to report relevant supply chain breaches.
Requirement to report as per applicable SLAs, laws and regulations.
Partial Gap
N/A
No Gap
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap

Partial Gap
Partial Gap

Partial Gap

Partial Gap

Partial Gap
Partial Gap

Partial Gap

Partial Gap
Partial Gap

Partial Gap

Partial Gap

Partial Gap
Partial Gap
N/A
No Gap
Requirement of 'malware policy and procedures'
Partial Gap
N/A
No Gap

Requirement of 'detection tools and or a specific time frame for updates as well as no mention of
IOC's'
Partial Gap
Requirement of 'for applications which use...open source libraries according to the organization's
vulnerability management standard.'
Partial Gap
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

Requirement of 'vulnerability remediation'
Partial Gap
Term 'endpoint' device
Partial Gap

Partial Gap
Partial Gap

Partial Gap

Partial Gap
Full Gap
Partial Gap

Partial Gap

Partial Gap
Partial Gap

Partial Gap

Partial Gap Term 'endpoint' device

Partial Gap
Partial Gap
NIST 800-53 rev 5
CA-1 No Gap
CA-2
CA-2(1)
CA-2(2) No Gap
CA-7
CA-7(1)
CA-2
CA-2(1)-(3)
No Gap
PL-10
PL-11
CA-1 No Gap
CA-1
CA-2 No Gap
PM-4
CA-5
CA-5(1) No Gap
PM-4
CM-3
CM-3(2)
PM-20
PM-20(1)
SA-1 No Gap
SA-4
SA-8
SA-8(29)-(33)
SI-17
CM-2
CM-2(2)
CM-2(3)
SA-8
SA-8(8) No Gap
SA-8(14)
SA-8(23)
SA-8(29)
SA-8(31)
SA-15
No Gap
SA-15(1)
PL-2
PL-8
PL-8(1)
SA-3
SA-3(1)
SA-4
SA-4(2)
SA-4(3)
SA-4(8)
SA-4(9)
No Gap
SA-5
SA-8
SA-8(1)-(7)
SA-8(9)-(13)
SA-8(15)-(20)
SA-8(22)
SA-8(24)-(28)
SA-8(30)-(33)
SA-17
SA-17(1)-(9)
SA-11
SA-11(1)-(9)
SI-6
SI-6(2) No Gap
SI-6(3)
SI-10
SI-10(1)-(6)
SA-3
SA-3(2)
SA-3(3)
SA-4
SA-4(3)
No Gap
SA-8
SA-8(31)
SA-16
SR-9
SR 9(1)
SI-2
SI-2(2)-(6)
SA-11
SA-11(2)
No Gap
SA-15
SA-15(1)-(3)
SA-15(5)-(8)
SA-15(10)-(12)
CP-1
CP-2 No Gap
PL-2
CP-2
PM-8 No Gap
PM-9
CP-1
CP-2
CP-2(1)
No Gap
CP-2(2)
CP-2(5)
CP-2(7)
CP-2
CP-4 No Gap
PM-8
CP-1
CP-2 No Gap
CP-4
AT-3
AT-3(3)
CP-3
CP-3(1)
No Gap
CP-4
CP-4(4)
IR-4
IR-4(3)
CP-2
No Gap
CP-2(1)
CP-4
CP-4(4)
CP-6
CP-6(1)-(3)
CP-9
No Gap
CP-9(1)
CP-9(2)
CP-10
CP-10(2)
CP-10(4)
CP-2(1)
CP-2(2)
CP-2(3)
CP-2(5)
CP-2(6)
CP-2(7) No Gap
CP-2(8)
PE-13
PE-13(1)
PE-13(2)
PE-13(4)
AT-2
AT-2(1)
AT-3
AT-3(3)
AT-4
CP-3
No Gap
CP-3(1)
IR-3
IR-3(2)
IR-3(3)
IR-9
IR-9(2)
NCP-2
CP-2(2)
CP-4(3)
CP-6
CP-6(1)
No Gap
CP-7
CP-8
CP-8(1)-(3)
CP-9
CP-9(6)
CM-1
CM-9
CM-9(1)
CM-10
CM-10(1)
CM-11
No Gap
PM-9
PS-8
SA-8
SA-8(1)
SA-8(24)
SI-12
CM-2
CM-2(2)
CM-2(6)
CM-3
CM-3(2) No Gap
CM-3(7)
CM-4
CM-4(1)
CM-4(2)
CM-2
CM-2(2)
CM-2(3)
CM-2(7)
CM-3
CM-3(2)
CM-3(3)
CM-3(5)
CM-3(6)
CM-4
CM-4(1)
CM-5 No Gap
CM-5(5)
CM-5(6)
CM-7
CM-7(2)-(7)
CM-11
CM-11(2)
CM-14
SA-10
SA-10(7)
SA-11
SA-11(9)
CA-7
CA-7(4)
CM-3
CM-3(1)
CM-3(5)
CM-3(7)
CM-3(8)
CM-5
CM-5(1)
CM-5(4) No Gap
CM-5(5)
CM-6
CM-6(1)
CM-6(2)
CM-7
CM-7(1)
CM-7(4)
CM-7(5)
CM-7(9)
CM-3
CM-3(1) No Gap
CM-3(2)
CM-2
CM-2(3)
CM-5
CM-5(6)
CM-8 No Gap
CM-8(1)-(9)
CM-9
CM-9(1)
CM-14
CM-6
CM-6(2)
No Gap
SI-2
SI-2(2)-(6)
CM-3
No Gap
CM-3(1)
CM-2
CM-2(3)
CM-3
CM-3(3) No Gap
CM-3(7)
SA-8
SA-8(24)
SC-1
SA-9
SA-9(6)
No Gap
SC-12
SC-12(2)
SC-12(3)
IA-7
IA-8
IA-8(5)
SA-9
SA-9(1) No Gap
SA-9(6)
SC-12
SC-12(6)
SC-13
AC-19
AC-19(5)
SC-8
SC-8(1)
SC-8(3)
SC-8(4)
SC-12
SC-12(2) No Gap
SC-12(3)
SC-28
SC-28(1)-(3)
SI-4
SI-4(10)
SI-7
SI-7(6)
SC-12
SC-12(2)
SC-12(3) No Gap
SC-28
SC-28(1)
CM-3
CM-3(6)
No Gap
SI-7
SI-7(6)
CM-3
CM-3(6) No Gap
PL-2
CM-3
CM-3(6)
PM-31
No Gap
SC-28
SC-28(1)
SC-28(3)
CP-9
CP-9(8)
SA-9
No Gap
SA-9(6)
SC-12
SC-12(6)
AU-9
AU-9(3) No Gap
PM-31
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
IA-5
IA-5(2)
PM-32
SC-12 No Gap
SC-12(2)
SC-12(3)
SC-13
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
SC-12
SC-12(2) No Gap
SC-12(3)
SC-12
SC-12(2) No Gap
SC-12(3)
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
PM-31
SC-12
SC-12(2) No Gap
SC-12(3)
SC-13
SC-12
SC-12(2) No Gap
SC-12(3)
SC-12
SC-12(1)-(3)
No Gap
SC-28
SC-28(3)
SC-12
No Gap
SC-12(1)-(3)
CM-3
CM-3(6)
CP-9
No Gap
CP-9(8)
SC-12
SC-12(1)-(3)
SC-12
SC-12(1)-(3) No Gap
SC-12(6)
MP6
MP-6(1)-(3)
MP-6(8) No Gap
MP-7(2)
MP-8
AC-1
AC-4
CA-3
MP-5 Partial Gap
MP-5(3)
SC-4
SC-4(2)
PE-1
PE-6
PE-6(1)-(4)
SC-15 No Gap
SC-15(1)
SC-15(3)
SC-15(4)
MP-1
MP-5 No Gap
MP-5(3)
CM-8
CM-8(1)
CM-8(2)
CM-8(4)
CM-8(6)
No Gap
CM-8(7)
CM-8(9)
PM-5
PM-5(1)
PE-20
CM-8
CM-8(1)
CM-8(2)
No Gap
CM-8(4)
CM-8(7)
CM-8(8)
AT-3(2)
PE-2
PE-2(1)
PE-2(3)
PE-3
PE-3(2)-(5)
No Gap
PE-3(7)
PE-3(8)
PE-6
PE-6(1)-(4)
PE-8
PE-8(1)
AC-18
AC-18(1)
IA-3 No Gap
IA-3(3)
IA-3(4)
MP-4(2)
PE-3
PE-3(8)
PE-5
No Gap
PE-6
PE-6(1)-(4)
PE-18
SC-42
PE-6
No Gap
PE-6(1)-(3)
AT-3
AT-3(2)
No Gap
IR-2
IR-2(1)-(3)
PE-9
PE-9(1)
PE-9(2) No Gap
PE-19
PE-19(1)
MA-6
MA-6(1)
MA-6(2)
PE-13
PE-13(1)
No Gap
PE-13(4)
PE-14
PE-14(1)
PE-15
PE-15(1)
MA-6
MA-6(1) No Gap
MA-6(2)
PE-18
No Gap
PE-23
PL-2
PL-7
PM-17
PM-18
PM-19
PM-20
PM-20(1)
PM-23
PM-24 No Gap
PM-26
PT-1
PT-5
PT-5(2)
PT-6
PT-6(1)
PT-7
PT-7(2)
PM-22
SI-12
SI-12(3)
SI-18 No Gap
SI-18(1)
SI-18(4)
SI-18(5)
CM-12
CM-12(1)
PM-5
PM-5(1)
SI-12 No Gap
SI-12(1)
SI-19
SI-19(1)
SI-19(2)
AC-16
AC-16(9)
PM-22
PM-23
PT-2
No Gap
PT-2(1)
SI-18
SI-18(2)
SI-19
SI-19(6)
AC-4
AC-4(1)-(3)
AC-4(5)-(8)
AC-4(10)
AC-4(12)
AC-16
AC-16(3)
AC-16(7)
No Gap
AC-16(8)
AC-4(13)
AC-4(19)
SA-5
SA-17
SA-17(3)
SC-7
SC-7(24)
PM-18
PM-19
PM-22
PT-2
PT-2(1) No Gap
PS-6
PS-6(2)
SI-12
SI-12(1)
PM-17
PM-24
PM-25
PT-2
PT-2(2)
SA-3
SA-4
SA-5
SA-8
SA-8(9)
SA-8(13)
SA-8(18)
SA-8(20)
SA-8(22)
No Gap
SA-8(23)
SA-8(33)
SA-15
SA-15(12)
SC-3
SC-3(3)
SC-7
SC-7(24)
SC-8
SC-8(1)-(4)
SC-28
SC-28(1)
SI-12
SI-12(1)-(3)
PM-22
PM-24
PT-1
PT-2
PT-2(1)
PT-5
PT-5(1)
PT-5(2)
PT-6
PT-8 No Gap
SA-11
SA-11(3)
SI-18
SI-18(3)
SA-19
SI-19(1)
SI-19(5)
SI-19(6)
SI-19(8)
CM-4
CM-4(1)
CM-4(2)
PT-3
No Gap
RA-8
SA-4
SA-9
SA-9(1)
AC-4
AC-4(23)-(25)
CA-3
CA-3(6)
CA-6
CA-6(1)
CA-6(2)
SC-4
No Gap
SC-4(2)
SC-7
SC-7(10)
SC-7(24)
SC-8
SC-8(1)-(5)
SC-16
SC-16(1)-(3)
PM-22
PM-24
PT-2
PT-2(1)
PT-4
PT-4(1)
PT-4(3)
PT-6
No Gap
PT-6(2)
PT-7
PT-7(2)
SI-12
SI-12(1)
SI-19
SI-19(1)
SI-19(7)
PM-23
PM-27
PM-32
PT-2
PT-2(1)
PT-3
PT-3(1)
PT-3(2)
PT-4
No Gap
PT-4(2)
PT-4(3)
PT-6
PT-6(1)
PT-6(2)
SI-12
SI-12(1)
SI-19
SI-19(1)
CM-13
PT-3
PT-3(1)
SA-9
SA-9(1)
SA-9(3) No Gap
SA-9(5)
SR-3
SR-3(3)
SR-4
SR-4(1)
PM-22
PT-6
PT-6(1)
PT-6(2) No Gap
PT-8
SR-4
SR-4(1)
SA-3
SA-3(2)
No Gap
SI-19
SI-19(3)
SI-12
SI-12(1)-(3)
SI-18
SI-18(1)
No Gap
SI-18(4)
SI-18(5)
SI-19
SI-19(2)
PL-2
PM-22
PM-24
PT-7
PT-7(1)
PT-7(2) No Gap
PT-8
SC-8
SC-8(1)-(5)
SC-28
SC-28(1)
IR-6
IR-6(3)
No Gap
PM-21
SR-8
CA-3
CA-3(6)
CM-8
CM-8(8)
CM-12
CM-12(1)
PM-5 No Gap
PM-5(1)
PM-22
PM-24
SA-9
SA-9(5)
SA-9(8)
PL-1
PM-1
PM-17
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IR-1 No Gap
MA-1
MP-1
PE-1
PS-1
PT-1
RA-1
SA-1
SC-1
SI-1
SR-1
PL-1
PL-2
PM-4
No Gap
PM-9
PM-10
PM-28
PL-1
PM-1
No Gap
PM-14
PM-17
CM-6 No Gap
PM-1
PM-3
PM-14
No Gap
PL-2
PM-18
PM-31
PM-29 No Gap
PL-1 No Gap
PM-15 No Gap
IA-12
IA-12(2)
IA-12(3)
MA-5
MA-5(2)-(4)
PS-1 No Gap
PS-2
PS-3
PS-3(1)
PS-3(2)
PS-3(4)
PL-4
PL-4(1)
PS-1 No Gap
PS-6
PS-6(2)
AC-11
AC-11(1)
No Gap
MP-4
PS-1
AC-17
AC-17(6)
AC-17(9)
AC-20
AC-20(1)-(5) No Gap
PE-17
PS-1
SC-7
SC-7(7)
PS-1
PS-4
PS-4(1) No Gap
PS-6
PS-6(3)
AC-17
AC-17(9)
PS-1
PS-4
PS-4(1)
PS-4(2)
No Gap
PS-5
PS-6
PS-6(3)
SI-4
SI-4(19)
SI-4(21)
PE-3
PE-3(1)
PS-6 No Gap
PS-6(2)
PS-9
PL-4
PL-4(1)
PS-6
No Gap
PS-6(2)
PS-6(3)
PS-7
AC-1
AT-1 No Gap
PS-1
PL-4
PS-6 No Gap
PS-6(2)
AT-1
AT-2
AT-2(1)-(6) No Gap
AT-4
AT-6
AT-3
AT-3(1)
AT-3(2)
AT-3(3)
AT-3(5)
AT-4
AT-6 No Gap
IR-9
IR-9(2)
PM-12
PM-16
SR-11
SR-11(1)
PL-4
PL-4(1)
PS-1 No Gap
PS-6
PS-6(2)
AC-1
AC-2
AC-2(3)
AC-2(9)
AC-2(11)
AC-16
AC-16(1)
AC-16(6)
IA-4 No Gap
IA-4(5)
IA-4(6)
IA-5
IA-5(16)
IA-8
IA-8(4)
IA-12
IA-12(2)-(6)
AC-2
AC-2(3)
AC-2(11)
AC-3
AC-3(3)
AC-12
No Gap
AC-12(1)
IA-2
IA-2(10)
IA-5
IA-5(1)
IA-5(18)
AU-10
AU-10(1)
AU-10(2)
AU-16
AU-16(1)
IA-4
IA-4(8)
IA-4(9) No Gap
IA-5
IA-5(5)
IA-8
IA-8(4)
PM-5(1)
SA-8
SA-8(22)
AC-2
AC-2(3)
AC-2(11) No Gap
AC-6
AC-6(1)-(10)
AC-6
AC-6(4)
IA-12 No Gap
IA-12(2)
IA-12(3)
AC-3
AC-16
AC-16(2)
AC-16(4) No Gap
AC-16(10)
IA-12
IA-12(1)
AC-2
AC-2(1)
AC-2(2)
AC-2(6)
AC-2(8)
AC-3
AC-3(8)
AC-6 No Gap
AC-6(7)
AU-10
AU-10(4)
AU-16
AU-16(1)
CM-7
CM-7(1)
AC-6
AC-6(4)
AC-6(8) No Gap
IA-8
IA-8(4)
AC-6
AC-3(7)
AC-6(4)
AC-6(8)
No Gap
IA-5
IA-5(6)
IA-8
IA-8(4)
AC-2
AC-2(7)
AC-3
AC-3(4)
AC-3(11)
AC-3(13)
AC-3(14)
AC-6
AC-6(4) No Gap
AC-6(5)
AC-6(8)
AC-12
AC-12(3)
AC-17
AC-17(4)
IA-8
IA-8(4)
AC-6
AC-6(4)
AC-6(6)
AU-10
AU-10(4)
CA-6
CA-6(2)
No Gap
IA-2
IA-2(1)
IA-2(2)
IA-2(12)
IA-12
IA-12(2)
IA-12(4)
AC-2
AC-2(11)
AC-2(12)
IA-8
IA-8(4)
SA-8
SA-8(22) No Gap
SC-34
SC-34(1)
SC-34(2)
SC-36
SI-4
SI-4(5)
AC-3
AC-3(14)
AC-24
AC-24(2)
AU-10
AU-10(1)
IA-2
IA-2(1)
IA-2(2) No Gap
IA-2(12)
IA-4
IA-4(1)
SA-8
SA-8(22)
SC-23
SC-23(3)
SC-40(4)
AC-6
AC-6(5)
AC-7
AC-7(4)
AU-10
AU-10(2)
IA-2
IA-2(1)
IA-2(2)
IA-2(8)
IA-2(12)
IA-3
IA-3(1) No Gap
IA-5
IA-5(2)
IA-5(7)
IA-5(9)
IA-5(10)
IA-5(12)
IA-5(14)-(16)
IA-8
IA-8(1)
IA-8(6)
SC-23
SC-23(3)
IA-4
IA-4(8)
IA-5
No Gap
IA-5(1)
IA-5(8)
IA-5(18)
AC-3
AC-3(5)
AC-4
AC-4(17)
AC-4(21)
AC-4(22)
AC-6
AC-6(8)
AC-6(9)
AC-12
AC-12(1)
AC-20
AC-20(1)
AU-10
AU-10(1)
AU-10(2) No Gap
IA-2
IA-2(1)
IA-2(2)
IA-2(12)
IA-3
IA-3(1)
IA-5(1)
IA-5(2)
IA-5(5)
IA-5(8)
IA-5(10)
IA-5(12)
IA-8
IA-8(1)
IA-8(2)
PT-2
PT-2(1)
PT-3
PT-3(1)
SC-1
No Gap
SA-8
SA-8(8)
SC-27
SC-29
SC-29(1)
CM-13
PT-2
PT-2(1)
PT-2(2)
PT-3 Νο Gap
PT-3(1)
PT-3(2)
SA-8
SA-8(20)
PT-2
PT-2(2)
SA-4 Νο Gap
SC-16
SC-16(3)
PT-2
PT-2(1)
PT-3
PT-3(1)
PT-4(3)
Partial Gap
SA-4
SA-4(11)
SA-4(12)
SI-12
SI-12(3)
AC-1
CM-1
IA-1
RA-1
SA-1
Partial Gap
SC-1
SI-1
SC-46
SC-49
SC-50
CP-2
CP-2(2)
SC-5
No Gap
SC-5(2)
SC-4
SI-4
SC-1
SC-4
SC-7
SC-7(4)
SC-7(5)
SC-7(8)
SC-7(9)
SC-7(11)
No Gap
SC-8
SC-8(1)
SC-11
SC-12
SC-16
SC-23
SC-29
SC-29(1)
CM-6
CM-6(1)
SC-29
SC-29(1)
SC-2
SC-7
No Gap
SC-7(12)
SC-30
SC-34
SC-35
SC-39
SC-44
CM-2
CM-2(6)
CM-5
CM-5(5)
SA-3
SA-3(1)
SA-8 No Gap
SA-8(1)
SA-8(2)
SA-8(3)
SA-8(6)
SC-3
SC-3(2)
SC-3
SC-7 No Gap
SC-7(20)
AC-17
AC-20
SC-7
SC-7(28)
SC-8
SC-8(1)
SC-12 No Gap
SC-23
SC-29
SI-7
SI-7(1)-(3)
SI-7(5)-(10)
SI-7(12)
PL-8
PL-8(1)
SA-8 No Gap
SA-8(3)
SA-8(17)
PL-8
PL-8(1)
SC-5
SC-5(1) No Gap
SC-5(3)
SC-7
SC-7(13)
AU-1 No Gap
AU-4
No Gap
AU-11
AU-5
AU-5(2) No Gap
AU-13
AU-9
AU-9(4)
No Gap
AU-9(6)
AU-10
AU-6
AU-6(1) No Gap
AU-6(5)
AU-8 No Gap
AU-1
AU-14 No Gap
AU-16
AU-3
AU-3(1)
AU-3(3)
AU-6
AU-6(8) No Gap
AU-12
AU-12(1)
AU-12(2)
AU-12(3)
AU-9
AU-9(2)
AU-9(3)
No Gap
AU-9(4)
AU-12(3)
AU-12(3)
AU-1
AU-9 No Gap
AU-9(3)
AU-9
No Gap
AU-9(3)
AU-6
AU-6(6) No Gap
AU-14
AU-5
AU-5(2)
AU-6
AU-6(3) No Gap
AU-6(4)
AU-6(5)
AU-16
IR-1
IR-2
IR-2(1)
IR-4
Partial Gap
IR-4(12)
IR-4(14)
PM-1
PM-12
PM-1
PM-6
IR-4
No Gap
IR-4(6)
IR-4(9)
IR-4(14)
IR-1
IR-2
IR-2(1)-(3)
IR-3
IR-3(1)-(3)
IR-4
IR-4(1)-(15)
IR-5
IR-5(1)
IR-6 No Gap
IR-6(1)-(3)
IR-7
IR-7(1)
IR-7(2)
IR-8
IR-8(1)
IR-9
IR-9(1)-(4)
PM-12
IR-2
IR-2(1)-(3)
IR-3
IR-3(1)-(3) No Gap
IR-8
IR-9
IR-9(2)
CA-7
CA-7(3)
CA-7(4)
IR-5
IR-4
No Gap
IR-6
IR-6(2)
IR-6(3)
PM-6
PM-31
CA-7
CA-7(3)
CA-7(4)
CA-7(5)
CA-7(6) No Gap
IR-4
IR-4(1)
IR-4(3)
IR-4(4)
AU-13
AU-13(1)-(3)
IR-4
IR-4(15)
No Gap
IR-6
IR-6(1)-(3)
PM-21
PM-23
IR-4
IR-4(8)
IR-6
IR-6(3)
IR-7 No Gap
IR-7(2)
PM-21
PM-23
PM-26
SR-1
SR-2
SR-3
SR-5
SA-4
SA-4(1) Partial Gap
SA-4(2)
SA-4(5)
SA-4(9)
SA-4(10)
PM-30
SR-1
SR-2
SR-3
Partial Gap
SR-3(1)-(3)
SR-5
PM-30
No Mapping Full Gap
No Mapping Full Gap
SR-1
SR-2
SR-3 Partial Gap
SR-6
SR-6(1)
SA-4
SA-4(11)
SR-1
SR-2 Partial Gap
SR-3
SR-5
SR-6
CM-8
CM-8(4)
No Gap
SR-4
SR-4(1)-(4)
SR-2
SR-2(1)
SR-4
SR-5 No Gap
SR-5(1)
SR-5(2)
SR-6
SA-4
SA-4(1)
SA-4(2)
SA-4(5) Partial Gap
SA-4(9)
SA-4(10)
SR-8
PM-30
PM-30(1)
No Gap
SR-2
SR-6
PM-30
PM-30(1)
No Gap
SR-6
SR-6(1)
SA-9
SA-9(5) No Gap
SR-6
SA-9
SA-9(1)-(8)
No Gap
SR-2
SR-2(1)
SA-9
SA-9(2)
SR-4
SR-4(3)
SR-6
SR-6(1)
SR-7
No Gap
SR-9
SR-9(1)
SR-11
SR-11(1)
SR-11(3)
PM-23
PM-30
PM-16
PM-16(1)
PM-31
RA-5
SA-11
No Gap
SA-11(2)
SA-11(5)
SA-15
SA-15(5)
SA-15(8)
RA-3
RA-3(3)
RA-5
RA-5(3)
No Gap
RA-5(5)
SI-3
SI-3(4)
SI-3(10)
PM-31
RA-3
RA-3(1)
RA-5
No Gap
RA-5(2)-(4)
RA-5(6)
SI-3
SI-3(10)
CM-7
CM-7(4)
RA-3
RA-3(3)
RA-5(2)
SA-10
SA-10(5)
SA-11
SA-11(2)
SI-2 No Gap
SI-2(4)
SI-3
SI-3(4)
SI-4
SI-4(9)
SI-4(24)
SI-8
SI-8(2)
SI-8(3)
RA-5
RA-5(3)
SA-11 No Gap
SA-11(2)
SA-11(5)
CA-8
CA-8(1)-(3)
No Gap
SA-11
SA-11(5)
RA-5
RA-5(4)
RA-5(5)
SA-11
SA-11(5)
SA-15(5)
No Gap
SC-7
SC-7(10)
SI-3(8)
SI-3(10)
SI-7
SI-7(9)1
RA-2
RA-2(1)
SA-11
SA-11(1)
SA-15
No Gap
SA-15(8)
SI-2
SI-2(2)
SI-3
SI-3(10)
RA-5
RA-5(8)
RA-5(11) No Gap
SA-15
SA-15(1)
PM-31
RA-5
RA-5(6)
RA-5(8)
RA-5(10) No Gap
SA-15
SA-15(1)
SI-2
SI-2(3)
CM-1
CM-11 No Gap
AC-19
CM-7
CM-7(6)
CM-8(3)
CM-11 No Gap
SC-18
SC-18(2)
SC-18(3)
AC-19
CM-1
CM-2
CM-2(2) No Gap
CM-6
CM-8(3)
SI-7
CM-8
No Gap
CM-8(7)
AU-6
AC-19
AC-24
CM-2 No Gap
CM-2(2)
CM-8(3)
SC-1
AC-11
No Gap
AC-11(1)
CM-1
CM-3
CM-4
CM-8
CM-8(3) No Gap
CM-9
CM-9(1)
CM-11
SI-7
AC-19(5)
SC-28 No Gap
SC-28(1)
IR-1
SI-17 No Gap
SI-7(17)
SC-7
SC-7(12) No Gap
SC-7(17)
SC-7
No Gap
SC-7(10)
CM-8
No Gap
CM-8(8)
AC-7
AC-7(2)
No Gap
MP-6
MP-6(8)
SR-5
SR-5(2)
No Gap
SR-6
SR-6(1)
NIST 800-53 rev 5
N/A
GRM-06
GRM-09
N/A
AAC-02
N/A
AAC-01
AAC-02
N/A
GRM-01
GRM-03
N/A
AAC-01
N/A
GRM-10
GRM-11
N/A
AIS-01
AIS-04
N/A
AIS-01
N/A
No Mapping
N/A
AIS-01
AIS-03
N/A
AIS-01
AIS-03
N/A
AIS-01
AIS-03
N/A
TVM-02
N/A
BCR-07
BCR-10
BCR-11
GRM-06
GRM-09
N/A
BCR-09
N/A
BCR-04
BCR-06
BCR-08
BCR-09
BCR-10
N/A
BCR-01
N/A
BCR-01
BCR-04
N/A
BCR-02
N/A
BCR-01
BCR-02
N/A
BCR-11
N/A
No Mapping
N/A
No Mapping
N/A
BCR-06
N/A
CCC-05
GRM-06
GRM-09
N/A
CCC-03
N/A
CCC-05
N/A
CCC-04
N/A
CCC-05
N/A
No Mapping
N/A
GRM-01
N/A
No Mapping
N/A
No Mapping
N/A
EKM-01
EKM-02
EKM-03
GRM-06
GRM-09
N/A
No Mapping
N/A
EKM-03
EKM-04
N/A
EKM-04
N/A
EKM-02
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
EKM-04
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
DCS-05
GRM-06
GRM-09
Missing specification(s) in NIST 800-53:
'The relocation or transfer request requires the written or cryptographically verifiable authorization'.
DCS-04
GRM-06
GRM-09
N/A
DCS-06
GRM-06
GRM-09
N/A
GRM-06
GRM-09

'based on the organizational business risk'.
DCS - 01
N/A
DCS - 01
N/A
DCS-02
DCS-08
N/A
DCS - 03
N/A
DCS-07
DCS-09
N/A
DCS-02
DCS-07
DCS-08
N/A
HRS-09
N/A
BCR - 03
N/A
BCR - 03
N/A
BCR - 03
N/A
BCR - 06
N/A
DSI-04
GRM-06
GRM-09
N/A
DSI-07
N/A
No Mapping
N/A
DSI-01
N/A
DSI-02
N/A
DSI-06
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
GRM-02
EKM-03
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
DSI-05
N/A
GRM-02
BCR-11
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
GRM-06
GRM-09
N/A
GRM-08
GRM-10
GRM-11
N/A
GRM-09
N/A
GRM-01
N/A
GRM-04
N/A
No Mapping
N/A
AAC-03

'cloud-related special interest groups'. No Mapping
N/A
HRS-02
GRM-06
GRM-09
N/A
HRS-08
GRM-06
GRM-09
N/A
HRS-11
GRM-06
GRM-09
N/A
GRM-06
GRM-09
N/A
HRS-01
N/A
HRS-04
N/A
HRS-03
N/A
HRS-03
N/A
HRS-07
HRS-10
N/A
HRS-06
N/A
HRS-09
HRS-10
N/A
HRS-09
HRS-10
N/A
HRS-10
N/A
IAM-02
GRM-06
GRM-09
N/A
IAM-02
IAM-12
GRM-06
GRM-09
N/A
IAM-04
IAM-08
IAM-10
N/A
IAM-05
N/A
IAM-02
IAM-06
IVS-11
N/A
IAM-09
N/A
IAM-11
N/A
IAM-10
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
IAM-02
IAM-05
N/A
No Mapping
N/A
IAM-02
N/A
IPY-03
GRM-06
GRM-09
Ν/Α
No Mapping
Ν/Α
IPY-04
Recommend adding the full V4 control specification to the NIST 800-53r5 addendum.
No Mapping
'policies and procedures for virtualization security'.
GRM-06
GRM-09
N/A
IVS-04
N/A
IVS-06
N/A
IVS-07
IVS-11
N/A
IVS-08
N/A
IVS-09
N/A
IVS-10
N/A
IVS-13
N/A
IVS-13
N/A
GRM-06
GRM-09
N/A
IVS-01
N/A
SEF-03
SEF-05
N/A
IVS-01
N/A
No Mapping
N/A
IVS-03
N/A
No Mapping
N/A
No Mapping
N/A
GRM-04
IVS-01
N/A
EKM-02
EKM-03
N/A
EKM-02
N/A
DCS-08
N/A
SEF-03

'policies and procedures for E-Discovery'.
SEF-02
GRM-06
GRM-09
N/A
SEF-02
GRM-06
GRM-09
N/A
BCR-02
N/A
BCR-02
N/A
SEF-05
N/A
SEF-02
N/A
SEF-04
STA-05
N/A
SEF-01
'policies and procedures for the application of the Shared Security Responsibility Model (SSRM)
within the organization'.
No Mapping

'SSRM'.
No Mapping
The full V4 control specification is missing from NIST 800-53r5 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from NIST 800-53r5 and has to be used to close the gap.
No Mapping

'SSRM'.
No Mapping

'SSRM'.
No Mapping
N/A
No Mapping
N/A
STA-06
STA-08

'Information security requirements (including SSRM)'
STA-05
N/A
STA-07
N/A
STA-04
N/A
STA-01
STA-09
N/A
STA-06
N/A
STA-08
N/A
TVM-02
GRM-06
GRM-09
N/A
TVM-01
GRM-06
GRM-09
N/A
TVM-02
N/A
No mapping
N/A
No mapping
N/A
TVM-02
N/A
TVM-02
N/A
TVM-02
N/A
TVM-02
N/A
No mapping
N/A
GRM-06
GRM-09
MOS-03
MOS-04
MOS-05
MOS-08
MOS-11
MOS-12
MOS-13
MOS-16
MOS-17
MOS-20
N/A
MOS-02
MOS-03
MOS-04
MOS-06
N/A
MOS-07
N/A
MOS-09
N/A
MOS-10
N/A
MOS-14
N/A
MOS-15
MOS-19
N/A
MOS-11
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
MOS-18
N/A
No Mapping
CCM v3.0.1
Gap Level Addendum
Missing specification(s) in CCMv3.0.1:

'apply and evaluate audit and assurance policies, procedures and standards'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

Partial Gap control: (AAC-01) 'Audit plans shall be developed' and 'Auditing plans shall focus on reviewing the
effectiveness of the implementation of security operations'.

'Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective
action plan'
Partial Gap
'apply, evaluate, maintain policies and procedures for application security'
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
control: (AIS-01) 'Applications and programming interfaces (APIs) shall be designed, developed,
deployed, and tested in accordance with leading industry standards'
Partial Gap
'Automate when applicable and possible.'
Partial Gap

'Automate where possible.'
Partial Gap

'Automating remediation when possible.'
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'at least annually'
Partial Gap
N/A
No Gap

'Ensure the confidentiality, integrity and availability of the backup'
Partial Gap
Full Gap
Full Gap
N/A
No Gap
'apply, evaluate policies and procedures for managing the risks associated with applying changes to
organization assets'
'regardless of whether the assets are managed internally or externally (i.e., outsourced)'
Partial Gap
N/A
No Gap
'regardless of whether the assets are managed internally or externally (i.e., outsourced)'
Partial Gap
'removal, update, and management of organization assets'
Partial Gap
N/A
No Gap
Full Gap

'detection measures with proactive notification'
Partial Gap
Full Gap
Full Gap
'Apply and evaluate the policies and procedures for Cryptography, Encryption and Key Management'
Partial Gap
Full Gap
N/A
No Gap
'considering the classification of data, associated risks, and usability of the encryption technology.'
Partial Gap

control: (EKM-02) 'lifecycle management/replacement' and 'changes within the cryptosystem'
Partial Gap
Full Gap
Full Gap
Full Gap
Full Gap
control: (EKM-04) 'open/validated formats and standard algorithms shall be required'.
Partial Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap

'apply and evaluate policies and procedures for the secure disposal of equipment used outside the
organization's premises'
Partial Gap
'apply and evaluate policies and procedures for the relocation or transfer of hardware, software, or
data/information to an offsite or alternate location'
'or cryptographically verifiable authorization'
Partial Gap
'evaluate (implementation of) policies and procedures'
Partial Gap
'apply and evaluate policies and procedures for the secure transportation of physical media.'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'all ingress and egress points (are) documented'
'Retain access control records on a periodic basis as deemed appropriate by the organization.'
Partial Gap

'maintain datacenter surveillance systems'
Partial Gap

control: (HRS-09) 'All individuals with access to organizational data shall receive appropriate
awareness training relating to their professional function relative to the organization.'
Partial Gap
'Define, implement and evaluate processes, procedures and technical measures that ensure a risk-
based protection of telecommunication cables'
Partial Gap

'within accepted industry standards'
Partial Gap
N/A
No Gap
N/A
No Gap
'apply and evaluate policies and procedures for the classification, protection and handling of data
throughout its lifecycle and according to all applicable laws and regulations, standards, and risk
level.'
Partial Gap

'Apply industry accepted methods for the secure disposal of data'
Partial Gap
Full Gap
N/A
No Gap
'Review data flow documentation at defined intervals, at least annually, and after any change.'
Partial Gap

'Document ownership'
'all relevant documented personal data'
'Perform review at least annually'
Partial Gap
Full Gap
Full Gap
Full Gap
The reference to personal data: 'transfer of personal data is protected from unauthorized access and
only processed within scope as permitted by the respective laws and regulations'
Partial Gap
Full Gap
Full Gap
Full Gap
Full Gap
N/A
No Gap
N/A
No Gap
Full Gap
Full Gap
Full Gap
'apply and evaluate policies and procedures for an information governance program'
Partial Gap

'Enterprise Risk Management (ERM) program (as it includes information security risks but is not
limited to only those)'
'(ERM) program that includes policies and procedures for identification, evaluation, ownership,
Partial Gap treatment, and acceptance of privacy risks' (focus is on missing requirement for risk management on
privacy)
N/A
No Gap

'deviation from an established policy'
Partial Gap

'all the domains of the CCM' (i.e., reference to CCMv4.0)
Partial Gap
Full Gap
N/A
No Gap
Full Gap
'apply, evaluate, policies and procedures for background verification of all new employees'
Partial Gap

Partial Gap
'apply, evaluate, policies and procedures that require unattended workspaces to not have openly
visible confidential data'
Partial Gap
'apply, evaluate, policies and procedures to protect information accessed, processed or stored at
remote sites and locations'
Partial Gap

'Establish and document procedures'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap

'approve, evaluate and maintain a security awareness training program'
Partial Gap
'Provide all employees with access to sensitive organizational and personal data with appropriate
security
awareness training'
Partial Gap
N/A
No Gap
Partial Gap
(If Password is equal to "authentication secrets" then)
Partial Gap
'system identities'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'Review and revalidate user access for separation of duties'
'a frequency that is commensurate with organizational risk tolerance'
Partial Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
'Adopt digital certificates or alternatives which achieve an equivalent level of security for system
identities'
Partial Gap
Full Gap
N/A
No Gap
'apply and evaluate policies and procedures for interoperability and portability.'
Partial Gap
Full Gap
N/A
No Gap
Full Gap
'apply and evaluate policies and procedures for infrastructure and virtualization security.'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'Such channels must include only up-to-date and approved protocols'.
Partial Gap
N/A
No Gap
N/A
No Gap
'apply and evaluate policies and procedures for logging and monitoring'
Partial Gap

'Define, implement and evaluate processes, procedures and technical measures'
Partial Gap

'Define and implement a system to generate alerts to responsible stakeholders based on such events
Partial Gap and corresponding metrics.'

'Restrict audit logs access to authorized personnel'
Partial Gap
Full Gap
N/A
No Gap
Full Gap
Full Gap
control: (IVS-01) 'Higher levels of assurance are required for protection of audit logs', (GRM-04) 'to
Partial Gap protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and
destruction'.
control: (EKM-02) 'Policies and procedures shall be established for the management of
Partial Gap cryptographic keys', (EKM-03) 'Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for the use of encryption protocols'.
control: (EKM-02) 'management of cryptographic keys in the service's cryptosystem'.
Partial Gap

'log physical access using an auditable access control system.'
Partial Gap
'Define, implement and evaluate processes, procedures and technical measures for the reporting of
anomalies and failures of the monitoring system'
Partial Gap

'policies and procedures for E-Discovery and Cloud Forensics'.
Partial Gap
Partial Gap
'Establish, document, approve, communicate, apply, a security incident response plan, which
Include relevant internal departments'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
'Define and implement, processes, procedures and technical measures for security breach
notifications'
'Report assumed security breaches'
Partial Gap
N/A
No Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
N/A
No Gap

'Logging and monitoring capability'
'Data Privacy'
Partial Gap
N/A
No Gap
N/A
No Gap

'to comply with privacy, personnel policy.'
Partial Gap
N/A
No Gap
N/A
No Gap

Partial Gap
Partial Gap
N/A
No Gap
Full Gap
Full Gap
control: (TVM-02) 'supporting processes and technical measures implemented, for timely detection
of vulnerabilities within organizationally-owned or managed applications, infrastructure network and
Partial Gap system components (e.g., penetration testing)'
Requirement of 'at least monthly'.
Partial Gap

'vulnerability remediation using an industry recognized framework'.
Partial Gap
N/A
No Gap
Full Gap
'endpoints' (The term is missing from CCMv3.0.1 and MOS domain. Mobile device policies are a
subset of endpoint devices policy).
'apply, evaluate policies and procedures for all endpoints'.
Partial Gap

'endpoint'.
'Define, apply and evaluate a list'
Partial Gap
'endpoint'.
'Define and implement a process'.
Partial Gap

'endpoints'.
Partial Gap

'endpoints'.
'Define, implement and evaluate processes, procedures and technical measures to enforce policies
and controls for all endpoints'.
Partial Gap

'endpoint'.
Partial Gap
'endpoint'.
Partial Gap

'endpoint'.
Partial Gap
Full Gap
Full Gap
Full Gap
Full Gap

'endpoint'.
Partial Gap 'Define, implement and evaluate processes, procedures and technical measures'.
Full Gap
CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE
v4.0.2

A&A-01
Procedures
Independent Assessments A&A-02
Audit & Assurance

Risk Based Planning Assessment A&A-03
Audit & Assurance

Requirements Compliance A&A-04
Audit Management Process A&A-05
Remediation A&A-06
Application and Interface Security

AIS-01
Application Security Baseline

AIS-02
Requirements
Secure Application Design and

AIS-04
Development
Security
Automated Application Security

AIS-05
Testing
Automated Secure Application
AIS-06
Deployment

BCR-01
BCR-01
Risk Assessment and Impact Analysis BCR-02
Business Continuity Strategy BCR-03
Business Continuity Planning BCR-04

Documentation BCR-05
Business Continuity Business Continuity Exercises BCR-06

Management and
Business Continuity
Management and
Communication BCR-07
Backup BCR-08
Disaster Response Plan BCR-09
Response Plan Exercise BCR-10
Equipment Redundancy BCR-11


CCC-01
Procedures
Quality Testing CCC-02

Change Management Technology CCC-03
Change Control and

Configuration
Management
Unauthorized Change Protection CCC-04
Change Agreements CCC-05
Change Management Baseline CCC-06
Detection of Baseline Deviation CCC-07

Exception Management CCC-08
Change Restoration CCC-09

CEK-01
CEK-01
CEK Roles and Responsibilities CEK-02
Data Encryption CEK-03
Encryption Algorithm CEK-04

Encryption Change Management CEK-05

CEK-06
Analysis
Encryption Risk Management CEK-07
CSC Key Management Capability CEK-08

Encryption and Key Management Audit CEK-09
Key Generation CEK-10
Cryptography, Key Purpose CEK-11

Encryption & Key
Management
Cryptography,
Encryption & Key
Management
Key Rotation CEK-12
Key Revocation CEK-13
Key Destruction CEK-14

Key Activation CEK-15
Key Suspension CEK-16
Key Deactivation CEK-17
Key Archival CEK-18

Key Compromise CEK-19
Key Recovery CEK-20
Key Inventory Management CEK-21

DCS-01
and Procedures
DCS-02
and Procedures
DCS-02
and Procedures
Secure Area Policy and Procedures DCS-03

Secure Area Policy and Procedures DCS-03

DCS-04
and Procedures
Datacenter Security
Assets Classification DCS-05

Assets Cataloguing and Tracking DCS-06
Controlled Access Points DCS-07
Equipment Identification DCS-08

Secure Area Authorization DCS-09
Surveillance System DCS-10

DCS-11
Training
Cabling Security DCS-12
Environmental Systems DCS-13
Secure Utilities DCS-14
Equipment Location DCS-15

DSP-01
Procedures
Secure Disposal DSP-02

Data Inventory DSP-03
Data Classification DSP-04
Data Flow Documentation DSP-05
Data Ownership and Stewardship DSP-06

Data Protection by Design and Default DSP-07
Data Privacy by Design and Default DSP-08
Data Protection Impact Assessment DSP-09
Data Security and

Privacy Lifecycle
Management
Data Security and
Privacy Lifecycle
Management
Sensitive Data Transfer DSP-10

DSP-11

DSP-12
Processing
Personal Data Sub-processing DSP-13
Disclosure of Data Sub-processors DSP-14
Limitation of Production Data Use DSP-15
Data Retention and Deletion DSP-16
Sensitive Data Protection DSP-17

Disclosure Notification DSP-18
Data Location DSP-19
Governance Program Policy and

GRC-01
Procedures

Compliance Organizational Policy Reviews GRC-03

Information System Regulatory
GRC-07
Mapping

HRS-01
Procedures
HRS-01
Procedures
HRS-02
and Procedures
Clean Desk Policy and Procedures HRS-03

Clean Desk Policy and Procedures HRS-03
Human Resources Remote and Home Working Policy and

HRS-04
Procedures
Asset returns HRS-05

Employment Termination HRS-06
Employment Agreement Process HRS-07
Employment Agreement Content HRS-08
Personnel Roles and Responsibilities HRS-09
Non-Disclosure Agreements HRS-10

Security Awareness Training HRS-11

HRS-12
and Training
Compliance User Responsibility HRS-13
Identity and Access Management

IAM-01


Identity & Access

Management Management of Privileged Access
IAM-10
Roles
Identity & Access
Management Management of Privileged Access
IAM-10
Roles
CSCs Approval for Agreed Privileged

IAM-11
Access Roles



Interoperability and Portability Policy
IPY-01
and Procedures
Interoperability and Portability Policy
IPY-01
and Procedures
Interoperability &
Portability
Secure Interoperability and Portability

IPY-03
Management
Data Portability Contractual

IPY-04
Obligations
Infrastructure and Virtualization

IVS-01

Infrastructure &
Production and Non-Production

IVS-05
Environments


LOG-01
Procedures
LOG-01
Procedures
Audit Logs Protection LOG-02
Security Monitoring and Alerting LOG-03

Audit Logs Access and Accountability LOG-04
Audit Logs Monitoring and Response LOG-05
Clock Synchronization LOG-06

Logging and Monitoring
Logging Scope LOG-07

Logging Scope LOG-07
Log Records LOG-08
Log Protection LOG-09
Encryption Monitoring and Reporting LOG-10
Transaction/Activity Logging LOG-11

Access Control Logs LOG-12
Failures and Anomalies Reporting LOG-13
Security Incident Management Policy

SEF-01
and Procedures
Security Incident Management Policy
SEF-01
and Procedures
Service Management Policy and

SEF-02
Procedures
Security Incident
Management, E-
Discovery, & Cloud
Forensics
Security Incident
Management, E-
Discovery, & Cloud
Forensics




Supply Chain
Management,
Transparency, and
Accountability
Primary Service and Contractual

STA-09
Agreement
Supply Chain Service Agreement

STA-12
Compliance
Supply Chain Data Security

STA-14
Assessment

Threat and Vulnerability Management
TVM-01
Malware Protection Policy and

TVM-02
Procedures

Management Detection Updates TVM-04

Endpoint Devices Policy and

UEM-01
Procedures
Endpoint Devices Policy and
UEM-01
Procedures

Universal Endpoint
Management

Remote Wipe UEM-13
End of Standard
TIVE QUESTIONNAIRE
Control Specification Question ID

A&A-01.1
A&A-01.2

A&A-02.1
A&A-03.1

A&A-04.1

A&A-05.1

A&A-06.1
A&A-06.2
annually.
AIS-01.1
AIS-01.2

AIS-02.1
AIS-03.1

the organization.
AIS-04.1

AIS-05.1
AIS-05.2
AIS-06.1
AIS-06.2

AIS-07.1
AIS-07.2

BCR-01.1
BCR-01.2

and capabilities.
BCR-02.1

BCR-03.1

BCR-04.1
BCR-05.1
BCR-05.2
BCR-05.3

BCR-06.1
BCR-07.1

for resiliency.
BCR-08.1
BCR-08.2
BCR-08.3
BCR-09.1
BCR-09.2

BCR-10.1
BCR-10.2

standards.
BCR-11.1
CCC-01.1
CCC-01.2

CCC-02.1
outsourced).
CCC-03.1

CCC-04.1

CCC-05.1

CCC-06.1

CCC-07.1
CCC-08.1
CCC-08.2

CCC-09.1

CEK-01.1
CEK-01.2

CEK-02.1

CEK-03.1

CEK-04.1
changes.
CEK-05.1

CEK-06.1

CEK-07.1
encryption keys.
CEK-08.1
security event(s).
CEK-09.1
CEK-09.2

used.
CEK-10.1

CEK-11.1
CEK-12.1

CEK-13.1

CEK-14.1
requirements.
CEK-15.1

CEK-16.1

CEK-17.1

CEK-18.1
CEK-19.1

requirements.
CEK-20.1

requirements.
CEK-21.1

DCS-01.1
DCS-01.2
DCS-01.3

DCS-02.1
DCS-02.2
DCS-02.3

at least annually.
DCS-03.1
DCS-03.2

DCS-04.1
DCS-04.2
DCS-05.1
DCS-06.1

areas.
DCS-07.1
DCS-07.2
DCS-08.1
DCS-09.1
DCS-09.2

DCS-10.1

egress attempts.
DCS-11.1
offices and rooms.
DCS-12.1

DCS-13.1

DCS-14.1

DCS-15.1

least annually.
DSP-01.1
DSP-01.2
DSP-02.1
DSP-03.1

DSP-04.1

DSP-05.1
DSP-05.2

DSP-06.1
DSP-06.2
DSP-07.1

DSP-08.1
DSP-08.2

best practices.
DSP-09.1
DSP-10.1

DSP-11.1

DSP-12.1
DSP-13.1

DSP-14.1

DSP-15.1

DSP-16.1

DSP-17.1
DSP-18.1
DSP-18.2
DSP-19.1

at least annually.
GRC-01.1
GRC-01.2
risks.
GRC-02.1

GRC-03.1

GRC-04.1

GRC-05.1

GRC-06.1
GRC-07.1

GRC-08.1

HRS-01.1
HRS-01.2
HRS-01.3
HRS-02.1
HRS-02.2

least annually.
HRS-03.1
HRS-03.2

at least annually.
HRS-04.1
HRS-04.2

HRS-05.1
HRS-06.1

HRS-07.1

policies.
HRS-08.1

HRS-09.1

HRS-10.1
HRS-11.1
HRS-11.2

HRS-12.1
HRS-12.2
HRS-13.1

IAM-01.1
IAM-01.2

IAM-02.1
IAM-02.2

level of access.
IAM-03.1

system access.
IAM-04.1

system access.
IAM-05.1

IAM-06.1
IAM-07.1
IAM-08.1

IAM-09.1

IAM-10.1
IAM-10.2

IAM-11.1

IAM-12.1
IAM-12.2

IAM-13.1

IAM-14.1
IAM-14.2

IAM-15.1

IAM-16.1

requirements for:
d. Information/Data exchange, usage, portability, integrity, and persistence IPY-01.1
IPY-01.2
IPY-01.3
IPY-01.4
IPY-01.5

IPY-02.1

IPY-03.1

a. Data format
c. Scope of the data retained and made available to the CSCs IPY-04.1
IVS-01.1
IVS-01.2

by the business.
IVS-02.1

IVS-03.1
IVS-03.2
IVS-03.3
IVS-03.4
IVS-03.5

IVS-04.1

IVS-05.1

IVS-06.1
IVS-07.1

IVS-08.1

IVS-09.1

LOG-01.1
LOG-01.2

LOG-02.1

LOG-03.1
LOG-03.2
LOG-04.1

LOG-05.1
LOG-05.2

systems.
LOG-06.1

LOG-07.1
LOG-07.2
LOG-08.1

LOG-09.1

LOG-10.1

LOG-11.1
system.
LOG-12.1

LOG-13.1
LOG-13.2

SEF-01.1
SEF-01.2

SEF-02.1
SEF-02.2

SEF-03.1
SEF-04.1

SEF-05.1

SEF-06.1

SEF-07.1
SEF-07.2

SEF-08.1

at least annually.
STA-01.1
STA-01.2
STA-02.1

STA-03.1
STA-04.1
STA-05.1
STA-06.1
STA-07.1

STA-08.1
• Service termination STA-09.1
• Data privacy
STA-10.1

STA-11.1

STA-12.1

STA-13.1

STA-14.1

TVM-01.1
TVM-01.2

TVM-02.1
TVM-02.2
identifications,
TVM-03.1

TVM-04.1

TVM-05.1

third parties.
TVM-06.1
at least monthly.
TVM-07.1

TVM-08.1

TVM-09.1

TVM-10.1

UEM-01.1
UEM-01.2

UEM-02.1

UEM-03.1

data.
UEM-04.1
UEM-05.1

lock screen.
UEM-06.1

UEM-07.1

UEM-08.1

UEM-09.1
UEM-10.1

UEM-11.1
UEM-12.1

devices.
UEM-13.1

UEM-14.1
End of Standard
Consensus Assessments Question
Are audit and assurance policies, procedures, and standards established, documented,
approved, communicated, applied, evaluated, and maintained?
Are audit and assurance policies, procedures, and standards reviewed and updated
at least annually?
Are independent audit and assurance assessments conducted according to relevant

standards at least annually?
Are independent audit and assurance assessments performed according to risk-based
plans and policies?
Is compliance verified regarding all relevant standards, regulations, legal/contractual,

and statutory requirements applicable to the audit?
Is an audit management process defined and implemented to support audit planning,

risk analysis, security control assessments, conclusions, remediation schedules,
report generation, and reviews of past reports and supporting evidence?
Is a risk-based corrective action plan to remediate audit findings established,

documented, approved, communicated, applied, evaluated, and maintained?
Is the remediation status of audit findings reviewed and reported to relevant

stakeholders?
Are application security policies and procedures established, documented,
approved, communicated, applied, evaluated, and maintained to guide appropriate
planning, delivery, and support of the organization's application security capabilities?
Are application security policies and procedures reviewed and updated at least
annually?
Are baseline requirements to secure different applications established, documented,

and maintained?
Are technical and operational metrics defined and implemented according to
business objectives, security requirements, and compliance obligations?
Is an SDLC process defined and implemented for application design, development,

deployment, and operation per organizationally designed security requirements?
Does the testing strategy outline criteria to accept new information systems,
upgrades, and new versions while ensuring application security, compliance adherence,
and organizational speed of delivery goals?
Is testing automated when applicable and possible?

Are strategies and capabilities established and implemented to deploy application
code in a secure, standardized, and compliant manner?
Is the deployment and integration of application code automated where possible?
Are application security vulnerabilities remediated following defined processes?
Is the remediation of application security vulnerabilities automated when

possible?
Are business continuity management and operational resilience policies and

procedures established, documented, approved, communicated, applied, evaluated,
and maintained?
Are the policies and procedures reviewed and updated at least annually?
Are criteria for developing business continuity and operational resiliency

strategies and capabilities established based on business disruption and risk
impacts?
Are strategies developed to reduce the impact of, withstand, and recover from
business disruptions in accordance with risk appetite?
Are operational resilience strategies and capability results incorporated

to establish, document, approve, communicate, apply, evaluate, and maintain a
business continuity plan?
Is relevant documentation developed, identified, and acquired to support business
continuity and operational resilience plans?
Is business continuity and operational resilience documentation available

to authorized stakeholders?
Is business continuity and operational resilience documentation reviewed periodically?
Are the business continuity and operational resilience plans exercised and
tested at least annually and when significant changes occur?
Do business continuity and resilience procedures establish communication with
stakeholders and participants?
Is cloud data periodically backed up?
Is the confidentiality, integrity, and availability of backup data ensured?
Can backups be restored appropriately for resiliency?

Is a disaster response plan established, documented, approved, applied, evaluated,
and maintained to ensure recovery from natural and man-made disasters?
Is the disaster response plan updated at least annually, and when significant
changes occur?
Is the disaster response plan exercised annually or when significant changes

occur?
Are local emergency authorities included, if possible, in the exercise?
Is business-critical equipment supplemented with redundant equipment independently

standards?
Are risk management policies and procedures associated with changing organizational
assets including applications, systems, infrastructure, configuration, etc., established,
documented, approved, communicated, applied, evaluated and maintained (regardless
of whether asset management is internal or external)?
Is a defined quality change control, approval and testing process (with established
baselines, testing, and release standards) followed?
Are risks associated with changing organizational assets (including applications,
systems, infrastructure, configuration, etc.) managed, regardless of whether asset
management occurs internally or externally (i.e., outsourced)?
Is the unauthorized addition, removal, update, and management of organization

assets restricted?
Are provisions to limit changes that directly impact CSC-owned environments

and require tenants to authorize requests explicitly included within the service
level agreements (SLAs) between CSPs and CSCs?
Are change management baselines established for all relevant authorized changes
on organizational assets?
Are detection measures implemented with proactive notification if changes

deviate from established baselines?
Is a procedure implemented to manage exceptions, including emergencies, in
the change and configuration process?
'Is the procedure aligned with the requirements of the GRC-04: Policy Exception
Process?'
Is a process to proactively roll back changes to a previously known "good

state" defined and implemented in case of errors or security concerns?
Are cryptography, encryption, and key management policies and procedures established,
Are cryptography, encryption, and key management policies and procedures reviewed
and updated at least annually?
Are cryptography, encryption, and key management roles and responsibilities

defined and implemented?
Are data at-rest and in-transit cryptographically protected using cryptographic

libraries certified to approved standards?
Are appropriate data protection encryption algorithms used that consider data
classification, associated risks, and encryption technology usability?
Are standard change management procedures established to review, approve,
implement and communicate cryptography, encryption, and key management technology
changes that accommodate internal and external sources?
Are changes to cryptography-, encryption- and key management-related systems,

policies, and procedures, managed and adopted in a manner that fully accounts
for downstream effects of proposed changes, including residual risk, cost, and
benefits analysis?
Is a cryptography, encryption, and key management risk program established

and maintained that includes risk assessment, risk treatment, risk context, monitoring,
and feedback provisions?
Are CSPs providing CSCs with the capacity to manage their own data encryption
keys?
Are encryption and key management systems, policies, and processes audited
with a frequency proportional to the system's risk exposure, and after any security
event?
Are encryption and key management systems, policies, and processes audited
(preferably continuously but at least annually)?
Are cryptographic keys generated using industry-accepted and approved cryptographic

libraries that specify algorithm strength and random number generator specifications?
Are private keys provisioned for a unique purpose managed, and is cryptography
secret?
Are cryptographic keys rotated based on a cryptoperiod calculated while considering
information disclosure risks and legal and regulatory requirements?
Are cryptographic keys revoked and removed before the end of the established
cryptoperiod (when a key is compromised, or an entity is no longer part of the
organization) per defined, implemented, and evaluated processes, procedures, and
technical measures to include legal and regulatory requirement provisions?
Are processes, procedures and technical measures to destroy unneeded keys

defined, implemented and evaluated to address key destruction outside secure environments,
revocation of keys stored in hardware security modules (HSMs), and include applicable
legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to create keys in a pre-activated
state (i.e., when they have been generated but not authorized for use) being defined,
implemented, and evaluated to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to monitor, review and approve
key transitions (e.g., from any state to/from suspension) being defined, implemented,
and evaluated to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to deactivate keys (at the
time of their expiration date) being defined, implemented, and evaluated to include
legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to manage archived keys

in a secure repository (requiring least privilege access) being defined, implemented,
and evaluated to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to encrypt information in
specific scenarios (e.g., only in controlled circumstances and thereafter only
for data decryption and never for encryption) being defined, implemented, and
evaluated to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to assess operational continuity

risks (versus the risk of losing control of keying material and exposing protected
data) being defined, implemented, and evaluated to include legal and regulatory
requirement provisions?
Are key management system processes, procedures, and technical measures being
defined, implemented, and evaluated to track and report all cryptographic materials
and status changes that include legal and regulatory requirements provisions?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises established, documented, approved, communicated, enforced,
and maintained?
Is a data destruction procedure applied that renders information recovery

information impossible if equipment is not physically destroyed?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises reviewed and updated at least annually?
Are policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location established, documented,
approved, communicated, implemented, enforced, maintained?
Does a relocation or transfer request require written or cryptographically
verifiable authorization?
Are policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location reviewed and updated at
least annually?
Are policies and procedures for maintaining a safe and secure working environment
(in offices, rooms, and facilities) established, documented, approved, communicated,
enforced, and maintained?
Are policies and procedures for maintaining safe, secure working environments
(e.g., offices, rooms) reviewed and updated at least annually?
Are policies and procedures for the secure transportation of physical media
established, documented, approved, communicated, enforced, evaluated, and maintained?
Are policies and procedures for the secure transportation of physical media
reviewed and updated at least annually?
Is the classification and documentation of physical and logical assets based

on the organizational business risk?
Are all relevant physical and logical assets at all CSP sites cataloged and
tracked within a secured system?
Are physical security perimeters implemented to safeguard personnel, data,

and information systems?
Are physical security perimeters established between administrative and business

areas, data storage, and processing facilities?
Is equipment identification used as a method for connection authentication?

Are solely authorized personnel able to access secure areas, with all ingress
and egress areas restricted, documented, and monitored by physical access control
mechanisms?
Are access control records retained periodically, as deemed appropriate by

the organization?
Are external perimeter datacenter surveillance systems and surveillance systems

at all ingress and egress points implemented, maintained, and operated?
Are datacenter personnel trained to respond to unauthorized access or egress

attempts?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to ensure risk-based protection of power and telecommunication cables
from interception, interference, or damage threats at all facilities, offices,
and rooms?
Are data center environmental control systems designed to monitor, maintain,

and test that on-site temperature and humidity conditions fall within accepted
industry standards effectively implemented and maintained?
Are utility services secured, monitored, maintained, and tested at planned

intervals for continual effectiveness?
Is business-critical equipment segregated from locations subject to a high

probability of environmental risk events?
Are policies and procedures established, documented, approved, communicated,
enforced, evaluated, and maintained for the classification, protection, and handling
of data throughout its lifecycle according to all applicable laws and regulations,
standards, and risk level?
Are data security and privacy policies and procedures reviewed and updated
at least annually?
Are industry-accepted methods applied for secure data disposal from storage
media so information is not recoverable by any forensic means?
Is a data inventory created and maintained for sensitive and personal information
(at a minimum)?
Is data classified according to type and sensitivity levels?
Is data flow documentation created to identify what data is processed and

where it is stored and transmitted?
Is data flow documentation reviewed at defined intervals, at least annually,

and after any change?
Is the ownership and stewardship of all relevant personal and sensitive data
documented?
Is data ownership and stewardship documentation reviewed at least annually?

Are systems, products, and business practices based on security principles
by design and per industry best practices?
Are systems, products, and business practices based on privacy principles

by design and according to industry best practices?
Are systems' privacy settings configured by default and according to all applicable
laws and regulations?
Is a data protection impact assessment (DPIA) conducted when processing personal

data and evaluating the origin, nature, particularity, and severity of risks according
to any applicable laws, regulations and industry best practices?
evaluated to ensure any transfer of personal or sensitive data is protected from
unauthorized access and only processed within scope (as permitted by respective
laws and regulations)?

evaluated to enable data subjects to request access to, modify, or delete personal
data (per applicable laws and regulations)?

evaluated to ensure personal data is processed (per applicable laws and regulations
and for the purposes declared to the data subject)?
evaluated for the transfer and sub-processing of personal data within the service
supply chain (according to any applicable laws and regulations)?

evaluated to disclose details to the data owner of any personal or sensitive data
access by sub-processors before processing initiation?
Is authorization from data owners obtained, and the associated risk managed,
before replicating or using production data in non-production environments?
Do data retention, archiving, and deletion practices follow business requirements,

applicable laws, and regulations?
Are processes, procedures, and technical measures defined and implemented

to protect sensitive data throughout its lifecycle?
Does the CSP have in place, and describe to CSCs, the procedure to manage
and respond to requests for disclosure of Personal Data by Law Enforcement Authorities
according to applicable laws and regulations?
Does the CSP give special attention to the notification procedure to interested
CSCs, unless otherwise prohibited, such as a prohibition under criminal law to
preserve confidentiality of a law enforcement investigation?
Are processes, procedures, and technical measures defined and implemented
to specify and document physical data locations, including locales where data
is processed or backed up?
Are information governance program policies and procedures sponsored by organizational

leadership established, documented, approved, communicated, applied, evaluated,
and maintained?
Is there an established formal, documented, and leadership-sponsored enterprise
risk management (ERM) program that includes policies and procedures for identification,
risks?
Are all relevant organizational policies and associated procedures reviewed

at least annually, or when a substantial organizational change occurs?
Is an approved exception process mandated by the governance program established

and followed whenever a deviation from an established policy occurs?
Has an information security program (including programs of all relevant CCM

domains) been developed and implemented?
Are roles and responsibilities for planning, implementing, operating, assessing,

and improving governance programs defined and documented?
Are all relevant standards, regulations, legal/contractual, and statutory
requirements applicable to your organization identified and documented?
Is contact established and maintained with cloud-related special interest

groups and other relevant entities?
Are background verification policies and procedures of all new employees (including
but not limited to remote employees, contractors, and third parties) established,
Are background verification policies and procedures designed according to
local laws, regulations, ethics, and contractual constraints and proportional
to the data classification to be accessed, business requirements, and acceptable
risk?
Are background verification policies and procedures reviewed and updated at

least annually?
Are policies and procedures for defining allowances and conditions for the
acceptable use of organizationally-owned or managed assets established, documented,
Are the policies and procedures for defining allowances and conditions for
the acceptable use of organizationally-owned or managed assets reviewed and updated
at least annually?
Are policies and procedures requiring unattended workspaces to conceal confidential

data established, documented, approved, communicated, applied, evaluated, and
maintained?
Are policies and procedures requiring unattended workspaces to conceal confidential
data reviewed and updated at least annually?
Are policies and procedures to protect information accessed, processed, or

stored at remote sites and locations established, documented, approved, communicated,
applied, evaluated, and maintained?
Are policies and procedures to protect information accessed, processed, or

stored at remote sites and locations reviewed and updated at least annually?
Are return procedures of organizationally-owned assets by terminated employees

established and documented?
Are procedures outlining the roles and responsibilities concerning changes
in employment established, documented, and communicated to all personnel?
Are employees required to sign an employment agreement before gaining access

to organizational information systems, resources, and assets?
Are provisions and/or terms for adherence to established information governance

and security policies included within employment agreements?
Are employee roles and responsibilities relating to information assets and

security documented and communicated?
Are requirements for non-disclosure/confidentiality agreements reflecting

organizational data protection needs and operational details identified, documented,
and reviewed at planned intervals?
Is a security awareness training program for all employees of the organization
established, documented, approved, communicated, applied, evaluated and maintained?
Are regular security awareness training updates provided?
Are all employees granted access to sensitive organizational and personal

data provided with appropriate security awareness training?
Are all employees granted access to sensitive organizational and personal

data provided with regular updates in procedures, processes, and policies relating
to their professional function?
Are employees notified of their roles and responsibilities to maintain awareness
and compliance with established policies, procedures, and applicable legal, statutory,
or regulatory compliance obligations?
Are identity and access management policies and procedures established, documented,
approved, communicated, implemented, applied, evaluated, and maintained?
Are identity and access management policies and procedures reviewed and updated
at least annually?
Are strong password policies and procedures established, documented, approved,

communicated, implemented, applied, evaluated, and maintained?
Are strong password policies and procedures reviewed and updated at least
annually?
Is system identity information and levels of access managed, stored, and reviewed?
Is the separation of duties principle employed when implementing information

system access?
Is the least privilege principle employed when implementing information system

access?
Is a user access provisioning process defined and implemented which authorizes,

records, and communicates data and assets access changes?
Is a process in place to de-provision or modify the access, in a timely manner,
of movers / leavers or system identity changes, to effectively adopt and communicate
identity and access management policies?
Are reviews and revalidation of user access for least privilege and separation
of duties completed with a frequency commensurate with organizational risk tolerance?
Are processes, procedures, and technical measures for the segregation of privileged
access roles defined, implemented, and evaluated such that administrative data
access, encryption, key management capabilities, and logging capabilities are
distinct and separate?
Is an access process defined and implemented to ensure privileged access roles

and rights are granted for a limited period?
Are procedures implemented to prevent the culmination of segregated privileged
access?
Are processes and procedures for customers to participate, where applicable,

in granting access for agreed, high risk as (defined by the organizational risk
assessment) privileged access roles defined, implemented and evaluated?
Are processes, procedures, and technical measures to ensure the logging infrastructure
is "read-only" for all with write access (including privileged access roles) defined,
implemented, and evaluated?
Is the ability to disable the "read-only" configuration of logging infrastructure
controlled through a procedure that ensures the segregation of duties and break
glass procedures?
Are processes, procedures, and technical measures that ensure users are identifiable
through unique identification (or can associate individuals with user identification
usage) defined, implemented, and evaluated?
Are processes, procedures, and technical measures for authenticating access

to systems, application, and data assets including multifactor authentication
for a least-privileged user and sensitive data access defined, implemented, and
evaluated?
Are digital certificates or alternatives that achieve an equivalent security
level for system identities adopted?
Are processes, procedures, and technical measures for the secure management
of passwords defined, implemented, and evaluated?
Are processes, procedures, and technical measures to verify access to data

and system functions authorized, defined, implemented, and evaluated?
applied, evaluated, and maintained for communications between application services
(e.g., APIs)?

applied, evaluated, and maintained for information processing interoperability?
applied, evaluated, and maintained for application development portability?

applied, evaluated, and maintained for information/data exchange, usage, portability,
integrity, and persistence?
Are interoperability and portability policies and procedures reviewed and
updated at least annually?
Are CSCs able to programmatically retrieve their data via an application interface(s)
to enable interoperability and portability?
Are cryptographically secure and standardized network protocols implemented

for the management, import, and export of data?
Do agreements include provisions specifying CSC data access upon contract termination, and
have the following?
a. Data format
b. Duration data will be stored
Are infrastructure and virtualization security policies and procedures established,
Are infrastructure and virtualization security policies and procedures reviewed

Is resource availability, quality, and capacity planned and monitored in a

way that delivers required system performance, as determined by the business?
Are communications between environments monitored?

Are communications between environments encrypted?
Are communications between environments restricted to only authenticated and

authorized connections, as justified by the business?
Are network configurations reviewed at least annually?

Are network configurations supported by the documented justification of all
allowed services, protocols, ports, and compensating controls?
Is every host and guest OS, hypervisor, or infrastructure control plane hardened
(according to their respective best practices) and supported by technical controls
as part of a security baseline?
Are production and non-production environments separated?
Are applications and infrastructures designed, developed, deployed, and configured

segmented, segregated, monitored, and restricted from other tenants?
Are secure and encrypted communication channels including only up-to-date
and approved protocols used when migrating servers, services, applications, or
data to cloud environments?
Are high-risk environments identified and documented?
Are processes, procedures, and defense-in-depth techniques defined, implemented,

and evaluated for protection, detection, and timely response to network-based
attacks?
Are logging and monitoring policies and procedures established, documented,

Are policies and procedures reviewed and updated at least annually?

evaluated to ensure audit log security and retention?
Are security-related events identified and monitored within applications and

the underlying infrastructure?
Is a system defined and implemented to generate alerts to responsible stakeholders

based on security events and their corresponding metrics?
Is access to audit logs restricted to authorized personnel, and are records
maintained to provide unique access accountability?
Are security audit logs monitored to detect activity outside of typical or

expected patterns?
Is a process established and followed to review and take appropriate and timely
actions on detected anomalies?
Is a reliable time source being used across all relevant information processing
systems?
Are logging requirements for information meta/data system events established,

documented, and implemented?
Is the scope reviewed and updated at least annually, or whenever there is
a change in the threat environment?
Are audit records generated, and do they contain relevant security information?
Does the information system protect audit records from unauthorized access,
modification, and deletion?
Are monitoring and internal reporting capabilities established to report on

cryptographic operations, encryption, and key management policies, processes,
procedures, and controls?
Are key lifecycle management events logged and monitored to enable auditing
and reporting on cryptographic keys' usage?
Is physical access logged and monitored using an auditable access control
system?
Are processes and technical measures for reporting monitoring system anomalies
and failures defined, implemented, and evaluated?
Are accountable parties immediately notified about anomalies and failures?
Are policies and procedures for security incident management, e-discovery,

and cloud forensics established, documented, approved, communicated, applied,
evaluated, and maintained?
Are policies and procedures reviewed and updated annually?
Are policies and procedures for timely management of security incidents established,
Are policies and procedures for timely management of security incidents reviewed
Is a security incident response plan that includes relevant internal departments,

impacted CSCs, and other business-critical relationships (such as supply-chain)
established, documented, approved, communicated, applied, evaluated, and maintained?
Is the security incident response plan tested and updated for effectiveness,
as necessary, at planned intervals or upon significant organizational or environmental
changes?
Are information security incident metrics established and monitored?
Are processes, procedures, and technical measures supporting business processes

to triage security-related events defined, implemented, and evaluated?
Are processes, procedures, and technical measures for security breach notifications
defined and implemented?
Are security breaches and assumed security breaches reported (including any
relevant supply chain breaches) as per applicable SLAs, laws, and regulations?
Are points of contact maintained for applicable regulation authorities, national

and local law enforcement, and other legal jurisdictional authorities?
Are policies and procedures implementing the shared security responsibility

model (SSRM) within the organization established, documented, approved, communicated,
applied, evaluated, and maintained?
Are the policies and procedures that apply the SSRM reviewed and updated annually?
Is the SSRM applied, documented, implemented, and managed throughout the supply
chain for the cloud service offering?
Is the CSC given SSRM guidance detailing information about SSRM applicability
throughout the supply chain?
Is the shared ownership and applicability of all CSA CCM controls delineated
according to the SSRM for the cloud service offering?
Is SSRM documentation for all cloud services the organization uses reviewed
and validated?
Are the portions of the SSRM the organization is responsible for implemented,
operated, audited, or assessed?
Is an inventory of all supply chain relationships developed and maintained?
Are risk factors associated with all organizations within the supply chain
periodically reviewed by CSPs?
Do service agreements between CSPs and CSCs (tenants) incorporate at least the following
mutually agreed upon provisions and/or terms?
• Scope, characteristics, and location of business relationship and services offered
• Right to audit and third-party assessment
• Data privacy
Are supply chain agreements between CSPs and CSCs reviewed at least annually?
Is there a process for conducting internal assessments at least annually to

confirm the conformance and effectiveness of standards, policies, procedures,
and SLA activities?
Are policies that require all supply chain CSPs to comply with information
security, confidentiality, access control, privacy, audit, personnel policy, and
service level requirements and standards implemented?
Are supply chain partner IT governance policies and procedures reviewed periodically?
Is a process to conduct periodic security assessments for all supply chain

organizations defined and implemented?
applied, evaluated, and maintained to identify, report, and prioritize the remediation
of vulnerabilities to protect systems against vulnerability exploitation?
Are threat and vulnerability management policies and procedures reviewed and
updated at least annually?
Are policies and procedures to protect against malware on managed assets established,
Are asset management and malware protection policies and procedures reviewed
evaluated to enable scheduled and emergency responses to vulnerability identifications
(based on the identified risk)?

evaluated to update detection tools, threat signatures, and compromise indicators
weekly (or more frequent) basis?

evaluated to identify updates for applications that use third-party or open-source
libraries (according to the organization's vulnerability management policy)?

evaluated for periodic, independent, third-party penetration testing?
evaluated for vulnerability detection on organizationally managed assets at least
monthly?
Is vulnerability remediation prioritized using a risk-based model from an

industry-recognized framework?
Is a process defined and implemented to track and report vulnerability identification

and remediation activities that include stakeholder notification?
Are metrics for vulnerability identification and remediation established,

monitored, and reported at defined intervals?

applied, evaluated, and maintained for all endpoints?
Are universal endpoint management policies and procedures reviewed and updated
at least annually?
Is there a defined, documented, applicable and evaluated list containing approved

services, applications, and the sources of applications (stores) acceptable for
use by endpoints when accessing or storing organization-managed data?
Is a process defined and implemented to validate endpoint device compatibility

with operating systems and applications?
Is an inventory of all endpoints used and maintained to store and access company
data?
Are processes, procedures, and technical measures defined, implemented and
evaluated, to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data?
Are all relevant interactive-use endpoints configured to require an automatic

lock screen?
Are changes to endpoint operating systems, patch levels, and/or applications

managed through the organizational change management process?
Is information protected from unauthorized disclosure on managed endpoints

with storage encryption?
Are anti-malware detection and prevention technology services configured on

managed endpoints?
Are software firewalls configured on managed endpoints?
Are managed endpoints configured with data loss prevention (DLP) technologies
and rules per a risk assessment?
Are remote geolocation capabilities enabled for all managed mobile endpoints?

evaluated to enable remote company data deletion on managed endpoint devices?
Are processes, procedures, and technical and/or contractual measures defined,

implemented, and evaluated to maintain proper security of third-party endpoints
with access to organizational assets?
v4.0.6
CCM v4.0 CCM v4.0 Implementation Guidelines
Authors Authors
Martin Acherman
John Britton
Ricky Arora
Bobbie-Lynn Burton
Christian Banse
Daniele Catteddu
Rolf Becker
Aradhna Chetal
John Britton
Peter Dickman
Jon-Michael Brook
Angell Duran
Bobbie-Lynn Burton
Rajeev Gupta
Daniele Catteddu
Shawn Harris
Sean Cordero
Roberto Hernandez
Peter Dickman
Matthew Hoerig
Sean Estrada
Erik Johnson
Tom Follo
Harry Lu
Shawn Harris
Claus Matzke
Matthew Hoerig
Vani Murthy
Erik Johnson
Johan Olivier
Harry Lu
Bala Kaundinya
Maksym Nowak
Nancy Kramer
Surinder S. Rait
Surinder Singh Rait
Michael Roza
Michael Roza
Agnidipta Sarkar
Agnidipta Sarkar
Chris Shull
Lefteris Skoutaris
Lefteris Skoutaris
Ashish Vashishtha
Tony Snook
Contributors Contributors
Kai Axford
Darin Blank
Kevin Burgin
Martin Capuder
Vishal Chaudhary
Aradhna Chetal
Jeff Cook
Angela Dogan
Doug Egan
Andreas von Grebmer
Mohin Gulzar
Sandra Ackland
Frank Jaramillo
Geoff Bird
Gaurav Khanna
Madhav Chablani
Keri Kusznir
Ramon Codina
Jens Laundrup
Mamane Ibrahim
Robin Lyons
Joel John
Loredana Mancini
Giovanni Massard
Julien Mauvieux
Jean-Sebastien Mine
Bill Marriott
Chirag Sheth
Claus Matzke
Matthew Meersman
David Nance
Christine Peters
Lisa Peterson
Paul Rich
Max Simakov
Tima Soni
Luke Synnestvedt
Eric Tierling
Raj Tuliani
Editorial Team
Darin Blank (Team Lead)

Bobbie-Lynn Burton
Martin Capuder
Lisa Peterson
Luke Synnestvedt
CCM Leadership
Daniele Catteddu (CSA)

Sean Cordero
Sean Estrada
Shawn Harris
Harry Lu
David Nickles
Lefteris Skoutaris (CSA)
End of acknowledgments
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the
Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud
Controls Matrix v4.0.6 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be
modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may
not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair Use provisions of the United States Copyright
Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are interested in obtaining a
license to this #material for other usages not addresses in the copyright notice, please contact info@cloudsecurityalliance.org.
ntation Guidelines CCM v4.0 Auditing Guidelines CCM v4.0 - ISO/IEC 27001:2022, 2
ors Authors Contributors

ritton
nn Burton
Robin Basham
atteddu
Michael Bayere
Chetal
Geoff Bird
ckman
Hyunho Chang
Duran
Sanjeev Gupta (Team Lead) Elastos Chimwanda
Gupta
Parminder Bawa Angela Dogan
Harris
Renu Bedi Phil Garrelhas
ernandez
Damian Heal Mohin Gulzar
Hoerig
Jan Jacobsen Alana James-Aikins
hnson
Bilal Khattak Joel John
Lu
David Nickles Erik Johnson
Matzke
Agnidipta Sarkar Jason Lutz
urthy
Steve Sparkes Krishna Das Manghat
Olivier
Tanya Tipper-Luster Claus Matzke
ndinya
Ashish Vashishtha Deb Mukherjee
Kramer
Johan Olivier
ngh Rait
Tim Pasaribu
Roza
Gina Rodriguez
Sarkar
Alex Stezycki
koutaris
shishtha
utors Contributors
ckland
Bird Brian Dorsey
Chablani Angell Duran
Codina Joel John
Ibrahim Erik Johnson
ohn Michael Roza
Massard Claus Matzke
ien Mine Vani Murthy
Sheth
omputer, view, print, and link to the
bject to the following: (a) the Cloud
ntrols Matrix v4.0.6 may not be
k, copyright or other notices may
ns of the United States Copyright
you are interested in obtaining a
iance.org.
CM v4.0 - ISO/IEC 27001:2022, 27002:2022 CCM v4.0 - CIS v8.0 Mapping
Robin Basham
Michael Bayere Renu Bedi
Geoff Bird Geoff Bird
Hyunho Chang Ramon Codina
Elastos Chimwanda Angell Duran
Angela Dogan David Friedenberg
Phil Garrelhas Yogesh Gupta
Mohin Gulzar Frank Jaramillo
Alana James-Aikins Joel John
Joel John Bala Kaundinya
Erik Johnson Claus Matzke
Jason Lutz Vani Murthy
Krishna Das Manghat Johan Olivier
Claus Matzke Michael Roza
Deb Mukherjee Thomas Sager
Johan Olivier Keith Stocks
Tim Pasaribu Ashish Vashishtha
Gina Rodriguez Dimitri Vekris
Alex Stezycki
CCM v4.0 - PCI DSS v3.2.1 Mapping CCM v4.0 - AICPA TSC 2017 Mapping
Renu Bedi
Madhav Chablani
Renu Bedi
Angela Dogan
Geoff Bird
Angell Duran
Madhav Chablani
Odutola Ekundayo
Vishal Chaudhary
Roberto Hernandez
Angell Duran
Frank Jaramillo
Frank Jaramillo
Joel John
Joel John
Audrey Katcher
Bala Kaundinya
Bala Kaundinya
Claus Matzke
Giovanni Massard
Vani Murthy
Vani Murthy
Johan Olivier
Johan Olivier
Michael Roza
Michael Roza
Tanya Tipper-Luster
Agnidipta Sarkar
Thomas Sager
Chirag Sheth
Ashish Vashishtha
Ashish Vashishtha
Dimitri Vekris
Dimitri Vekris
Surya Vinjamuri
TSC 2017 Mapping CCM v4.0 - ISO27001/02/17/18 Mapping CCM v4.0 - NIST 800-53r5 Ma
utors Contributors Contributors

Sandra Ackland
Renu Bedi Robin Basham (Team Lead)
Bedi
Anders Brännfors Geoff Bird
Chablani
Ramon Codina Madhav Chablani
Dogan
Angela Dogan Denny Dean
Duran
Brian Dorsey Angela Dogan
kundayo
Angell Duran Angell Duran
ernandez
Odutola Ekundayo Mayank Garg
ramillo
Roberto Hernandez Alana James
ohn
Frank Jaramillo Frank Jaramillo
Katcher
Bala Kaundinya Joel John
ndinya
Nancy Kramer Erik Johnson
Massard
Vani Murthy Evan Jones
urthy
Johan Olivier Bala Kaundinya
Olivier
Surinder Singh Rait Kimberley Laris
Roza
Michael Roza Claus Matzke
Sarkar
Agnidipta Sarkar Michelle Moore
Sheth
Chirag Sheth Vani Murthy
shishtha
Chris Shull Johan Olivier
Vekris
Ashish Vashishtha Michael Roza
njamuri
Dimitri Vekris Thomas Sager
Surya Vinjamuri
CCM v4.0 - NIST 800-53r5 Mapping CCM v4.0 - CCM v3.0.1 Mapping
Robin Basham (Team Lead)
Sandra Ackland
Geoff Bird
Renu Bedi
Madhav Chablani
Glenn Bluff
Denny Dean
Anders Brännfors
Angela Dogan
Madhav Chablani
Angell Duran
Aislin Cole
Mayank Garg
Brian Dorsey
Alana James
Angell Duran
Frank Jaramillo
Rajeev Gupta
Joel John
Frank Jaramillo
Erik Johnson
Bala Kaundinya
Evan Jones
Nancy Kramer
Bala Kaundinya
Claus Matzke
Kimberley Laris
Vani Murthy
Claus Matzke
Johan Olivier
Michelle Moore
Michael Roza
Vani Murthy
Surinder Singh Rait
Johan Olivier
Ashish Vashishtha
Michael Roza
Dimitri Vekris
Thomas Sager
CAIQ v4.0
Contributors
Tony Snook (Team Lead)
Renu Bedi
Geoff Bird
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Hannah Day
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Frank Jaramillo
Erik Johnson
Bala Kaundinya
Johan Olivier
Michael Roza
Lefteris Skoutaris
Luis Urena
Ashish Vashishtha
Casey Wood
v4.0.6
Change Log
Version Date Component
CCM v4.0.6 2022/12/14 Mapping
CCM v4.0.5 2021/02/10 Mapping

CCM v4.0.4 2021/12/08 Guidelines
CCM v4.0.3 2021/09/14 Guidelines
CCM v4.0.2 2021/07/13 Mapping
CCM v4.0.1 2021/06/07 CAIQ
CCM v4.0.1 2021/06/07 Mapping
CCM v4.0.0 2021/01/21 Mapping
CCM v4.0.0 2021/01/21 Control

End of Change Log
“Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may
your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Control
not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 a
Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version
interested in obtaining a license to this #material for other usages not addresses in the copyright notice, please contact info@cloudsecurityalliance.org.
Change Log
Description of Change
The mapping of CCM v4.0 to ISO/IEC 27001:2022 and 27002:2022 is included in the
standard.
Others changes that are applied:

Alignment of requirements mappings between ISO/IEC 27001/02:2022 and ISO/IEC
27001/02/17/18 mappings established.
The CCMv4.0 to ISO/IEC 27001/02/17/18 is updated. Changes applied:

ISO/IEC 27001:A.9.4.4 is mapped to IAM-10 (CCMv4.0).
Fixed typos.
The CCMv4.0 to CCMv3.0.1 mapping is updated. Changes applied:

IVS-11 (CCMv3.0.1) is mapped to IVS-04 (CCMv4.0).
The mappings of CCM v4.0 to PCI DSS v3.2.1 and NIST 800-53 rev. 5 are included in the
standard.
The CCM v4.0 Auditing Guidelines component is released.
The CCM v4.0 Implementation Guidelines component is released.
The mappings of CCM v4.0 to AICPA TSC 2017 and CIS v8.0 are included in the
standard.
The Consensus Assessment Initiative Questionnaire version 4 (CAIQ v4.0) is released.
The CCMv4.0 to CCMv3.0.1 mapping is updated. Changes that are applied:

MOS-19 (CCMv3.0.1) is mapped to UEM-07 (CCMv4.0).
MOS-05 (CCMv3.0.1) is mapped to UEM-01 (CCMv4.0).
IVS-11 (CCMv3.0.1) is mapped to IAM-05 (CCMv4.0).
IAM-08 (CCMv3.0.1) is mapped to IAM-03 (CCMv4.0).
STA-01 (CCMv3.0.1) is mapped to STA-12 (CCMv4.0).
The mappings of CCM v4.0 to CCM v3.0.1 and ISO/IEC 27001/02/17/18 are included in
the first release of the standard.
The Cloud Control Matrix version 4 (CCM v4.0) is released (including the controls
applicability matrix).
End of Change Log
u may download, store, display on your computer, view, print, and link to the Cloud Security Alliance
yalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used solely for
Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may
not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair
ute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are
sses in the copyright notice, please contact info@cloudsecurityalliance.org.

CCMv4.0.6 - Generated at - 2022 12 14

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCMv4.0.6 - Generated at - 2022 12 14

Uploaded by

Copyright:

Available Formats

CLOUD CONTROLS MATRIX v4.0.

• CCM Implementation Guidelines.

• CCM Auditing Guidelines.

• CCM Scope Applicability (Mappings).

• Consensus Assessments Initiative Questionnaire (CAIQ).

Each control is described by a:

• Control Title: the title of the control.

• Control ID: the control identifier.

• Control Specification: the requirement(s) description of the control.

In addition, this tab includes the following sections (groups of columns)

Typical Control Applicability and Ownership:

Architectural Relevance - Cloud Stack Components:

The guidelines can be downloaded in PDF format here

c. CCM Auditing Guidelines:

The guidelines can be downloaded in PDF format here

• No Gap: In case of full correspondence.

• Question ID: the questions identifier.

• Question: the description of the question.

UE” if the control is relevant to a component and “FALSE” if it is not.

UE” if the control is relevant to a component and “FALSE” if it is not.

c. CCM Auditing Guidelines:

) corresponds to the CCM control.

y the corresponding CCM control’s requirements.

sponding CCM control’s requirements.

Control Domain Control Title Control ID

Audit & Assurance - A&A

Audit and Assurance Policy and

Audit & Assurance Independent Assessments A&A-02

Audit & Assurance Risk Based Planning Assessment A&A-03

Audit & Assurance Audit Management Process A&A-05

Audit & Assurance Remediation A&A-06

Application & Interface Security - AIS

Application & Interface Application Security Baseline

Application & Interface

Application & Interface Secure Application Design and

Application & Interface Automated Secure Application

Application & Interface

Business Continuity Management and Operational Resilience - BCR

Change Control and

Change Control and

Change Control and

Change Control and

Change Control and

Change Control and

Change Control and

Change Control and

Cryptography, Encryption & Key Management - CEK

Datacenter Security - DCS

Off-Site Equipment Disposal Policy

Datacenter Security Secure Area Policy and Procedures DCS-03

Secure Media Transportation Policy

Datacenter Security Assets Classification DCS-05

Datacenter Security Controlled Access Points DCS-07

Datacenter Security Equipment Identification DCS-08

Datacenter Security Secure Area Authorization DCS-09

Datacenter Security Surveillance System DCS-10

Datacenter Security Cabling Security DCS-12

Datacenter Security Environmental Systems DCS-13

Datacenter Security Secure Utilities DCS-14

Datacenter Security Equipment Location DCS-15

Data Security and Privacy Lifecycle Management - DSP

Data Security and

Data Security and