v4.0.6
Introduction
This section explains the CCM V4 spreadsheet structure and describes its components.
I. Structure
The CCM V4 spreadsheet includes five tabs:
• Introduction.
• CCM Controls.
• Acknowledgments.
II. Components Description
a. CCM Controls
This is the core of the CCM V4. It includes 197 controls structured in 17 domains.
• Control Domain: the name of the domain to which the control pertains.
This group of columns describes the typical applicability of controls for the three main cloud delivery models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). Additionally, the section explores the typical SSRM-based (Shared Security Responsibility Model) allocation of responsibilities for the implementation of a given CCM control between a cloud service provider (CSP) and a cloud service customer (CSC). The matrix clarifies if a control’s responsibility should be “CSP-Owned”, “CSC-Owned”, or “Shared”.
IMPORTANT NOTE: Both the control applicability to IaaS, PaaS, and SaaS models and the control ownership attributions are meant to represent a high-level simplification. The CCM user should revise those attributions depending on the contractually agreed SSRM for the specific cloud environment.
This group of columns indicates the architectural relevance of each CCM control per cloud stack component from the perspective of the CSA Cloud Reference Model. The section focuses on components, including physical, network, compute, storage, application, and data.
The “relevance box” associated with each component is marked as “TRUE” if the control is relevant to a component and “FALSE” if it is not.
IMPORTANT NOTE: The architectural relevance is meant to represent a high-level simplification. The CCM user should revise those attributions depending on its specific cloud environment and technologies used.
Organizational Relevance:
This group of columns indicates the relevance between each CCM control and its implementation by the respective cloud relevant functions within an organization. The functions included are: Cybersecurity, Internal Audit, Architecture Team, Software Development Team, Operations, Legal/Privacy, Governance/Risk/Control, Supply Chain Management, and Human Resources.
The “relevance box” associated with each component is marked as “TRUE” if the control is relevant to a component and “FALSE” if it is not.
IMPORTANT NOTE: The organizational relevance is meant to represent a high-level simplification. The user of the CCM should revise those attributions depending on the specific cloud environment and organizational structure.
b. CCM Implementation Guidelines:
This tab includes the CCM V4 Implementation Guidelines that are tailored to the security and privacy control specifications of the 17 cloud security domains of the CCM, with their main goal being to provide guidance and recommendations in support of the controls’ proper implementation.
IMPORTANT NOTE:
The implementation guidelines are neither exhaustive nor prescriptive in nature, but rather represent a generic guide in the form of recommendations. Their operationalization will largely depend on the nature of the IT/service architecture, the type of technology used and risks faced, applicable regulations, organizational policies and other significant factors.
IMPORTANT NOTE:
The auditing guidelines are not exhaustive or prescriptive by nature but rather represent a generic guide in the form of recommendations for the assessment of CCM controls implementations. Auditors must customize the descriptions, procedures, risks, controls, and documentation to organization-specific audit work programs and the service(s) in the scope of the assessment to address the specific audit objectives.
d. CCM Scope Applicability (Mappings):
This tab includes the mappings between CCM V4 and numerous standards (ISO 27001/2/17) and best practices (CIS V8) control sets relevant to cloud computing.
For each standard, CCM V4 is mapped to include the following three columns:
Control Mapping
The indication of which control(s) in the target standard (e.g., ISO27001) corresponds to the CCM control.
Gap Level
The level of gap a control (or controls) in the target standard has when compared with the CCM control. The gap levels used are:
• Partial Gap: If the control(s) in the target standard does not fully satisfy the corresponding CCM control’s requirements.
• Full Gap: If there is no control in the target standard to fulfill the corresponding CCM control’s requirements.
Addendum
The column describes the suggested compensating control that organizations must implement to cover the gap between the control in the target standard and the corresponding CCM control.
e. Consensus Assessments Initiative Questionnaire (CAIQ):
This tab includes the questionnaire associated with CCM V4 controls, commonly known as CAIQ. The CAIQ consists of 261 questions structured in the 17 domains of the CCM. Each question is described in the following manner:
IMPORTANT NOTE: The CAIQ version in this spreadsheet is NOT meant to be used in lieu of submitting self-assessments (STAR Level 1) into the STAR Registry. A separate submission form has been created for that purpose:
Download it here
f. Acknowledgments:
This tab acknowledges the volunteers who contributed to the CCM V4’s development.
End of Introduction
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
CLOUD CONTROLS MATRIX v4.0.6
Business Continuity Management and Operational Resilience
• BCR-01 Business Continuity Management Policy and Procedures
• BCR-02 Risk Assessment and Impact Analysis
• BCR-03 Business Continuity Strategy
• BCR-04 Business Continuity Planning
• BCR-05 Documentation
• BCR-06 Business Continuity Exercises
• BCR-07 Communication
• BCR-08 Backup
• BCR-09 Disaster Response Plan
• BCR-10 Response Plan Exercise
• BCR-11 Equipment Redundancy
Change Control and Configuration Management - CCC
Cryptography, Encryption & Key Management
• CEK-02 CEK Roles and Responsibilities
• CEK-03 Data Encryption
• CEK-04 Encryption Algorithm
• CEK-05 Encryption Change Management
• CEK-06 Encryption Change Cost Benefit Analysis
• CEK-07 Encryption Risk Management
• CEK-08 CSC Key Management Capability
• CEK-09 Encryption and Key Management Audit
• CEK-10 Key Generation
• CEK-11 Key Purpose
• CEK-12 Key Rotation
• CEK-13 Key Revocation
• CEK-14 Key Destruction
• CEK-15 Key Activation
• CEK-16 Key Suspension
• CEK-17 Key Deactivation
• CEK-18 Key Archival
• CEK-19 Key Compromise
• CEK-20 Key Recovery
• CEK-21 Key Inventory Management
Interoperability & Portability
• IPY-02 Application Interface Availability
Infrastructure & Virtualization Security
• IVS-02 Capacity and Resource Planning
• IVS-03 Network Security
• IVS-04 OS Hardening and Base Controls
• IVS-06 Segmentation and Segregation
• IVS-07 Migration to Cloud Environments
• IVS-08 Network Architecture Documentation
• IVS-09 Network Defense
Security Incident Management, E-Discovery, & Cloud Forensics
• SEF-02 Service Management Policy and Procedures
• SEF-03 Incident Response Plans
• SEF-04 Incident Response Testing
• SEF-05 Incident Response Metrics
• SEF-06 Event Triage Processes
• SEF-07 Security Breach Notification
• SEF-08 Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability
• STA-02 SSRM Supply Chain
• STA-03 SSRM Guidance
• STA-04 SSRM Control Ownership
• STA-05 SSRM Documentation Review
• STA-06 SSRM Control Implementation
• STA-07 Supply Chain Inventory
• STA-08 Supply Chain Risk Management
• STA-09 Primary Service and Contractual Agreement
• STA-10 Supply Chain Agreement Review
• STA-11 Internal Compliance Testing
• STA-12 Supply Chain Service Agreement Compliance
• STA-13 Supply Chain Governance Review
• STA-14 Supply Chain Data Security Assessment
Universal Endpoint Management
• UEM-02 Application and Service Approval
• UEM-03 Compatibility
• UEM-04 Endpoint Inventory
• UEM-05 Endpoint Management
• UEM-06 Automatic Lock Screen
• UEM-07 Operating Systems
• UEM-08 Storage Encryption
• UEM-09 Anti-Malware Detection and Prevention
• UEM-10 Software Firewall
• UEM-11 Data Loss Prevention
• UEM-12 Remote Locate
• UEM-13 Remote Wipe
• UEM-14 Third-Party Endpoint Security Posture
End of Standard
Control Specification
CSPs must provide the capability for CSCs to manage their own data
encryption keys.
Define, implement and evaluate processes, procedures and technical
measures to destroy keys stored outside a secure environment and revoke keys
stored in Hardware Security Modules (HSMs) when they are no longer needed, which
include provisions for legal and regulatory requirements.
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually.
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk.
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
Establish and monitor information security incident metrics.
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Review supply chain agreements between CSPs and CSCs at least annually.
Define and implement a process for conducting internal assessments
to confirm conformance and effectiveness of standards, policies, procedures,
and service level agreement activities at least annually.
CLOUD CONTROLS MATRIX v4.0.6
Business Continuity Management and Operational Resilience
• BCR-02 Risk Assessment and Impact Analysis
• BCR-03 Business Continuity Strategy
• BCR-04 Business Continuity Planning
• BCR-05 Documentation
• BCR-06 Business Continuity Exercises
• BCR-07 Communication
• BCR-08 Backup
• BCR-09 Disaster Response Plan
• BCR-10 Response Plan Exercise
• BCR-11 Equipment Redundancy
Cryptography, Encryption & Key Management
• CEK-05 Encryption Change Management
• CEK-06 Encryption Change Cost Benefit Analysis
• CEK-07 Encryption Risk Management
• CEK-08 CSC Key Management Capability
• CEK-09 Encryption and Key Management Audit
• CEK-10 Key Generation
• CEK-11 Key Purpose
• CEK-12 Key Rotation
• CEK-13 Key Revocation
• CEK-14 Key Destruction
• CEK-15 Key Activation
• CEK-16 Key Suspension
• CEK-17 Key Deactivation
• CEK-18 Key Archival
• CEK-19 Key Compromise
• CEK-20 Key Recovery
• CEK-21 Key Inventory Management
Interoperability & Portability
• IPY-02 Application Interface Availability
• IPY-03 Secure Interoperability and Portability Management
Infrastructure & Virtualization Security
• IVS-03 Network Security
• IVS-04 OS Hardening and Base Controls
• IVS-05 Production and Non-Production Environments
• IVS-06 Segmentation and Segregation
• IVS-07 Migration to Cloud Environments
• IVS-08 Network Architecture Documentation
• IVS-09 Network Defense
Security Incident Management, E-Discovery, & Cloud Forensics
• SEF-02 Service Management Policy and Procedures
• SEF-03 Incident Response Plans
• SEF-04 Incident Response Testing
• SEF-05 Incident Response Metrics
• SEF-06 Event Triage Processes
• SEF-07 Security Breach Notification
• SEF-08 Points of Contact Maintenance
Supply Chain Management, Transparency, and Accountability
• STA-02 SSRM Supply Chain
• STA-03 SSRM Guidance
• STA-04 SSRM Control Ownership
• STA-05 SSRM Documentation Review
• STA-06 SSRM Control Implementation
• STA-07 Supply Chain Inventory
• STA-08 Supply Chain Risk Management
• STA-09 Primary Service and Contractual Agreement
• STA-10 Supply Chain Agreement Review
• STA-11 Internal Compliance Testing
• STA-12 Supply Chain Service Agreement Compliance
• STA-13 Supply Chain Governance Review
• STA-14 Supply Chain Data Security Assessment
Threat & Vulnerability Management - TVM
Universal Endpoint Management
• UEM-03 Compatibility
• UEM-04 Endpoint Inventory
• UEM-05 Endpoint Management
• UEM-06 Automatic Lock Screen
• UEM-07 Operating Systems
• UEM-08 Storage Encryption
• UEM-09 Anti-Malware Detection and Prevention
• UEM-10 Software Firewall
• UEM-11 Data Loss Prevention
• UEM-12 Remote Locate
• UEM-13 Remote Wipe
• UEM-14 Third-Party Endpoint Security Posture
End of Guidelines
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
Control Specification
Classify and document the physical and logical assets (e.g., applications)
based on the organizational business risk.
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
The CSP must have in place, and describe to CSCs the procedure to
manage and respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations. The CSP must give
special attention to the notification procedure to interested CSCs, unless otherwise
prohibited, such as a prohibition under criminal law to preserve confidentiality
of a law enforcement investigation.
Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
Define, implement and evaluate processes, procedures and technical
measures for the segregation of privileged access roles such that administrative
access to data, encryption and key management capabilities and logging capabilities
are distinct and separated.
Define and implement an access process to ensure privileged access
roles and rights are granted for a time-limited period, and implement procedures
to prevent the accumulation of segregated privileged access.
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
Both the cloud service provider (CSP) and cloud service customer (CSC) should develop a "customized
integrated framework" of audit and assurance policies and procedures. This framework should
incorporate/demonstrate compliance to leading industry standards and self-imposed business requirements while
providing appropriate coverage of controls to assess the respective cloud environment and corresponding
services.
At a minimum, audit and assurance policies and procedures should include:
The frequency of audit and assurance evaluations should comply with applicable standards, regulations,
legal/contractual obligations, and statutory requirements.
The audit and assurance process should assess all applicable CCM domains.
Independent audit and assurance assessments should be based on risk-based plans that define audit objectives,
scope, resources, timeline and deliverables, documentation and reporting requirements, use of relevant
technology and data analysis techniques, costs, communication, and escalation protocols.
Both CSPs and CSCs may take guidance from industry standards like the Committee of Sponsoring
Organizations (COSO) or the International Organization for Standardization (ISO) 31000 for risk management
and risk-based planning.
Verify compliance with all relevant standards applicable to the audit, such as:
a. Country regulations
b. Standards and certifications
c. Industry sector regulations
d. International applicable regulations such as those regarding privacy and cybersecurity
Audit management process security should include:
a. Secure role-based access and authorization and secure communication and storage.
b. Controls to protect audit data confidentiality, integrity, and availability.
c. Periodic reporting, including issues and remediation plans per organizational requirements.
The organization should document, communicate, and enforce change management best practices to address audit
findings based on a risk-based approach.
The policy should:
Reporting:
Reporting should be designed with various users in mind. For example, security professionals, engineering teams,
business stakeholders, and executives will often have different interests requiring specialized views, filtering, and
delivery mechanisms.
To successfully enable SSDLC security, roles and expectations should be clearly defined and published, and an
inventory of applications and their metadata should exist in an easily accessible format.
Appropriate security practice examples for the common stages of an SSDLC are provided below to include the
following categories: training, requirements, design, development, testing, and release and response.
A. Training:
a. Role-based secure development training should be required at multiple stages of employment (or other
contractual relationships), including on-boarding and role changes.
b. Refresher training should be delivered throughout one's career, regardless of position or movement in their
organization.
c. Targeted, specialty training should be created and made available as the organization adopts new technologies.
d. Progressively advanced training should be made available to relevant employees (and contractors whenever
applicable) as they transition through technical roles and/or champion program participants.
B. Requirements:
a. Generic and specialized security requirements should be defined, published, organized, and easily accessible to
all organizational roles.
b. Every application, during each iteration, should review existing requirements and research if additional
requirements are necessary. It is beneficial for the engineering teams to consult with a security professional at this
time.
C. Design:
a. Security-focused design reviews are conducted.
b. Threat models are developed or modified.
c. The design of new or enhanced security controls, required by the application design, is developed.
D. Development:
a. Develop, as per design specifications.
b. Abuse cases are used to develop a security-focused unit and integration tests during development.
c. Secure coding practices are implemented and enforced through automation and manual peer code reviews.
E. Security Testing:
Note: The implementation guidelines of AIS-05 should be interpreted as further guidance in addition to what is
specified in AIS-03 and AIS-04.
Automation of security testing should be implemented to reduce risks and errors and enable the scaling of
security practices to meet organizational demands. Multiple test types and integration points will likely be needed
to provide the appropriate level of assurance throughout the SDLC. Criteria should be developed for use when
assessing the automation required by an application, as not all systems will benefit equally.
Strategy:
a. Identify the goals and requirements of the automation implementation.
Example goals:
• Security requirements are not relaxed to improve speed.
• All developers can leverage tools to detect security weaknesses while developing software.
• All third-party libraries are scanned for known vulnerabilities.
• All authentication and authorization functions “pass” abuse case unit tests before deployment.
• All website security headers are verified to meet security requirements when deployed.
Example requirements:
• Applicable programming languages should be supported by static analysis tools.
• Python and C# should be supported by select static analysis tools.
• Automation should not require infrastructure support.
• All automation tools should offer an application programming interface (API).
• All website security headers are verified to meet security requirements when deployed.
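The goal and requirement above ("all website security headers are verified to meet security requirements when deployed") are typical candidates for an automated deployment gate. The following is an added example, not part of the CCM or any CSA tool, that checks one response's headers against a constructed requirement set; the one-year minimum HSTS max-age and the particular headers required are assumptions that an organization would replace with its own published requirements.

```python
"""Verify that a deployed site's response headers meet a security requirement set.
Added example; the thresholds and required headers below are assumptions."""
import re
from typing import Dict, List

HSTS_MIN_MAX_AGE = 31536000   # assumed policy: HSTS must cover at least one year


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one HTTP response; an empty list means it passes."""
    # Header names are case-insensitive, so compare on lowercase names.
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below {HSTS_MIN_MAX_AGE}")

    csp = h.get("content-security-policy")
    directives: Dict[str, List[str]] = {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when it is absent.
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("Content-Security-Policy allows 'unsafe-inline' or wildcard script sources")

    # Clickjacking: either a CSP frame-ancestors directive or X-Frame-Options must be set.
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings
```

Run against the headers captured from the deployed endpoint; a non-empty list fails the deployment step and the findings are the remediation list for the application team.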
Considerations:
e. Security requirements
f. Risk, business, and compliance requirements
g. Development methodology
h. Lifecycle
i. Metrics establishment
Example:
• Count or percentage of (test type) adoption among applications requiring (test type) SAST, DAST, SCA, etc.
The strategies should include:
a. Defined security and automation requirements based on an organization's application deployment needs and
standards.
b. Defined roles and responsibilities between security, application teams, and other stakeholder groups.
c. Identification and integration with existing application deployment processes.
d. Customization of secure application deployment for deployment types such as operating systems, network
connections, configuration, etc.
e. Logging and monitoring of secure application deployment so that data issues can be promptly addressed by the
appropriate people (incident or forensics).
f. Metrics to effectively measure deployment success.
The capabilities should be based on the organization's SSDLC and should include, for instance:
g. Defined and approved list of deployment and automation technologies.
h. Enablement for team members (e.g., developers, administrators, etc.) to dynamically address security issues
when needed.
Processes, roles, responsibilities, and documentation established for application security remediation should be
reviewed periodically by management.
Example:
• GitOps-based remediation of application vulnerabilities.
• Automated remediation efficacy metric: total number of remediations of active critical/high vulnerabilities
performed through Git for the given period.
• Total number of active critical/ high vulnerabilities identified for the given period.
The policies should include defined roles and responsibilities supported by regular workforce training.
The business impact analysis (BIA) should incorporate the following components:
a. Identification of critical products and services with their inherent risks.
b. The likelihood and impact of each risk.
c. The organization's risk appetite and tolerance.
d. The identification of risk dependencies.
e. The identification of appropriate and relevant countermeasures to prevent, detect, and react to the identified
risks.
Business continuity plans should be accessible and available to those with the need-to-know and include the
following elements:
a. Defined purpose and scope, aligned with relevant dependencies.
b. Assigned roles and responsibilities (i.e., review, update, and approval).
c. Defined lines of communication, roles, and responsibilities.
d. Detailed recovery procedures, manual workaround, and reference information.
e. Method for plan invocation.
The plans should be tested and reviewed at planned intervals (e.g., annually or upon significant organizational or
environmental changes).
The documentation should include but is not limited to:
a. Administrator and user guides
b. Database backup and replication guidelines
c. Architecture diagrams
d. Incident playbooks
Exercises and tests should include but are not limited to:
a. Processes established in the business continuity plan.
b. Alignment with business continuity policies.
c. Critical systems and equipment relevant to the business continuity plan.
d. Roles and responsibilities of the various parties involved in the exercises.
e. The use of CSP support mechanisms in CSC exercises.
f. A review and update of communication templates.
g. Lessons learned from previous events and exercises.
h. Tabletop exercises.
Depending on the level of CSP maturity, the CSP’s practices may include automated chaos testing.
A business continuity and resilience program should:
a. Communicate the importance of effective business continuity and the consequences of disruptions to all
relevant stakeholders.
b. Communicate the business continuity and resilience policy, objectives, and plans to all relevant stakeholders.
c. Communicate the roles, responsibilities, authorities, and expected competencies to all relevant stakeholders.
d. Establish the criteria, thresholds, and indicators to demonstrate when and how business continuity-related
communications should be sent, who should send them, and to whom they should be sent.
e. Establish templates for common communications during a disruption regarding the activation, operation,
coordination, and communication of a business continuity response.
f. Establish the people, technology, and processes required for business continuity communications.
g. Establish a response structure that will enable timely warnings and communication to relevant stakeholders.
Clear and effective communication channels should remain available to disseminate information to participants
and stakeholders, assess and relay damage, and coordinate a recovery strategy. Failed communication often
results in failed business continuity efforts. Thorough planning, testing, and exercising communication
procedures within the following four phases are essential to support effective business continuity and the viability
of critical business operations.
Implementation of backups and/or other means of data preservation (e.g., replication) should follow the following
guidelines.
a. The scope, frequency, and duration of cloud data retention should comply with:
Applicable laws
Contractual agreements with the cloud customers
The cloud provider’s business requirements
b. The backup approach, including the physical location of backup files, should comply with the privacy and data
protection laws and regulations applicable to the data collected.
c. The data backup process should be monitored by employing technical and organizational safeguards. At a
minimum, malfunctions should be examined and eliminated promptly by qualified employees to support
compliance with the retention’s scope, frequency, and duration.
d. Backup and restoration procedures should be periodically tested and the results documented to ensure data can
be successfully restored. Tests should be designed so that the reliability of the backup media and the restoration
time (RPO, RTO) can be established with sufficient certainty. Any errors and identified improvements (corrective
and preventive actions) should be addressed promptly.
e. Restorations should be carried out only after they have been approved by authorized persons (according to
contractual agreements with cloud customers or the internal policies of the cloud provider).
f. The cloud service provider, when appropriate, should be able to disclose the exercise results to the cloud
services customer as part of the assurance of business continuity and resilience.
Additional guidance is also available in the NIST Special Publication 800-53 (Rev. 4) CP-9 INFORMATION
SYSTEM BACKUP (latest revision).
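Guideline (d) above asks that restoration tests establish the achievable RPO and RTO with sufficient certainty and that errors feed corrective actions. The following is an added example, not CCM text, that evaluates a set of restoration test records against targets; the datasets, timestamps and the 4-hour RPO / 2-hour RTO targets are constructed for illustration.

```python
"""Evaluate backup restoration tests against RPO/RTO targets.
Added example; datasets, timestamps and targets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class RestoreTest:
    dataset: str
    last_backup_completed: datetime   # newest backup available when recovery began
    restore_started: datetime
    restore_finished: datetime
    integrity_verified: bool          # checksums / record counts matched after restore


@dataclass
class Targets:
    rpo: timedelta   # maximum tolerable data loss, expressed as a time window
    rto: timedelta   # maximum tolerable restoration time


def evaluate(test: RestoreTest, targets: Targets) -> Dict[str, object]:
    """Compare one test's achieved RPO/RTO with the targets and list issues."""
    # Age of the data at the moment recovery began approximates what would be lost.
    achieved_rpo = test.restore_started - test.last_backup_completed
    achieved_rto = test.restore_finished - test.restore_started
    issues: List[str] = []
    if not test.integrity_verified:
        issues.append("restored data failed integrity verification")
    if achieved_rpo > targets.rpo:
        issues.append(f"RPO exceeded: {achieved_rpo} > {targets.rpo}")
    if achieved_rto > targets.rto:
        issues.append(f"RTO exceeded: {achieved_rto} > {targets.rto}")
    return {"dataset": test.dataset, "achieved_rpo": achieved_rpo,
            "achieved_rto": achieved_rto, "passed": not issues, "issues": issues}


def summarize(tests: List[RestoreTest], targets: Targets) -> Dict[str, object]:
    """Produce the documented result: per-test outcome plus the corrective-action list."""
    results = [evaluate(t, targets) for t in tests]
    corrective = [f"{r['dataset']}: {issue}" for r in results for issue in r["issues"]]
    return {"total": len(results), "passed": sum(r["passed"] for r in results),
            "results": results, "corrective_actions": corrective}


def demo() -> Dict[str, object]:
    """Constructed sample: three restore tests against a 4h RPO / 2h RTO target."""
    def t(s: str) -> datetime:
        return datetime.fromisoformat(s)
    tests = [
        RestoreTest("customer-db", t("2024-03-01T01:00"), t("2024-03-01T03:00"),
                    t("2024-03-01T04:15"), True),
        RestoreTest("object-store", t("2024-03-01T00:00"), t("2024-03-01T06:00"),
                    t("2024-03-01T07:00"), True),
        RestoreTest("config-repo", t("2024-03-01T02:30"), t("2024-03-01T03:00"),
                    t("2024-03-01T05:30"), False),
    ]
    return summarize(tests, Targets(rpo=timedelta(hours=4), rto=timedelta(hours=2)))
```

The `corrective_actions` list is the part worth keeping with the test record: each entry names the dataset and the specific shortfall, which is what the follow-up (re-tuning backup frequency, faster restore path, media replacement) has to close.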
The response plan should include the ability to protect systems—including the physical environment when
possible—from inadvertent unauthorized access during an emergency.
The response plan should include the following when describing environmental threats/natural disasters: fires,
medical emergencies, tornadoes, hurricanes, flooding, earthquakes, and other natural disasters.
Civil disturbances can include disgruntled employees/contractors/customers, terrorist attacks, biological attacks,
and airborne agents.
Emergency authorities can include first responders and other law enforcement entities.
The plan should be executed at regular intervals based on the organization’s BIA. It should be performed as a
tabletop exercise and incorporate an annual live event with local authorities (e.g., fire departments, health
officials, police departments, anti-terrorist organizations, and anti-cybercrime groups).
Depending on regulatory requirements, the business, and the industry, a disaster recovery (DR) exercise might be
required. For example, financial institutions may consider running live on DR for extended periods or simulate
component or partial failures to test overall organizational resiliency and recovery abilities.
The minimum distance between mirrored or redundant physical systems should support compliance with the
organization's defined continuity and availability within contractual agreements or service-level agreements
(SLAs).
A documented and approved change management policy (and associated process documentation) should:
a. Ensure that changes are tested, documented, risk assessed, and authorized in a consistent and timely manner.
All changes (e.g., major, minor, and emergency and the qualifying criteria) in organization assets, applications,
system software, and informational technology (IT) infrastructure (e.g., hardware, operating systems,
communications equipment, and software) and associated configurations should be under the scope of the change
management policy.
b. Be communicated and made accessible to all employees and interested parties involved within the change
management process (e.g., service/application owners, project leaders, IT, operating systems staff, contractors,
etc.).
c. Include the management of emergency changes.
A plan to test and review during the development process should be prepared. This plan should include (but is not
limited to) relevant activities and test inputs, and expected outputs regarding various conditions that may impact
the outcome. For internal organizational developments, the team that oversees development efforts initially can
perform such tests. Independent acceptance testing can then be performed (both for internal and external
development sources) to determine whether the system functions as intended. Testing should be proportionate to
the system’s relevance based on its nature.
Testing record(s) should be documented before implementing all planned changes to organization assets
(including applications, systems, infrastructure, configuration, etc.), regardless of whether the assets are managed
internally or externally (i.e., outsourced).
The record(s) should comprise a test plan, configuration baseline before the change, the test result, and the new
configuration baseline.
The quality testing plan might align with relevant standards or guidelines (e.g., ITIL or ISO/IEC 20000).
The organization should:
Collaborate with relevant internal and external parties involved in the change management process.
Assess the impact and type of change to determine the risk of the change before it is applied.
Adopt Change Management Technologies to manage the change management workflow.
These tools should help adequately manage the authorization process, including activity logging. In addition, real-
time reporting/monitoring capabilities should be implemented to monitor change progress so that quick decisions
can be made to manage the risks of unforeseen issues due to the change implementation.
Understanding how those relevant components impact the security and usability of the supply chain that supports
organizational environments should be one aspect of such collaboration.
The organization should establish procedures and implement technical measures to prevent and/or detect any
unwanted/unauthorized changes (e.g., additions, removals, and updates) to organizational assets production,
including applications, systems, infrastructure, configuration, etc.
Processes and procedures established by both the CSP and CSC should reflect respective change management
responsibilities with respect to the scope of services being provided and/or consumed. There should be
acknowledgement of each party's responsibility, where applicable, and it should be part of a written change
management agreement between CSC and CSP. The acknowledgment should include a reference to limitations
related to changes impacting CSC-owned environments/tenants.
NOTE: The CSP may need to apply changes that impact CSC-owned environments/tenants without the explicit
authorization of the CSC (in case those changes would be required for the overall security of the CSP system). If
those types of changes are applied, the CSC should be consulted promptly.
A change management baseline reflects the minimum policies, procedures and technical measures established to
achieve organizational objectives, and requirements (i.e., CCC-02 implementation guidelines).
The organization should establish a policy and procedures to detect deviations from the established control
baseline. When a deviation is detected, the organization should follow the incident management policies and
procedures defined in SEF-01.
The procedure for exceptions’ management should include, but is not limited to:
a. Change management baselines
b. Unauthorized assets
c. Evidence collection and management
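Detecting deviations from the baseline and separating authorized from unauthorized ones is the mechanical part of the procedure described above. The following is an added example, not CCM text, in which a small baseline of approved settings is compared with what is observed on a host; additions, removals and updates are reported, and any deviation not covered by an approved change record is flagged for the incident process. The baseline keys, observed values and the change ticket placeholder are constructed.

```python
"""Detect deviations from an approved configuration baseline and triage them.
Added example; baseline keys, observed values and change ticket ids are constructed."""
from typing import Dict, List, Optional, Tuple

Deviation = Tuple[str, str, Optional[str], Optional[str]]   # (kind, key, expected, actual)

# Constructed baseline for a hypothetical host class (values illustrative only).
BASELINE: Dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.MaxAuthTries": "4",
    "auditd.enabled": "true",
    "packages.telnet": "absent",
}


def diff_against_baseline(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Deviation]:
    """Return additions, removals and updates of the observed state relative to the baseline."""
    deviations: List[Deviation] = []
    for key, expected in baseline.items():
        if key not in observed:
            deviations.append(("removed", key, expected, None))
        elif observed[key] != expected:
            deviations.append(("changed", key, expected, observed[key]))
    for key, actual in observed.items():
        if key not in baseline:
            deviations.append(("added", key, None, actual))
    return sorted(deviations, key=lambda d: (d[0], d[1]))


def triage(deviations: List[Deviation], approved: Dict[str, str]) -> Dict[str, object]:
    """Split deviations into those covered by an approved change and those that are not.
    `approved` maps a configuration key to the change record that authorized it."""
    authorized, unauthorized = [], []
    for dev in deviations:
        if dev[1] in approved:
            authorized.append((dev, approved[dev[1]]))
        else:
            unauthorized.append(dev)
    # Anything unauthorized is handed to the incident management process.
    return {"authorized": authorized, "unauthorized": unauthorized,
            "raise_incident": bool(unauthorized)}


def demo() -> Dict[str, object]:
    """Constructed observation with one approved change and three unexplained deviations."""
    observed = {
        "sshd.PermitRootLogin": "yes",        # drift with no change record
        "sshd.PasswordAuthentication": "no",
        "sshd.MaxAuthTries": "3",             # covered by an approved change
        "packages.telnet": "absent",
        "packages.nmap": "present",           # not in the baseline at all
    }                                         # note: auditd.enabled is missing entirely
    approved = {"sshd.MaxAuthTries": "CHG-PLACEHOLDER-1"}   # placeholder ticket id
    return triage(diff_against_baseline(BASELINE, observed), approved)
```

Collecting the observed state is deliberately left to whatever inventory or configuration tooling is in use; the value of the check is in keeping the baseline under change control, so that "approved" has a single source of truth.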
Rollback procedures should be created and tested with each change request.
Policies and procedures on the use, protection, and lifetime of cryptographic keys should be developed and
implemented through their full lifecycle.
Policies and procedures include but are not limited to the following considerations:
Key change management is the process of managing all changes to key management governance, organization,
infrastructure, and activities.
a. Changes to the key management system and its policies and procedures should be analyzed and approved
before implementation.
b. Changes should be documented to show the reasoning behind the changes and include a path to rollback to the
previous status.
c. If unauthorized changes are made to the software, the software should be recovered.
d. There should be security audits after every significant change to the key management system.
e. All audit results should be reported to the system authority.
Encryption change cost-benefit analysis is the process of comparing the benefit of encryption changes to its cost.
a. Key change management cost-benefit analysis/return on investment (ROI) should be calculated for all key
management-related changes.
b. Every analysis should fully account for downstream effects of proposed changes, including residual risks.
c. Every analysis should be reviewed and approved.
d. Six months after a change, compare the anticipated ROI to the actual ROI.
e. Significant deviation from the planned ROI should be audited.
f. Report all audit results to the system authority.
Key risk management is the process of managing the risks to key management governance, organization,
infrastructure, and activities.
a. Assess the risks of unauthorized disclosure, modification, destruction, or information loss.
b. Cryptoperiod selections should consider the risk and consequences of information exposure.
c. Evaluate the tradeoffs of manual versus automated key distribution.
d. Reduce compromised key risks by (1) not using such keys for new encryption activities and (2) only using
such keys to decrypt material previously encrypted under them.
e. Adjust the audit scope and frequency to align with the risk assessment.
f. Apply algorithm strength in proportion to the risk of information exposure.
g. Assess risks to operational continuity versus the risks of key material data exposure when considering key
recovery.
Key management capability is the process of CSPs providing CSCs the capability to manage CSC-owned or
generated encryption keys.
a. The CSC and CSP should agree on the definition and scope of CSC-managed keys and document this (shared
responsibility) in the SLA, applicable contracts, policies, and procedures.
b. The CSP should allow the CSC to manage policies, procedures, and processes.
c. The CSP should empower the CSC to manage keys and data encryption keys.
d. The CSP should enable the CSC to manage key encryption keys or master keys used to encrypt data keys.
e. The CSP should allow the CSC to use the key management system (e.g., transactions, reporting, etc.).
f. Optionally, the CSC should supply CSC-generated master encryption keys using bring-your-own-key (BYOK)
mechanisms per the SLA.
Key audit is the process of assessing the organization, governance, infrastructure, policies, procedures, and
activities.
a. Audits assess compliance with "key management" policies and procedures.
b. Audits assess the design and effectiveness of "key management" controls and the control environment.
c. Audits assess compliance with industry and regulatory standards (e.g., Health Insurance Portability and
Accountability Act (HIPAA), payment card industry (PCI)).
d. Audits results are reported to the key management system authority.
e. Audits are performed according to key- and risk-management policies.
f. Request third-party certification reports and review issues with the CSP and auditor.
g. At a minimum, sensitive audit information and sensitive audit tools should be cryptographically protected.
The key generation process should be cryptographically secure.
a. Keys should be generated:
using random bit generators (RBGs) and possibly other parameters, or
generated based on keys that are created in this fashion.
b. Key management technology and processes should be NIST FIPS validated or NSA-approved or comparable.
c. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Key destruction removes all traces to prevent recovery by physical or electronic means.
a. When a key is to be destroyed, all key copies should be destroyed.
b. Keys should be destroyed when they are not needed to minimize compromise risks.
c. Secret and private keys should be destroyed so they cannot be recovered by any means.
d. Public keys may be kept or destroyed.
e. Notify stakeholders in advance of key destruction.
f. Consider laws, regulations, and their retention requirements for keys and/or metadata.
g. Key recovery information (KRI) should be protected against unauthorized disclosure or destruction.
h. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Activated keys are used to protect information cryptographically.
a. Pre-activated keys are activated by entering the start date of the validity/cryptoperiod.
b. Keys which are not activated for use are not ready to encrypt data.
c. Non-activated keys should only be used to perform proof-of-possession or key confirmation.
d. If pre-activated keys are no longer needed, they should be destroyed.
e. If there are suspicions about the integrity of a given key, it should be moved to the compromised state.
f. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
When appropriate, relevant stakeholders should be notified that keys previously used to encrypt their data have
been compromised and that those keys are no longer used for encryption.
These compromised keys should be notated in the organization’s “Compromised Key Lists (CKLs)” along with a
summary of users notified, notification timeframes, or reasons that notifications were not made to compromised
key users.
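The key generation, activation, compromise and destruction rules above describe a state machine, with every transition logged in the CKMS and compromised keys recorded in a Compromised Key List. The following is an added example, not CCM text or any vendor's key management product, that enforces those rules in a small in-memory store: keys are drawn from the operating system's random bit generator, only an active key inside its cryptoperiod may protect new data, a compromised key may still decrypt what was already protected under it, and destruction zeroes the material. Key ids, the 30-day cryptoperiod and the notified users are constructed; the actual encryption operation is outside the block and only the key release is modelled.

```python
"""Key lifecycle state machine with CKMS-style audit log and a Compromised Key List.
Added example; key ids, cryptoperiods and user names are constructed."""
import secrets
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"   # generated, not yet usable for protection
    ACTIVE = "active"                   # inside its cryptoperiod
    COMPROMISED = "compromised"         # decrypt-only, never for new encryption
    DESTROYED = "destroyed"             # material zeroed, unusable


@dataclass
class KeyRecord:
    key_id: str
    material: bytearray                 # secret bytes; zeroed on destruction
    cryptoperiod_days: int
    state: KeyState = KeyState.PRE_ACTIVATION
    activation_date: Optional[date] = None


class KeyStore:
    """Hypothetical CKMS front-end that enforces the transitions described in the text."""

    def __init__(self) -> None:
        self.keys: Dict[str, KeyRecord] = {}
        self.audit_log: List[Tuple[str, str, str]] = []          # (key_id, event, detail)
        self.compromised_key_list: List[Dict[str, object]] = []  # the CKL

    def _log(self, key_id: str, event: str, detail: str = "") -> None:
        self.audit_log.append((key_id, event, detail))

    def generate(self, key_id: str, cryptoperiod_days: int = 365) -> KeyRecord:
        # secrets.token_bytes draws from the OS CSPRNG, i.e. a random bit generator.
        rec = KeyRecord(key_id, bytearray(secrets.token_bytes(32)), cryptoperiod_days)
        self.keys[key_id] = rec
        self._log(key_id, "generated", "256-bit key from OS random bit generator")
        return rec

    def activate(self, key_id: str, start: date) -> None:
        rec = self.keys[key_id]
        if rec.state is not KeyState.PRE_ACTIVATION:
            raise ValueError(f"{key_id}: cannot activate from state {rec.state.value}")
        rec.state, rec.activation_date = KeyState.ACTIVE, start
        self._log(key_id, "activated", f"cryptoperiod starts {start.isoformat()}")

    def key_for_encryption(self, key_id: str, today: date) -> bytes:
        """Only an ACTIVE key inside its cryptoperiod may protect new data."""
        rec = self.keys[key_id]
        if rec.state is not KeyState.ACTIVE or rec.activation_date is None:
            raise PermissionError(f"{key_id}: state {rec.state.value} cannot encrypt")
        if (today - rec.activation_date).days >= rec.cryptoperiod_days:
            raise PermissionError(f"{key_id}: cryptoperiod expired")
        self._log(key_id, "used", "encryption")
        return bytes(rec.material)

    def key_for_decryption(self, key_id: str) -> bytes:
        """ACTIVE or COMPROMISED keys may still decrypt data already protected under them."""
        rec = self.keys[key_id]
        if rec.state not in (KeyState.ACTIVE, KeyState.COMPROMISED):
            raise PermissionError(f"{key_id}: state {rec.state.value} cannot decrypt")
        self._log(key_id, "used", "decryption")
        return bytes(rec.material)

    def mark_compromised(self, key_id: str, reason: str, users_notified: List[str]) -> None:
        rec = self.keys[key_id]
        if rec.state is KeyState.DESTROYED:
            raise ValueError(f"{key_id}: already destroyed")
        rec.state = KeyState.COMPROMISED
        self.compromised_key_list.append(
            {"key_id": key_id, "reason": reason, "users_notified": list(users_notified)})
        self._log(key_id, "compromised", reason)

    def destroy(self, key_id: str) -> None:
        rec = self.keys[key_id]
        if rec.state is KeyState.DESTROYED:
            raise ValueError(f"{key_id}: already destroyed")
        for i in range(len(rec.material)):   # overwrite every copy we hold
            rec.material[i] = 0
        rec.state = KeyState.DESTROYED
        self._log(key_id, "destroyed", "material zeroed")


def _attempt(denied: List[str], label: str, action: Callable[[], object]) -> None:
    try:
        action()
    except PermissionError:
        denied.append(label)


def demo() -> Dict[str, object]:
    """Walk one constructed key through its lifecycle, recording every denied operation."""
    store, denied = KeyStore(), []   # type: KeyStore, List[str]
    k = "data-key-01"
    store.generate(k, cryptoperiod_days=30)
    _attempt(denied, "encrypt before activation", lambda: store.key_for_encryption(k, date(2024, 1, 10)))
    store.activate(k, date(2024, 1, 1))
    store.key_for_encryption(k, date(2024, 1, 10))
    _attempt(denied, "encrypt after cryptoperiod", lambda: store.key_for_encryption(k, date(2024, 2, 15)))
    store.mark_compromised(k, "suspected exposure of key material", ["alice", "bob"])
    _attempt(denied, "encrypt with compromised key", lambda: store.key_for_encryption(k, date(2024, 1, 10)))
    store.key_for_decryption(k)       # still allowed for existing ciphertext
    store.destroy(k)
    _attempt(denied, "decrypt with destroyed key", lambda: store.key_for_decryption(k))
    return {"store": store, "denied": denied}
```

The audit log is the evidence the "all relevant transitions should be recorded" items ask for, and the CKL entries carry the notification summary the text wants kept alongside each compromised key.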
The communications between services that facilitate movements of workloads, application data, etc., should be
encrypted based on globally recognized crypto algorithms such as AES-256. Additionally, communication may
include measures such as obfuscation or de-identification to render the information in transit illegible. NIST 800-122
(Guide to Protecting the Confidentiality of Personally Identifiable Information - PII) provides relevant and
effective techniques for obscuring sensitive data, such as personally identifiable information (PII), etc.
The CSP should identify the manageable parts of the data center and consider operational criteria, such as
effectiveness, efficiency, compliance, reliability, risk management, functionality, availability, integrity, and
confidentiality. Then, the CSP should prepare and maintain policies and procedures for each part.
Policies and procedures should include provisions to restrict physical access to the facilities to prevent
unauthorized entry.
Facility areas that house, store, and transact customer data should be configured to prevent confidential
information or activities from being visible and audible from the outside.
Electromagnetic shielding should also be considered as appropriate (ISO/IEC 27002:2013, 11.1.3 (c)).
In addition, the facility itself should be designed and positioned to reduce the risk of natural disasters. Systems
and infrastructure should be deployed to enhance fire prevention—typically utilizing zoned dry-pipe sprinkler
systems. These systems are intended to be deployed throughout the facility and not just within the computer
room.
Secure transportation of physical media should include secure information-handling policies and procedures for
storage, packaging by internal or external personnel (third-parties, such as couriers), internal delivery, packaging
for external mail or courier services, and shipping tracking.
The facility management should develop a naming convention for asset classification that meets legal, value, and
business requirements to protect restricted information sharing.
Datacenter personnel should utilize a solution that enables inventory tracking and managing physical locations of
servers and other data center assets while eliminating paper and manual processes. A hosted asset tracking
solution for servers, switches, data center asset tracking and racks typically uses passive radio frequency
identification (RFID), global positioning system (GPS), and/or Bluetooth Low Energy (BLE) technologies.
Physical security perimeters should be restricted to authorized personnel only. They may include (but are not
limited to): fences, walls, barriers, guards, gates, external boundary protection, bollards, fencing, guard dogs,
armed guards, physical authentication mechanisms, reception desks, and security patrols.
Where applicable, use location-aware technologies to validate connection authentication integrity based on
known equipment locations.
Monitor, control, and isolate data storage and processing facilities, including ingress and egress points to service
and delivery areas and other points where unauthorized personnel may enter the premises. Organizations should
retain access logs for authorized personnel for no less than six (6) months. Facilities owners should adopt the
ISO/IEC 27001:2013 A.11.1.2 standard. Record the dates and times of visitor entries and departures, and
supervise all visitors unless their access has been previously approved. Visitors should only be granted access for
specific, authorized purposes and issued with instructions on area security requirements and emergency
procedures. Authenticate visitor identities by any appropriate means (e.g., validation with government-issued
identification (ID), such as an official identity document, driver's license, passport, etc.).
Equip external and internal perimeters with security alarm systems and surveillance devices such as movement
sensors and cameras. Monitor these perimeters with security personnel. Retain any recordings for a defined
period.
Comprehensive training on detecting and responding to various kinds of unauthorized access attempts must be
provided to relevant data center personnel and issued periodically.
All cabling should be shielded (when possible) to protect against electromagnetic interference (EMI).
Additionally, hide cabling (e.g., under the floor or above cabinets in caged cable-management systems) or, at
a minimum, protect it with PVC tubing (or something similar) when possible to protect against unauthorized
physical access.
Examples of environmental systems include, but are not limited to, temperature and humidity control, and fire
prevention and detection systems.
Environmental system reviews should include activities to ensure continual effectiveness, and environmental
control systems should be maintained at normal operational levels during a power outage.
Examples of utility services include but are not limited to water, power, telecommunications, and internet
connectivity.
Service reviews should include activities to protect from unauthorized interception or damage and ensure the
services are designed with automated failover or other redundancies if planned or unplanned disruptions occur.
Keep business-critical equipment away from locations subject to a high probability of environmental risks, such
as switchyards and chemical facilities. Hazards include fires, flooding (e.g., waterlogging, water pipe exposure),
dust, wind (e.g., exposure through open doors/windows), and natural disasters (earthquakes and hurricanes).
Maintain a data inventory and document data flow diagrams and associated technical measures.
Document data protection controls and third-party data sharing practices. This documentation and associated risks
should be shared with customers and data owners as needed.
The data inventory should provide visibility into the location, volume, and context of all sensitive data and PII.
It should be built and kept current through data discovery activities, and discovery should continuously feed the
classification process.
Implement data classification by defining organizational data categories, such as public data, confidential data,
etc. Automated tools may be used to label files according to their sensitivity level. Appropriate security
measures/protection should be implemented according to each category.
Use data classification, tagging, or metadata fields based on industry-standard frameworks such as (but not
limited to):
a. Carnegie Mellon University: Guidelines for Data Classification
b. SANS Institute: Tagging Data to Prevent Data Leakage (Forming Content Repositories)
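As an added illustration of the discovery-driven inventory and automated labelling described above (this is example code, not part of the CCM or any CSA tool), the following Python script scans a constructed set of object-store files for a few common PII patterns, validates candidate card numbers with a Luhn check so random digit runs are not counted, and produces one inventory entry per file with its location, volume by PII type, and classification. The bucket paths, sample contents, and the three-tier public/confidential/restricted scheme are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample object-store listing (path -> content); not real data.
SAMPLE_FILES = {
    "s3://corp-bucket/hr/payroll_2023.csv":
        "name,email,ssn\nAda Example,ada@example.com,123-45-6789\n",
    "s3://corp-bucket/marketing/press_release.txt":
        "Our product launches next quarter. See the website for details.\n",
    "s3://corp-bucket/finance/cards.txt":
        "card 4111111111111111 charged; card 1234567812345678 rejected\n",
}

# Detectors for a few common PII types. The card pattern is deliberately loose and is
# tightened by a Luhn check below so that arbitrary digit runs are not counted as cards.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d{13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class InventoryEntry:
    path: str                                   # location
    counts: dict = field(default_factory=dict)  # volume: PII type -> number of hits
    classification: str = "public"              # assumed three-tier scheme


def classify(counts: dict) -> str:
    """Map the discovered PII types to an organizational category."""
    if counts.get("ssn") or counts.get("card"):
        return "restricted"
    if counts.get("email"):
        return "confidential"
    return "public"


def scan(files: dict) -> list:
    """Discover PII in each file and build the inventory (location, volume, label)."""
    inventory = []
    for path, content in files.items():
        counts = {}
        for kind, pattern in PATTERNS.items():
            hits = pattern.findall(content)
            if kind == "card":
                hits = [h for h in hits if luhn_ok(h)]
            if hits:
                counts[kind] = len(hits)
        inventory.append(InventoryEntry(path, counts, classify(counts)))
    return inventory


if __name__ == "__main__":
    for entry in scan(SAMPLE_FILES):
        print(f"{entry.classification:12} {str(entry.counts):28} {entry.path}")
```

In practice the scanner would walk real storage listings and the labels would be written back as object tags or metadata so that downstream controls (DLP, access policy) can act on them.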
Data protection and privacy consideration must be included by default at the design stage and throughout the
product development lifecycle. In addition, design documentation should clearly describe how data is protected.
In line with privacy considerations by design and default principles, the default/out-of-the-box settings should
align with the applicable regional privacy regulations.
Data protection impact assessment, which is essentially risk assessment from a privacy perspective, should be
performed by the data controller before processing if such personal data processing is likely to result in a high
risk to the rights and freedoms of natural persons.
When defining processes, procedures, and technical measures for data transfer, consider data transfer within the
organization and externally.
Personal data transfer in transit must be protected by strong encryption or similar techniques to prevent
unauthorized access by eavesdropping or data transfer interception.
The data subject should be able to access, view, rectify, or delete personal data in the system or by logging a
request with the service provider. The service provider should respond to such requests in alignment with the
relevant data protection laws.
Implement and maintain processes, procedures, and technical measures to ensure the following:
a. The data subject is made aware of the nature and purpose of information collection.
b. The information is relevant and limited to processing requirements.
c. Processing is performed in a reasonable manner that does not infringe upon the data subject's privacy.
d. Processing is for a specific, explicitly defined, and lawful purpose related to a function or activity of the
responsible party.
e. Where the controller intends to further process the personal data for an alternative purpose to which the
personal data were collected, the data subject should be informed of the purpose and provide consent before
additional processing.
f. Information is stored only as long as required.
The CSP should identify subcontractors and sub-processors that participate in the data processing, along with the
chain of accountabilities and responsibilities used to ensure that data protection requirements are fulfilled.
The CSP should inform the cloud customer of any intended changes concerning the addition or replacement of
subcontractors or sub-processors and allow the cloud customer to object to such changes or terminate the
contract.
The data protection obligations agreed upon between the CSP and the cloud customer should be supported by any
subcontractors or sub-processors used by the CSP.
The CSP remains liable to the cloud customer for data protection, regardless of whether the CSP uses
subcontractors or not.
The CSP should document and notify the data owner of the data that will be accessed by sub-processors.
This information may include, but is not limited to, categories of data, special categories of data, and
processing operations.
Before replicating data or using data in non-production systems copied from the production system, perform a
risk analysis and obtain data owner approval. Then, implement privacy risk mitigating techniques such as
anonymization, pseudonymization, etc. (if required).
Organizational data retention and deletion practices encompassing both physical and electronic data should be
established and implemented.
Information rights management technology should be used and applied (when applicable) to all sensitive data.
This technology can add a security layer that will help protect files from unauthorized copying, viewing, printing,
forwarding, deleting, and editing.
The CSP should have a process that describes how to respond to requests by law enforcement authorities, such as
a subpoena, official investigations, or legal proceedings initiated by governmental and/or law enforcement
officials. This process should be transparent to the interested CSCs unless otherwise prohibited.
The CSP should track where data is stored, processed, and backed up to ensure it is in line with the laws and
regulations applicable to the CSP and ensure those locations are not prohibited. In addition, the physical
locations’ registry should be kept up to date and shareable with CSC (if requested).
Organizational leadership should govern the program. The program should include—but is not limited to—
policies and procedures regarding legal matters, industry-specific regulations, regional requirements, compliance
mandates, security and privacy requirements, and information governance. Management of each business area
should include the implementation of all applicable governance policies and procedures. Policies and procedures
should be reviewed and updated at least annually.
The enterprise risk management (ERM) program should consider—and not be limited to—cloud-related
information security and data privacy risks. The program should include risk management elements such as risk
identification, risk assessment, risk treatment, and risk reporting. Management of each business area should
consist of the implementation of the applicable ERM program policies and procedures.
The ERM program should also feature a formal statement of risk appetite and may include creating and
maintaining a risk register that reflects the likelihood of occurrence, potential business impacts, risk levels, and
proposed mitigation actions for each risk.
Management-approved defined policies and procedures should be communicated to all employees for adherence.
Evaluate policies, procedures, and assigned responsibilities for accuracy and efficacy at least annually and when
there are significant internal changes or alterations in the external operating environment.
The exception process should be defined and approved by the management team and communicated across the
organization to promote adherence. Integrate exemptions with the information security risk management process,
and review organizational risks whenever a deviation from an established policy occurs.
The program should identify and assign roles, responsibilities, and management commitment.
The CCM domains to address within the information security governance program include, but are not limited to:
a. Audit and assurance
b. Application and interface security
c. Business continuity management and operational resilience
d. Change control and configuration management
e. Cryptography, encryption, and key management
f. Datacenter security
g. Data security and privacy lifecycle management
h. Governance, risk management, and compliance
i. Human resources
j. Identity and access management
k. Interoperability and portability
l. Infrastructure and virtualization security
m. Logging and monitoring
n. Security incident management, e-discovery, and cloud forensics
o. Supply chain management, transparency, and accountability
p. Threat and vulnerability management
q. Universal endpoint management
Management should promote coordination among organizational entities responsible for the different aspects of
cloud security and privacy risks. Review the program as required to address threat landscape changes and
substantial organization changes.
RACI charts (responsible, accountable, consulted, and informed) may be used to document roles and
responsibilities. Specific people or teams should be assigned for each documented role in the governance
program, policies, and procedures. Roles and responsibilities should be reviewed and updated periodically.
Documentation should reflect the requirements relevant to the organization and be updated regularly to reflect
changes in the internal and external operational environments. Communicate requirement changes to management
and other personnel, and implement them promptly.
Management should establish and maintain contact with special interest groups or professional associations to
receive early warnings and advice regarding new threats, vulnerabilities, and regulatory updates.
Personnel working under organizational control—including full-time employees, part-time employees,
consultants, and temporary staff—should undergo a screening process appropriate for their role and
responsibilities before granting access to the corporate network or systems.
Depending on the applicable legislation, inform candidates beforehand about screening activities. Personnel
screening should consider all relevant privacy, PII protection, and employment-based legislation and should
(when permitted) include the following:
a. Availability of satisfactory references.
b. Verification of the applicant’s curriculum vitae, including claimed academic and professional qualifications.
c. Independent identity verification (passports or similar documents).
d. Additional role-specific verifications, such as a credit review if the person will have fiscal responsibilities.
The organization should consider rescreening individuals at regular intervals. Rescreening may also occur if the
employee’s responsibilities or access to confidential data have increased since their last screening.
The organization should have policies to determine who can screen personnel, how, when, and why the screening
is required, where data is stored, and what the retention period is.
All relevant data about personnel should be considered PII and managed accordingly. If the screening is done by
an external entity or another organizational department, sensitive information like historic remuneration details
should be redacted if irrelevant to the screening process.
The organization should establish a policy on acceptable use requirements and standards for protecting and
handling organizational assets and communicate it to personnel. In addition, the policy should provide clear
direction on how individuals should utilize these assets.
Personnel should acknowledge their understanding and accept responsibility to use information processing
resources.
The policy should include, but is not limited to:
a. Expected security behaviors of individuals.
b. Unacceptable behavior of individuals.
c. Permitted use of the organization's assets.
d. Prohibited use of the organization’s assets.
e. Organizational monitoring activities.
Policies and procedures should be reviewed and updated at least annually or whenever there are significant
changes in the environment, and personnel should be retrained when these changes occur.
The organization should establish and communicate a “clean desk” policy to guide personnel on reducing the risk
of unauthorized access to information.
The organization should have procedures to vacate facilities, including conducting a final sweep before leaving to
validate that the organization's assets are not left behind (e.g., documents fallen behind drawers or furniture).
Organizations allowing remote working activities should issue a policy that defines the conditions and restrictions
of working away from a regular office.
The organization should identify and document all information and other associated assets to be returned or
disabled.
The organization should prevent the unauthorized copying of information (e.g., intellectual property) by
personnel under a notice of termination.
The organization should establish and communicate a ‘termination of employment’ policy that defines the
responsibilities and duties that should remain valid after termination of employment or a change in employment
status. This may include guidelines on information confidentiality, intellectual property, and other knowledge
obtained while personnel was employed under the organization’s control, and responsibilities contained within
any additional confidentiality agreements. These responsibilities should be included in employment terms and
conditions.
The process for termination or change of employment should also be applied to external personnel (e.g., suppliers)
when contract or job termination occurs or there is a role change within the organization.
Employees should not be granted access to systems or information unless they have signed the employment
agreement featuring terms and conditions concerning information security. The terms and conditions of
employment should be appropriate to the employee based on their role. Additionally, roles and responsibilities
should be communicated during the hiring process.
The terms and conditions concerning information security should be reviewed and updated if relevant laws,
regulations, or information security policies change. Furthermore, personnel may be asked to acknowledge and
agree to such changes.
The agreement between the employee and organization should include—but is not limited to—a confidentiality or
non-disclosure agreement if the employee will have access to confidential data.
Guidance on employees' legal rights and responsibilities (e.g., whistleblower protections and data protection
regulations) should include how to handle both physical and digital assets.
The organization should take appropriate and proportionate action if an employee is in breach of an agreement.
The organization should identify and document information asset protection responsibilities and carry out specific
information security processes. Responsibilities for information security risk management activities— and
especially accepting residual risks—should be defined.
These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites
and information processing facilities.
The non-disclosure agreement should address requirements to protect confidential information using legally
binding terms. Agreement terms should be based on the organization’s information security requirements.
The type of information covered should define permissible access and information handling protocols. The
agreement should include, but is not limited to:
a. What information is protected.
b. The length of the agreement.
c. Interested parties to the agreement.
d. The responsibilities of each party in the agreement.
e. Terms for the destruction of data once the agreement has ended.
f. Expected actions if a breach of agreement terms occurs.
Security awareness training should educate personnel about their responsibilities and the necessary means for
securing corporate assets.
Security awareness training should consider the roles and responsibilities of organizational members.
Training may include a test to measure personnel’s understanding of the responsibilities and protections required
to secure corporate assets. This evaluation may be used to improve training and verify that relevant knowledge
transfer occurs. Additionally, a training attendance registry should be maintained.
Security awareness training should educate personnel on their responsibilities and the necessary means for
securing personal and sensitive data.
Training should include the various regulatory and legal requirements that impact personal and sensitive data
handling.
Furthermore, training should occur regularly to incorporate changes in organizational procedures, processes, and
policies.
The organization should maintain a training and awareness program that regularly reminds personnel of their
responsibilities. These responsibilities include maintaining awareness and compliance with policies, procedures,
and applicable legal, statutory, and/or regulatory obligations.
The training and awareness program may include several awareness-raising activities via appropriate physical or
virtual channels, such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-
learning modules, and emails.
Organizations should document access control policies for the registration, management, and removal of digital
identities. Additionally, the guidelines should be communicated within the organization.
The organization should leverage the identity and access management policy to establish a security baseline.
Organizations should establish a clear policy on strong password usage for different technical areas.
Organizations should also have a monitoring mechanism to evaluate the effectiveness of policy implementation.
The policy should be reviewed periodically (at least annually) based on business requirements. In addition, the
policy should clearly describe its applicability and scope, and management should promote effective
communication to ensure effective implementation within the organization.
Organizations should also have policies and procedures for all personnel (employees, vendors, or other third
parties) who have access to organizational data. Additionally, control-testing strategies should be employed to
test these policies and be maintained regularly.
Organizations should maintain a database of all system identities having access to different cloud environments
and assets. The database should illustrate a correlation between digital identities, assets where the access is
provisioned, and the type of access being provisioned (e.g., business users, system users, privileged users). In
addition, the database should be regularly reviewed to ensure access is revoked or changed based on job role
changes.
Access to the identity and access management database itself should be protected by single sign-on and
multi-factor authentication.
Database access should be based on need-to-know and least-privilege principles and should follow best practices
(such as role-based access control and segregation of duties). Finally, all access (especially privileged access)
should be logged and monitored for anomalies and unauthorized use and linked to alerting systems as
appropriate.
Access control policy should provide instruction on separation of environment and separation of duties, and cover
the following:
a. Maintain separation of duties between the production, testing, and development environments, and limit
read/write access to each environment (production, development, and testing) to those who need it.
b. Require multiple layers of approval (e.g., business approval, system owner approval) before granting access,
to preserve the integrity of access to different systems.
User and service account access should leverage access control methods, such as role-based access control
(RBAC) and attribute-based access control (ABAC). In addition, conduct regular reviews of access processes
(including auditing, when appropriate) to identify non-adherence to the principle of least privilege.
Privileged access and access to administrative accounts should be restricted according to the principle of least
privilege and on a need-to-know basis. Furthermore, access should default to "deny all" unless specifically allowed.
The organization should address any changes to identity and access controls against the pre-established
baseline. Such changes may arise from proactive management of exploitable weaknesses found via vulnerability
scanning or from reactive management of issues via incident management.
Deprovisioning should automatically remove associated authorizations. For systems not integrated into automated
processes, deprovisioning should be carried out manually by system owners. Deprovisioning that affects access to
customer data should be made known to cloud customers where applicable.
The principle of separation of duties should also be considered when conducting user access reviews.
Access should be reviewed when users resign, are terminated, change roles, and/or no longer need the
authorization to carry out duties for any other reason.
Processes and procedures should be communicated within the organization for adherence and enforcement and
regularly reviewed (at least annually).
Separation of duties should be established and implemented between development/test and production
environments. With this control, a developer may use an administrator-level account with elevated privileges in
the development environment and a separate account with user-level access to the production environment. In
addition, appropriate levels of logs should be gathered from the production systems for further monitoring and
analysis via security operations.
These operations should be managed using split knowledge and dual control where key management operations
are used.
Administrators should be allowed to log in as themselves and elevate privilege by systematically requesting a
new role assignment to obtain the rights they need to perform tasks. This can be accomplished by establishing
temporary, time-bound privileged access for both on-premises and cloud-based infrastructure. The duration of
approval validity should be automatically limited. Only authorized users/roles should be pre-approved to request
elevation of privileged access.
The privileged access roles and rights should be reviewed periodically. Additionally, all the privilege access
rights should be assigned based on multiple approval approaches (i.e., system owner, manager of user, etc.).
All privileged accounts and elevation of privileges should be monitored for suspicious activity, such as login
failures or attempts to escalate permissions using a security information and event management (SIEM) solution.
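The following Python sketch (added example, not CCM or CSA code) models the time-bound elevation process described above: a user logs in as themselves and requests a privileged role, the request is honored only if the user is pre-approved for that role, the validity window is capped automatically, two distinct approvers (never the requester) must approve before the role takes effect, and the role lapses on its own once the window expires. Every request, approval, and denial is recorded for the periodic review of privileged roles. The eligibility table, the four-hour ceiling, and the two-approval rule are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ELEVATION = timedelta(hours=4)   # assumed organizational ceiling on a single grant
REQUIRED_APPROVALS = 2               # e.g., system owner and the requester's manager

# Constructed pre-approval list: which users may request which privileged roles.
ELIGIBLE = {
    "alice": {"prod-db-admin"},
    "bob": {"prod-db-admin", "k8s-cluster-admin"},
}

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # fixed clock for the demonstration


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class Grant:
    requester: str
    role: str
    expires_at: datetime
    approvals: set = field(default_factory=set)

    def is_active(self, now: datetime) -> bool:
        """A grant confers the role only once fully approved and only until it expires."""
        return len(self.approvals) >= REQUIRED_APPROVALS and now < self.expires_at


class ElevationBroker:
    def __init__(self):
        self.grants = []
        self.audit = []   # (event, actor, role, detail) for every request, approval, denial

    def request(self, requester: str, role: str, duration: timedelta, now: datetime) -> Grant:
        if role not in ELIGIBLE.get(requester, set()):
            self.audit.append(("denied", requester, role, "not pre-approved for role"))
            raise PermissionError(f"{requester} is not pre-approved to request {role}")
        duration = min(duration, MAX_ELEVATION)        # validity is limited automatically
        grant = Grant(requester, role, now + duration)
        self.grants.append(grant)
        self.audit.append(("requested", requester, role, grant.expires_at.isoformat()))
        return grant

    def approve(self, grant: Grant, approver: str) -> None:
        if approver == grant.requester:
            self.audit.append(("denied", approver, grant.role, "self-approval"))
            raise PermissionError("requester cannot approve their own elevation")
        grant.approvals.add(approver)
        self.audit.append(("approved", approver, grant.role, grant.requester))

    def effective_roles(self, user: str, now: datetime) -> set:
        """Roles the user holds right now: fully approved and not yet expired."""
        return {g.role for g in self.grants if g.requester == user and g.is_active(now)}


if __name__ == "__main__":
    broker = ElevationBroker()
    grant = broker.request("alice", "prod-db-admin", hours(8), T0)   # capped to 4h
    broker.approve(grant, "sysowner")
    broker.approve(grant, "manager")
    print(broker.effective_roles("alice", T0 + hours(1)))   # {'prod-db-admin'}
    print(broker.effective_roles("alice", T0 + hours(5)))   # set()
```

The same shape maps onto cloud-native mechanisms (assumed-role sessions with a maximum session duration, PIM-style eligible assignments) where the broker's state lives in the identity provider rather than in process memory.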
All users should be assigned a unique ID before allowing access to system components or applications.
Allocating a unique ID to each person with access ensures each individual is uniquely accountable for their
actions. When such accountability occurs, actions taken on critical data and systems can be traced to known,
authorized users and processes.
The organization should have a process to detect any creation of non-individual accounts in any
infrastructure/application (either in the cloud or on-premises).
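As an added example (not CCM or CSA code) of the identity registry and access-review process described earlier, including the detection of non-individual accounts, the Python below reconciles a constructed registry of (identity, asset, access type) grants against an HR feed, a service-account register, and a role-to-asset entitlement model. It flags grants held by leavers, identities unknown to HR, access that no longer matches the person's current role, and service accounts with no registered or active owner; the first three go straight to a revocation list. All tables, the `svc-` naming convention, and the role model are assumptions.

```python
# Constructed identity registry: one row per (identity, asset, access type) grant.
REGISTRY = [
    {"identity": "alice", "asset": "prod-db", "access": "privileged"},
    {"identity": "bob", "asset": "crm", "access": "business"},
    {"identity": "carol", "asset": "prod-db", "access": "business"},
    {"identity": "dave", "asset": "finance-ledger", "access": "privileged"},
    {"identity": "svc-backup", "asset": "prod-db", "access": "system"},
    {"identity": "svc-mystery", "asset": "crm", "access": "system"},
    {"identity": "ghost", "asset": "crm", "access": "business"},
]

# Constructed HR feed (source of truth for people) and service-account register.
HR_ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "active", "role": "sales"},
    "carol": {"status": "terminated", "role": "dba"},
    "dave": {"status": "active", "role": "sre"},     # moved from finance to SRE last quarter
}
SERVICE_ACCOUNTS = {
    "svc-backup": {"owner": "alice", "asset": "prod-db"},
}
# Assets each job role is entitled to (assumed role model).
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db"},
    "sales": {"crm"},
    "finance": {"finance-ledger"},
    "sre": {"prod-db"},
}

REVOKE_REASONS = {"leaver", "unknown-identity", "role-mismatch"}


def reconcile(registry: list, roster: dict, service_accounts: dict, entitlements: dict) -> list:
    """Compare every grant against HR and the service-account register.
    Returns (identity, asset, reason) triples needing revocation or ownership follow-up."""
    findings = []
    for grant in registry:
        ident, asset = grant["identity"], grant["asset"]
        if grant["access"] == "system" or ident.startswith("svc-"):
            # Non-individual account: must be registered with an active human owner
            # and must not have spread beyond the asset it was registered for.
            reg = service_accounts.get(ident)
            if reg is None:
                findings.append((ident, asset, "unregistered-service-account"))
            elif roster.get(reg["owner"], {}).get("status") != "active":
                findings.append((ident, asset, "service-account-owner-inactive"))
            elif reg["asset"] != asset:
                findings.append((ident, asset, "service-account-scope-mismatch"))
            continue
        person = roster.get(ident)
        if person is None:
            findings.append((ident, asset, "unknown-identity"))
        elif person["status"] != "active":
            findings.append((ident, asset, "leaver"))
        elif asset not in entitlements.get(person["role"], set()):
            findings.append((ident, asset, "role-mismatch"))
    return findings


def revocation_list(findings: list) -> list:
    """Grants to remove immediately; ownership problems go to a review queue instead."""
    return sorted((i, a) for i, a, r in findings if r in REVOKE_REASONS)


if __name__ == "__main__":
    found = reconcile(REGISTRY, HR_ROSTER, SERVICE_ACCOUNTS, ROLE_ENTITLEMENTS)
    for identity, asset, reason in found:
        print(f"{reason:32} {identity:12} {asset}")
    print("revoke:", revocation_list(found))
```

Running this on every HR change event, rather than only at the periodic review, is what turns the review into the automatic deprovisioning the guidance asks for.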
All individual, non-console administrative access and remote access to the systems and applications should be
secured using multi-factor authentication. Multi-factor authentication should contain a minimum of two of the
three authentication methods:
a. Something you know, such as a password or passphrase.
b. Something you have, such as a token device, smart card, or digital certificate*.
c. Something you are, such as a biometric.
* Note: a digital certificate is a valid option for "something you have" as long as it is unique to a particular user.
The organization should adopt the following guidelines for the secure management of passwords:
• Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a
network system.
• All non-console administrative access should be encrypted using strong cryptography.
• Using strong cryptography, all authentication credentials (such as passwords or phrases) should be rendered
unreadable during transmission and storage on all system components.
• Verify user identity before modifying any authentication credential (i.e., performing password resets,
provisioning new tokens, or generating new keys).
• Passwords/passphrases should meet industry best-practice criteria for length and complexity, or have strength
at least equivalent to those criteria.
• Change user passwords/passphrases per the organization password standard.
• Limit password reuse per the organization password standard.
• Set passwords/passphrases for first-time use and upon reset to a unique value for each user and change
immediately after the first use.
Document and communicate authentication policies and procedures to all users, including the following concepts:
a. Guidance on selecting strong authentication credentials.
b. Guidance for how users should protect their authentication credentials.
c. Generic user IDs are disabled or removed.
d. Shared user IDs do not exist for system administration and other critical functions.
e. Shared and generic user IDs are not used to administer any system components.
Guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess
passwords that do not contain:
a. Dictionary words.
b. Information about the user (such as the user ID).
c. Names of family members, date of birth, etc.
Guidance for protecting authentication credentials may include not writing down passwords or saving them in
insecure files, and being alert to malicious individuals who may attempt to obtain their passwords (see the NIST
SP 800-53 identification and authentication controls for details).
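As an added example (not from the CCM or any CSA tool) of the password-management bullets and the password-selection guidance above, the Python below keeps credentials unreadable at rest with a salted, memory-hard scrypt hash, compares digests in constant time, issues a unique one-time value at provisioning that must be changed after first use, verifies the current password before any credential change, rejects passwords that contain the user ID or a dictionary word, and enforces a reuse limit against the last four hashes. The word list, the minimum length of 12, and the history depth of 4 are assumptions; a real deployment would check candidates against a breached-password list as well.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed sample word list; a real deployment checks against a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "qwerty", "letmein"}
HISTORY_DEPTH = 4      # assumed organizational reuse limit
MIN_LENGTH = 12        # assumed organizational minimum


def check_password_policy(user_id: str, password: str, min_len: int = MIN_LENGTH) -> list:
    """Return the list of policy violations (empty if the password is acceptable)."""
    problems = []
    low = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if user_id.lower() in low:
        problems.append("contains the user ID")
    for word in sorted(DICTIONARY):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard, salted hash so stored credentials stay unreadable if the store leaks."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


@dataclass
class Record:
    salt: bytes
    digest: bytes
    must_change: bool                              # set for first-use and reset values
    history: list = field(default_factory=list)    # recent (salt, digest) pairs, newest last


class CredentialStore:
    def __init__(self):
        self._records = {}

    def _store(self, user_id: str, password: str, must_change: bool) -> None:
        salt = os.urandom(16)                      # fresh salt per credential
        digest = hash_password(password, salt)
        prev = self._records.get(user_id)
        history = (prev.history if prev else []) + [(salt, digest)]
        self._records[user_id] = Record(salt, digest, must_change, history[-HISTORY_DEPTH:])

    def set_initial_password(self, user_id: str) -> str:
        """Provision a unique one-time value; the user must change it after first use."""
        temp = secrets.token_urlsafe(16)
        self._store(user_id, temp, must_change=True)
        return temp

    def verify(self, user_id: str, password: str) -> tuple:
        """Return (authenticated, must_change). Unknown users still cost one hash."""
        rec = self._records.get(user_id)
        if rec is None:
            hash_password(password, b"\0" * 16)    # keep timing similar for unknown IDs
            return (False, False)
        ok = hmac.compare_digest(hash_password(password, rec.salt), rec.digest)
        return (ok, ok and rec.must_change)

    def change_password(self, user_id: str, current: str, new: str) -> list:
        """Verify identity before modifying the credential; enforce policy and reuse limit."""
        ok, _ = self.verify(user_id, current)
        if not ok:
            return ["current password incorrect"]
        problems = check_password_policy(user_id, new)
        if problems:
            return problems
        for salt, digest in self._records[user_id].history:
            if hmac.compare_digest(hash_password(new, salt), digest):
                return ["reuses a recent password"]
        self._store(user_id, new, must_change=False)
        return []
```

Resets by a help desk would follow the same path as `set_initial_password` (a unique value with `must_change` set), after the requester's identity has been verified out of band.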
The information system should require approvals for authorizations to access the system resources and follow
communicated and approved applicable policies.
The organization should adopt multiple authorization concepts (i.e., user manager, system/information owner).
The organization should perform security testing of the APIs and mechanisms that implement its interoperability
and portability policies and procedures. These APIs should support interoperability between components and
facilitate the secure migration of applications and data between environments. API documentation should be
kept current and provided to customers alongside new API versions. Furthermore, security issues should be
considered during development and updates.
Evidence of executed and planned security tests upon all interoperability and portability systems should be
provided per contractual agreements or upon request.
Cloud service providers should maximize resource utilization and optimize resource allocation to ensure adequate
performance is delivered in line with the promised capacity.
Cloud service consumers should specify performance and resource requirements in line with the business
objectives.
Network communications justified by the business should be allowed, encrypted, and require authorization.
Conversely, unjustified network communications should be disallowed.
Implement anti-malware, file integrity monitoring, and logging, and use hardware-rooted trust (for example,
measured boot anchored in a trusted platform module or, for virtual machines, a virtual TPM (vTPM)).
Whenever possible, organizations should use minimalistic, container-specific host operating systems (OSs), with
all other services and functionality disabled—and with read-only file systems and other hardening practices
employed to reduce attack surfaces.
a. Hosts that run containers should only run containers and not other apps—such as web servers or databases—
outside of containers.
b. Hosts that run containers should be continuously scanned for vulnerabilities and updated promptly.
c. The host OS should not run unnecessary system services.
d. Access to the container host should be based on the need-to-know and least privilege principles.
e. File integrity monitoring and host intrusion detection should be leveraged for containers.
Separation of the environments may include:
• Stateful inspection firewalls
• Domain/realm authentication sources
• Clear segregation of duties for personnel accessing these environments as part of their job duties
Apply sanitization routines on data before loading into non-production, and define environmental boundaries.
Production workloads should be isolated from the lower environments (e.g., development, testing) when possible.
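The following Python example (added here; not CCM or CSA code) shows the kind of sanitization routine that the guidance on non-production copies calls for, both in the data-privacy section earlier (risk analysis, then anonymization or pseudonymization) and in the sentence above: customer identifiers are replaced with keyed HMAC pseudonyms so that rows for the same customer stay linkable across tables without exposing the real value, dates of birth are generalized to the year, and free-text notes are scrubbed of phone numbers and email addresses while analytic fields are kept. The rows, field names, and generalization rule are constructed assumptions; the HMAC key stays with the production data owner and is never shipped with the copy.

```python
import hashlib
import hmac
import re
import secrets

# Constructed production extract; not real customer data. The same customer appears twice
# so that referential integrity across rows can be checked after pseudonymization.
PRODUCTION_ROWS = [
    {"customer_id": "C-1001", "email": "ada@example.com", "dob": "1985-04-12",
     "balance": 1250.50, "notes": "Called from +1-555-0100 about invoice 88"},
    {"customer_id": "C-1002", "email": "bob@example.org", "dob": "1990-11-30",
     "balance": 87.00, "notes": "VIP"},
    {"customer_id": "C-1001", "email": "ada@example.com", "dob": "1985-04-12",
     "balance": 1300.00, "notes": "Follow-up, reach ada@example.com"},
]

PHONE = re.compile(r"\+?\d[\d\s-]{6,}\d")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize(value: str, key: bytes, domain: str) -> str:
    """Keyed, consistent pseudonym: same input gives the same token, but the token cannot be
    reversed without the key. The domain tag keeps different fields from colliding."""
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"P-{mac[:16]}"


def generalize_dob(dob: str) -> str:
    """Anonymize a date of birth by keeping only the year (assumed acceptable for analytics)."""
    return dob[:4]


def redact_free_text(text: str) -> str:
    """Strip email addresses and phone numbers from unstructured notes."""
    text = EMAIL.sub("[EMAIL]", text)
    return PHONE.sub("[PHONE]", text)


def sanitize_rows(rows: list, key: bytes) -> list:
    """Produce the non-production copy: pseudonymized identifiers, generalized DOB,
    redacted notes; numeric analytic values are retained unchanged."""
    out = []
    for r in rows:
        out.append({
            "customer_id": pseudonymize(r["customer_id"], key, "customer_id"),
            "email": pseudonymize(r["email"], key, "email"),
            "dob": generalize_dob(r["dob"]),
            "balance": r["balance"],
            "notes": redact_free_text(r["notes"]),
        })
    return out


if __name__ == "__main__":
    # The key is generated and kept on the production side only.
    key = secrets.token_bytes(32)
    for row in sanitize_rows(PRODUCTION_ROWS, key):
        print(row)
```

Because the pseudonym is an HMAC rather than a plain hash, an attacker with the non-production copy cannot confirm guesses ("is this token C-1001?") without the key, which is the property that distinguishes pseudonymization from simply hashing identifiers.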
Workloads between tenants and business lines should be segmented per the least privilege concept to reduce the
attack surface. In addition, workload tagging, resource names, and identification should be used for workloads.
Secure communication—when migrating physical servers, services, applications, or data to virtualized
environments—could use a combination of confidentiality, integrity, authentication, source authentication,
authorization, and non-repudiation.
A secure channel can be established at different network layers, and the layer chosen determines what is
protected: TLS and SSH protect individual application sessions above the transport layer; IPsec protects all IP
traffic between two endpoints or gateways at the network layer; and link-layer encryption such as MACsec (IEEE
802.1AE) protects a single physical segment. SSL (all versions) and PPTP are deprecated and should not be used,
and ICMP and ARP are not secure transport protocols at all: they provide no confidentiality or integrity and should
not be relied on for protected transmission.
Only current versions of these protocols should be used (e.g., TLS 1.2 or later), with deprecated versions
disabled. Furthermore, expose services only on ports that carry an encrypted protocol (e.g., TCP/443 for HTTPS)
and disable their plaintext counterparts.
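The following Python example (added here, not CCM or CSA code) shows the client-side secure-channel configuration the passage asks for, using the standard-library `ssl` module: a hardened context that never negotiates below TLS 1.2, requires and verifies the server certificate, checks the hostname, and disables TLS compression, beside the weak configuration the guidance warns against, and an audit function that reports which of those properties a given context lacks. The checks mirror the guidance above; the property names are those of Python's `ssl.SSLContext`.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses deprecated protocol versions and unauthenticated peers."""
    ctx = ssl.create_default_context()             # system CA store, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3, TLS 1.0 and TLS 1.1 are never offered
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME-style attacks
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration the guidance warns against; shown for comparison only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, so the channel can be intercepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of baseline violations for a context; empty means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a peer certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("legacy:  ", audit_context(legacy_client_context()))
```

The hardened context is what you would pass to `ssl.SSLContext.wrap_socket` or to an HTTP client; the audit function is the kind of check a configuration test can run against every context an application constructs, so a developer cannot quietly reintroduce `CERT_NONE`.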
The documents or diagrams should include, but are not limited to, the details below:
a. Architecture diagrams, security zone descriptions, and related policies
b. All components (physical, logical)
c. Hypervisors, workloads, hosts, and networks (physical, virtual), etc.
d. Physical site details for each workload
e. Traffic flow between various components
f. All communication channels, including out-of-band communication channels
g. Defined roles and responsibilities
h. Security zones, workloads on each host, security levels for the workloads, etc.
i. Identify and document dependencies between the different environments and how they impact the risk
assessment.
Vulnerabilities that exist in a physical environment also apply in a virtual environment: configuration flaws or
vulnerabilities in applications, firewalls, or networks remain exploitable when virtualized. Defense-in-depth
techniques should be applied across physical, logical, and administrative controls.
Logging and monitoring policies and procedures should capture the following events:
a. Individual user accesses to systems.
b. Actions taken by any individual with root or administrative privileges.
c. Access to all audit logs (which should itself be restricted based on need-to-know and least privilege
principles).
d. Invalid access attempts.
e. Changes, additions, or deletions to accounts with root or administrative privileges.
f. Use of and changes to identification and authentication mechanisms, including elevation of privilege.
g. Initializing, stopping, or pausing of the audit logs.
h. Creation and deletion of system-level objects.
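As an added example (not from the CCM or any CSA tool) of capturing the event categories listed above, and of the SIEM-style monitoring of privileged accounts called for in the privileged-access guidance earlier, the Python below parses a constructed Linux auth-log excerpt into categorized events (user access, privileged action via sudo, invalid access attempts, administrative group changes, and the audit daemon stopping) and raises alerts for repeated failed logins from one source, additions to an administrative group, and the audit log being stopped. The log lines, the threshold of three failures, and the patterns are assumptions for this demonstration.

```python
import re
from collections import Counter

# Constructed Linux auth-log excerpt in syslog format; not real log data.
LOG_LINES = """\
Mar 10 09:00:01 web1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52211 ssh2
Mar 10 09:00:15 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:01:02 web1 sshd[1210]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 10 09:01:04 web1 sshd[1210]: Failed password for root from 203.0.113.9 port 41001 ssh2
Mar 10 09:01:06 web1 sshd[1210]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar 10 09:02:00 web1 usermod[1300]: add 'mallory' to group 'sudo'
Mar 10 09:02:30 web1 auditd[800]: The audit daemon is exiting.
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# (category, pattern) tested in order; the first match decides the category.
RULES = [
    ("user_access",          re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("invalid_access",       re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("privileged_action",    re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("admin_account_change", re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>sudo|wheel|admin)'")),
    ("audit_log_stopped",    re.compile(r"audit daemon is exiting")),
]

BRUTE_FORCE_THRESHOLD = 3   # assumed tuning value


def parse(lines: str) -> list:
    """Turn raw lines into event dicts with a category; unmatched lines are kept as 'other'."""
    events = []
    for line in lines.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        event = {"ts": m["ts"], "host": m["host"], "prog": m["prog"], "category": "other"}
        for category, rule in RULES:
            r = rule.search(m["msg"])
            if r:
                event["category"] = category
                event.update(r.groupdict())
                break
        events.append(event)
    return events


def summary(events: list) -> dict:
    """Count events per category (the 'other' bucket is left out of the summary)."""
    return dict(Counter(e["category"] for e in events if e["category"] != "other"))


def alerts(events: list) -> list:
    """Alert on repeated invalid access, admin-group changes, and the audit log stopping."""
    out = []
    failures = Counter((e["user"], e["src"]) for e in events if e["category"] == "invalid_access")
    for (user, src), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            out.append(f"brute-force: {n} failed logins for {user} from {src}")
    for e in events:
        if e["category"] == "admin_account_change":
            out.append(f"privilege change: {e['user']} added to group {e['group']} on {e['host']}")
        elif e["category"] == "audit_log_stopped":
            out.append(f"audit log stopped on {e['host']} at {e['ts']}")
    return out


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(summary(evs))
    for a in alerts(evs):
        print("ALERT:", a)
```

Privileged actions are categorized and retained rather than alerted on, since every sudo invocation would otherwise page someone; in a SIEM they would feed a baseline (which users run which commands as root) against which anomalies are detected.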
Log protection methodology should be applied in adherence to any applicable legal, statutory or regulatory
compliance obligations. In the absence of those requirements, they should adhere to any standards established as
appropriate for the business.
Implementation of application security monitoring should include the following components:
a. Generation of alerts from metrics indicating risks beyond established thresholds.
b. Categorization of risks based on business impact analysis and prioritized monitoring of high-impact risks.
c. Consideration of automation capabilities (when applicable) to streamline application security monitoring.
d. Reporting and/or dashboard to provide real-time visibility to security and business stakeholders on application
security statuses.
e. Periodic review of monitoring capabilities and processes by a combined group of security, IT, and business
stakeholders.
Audit logs should track access to aid in the detection of suspicious activity and contain sufficient data to support
investigative needs for security breaches.
Access to all audit logs should be restricted based on need-to-know and least privilege principles. Additionally,
monitor all relevant actions taken. In the case of unintended or unauthorized actions, alerts should occur.
Failure response capabilities should be in place. Also, consider infrastructure layers (e.g., network, container
orchestration, hypervisor, endpoint, control plane, and data plane).
Potential implementation guidance can be derived from the NIST Internet Time Servers overview (see
https://tf.nist.gov/tf-cgi/servers.cgi).
Access to audit records should be granted based on a least-privilege basis and only to authorized individuals.
Changes to logs, including deletions, should be tracked and approved by authorized individuals. Logs should be
backed up per organizational policies.
Compliance breaches and deviations from standard operations should be reported as defined in the organization’s
incident management process (as outlined in SEF-01). In addition, file-integrity monitoring or change-detection
software should be used to prevent changes in existing log data.
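Change detection on existing log data can be built into the records themselves. The following added example (not part of the CCM text) keeps each record's HMAC over the previous record's HMAC, so modifying or deleting an earlier record breaks the chain, and a checkpoint held by the collector exposes truncation of the tail; the key, messages and checkpoint handling are assumptions for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed demo key. In practice the key is held by the FIM/log collector (or an
# HSM), not on the host whose logs it protects; a plain hash chain without a key
# could be recomputed by anyone who gains write access to the log file.
FIM_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # "previous MAC" of the first record

# Constructed sample messages.
SAMPLE_MESSAGES: List[str] = [
    "09:12:01 sshd: Accepted publickey for alice from 10.0.0.5",
    "09:12:40 sudo: alice USER=root COMMAND=/usr/bin/systemctl restart nginx",
    "09:14:10 usermod: add 'bob' to group 'sudo'",
    "09:16:22 auditd: audit daemon is stopping",
]


def _mac(prev: str, message: str, key: bytes) -> str:
    return hmac.new(key, (prev + "\n" + message).encode(), hashlib.sha256).hexdigest()


def append_record(chain: List[Dict[str, str]], message: str, key: bytes = FIM_KEY) -> Dict[str, str]:
    """Append one record whose MAC also covers the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"prev": prev, "msg": message, "mac": _mac(prev, message, key)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict[str, str]], key: bytes = FIM_KEY,
                 checkpoint: Optional[str] = None) -> Dict[str, object]:
    """Report records whose MAC or link is wrong, and tail truncation vs. a checkpoint.

    A modified message shows up at its own index; a deleted record shows up at the
    index of the record that followed it (its stored prev no longer matches).
    Truncation of the newest records cannot be seen from the chain alone, so the
    collector periodically stores the latest MAC it has seen and passes it here.
    """
    bad: List[int] = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        link_ok = rec["prev"] == prev
        mac_ok = hmac.compare_digest(_mac(rec["prev"], rec["msg"], key), rec["mac"])
        if not (link_ok and mac_ok):
            bad.append(i)
        prev = rec["mac"]
    truncated = checkpoint is not None and all(rec["mac"] != checkpoint for rec in chain)
    return {"bad_records": bad, "truncated": truncated}


def build_demo_chain() -> List[Dict[str, str]]:
    chain: List[Dict[str, str]] = []
    for msg in SAMPLE_MESSAGES:
        append_record(chain, msg)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    checkpoint = chain[-1]["mac"]
    print("clean:", verify_chain(chain, checkpoint=checkpoint))
    chain[2]["msg"] = "09:14:10 usermod: add 'bob' to group 'users'"  # rewrite history
    print("edited:", verify_chain(chain, checkpoint=checkpoint))
```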
Logging of key lifecycle events should include, but is not limited to, the following events: key generation, key
usage, key storage (including backup), archiving, and key deletion. In addition, only authorized personnel
should have access to key material, and all access attempts should be logged and reviewed.
Document and implement all key-management processes and procedures for cryptographic keys, including:
a. Generation of strong cryptographic keys
b. Secure cryptographic key distribution
c. Secure cryptographic key storage
d. Key revocation after expiry
e. Split knowledge and dual control as needed for manual key management operations
f. Prevention of unauthorized substitution of cryptographic keys
The organization should monitor and log all physical access via the following means:
a. Verifying physical access of individuals when they enter secure areas.
b. Maintaining physical access logs for the facilities
c. Escorting visitors at all times.
d. Reviewing access control logs regularly.
The organization should use either video cameras or access control mechanisms (or both) to monitor individual
physical access to sensitive areas. Review collected data, correlate with other entries, and store the data for at
least three months (unless otherwise restricted by law).
The organization should implement physical and/or logical controls to restrict access to publicly accessible
network jacks. For example, limit physical access to wireless access points, gateways, handheld devices,
networking/communications hardware, and telecommunication lines.
The organization should develop procedures to distinguish between onsite personnel and visitors with an
emphasis on the following considerations:
e. Identifying onsite personnel and visitors (for example, assigning badges)
f. Changing access requirements
g. Revoking or terminating onsite personnel and expired visitor identification
The organization should develop procedures to control physical access for onsite personnel to sensitive areas as
follows:
h. Access should be authorized and based on individual job functions.
i. Access should be revoked immediately upon termination. Furthermore, all physical access mechanisms, such as
keys, access cards, etc., must be returned or disabled.
The organization should define which actions are taken depending on the type of logging and monitoring failure.
Anomalies can include software errors, failures to capture some or all logs, failure to backup audit logs, or
storage exceeded notifications. This guidance should apply to all information system logs.
Organizations must implement a process for the timely detection and reporting of failures of critical security
control systems, such as (but not limited to):
a. Firewalls
b. Intrusion detection systems (IDS)/intrusion prevention systems (IPS)
c. File integrity monitoring (FIM)
d. Anti-virus
e. Physical access controls
f. Logical access controls
g. Audit logging mechanisms
Management-approved policies and procedures for organizations and personnel who manage incidents should
incorporate clearly defined roles and responsibilities—including guidelines on managing the “chain of custody”
for forensic evidence collected from affected systems, devices, cloud services, applications, and personnel. These
policies, procedures, and supporting systems should result in legally admissible evidence.
Policies should require establishing a core, qualified, and standing incident response team that holds the
capability to assess, respond, learn, and communicate appropriately.
Appropriate reporting standards and procedures shall include lessons learned and key performance indicators
(KPIs), which should be defined and implemented for incident response processes and training.
Appropriate information should be shared with affected third parties (including customers) promptly.
Policies and procedures should address personnel involved in the entire incident and event management lifecycle
— which includes prevention, identification, investigation, and resolution—as well as periodic training for this
personnel.
Incident response plans should provide a roadmap for handling incidents involving the organization’s cloud
services and the products and services upon which those services rely. These plans should apply whether those
dependencies are internal (such as IT, operations, support, and legal) or external (suppliers, vendors, partners,
customers, and other third parties).
Periodically test, update, and verify the effectiveness of incident response plans using various event scenarios.
For critical operations, plans should be tested at least annually. Test results should be documented and
communicated—with follow-up action plans developed as appropriate.
Incident response plans should be reconciled with the organization's business continuity and disaster recovery
plans.
Organizations should also test, update, and improve incident response plans after:
a. Significant organizational changes.
b. External supply chain disruptions and natural disasters.
c. Security attacks, particularly those resulting in security breaches.
Organizations should define, implement and monitor metrics associated with events and incidents to detect any
weaknesses in the operational processes or technical controls which support effective incident management.
Metrics may quantify:
a. Volume of events and ratio of events to incidents.
b. Incidents by type, product, department, severity, etc.
c. Timeliness of procedural execution for identification, investigation, and resolution.
d. Variances from documented procedures.
Processes, procedures, and technical measures should be defined and implemented to support the investigation
and evaluation of security-related events that allow the organization to prioritize events by severity and impact.
The objective for these measures is to prioritize the timely analysis of event information and rapid engagement of
the incident response process.
Accurately and promptly report information security breaches to affected, relevant parties through predefined
communication channels, per applicable legal, statutory, and regulatory obligations. Clearly describe the event
which occurred and its result, and identify any required or recommended actions for the affected parties. Where
applicable, notifications should be sent to relevant parties in a timely manner.
Maintain points of contact by establishing liaisons and preparing them for any investigations requiring rapid
engagement with law enforcement.
Document and update security incident contact information regularly. Additionally, processes and responsibilities
should be documented and maintained for information accuracy that reflects organizational changes to internal
operations and external regulatory environments. Personnel sending security notifications should use these
identified contacts.
Cloud service implementations involve a shared security responsibility model (SSRM) between the CSP and the
CSC. Although specific details vary from service to service (e.g., depending on the cloud service model and the
particular implementation), both CSPs and CSCs should have organizational policies and procedures that
delineate how the SSRM should be documented, implemented, managed, communicated, enforced, and audited.
The SSRM must explicitly detail each specific service based on the cloud service model and implementation
specifics. Accordingly, each party in the supply chain must document, implement and manage their SSRM
responsibilities for their specific service. This includes supporting service providers such as infrastructure as a
service (IaaS) providers engaged by primary software as a service (SaaS) CSPs and specialized CSPs (e.g.,
IDaaS, CASB, DDOS/CDN/DNS services) employed by the CSP and/or the CSC.
Shared security responsibility model guidance should include references describing SSRM applicability
throughout the supply chain.
Cloud service implementations involve an SSRM between the CSP and the CSC, which varies from service to
service depending on the cloud service model and the specific implementation. Accordingly, CSPs should
provide comprehensive SSRM guidance to facilitate secure CSC service implementations.
Any CSP control responses should identify control applicability and ownership for their specific service.
a. Cloud service provider-owned: CSP is fully responsible.
b. Cloud service customer-owned: CSC is fully responsible.
c. Third-party outsourced: The CSP has fully outsourced this control to a third party (e.g., a supporting CSP), but
the CSP is fully accountable to the CSC for the third party's performance from a supply chain perspective.
d. Shared CSP and CSC: Both the CSP and CSC have responsibilities (independent or dependent). If the CSP has
partially outsourced control to a third party, that should be noted in the CSP implementation description.
e. Shared CSP and third party: The CSP has partially outsourced control to a third party (e.g., a supporting CSP).
Hence, the CSP and the third party have responsibilities—but the CSC has no responsibilities. The CSP is fully
accountable to the CSC for the third party's performance from a supply-chain perspective.
f. N/A: Not applicable to this specific cloud service offering (no SSRM responsibilities).
Cloud service providers should also describe the following for each control (as appropriate) for its service and the
specific ownership classification:
g. Cloud service provider implementation description: How the CSP meets (or doesn't meet) the controls they are
responsible for, wholly or partially. This should explain why N/A controls are not applicable for the specific
service and describe the extent to which responsibility for particular controls is outsourced to third parties.
h. Cloud service customer responsibilities: A detailed description of CSC security responsibilities for the controls
the customer is responsible for, wholly or partially, with references and external links (as appropriate).
The CSA's Consensus Assessments Initiative Questionnaire (CAIQ) should be used by CSPs to provide SSRM
ownership and guidance to current and prospective CSCs. In cases where the CAIQ has multiple questions
associated with a single control, CSPs should delineate SSRM ownership and describe how they meet their
control requirements at the question level, aligned with the scope of the CSP CAIQ answer.
The CSC should engage with the CSP to address any issues identified as a part of this review, and SSRM changes
should be incorporated into the CSC's implementation plans. In addition, any CSC changes to the finalized SSRM
documentation should be shared with the CSP as enhancement feedback, as appropriate. Following this
communication and any preceding adjustments to the SSRM, CSCs should then implement the finalized SSRM
controls and test the controls to validate the proper operation of CSC security controls (including CSP integration
where there are dependencies). This implementation and testing should occur during production readiness
assessments and transitions.
Both the CSP and CSC should implement the finalized SSRM and then thoroughly document and test it to
validate proper operation of security control implementations—including integration testing where there are
interdependencies. Once implemented, both the CSP and CSC should operate, monitor and audit, and/or assess
their service performance according to the finalized SSRM and remain engaged with their supply chain and
customers to understand, implement and manage SSRM changes over time.
Particular areas that require proactive supply chain SSRM engagement with corresponding levels of (secure)
transparency include:
a. Incident and vulnerability management
b. Change and configuration management
c. Periodic SSRM-aligned audit reviews and security assessments with appropriate risk management
Both the CSP and CSC should develop, manage and maintain a comprehensive inventory of all supply chain
relationships (i.e., third-party product and service providers) involved in implementing, operating, and securing
their respective cloud service implementations. This process should include assembling, tracking, and
maintaining key organizational roles, contracts, contacts, and risk-related information about each third party in
the supply chain regularly (and when significant changes occur) to facilitate supply chain risk management
practices.
Both the CSP and CSC should follow applicable local and international third-party risk management (TPRM)
best practices in managing supply chain risks, including periodic reviews of organizational and technical risk
factors, contract requirements, environmental changes, and security incident response capabilities for all supply
chain organizations. There may also be applicable regulatory requirements and standards to consider.
Service agreement content should include, but is not limited to the following:
a. Scope, characteristics, and location of the business relationship and services offered (e.g., service level agreements;
customer (tenant) data acquisition, exchange, and usage, including data processing restrictions, feature sets, and
functionality; personnel and infrastructure components and supporting services for service delivery and support;
roles and responsibilities of the provider and customer (tenant) and any subcontractor or outsourced business
relationships; geographical location of hosted data, backups, and services; and any known regulatory compliance
considerations). Refer to STA-08 for CSP management of supply chain applicability (relevant control domains
include particularly DSP, BCR, and HRS).
b. Information security requirements (including SSRM): provider and customer (tenant) primary points of contact
for the duration of the business relationship, and references to detailed supporting and relevant business
processes, acceptable use policies and technical measures implemented to enable effective governance, risk
management, assurance and legal, statutory and regulatory compliance obligations by all impacted business
relationships, including legal obligations of the CSP to allow government access to customer data. Relevant
control domains include particularly DSP, GRM.
c. Change management process: Notification and/or pre-authorization of any changes controlled by the provider
with customer (tenant) impacts.
d. Monitoring capabilities and controls implemented by the cloud service provider and made available to the
cloud customer so as to monitor aspects of the cloud service for which the cloud customer is responsible.
e. Incident management and communication procedures: Timely notification of a security incident (or confirmed
breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted
supply chain) complying with SEF’s domain control requirements.
f. Right to audit and third party assessment: Assessment and independent verification of compliance with
agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent
forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed.
g. Service termination: Expiration of the business relationship and treatment of customer (tenant) data impacted.
h. Interoperability and portability requirements: Customer (tenant) service-to-service application (API) and data
interoperability and portability requirements for application development and information exchange, usage, and
integrity persistence.
i. Data Privacy (refer to DSP domain)
Reviews should include activities to identify non-conformance with contractual requirements and SLAs for
services a CSP provides. If non-conformance issues are identified, the parties involved should negotiate and
remediate the problems.
The scope of assessments should include STA-related policies and procedures while validating adherence to STA
controls and SLA requirements. Applicability includes assessing conformance and effectiveness across the supply
chain, including the total cloud service technology stack (as appropriate).
Refer to A&A-02.
Contracts throughout the supply chain should include requirements for all third- and fourth-party service
providers and personnel with access to CSP and/or CSC systems and information.
Personnel policies should include employment agreements inclusive of information security requirements,
security awareness training, and insider risk management.
Reviews should validate alignment with applicable industry standards as well as service and contract
requirements.
Assessments should validate alignment with applicable industry standards as well as service and contract
requirements.
A policy on threat and vulnerability management (TVM) should be established that includes the intent, purpose,
and governance of how a CSP or CSC must address threats and vulnerabilities for their respective scope under
the SSRM.
Organizations should centrally manage malware protection mechanisms, including planning, implementing,
assessing, authorizing, and monitoring organizational-defined malware protection security controls. This process
will help to cohesively address malware within predefined timeframes.
Threat and vulnerability management policy should include the ability to address malware as a specific threat
element. This should provide the organization with a guideline to handle malware using appropriate tools,
relevant automation, and operational frameworks to meet their risk tolerance.
A full remediation schedule should be considered. The schedule should classify and prioritize vulnerabilities in
order of their severity and threat to the environment, aligned to the expectations of TVM Policy.
Vulnerability remediation schedules should be approved and communicated to all relevant stakeholders (and
included in SLAs).
A rolling schedule of detection, reporting, and mitigation should be established so that all actions to address
threats and non-conformance are performed on time and reported to the integrated TVM system for monitoring
and oversight. In addition, where applicable, implement automation so that threats and non-conformance are
mitigated on time.
Where a CSC or a CSP uses third-party or open-source libraries, these should be tracked, scanned, and reported on
in the integrated TVM system. Installed or used packages, libraries and/or runtimes that are part of their solution
with their running version should be included. TVM scans can be performed automatically and the findings
should be promptly reported to the integrated TVM system. This activity should be monitored to avoid
operational gaps.
The organization should leverage global threat intelligence about threat signatures and vulnerability databases
that may contain indicators of attack and compromise. It should also consider implementing automated and
recurring processes so that human errors can be avoided.
A formal schedule of red team exercises interspersed with risk assessments, remediation, and penetration testing
aligned to the applicable service model (IaaS, PaaS, SaaS, and XaaS) should be established. Penetration testing
should comply with all applicable laws and regulations.
A written and signed authorization should be obtained and verified before and after services are rendered.
Penetration test schedules should be published on the integrated TVM system to ensure tactics, techniques, and
test procedures adhere to documented policies.
The integrated TVM system should track vulnerabilities to closure and report them to build oversight of residual
risks. Furthermore, the system should retain information that can be reused in future remediation activities.
Organizations should consider establishing an external-facing vulnerability disclosure program to allow external
parties to communicate detected vulnerabilities.
Vulnerabilities should be prioritized in terms of their relative risk, importance, organizational impact, and
urgency. When evaluating impact, consider exposure levels to applicable threats from the organization’s specific
usage and/or implementation. When evaluating importance, consider the criticality and value of the affected
assets. Finally, when assessing urgency, consider the Common Vulnerability Scoring System (CVSS) ratings and
timeframes, the relevance to current and ongoing threats, and the effort required for remediation.
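The prioritization above combines several factors, and the resulting order can differ sharply from raw CVSS order. The following added example (not from the CCM) scores constructed findings using CVSS, exposure, asset criticality, active exploitation and remediation effort, then maps each to a priority tier and remediation timeframe; the weights, thresholds and timeframes are assumptions an organization would set in its own TVM policy.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed weights and SLA timeframes (assumptions for this example).
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}       # exposure to applicable threats
CRITICALITY_FACTOR = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}  # value of the affected asset
ACTIVE_EXPLOITATION_MULTIPLIER = 1.5   # relevance to current and ongoing threats
EFFORT_RANK = {"low": 0, "medium": 1, "high": 2}  # remediation effort, tie-breaker within a score
REMEDIATION_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}  # timeframe per tier


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    cvss: float            # CVSS base score, 0.0-10.0
    exposure: str          # "internet" | "internal" | "isolated"
    criticality: str       # asset criticality: "critical" | "high" | "medium" | "low"
    exploited_in_wild: bool
    effort: str            # "low" | "medium" | "high"


# Constructed sample findings (asset names and values are made up).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("V-1", "build-server", 9.8, "internal", "medium", False, "low"),
    Finding("V-2", "customer-portal", 7.5, "internet", "critical", True, "medium"),
    Finding("V-3", "marketing-site", 5.3, "internet", "high", False, "low"),
    Finding("V-4", "lab-vm", 9.1, "isolated", "low", False, "high"),
]


def risk_score(f: Finding) -> float:
    """Relative risk: CVSS scaled by exposure and asset value, boosted if actively exploited."""
    score = f.cvss * EXPOSURE_FACTOR[f.exposure] * CRITICALITY_FACTOR[f.criticality]
    if f.exploited_in_wild:
        score *= ACTIVE_EXPLOITATION_MULTIPLIER
    return round(min(score, 10.0), 2)


def priority_tier(score: float) -> str:
    """Map a risk score to a remediation tier (thresholds are assumptions)."""
    if score >= 7.0:
        return "P1"
    if score >= 4.0:
        return "P2"
    if score >= 2.0:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[Dict[str, object]]:
    """Return findings ordered by risk score (desc), lower remediation effort first on ties."""
    rows: List[Dict[str, object]] = []
    for f in findings:
        score = risk_score(f)
        tier = priority_tier(score)
        rows.append({
            "id": f.id, "asset": f.asset, "cvss": f.cvss, "risk_score": score,
            "tier": tier, "due_in_days": REMEDIATION_DAYS[tier], "effort": f.effort,
        })
    rows.sort(key=lambda r: (-float(r["risk_score"]), EFFORT_RANK[str(r["effort"])]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['id']} {row['asset']:16s} cvss={row['cvss']:<4} "
              f"risk={row['risk_score']:<5} {row['tier']} due in {row['due_in_days']} days")
```

Note that V-1 has the highest CVSS but lands in P3 because it is internal on a medium-value asset, while V-2 is P1 on a lower CVSS because it is internet-facing, business-critical and actively exploited.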
The integrated TVM system should have comprehensive vulnerability tracking capabilities. Capabilities should
include when discoveries were made and remediated, systems impacted, reasons for the delay (where applicable),
and any communications that may have been made to stakeholders.
The integrated TVM system should be used to collect and report metrics about the vulnerability management
program. Metrics should demonstrate the coverage, efficacy, and efficiency of operational TVM activities.
Policies and procedures for both managed and unmanaged endpoints (including BYOD) should include the
following components:
a. Definition of endpoints and the acceptable-use policy requirements for all endpoints (mobile devices, virtual,
desktop, etc.). Note: Physical and virtual servers, containers, and similar "endpoints" are addressed in the DCS
and IVS domains, while application and interface "endpoints" are discussed in the AIS domain.
b. List the approved systems, servers, applications, application stores, application extensions, and plugins that
may be allowed for managed endpoint access and usage and/or enforced through enterprise management tools.
c. Policy and procedures related to installing non-approved applications or approved applications not obtained
through a pre-identified application store.
d. Prohibit the circumvention of vendor-supported and integrated (built-in) security controls on endpoints (i.e.,
jailbreaking or rooting). Enforce these restrictions through detective and preventive controls on the endpoint,
managed through a centralized system (e.g., an endpoint, system configuration control, or mobile device
management system).
e. Policies regarding privacy expectations and requirements for remote location identification, litigation, e-
discovery, and legal holds (especially for personally-owned devices).
f. Policies and procedures related to non-company data loss if a full or partial wipe of a device is required.
g. Performing policy reviews at planned intervals or upon significant organizational or environmental changes.
Policies and procedures should also integrate the following concepts (which may have applicable controls in
other domains to consider):
h. Passcodes, biometric authentication, idle/no-use screen locks, and logouts.
i. The use of anti-malware software.
j. The use of encryption for the entire device or data identified as non-public on all endpoints (enforced through
technology controls).
k. Each endpoint device should be assigned to a named person who is responsible for it. Such devices may be
shared (e.g., in shared work areas), but a single individual should still be assigned responsibility for it.
l. Non-device endpoints should also have "owners" responsible for assessing risks and ensuring appropriate
controls.
m. Endpoints should be vetted for policy compliance before being provisioned for organizational use.
For managed endpoints, universally enforce policies through one or more centralized configuration management
tools.
Use risk assessment to determine what (if any) information or systems may be accessed or stored using
unmanaged endpoints.
The company should have a documented application validation process to test for compatibility issues regarding
mobile devices, operating systems, and applications.
Misconfigured endpoints will not only impact operations but will also introduce attack vectors. Poor
configuration settings could involve open ports, outdated exceptions, insecure protocols allowed, etc. Any
configuration changes once in production should follow change management guidelines (why, what, how) and
require appropriate approvals.
All organizational endpoint systems should be identified and protected. In addition, a policy against the inventory
should be established and documented (including scan type, number of scans, schedule, and
exceptions/exclusions).
An inventory of all mobile devices used to store and access company data should be kept and maintained. Include
all device status changes (i.e., operating system, patch levels, lost/decommissioned status, and to whom the
device is assigned or approved for usage [BYOD]) in the inventory.
A documented list of approved application stores should be defined as acceptable for mobile devices accessing or
storing provider-managed data.
For managed endpoints, universal policy enforcement through one or more centralized configuration management
tools is essential. Note: "Universal" enforcement is not necessarily "unified." Some vendors claim to offer
"unified endpoint management" systems, but none are truly capable of managing all security features of all
endpoint types.
For unmanaged endpoints, guidance should be provided but will not be enforced (by definition).
Based on risk assessment, different configurations may be acceptable for systems access and/or information
storage—resulting in various degrees of endpoint management with different access requirements. These may
include using container technology for sensitive data isolation. For example, an organization that prohibits using
electronic mail for sensitive information may determine that access to company electronic mail using a
personally-owned device requires only limited controls (such as an acceptable passcode, a lock screen, reasonably
up-to-date software, and no circumvention of vendor security controls [such as jailbreaking or rooting]).
The organization should implement this requirement through technical controls for all interactive-use endpoints.
The organization should consider the following points:
a. Changes should be managed strictly and consistently.
b. Formal management responsibilities and procedures should facilitate satisfactory control of all changes to
endpoint operating systems, patch levels, and/or applications, including:
1. The identification and recording of significant changes.
2. The planning and testing of changes.
3. The assessment of the potential impacts (including security impacts) of such changes.
4. The formal approval for proposed changes.
5. The communication of change details to all respective stakeholders.
Fallback procedures and responsibilities should be defined and implemented, including guidelines for aborting
and recovering from unsuccessful changes and unforeseen events.
To minimize data leak risks and protect data stored on the endpoint device, use encryption. Encryption
capabilities could be part of common endpoint solutions such as DLP, endpoint firewalls, and PAM.
Additionally, they could be standalone (e.g., device container technology, file encryption, and full-disk
encryption). The encryption strength should be based on the sensitivity of the data being protected.
Endpoint device policies should use encryption for the entire device or data identified as sensitive on all mobile
devices (potentially using container technology). This policy should be enforced through technology controls.
Organizations should consider the following:
a. Managed endpoints should be protected through anti-malware software, security awareness, appropriate system
access, and change management controls.
b. Organizations should have formal policies and technologies implemented to install and upgrade protective
measures promptly. These measures include installing and regularly updating anti-malware software and virus
definitions (automatically) and whenever updates are available. Additionally, organizations should periodically
review and scan installed software and system data content to identify and remove unauthorized software (when
possible).
c. Wherever possible, organizations should also:
1. Disable universal serial bus (USB) ports.
2. Prohibit writable media use (e.g., DVD-R).
3. Restrict read-only media (e.g., DVD-ROM) to that obtained from legitimate commercial sources for legitimate
business reasons (e.g., Linux installation disks), and allow only whitelisted software to run on the endpoint.
d. Employ anti-malware software that offers a centralized infrastructure that compiles information on file
reputations or has administrators manually push updates to all machines. After updating, automated systems
should verify that each system has received its signature update.
e. Define procedures to respond to the identification of malicious code or unauthorized software. Antivirus or
anti-spyware software should generate audit logs of the checks performed. Malicious-code detection and repair
software should scan computers and media, including:
1. Checking files on electronic or optical media and files received over networks for malicious code
before use.
2. Checking electronic mail attachments and downloads for malicious code or file types that are
unnecessary for organizational business before use. This check occurs at different places (e.g., electronic mail
servers, desktop computers, and when entering the organization’s network).
3. Checking web traffic—such as hypertext markup language (HTML), JavaScript, and hypertext transfer
protocol (HTTP)—for malicious code.
4. Checking removable media (e.g., USB tokens and hard drives, CDs/DVDs, FireWire devices, and
external serial advanced technology attachment devices) when inserted.
f. Have formal policies to prohibit using or installing unauthorized software, including restrictions on obtaining
data and software from external networks. User awareness and training on these policies and methods should be
provided to all users regularly.
g. Bring your own device (BYOD) users should use anti-malware software (where supported).
Endpoint firewalls on all managed endpoints should be properly configured to inspect traffic, apply rules, and
perform behavioral monitoring. These firewalls protect the endpoint from malware and attacks originating from inside
or outside the corporate network. For example, a web application firewall (WAF) should be used to protect web
services from malicious attacks (e.g., structured query language (SQL) injection).
The organization should have a DLP program to discover, monitor, and protect data with regulatory or
compliance implications, in transit and at rest, across network, storage, and endpoint systems.
The DLP solution should monitor and control data flows. Anomalies that exceed normal traffic patterns should be
recorded, and appropriate action should be taken to address them.
The DLP solution should also monitor for sensitive information (e.g., personally identifiable
information), keywords, and metadata in order to discover unauthorized attempts to disclose such data across
network boundaries, block those transfers, and alert information security personnel.
The organization should configure the DLP solution to enforce ACLs even when data is copied off a server.
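The monitoring described above, as an added example that is not part of the CCM or its guidelines: a small Python egress scanner that applies pattern checks (a Luhn-validated payment card match rather than a bare digit run, and a US SSN shape), policy keywords, and classification labels to constructed outbound transfer events, then blocks transfers that cross the network boundary and only alerts on internal ones. The internal address ranges, label names, keywords, and event format are assumptions made for the illustration.

```python
# Added example, not CCM text: a minimal DLP egress scanner for outbound transfer
# events. Network ranges, labels, keywords and the event format are assumptions.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate PAN, confirmed with Luhn
KEYWORDS = ("confidential", "internal only")              # assumed policy keywords
SENSITIVE_LABELS = {"restricted", "pii"}                  # assumed classification metadata


def luhn_valid(candidate: str) -> bool:
    """Luhn check-digit test; filters out order/ticket numbers that merely look like PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    event_id: str
    reasons: list
    crosses_boundary: bool
    action: str                          # "allow", "alert" or "block"


def crosses_boundary(src: str, dst: str) -> bool:
    """True when data leaves an internal range for an address outside every internal range."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in INTERNAL_NETS) and not any(d in n for n in INTERNAL_NETS)


def scan_event(event: dict) -> Finding:
    body = event["content"]
    reasons = []
    if SSN_RE.search(body):
        reasons.append("ssn_pattern")
    pans = [m.group(0) for m in CARD_RE.finditer(body) if luhn_valid(m.group(0))]
    if pans:
        reasons.append(f"payment_card:{len(pans)}")
    hits = [k for k in KEYWORDS if k in body.lower()]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    labels = SENSITIVE_LABELS & set(event.get("labels", ()))
    if labels:
        reasons.append("label:" + ",".join(sorted(labels)))
    leaving = crosses_boundary(event["src"], event["dst"])
    # Sensitive content crossing the boundary is blocked; inside the network it is alerted on.
    action = "allow" if not reasons else ("block" if leaving else "alert")
    return Finding(event["id"], reasons, leaving, action)


def scan_events(events) -> dict:
    return {f.event_id: f for f in map(scan_event, events)}


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"id": "e1", "src": "10.1.2.3", "dst": "203.0.113.10", "labels": [],
     "content": "Customer SSN 123-45-6789 attached for verification"},
    {"id": "e2", "src": "10.1.2.3", "dst": "10.1.5.9", "labels": [],
     "content": "Q3 forecast - CONFIDENTIAL - do not forward"},
    {"id": "e3", "src": "192.168.1.4", "dst": "198.51.100.7", "labels": [],
     "content": "Order paid with card 4111 1111 1111 1111, ship today"},
    {"id": "e4", "src": "10.0.0.5", "dst": "198.51.100.7", "labels": [],
     "content": "Lunch menu for Friday"},
    {"id": "e5", "src": "10.0.0.5", "dst": "203.0.113.10", "labels": ["pii"],
     "content": "see attached export"},
    {"id": "e6", "src": "10.0.0.5", "dst": "203.0.113.10", "labels": [],
     "content": "Ticket ref 1234 5678 9012 3456 closed"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS).values():
        print(f.event_id, f.action, f.reasons)
```

Event e6 shows why the Luhn test matters: a sixteen-digit ticket reference matches the card regex but fails the check digit, so it is allowed rather than blocked, which keeps the false-positive rate of a boundary-blocking rule tolerable.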
Remote management controls, such as remote data wipe, anti-tampering, and geotracking, should be
implemented for endpoint devices to protect data if a device is lost or stolen.
All mobile devices, whether permitted through the company BYOD program or company-assigned,
should support remote wipe by corporate IT, either of the whole device or of all company-provided data on it.
Define, implement and evaluate processes, procedures, and technical measures to enable the remote deletion of
company data on managed endpoint devices, such as when a device is lost or stolen. Because a full remote wipe is
destructive and returns the device to its factory state, the network administrator or device owner should issue the
command only when warranted.
The organization should perform due diligence before granting third party access to the organization's data or
establishing connectivity (and periodically thereafter, commensurate with the risk level of the third-party
relationship).
Written agreements (contracts) should be maintained and include an acknowledgment that the third party is
responsible for the security of the data it possesses or otherwise stores, processes, or transmits on the
organization’s behalf. In addition, agreements should include requirements to address the information security
risks associated with information and communications technology services (e.g., cloud computing services) and
the product supply chain. These requirements flow down to the third party's relevant subcontractors (i.e., fourth
parties, and so on) throughout the supply chain.
Personnel security requirements should be established and documented—including security roles and
responsibilities for third-party providers coordinated and aligned with internal security roles and responsibilities.
Monitor providers for compliance.
Additionally, the organization should have a screening process for contractors and third-party users. When an
organization supplies contractors, the contract should specify the organization's responsibilities for screening and
the notification procedures to follow if screening has not been completed (or if the results give cause for doubt or
concern). Similarly, third-party agreements should specify all responsibilities and notification procedures for screening.
Third-party providers should notify a designated individual or role (e.g., a member of the contracting or supply
chain function) of any personnel transfers or terminations of third-party personnel who possess organizational
credentials, badges, or have information system privileges.
Mutually agreed-upon provisions and/or terms should be established to satisfy customer (tenant) requirements for
service-to-service application programming interface (API) interoperability, information processing interoperability,
portability for application development and information exchange, usage, and integrity persistence.
CLOUD CONTROLS MATRIX v4.0.6: Control Domains, Control Titles and Control IDs

Business Continuity Management and Operational Resilience
  BCR-01  Business Continuity Management Policy and Procedures
  BCR-02  Risk Assessment and Impact Analysis
  BCR-03  Business Continuity Strategy
  BCR-04  Business Continuity Planning
  BCR-05  Documentation
  BCR-06  Business Continuity Exercises
  BCR-07  Communication
  BCR-08  Backup
  BCR-09  Disaster Response Plan
  BCR-10  Response Plan Exercise
  BCR-11  Equipment Redundancy

Cryptography, Encryption & Key Management
  CEK-01  Encryption and Key Management Policy and Procedures
  CEK-02  CEK Roles and Responsibilities
  CEK-03  Data Encryption
  CEK-04  Encryption Algorithm
  CEK-05  Encryption Change Management
  CEK-06  Encryption Change Cost Benefit Analysis
  CEK-07  Encryption Risk Management
  CEK-08  CSC Key Management Capability
  CEK-09  Encryption and Key Management Audit
  CEK-10  Key Generation
  CEK-11  Key Purpose
  CEK-12  Key Rotation
  CEK-13  Key Revocation
  CEK-14  Key Destruction
  CEK-15  Key Activation
  CEK-16  Key Suspension
  CEK-17  Key Deactivation
  CEK-18  Key Archival
  CEK-19  Key Compromise
  CEK-20  Key Recovery
  CEK-21  Key Inventory Management

Interoperability & Portability
  IPY-02  Application Interface Availability

Infrastructure & Virtualization Security
  IVS-02  Capacity and Resource Planning
  IVS-03  Network Security
  IVS-04  OS Hardening and Base Controls
  IVS-07  Migration to Cloud Environments
  IVS-08  Network Architecture Documentation
  IVS-09  Network Defense

Security Incident Management, E-Discovery, & Cloud Forensics
  SEF-01  Security Incident Management Policy and Procedures
  SEF-02  Service Management Policy and Procedures
  SEF-03  Incident Response Plans
  SEF-04  Incident Response Testing
  SEF-05  Incident Response Metrics
  SEF-06  Event Triage Processes
  SEF-07  Security Breach Notification
  SEF-08  Points of Contact Maintenance

Supply Chain Management, Transparency, and Accountability
  STA-02  SSRM Supply Chain
  STA-03  SSRM Guidance
  STA-04  SSRM Control Ownership
  STA-05  SSRM Documentation Review
  STA-06  SSRM Control Implementation
  STA-07  Supply Chain Inventory
  STA-08  Supply Chain Risk Management
  STA-09  Primary Service and Contractual Agreement
  STA-10  Supply Chain Agreement Review
  STA-11  Internal Compliance Testing
  STA-12  Supply Chain Service Agreement Compliance
  STA-13  Supply Chain Governance Review
  STA-14  Supply Chain Data Security Assessment

Universal Endpoint Management
  UEM-03  Compatibility
  UEM-04  Endpoint Inventory
  UEM-05  Endpoint Management
  UEM-06  Automatic Lock Screen
  UEM-07  Operating Systems
  UEM-08  Storage Encryption
  UEM-09  Anti-Malware Detection and Prevention
  UEM-10  Software Firewall
  UEM-11  Data Loss Prevention
  UEM-12  Remote Locate
  UEM-13  Remote Wipe
  UEM-14  Third-Party Endpoint Security Posture
End of Guidelines
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security
Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used
solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix
v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as
permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix
Version 4.0.6. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact
info@cloudsecurityalliance.org.
Control Specification
Classify and document the physical and logical assets (e.g., applications)
based on the organizational business risk.
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Review supply chain agreements between CSPs and CSCs at least annually.
Auditing Guidelines
1. Examine policy and procedures to confirm content adequacy in terms of purpose, authority and accountability,
responsibilities, planning, communication, reporting, and follow-up.
2. Examine audit charter and determine if independence, impartiality, and objectivity are guaranteed.
3. Examine policy and procedures for evidence of review at least annually.
1. Examine the process to determine standards and regulations applicable to the organization's systems and
environments.
2. Determine if the organization maintains and reviews a list of such standards and regulations.
3. Determine if senior management exercises oversight over the independence of the assessment process.
4. Determine if the audit plan is informed by previous assessments, and is scheduled on an annual basis.
1. Examine the process for determining the risks applicable to the organization's systems and environments.
2. Determine if a list of such risks is maintained and reviewed.
3. Determine if senior management exercises oversight over the applicable risks.
4. Determine if the audit plan is risk-based, and is scheduled on an annual basis.
1. Examine the process for determining the standards and regulations applicable to the organization's systems and
environments.
2. Examine the process to determine contractual, legal, and technical requirements applicable to the organization's
systems and environments.
3. Determine if the organization maintains and reviews a list of relevant standards, regulations, legal/contractual,
and statutory requirements.
4. Determine if senior management exercises oversight over this control specification.
5. Determine if the audit plan is informed by the list of the organization's requirements.
1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
planning, delivery, and support of the organization's application security capabilities.
2. Examine policy and procedures for evidence of review at least annually.
1. Examine policy and procedures for adequacy and effectiveness.
2. Determine if security baseline requirements of respective applications are clearly defined.
3. Examine the process to determine the baseline for an application.
1. Examine policy and procedures for definition of operational metrics, security, and compliance requirements.
1. Examine policy and procedures for definition of SDLC (Software Development Lifecycle), security, and
compliance requirements.
2. Examine the state of implementation of the SDLC process.
3. Verify that the SDLC implementation is in accordance with requirements.
1. Examine policy and procedures for definition of testing strategies, automation of security testing, and change
management.
2. Determine security assurance and acceptance criteria for the new information system(s).
3. Determine if the software release process is automated where applicable.
1. Examine policy and procedures for implementation of application deployment.
2. Determine if segregation of duties (role and responsibilities) is clearly defined among security and application
teams.
3. Determine if the identification and integration process is defined and verified for application deployment
processes.
4. Evaluate the extent of automation deployed, and criteria used.
1. Examine the policy and procedures to remediate application security vulnerabilities and automating
remediation.
2. Evaluate whether roles and responsibilities, including escalation paths for application security incident
response and remediation, are defined and effective.
3. Determine if the organization leverages automation when possible and if this automation increases remediation
efficiency.
1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
business continuity and resilience.
2. Examine policy and procedures for evidence of review at least annually.
1. Examine the policy to determine business impact and the criteria for developing business continuity.
2. Evaluate the process to review and approve the policy.
1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning,
delivery, and support of the organization's application security capabilities.
2. Evaluate if the organization’s operational resilience strategies and capabilities are used as an input for the
policy and implementation.
3. Examine policy and procedures for evidence of review.
1. Examine the process for determining the documentation required to support business continuity and
operational resilience.
2. Examine the process for developing or acquiring such documentation and maintaining its currency.
3. Evaluate the process and implementation of identifying stakeholders and making documentation available.
4. Examine the policy and procedures for evidence of review.
1. Examine the plans for business continuity and operational resilience tests, with reference to their intended
outputs.
2. Examine the schedules of such tests and their periodicity.
3. Evaluate if the plans are tested upon significant changes, or at least annually.
1. Examine the policy for identifying data for which a backup is required.
2. Examine the requirements for the security of such backups.
3. Evaluate the effectiveness of the backup and restore.
1. Examine the policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
a disaster response plan.
2. Examine the policy and procedures for evidence of review, upon significant changes, or at least annually.
1. Examine the policy for planning and scheduling disaster response exercises, and involving local emergency
authorities, if possible.
2. Evaluate if plans are tested upon significant changes, or at least annually.
1. Examine the process to identify business-critical equipment and any redundant equipment.
2. Examine the process to identify applicable industry standards.
3. Evaluate if the redundant business-critical equipment is independently located at a reasonable distance.
1. Examine policy and procedures to determine if they cover necessary parts of change management, including
scope, documentation, testing, approval, and emergency changes.
2. Examine a sample record of changes to information assets, including systems, networks, and network services
to determine if compliance is met with the organization's change management policy and procedures.
3. Examine if the policy and procedures are reviewed and updated at least annually.
1. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), relevant
stakeholders, for change management and determine if the policy control requirements provided in the policy
have been implemented.
2. Examine measures that evaluate the organization's compliance with the change and configuration
management policy and determine if these measures are implemented according to policy control requirements.
1. Examine policy related to the change management of assets.
2. Examine the policy for the identification of risks arising from these changes being applied.
3. Determine if assets are classified based on their management responsibility, and if these have specific risk
profiles.
1. Examine policy and/or procedures related to change management to determine whether provisions are included
for limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests
within service level agreements between CSPs and CSCs.
2. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or
relevant stakeholders, as needed, for change agreements and determine if the policy control requirements
stipulated in the policy have been implemented.
3. Examine measures that evaluate the organization's change agreement policy and determine if these measures
are implemented according to policy control requirements.
1. Examine policy and/or standards related to change management to determine if changes are formally
controlled, documented and enforced to minimize the corruption of information systems.
2. Determine if the introduction of new systems and major changes to existing systems are formally documented,
specified, tested, quality controlled, and the implementation managed.
1. Examine measures that evaluate the organization's compliance with the change management policy and
determine if these measures are implemented according to policy control requirements.
1. Verify that the organization establishes and documents mandatory configuration settings for information
technology products employed within the information system, as determined by adoption of the latest suitable
security configuration baselines.
2. Confirm that the process identifies, documents, and approves exceptions from the mandatory established
configuration settings for individual components based on explicit operational requirements.
3. Determine that the organization monitors and controls changes to the configuration settings in accordance with
organizational policy and procedures.
1. Examine policy and/or procedures related to change management and determine if roll back procedures are
defined and implemented, including procedures and responsibilities for aborting and recovering from
unsuccessful changes and unforeseen events.
2. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s) and/or
relevant stakeholders, as needed to ensure that roll back procedures are defined and implemented and determine if
the policy control requirements stipulated in the policy have been implemented. Select a sample of changes and
examine the change management record to confirm that the change was assessed and included appropriate
fallback procedures in the event of a failed change.
3. Examine measures that evaluate the organization's compliance with the change management policy and
determine if these measures are implemented according to policy control requirements.
4. Obtain and examine supporting documentation maintained as evidence of these metrics, measures, tests, or
audits to determine if the office or individual responsible reviews the information and, if issues were identified,
they were investigated and corrected.
1. Review cryptography, encryption, and key management policy and procedures and confirm that these have
been approved by appropriate management.
2. Confirm that the policy and procedures are reviewed at least annually.
1. Obtain cryptographic, encryption policy, and key management procedures.
2. Verify, by interviews or otherwise, that employees and stakeholders are aware of their roles and
responsibilities, and obtain supporting documentation evidencing that the responsibilities are being managed in-
line with policy and procedures.
1. Obtain a copy of the change management policy and procedures. Confirm that these documents include
assessment of impact on downstream effects, including residual risk, cost, and benefit analysis.
2. Examine recent changes made to cryptography-, encryption-, and key management-related systems (including
policy and procedures), and confirm that these changes include an account of downstream effects of proposed
changes, including residual risk, cost, and benefits analysis.
3. Confirm that the changes have been reviewed and approved by appropriate management.
1. Identify and confirm the existence of the organization's risk assessment process and obtain the risk register.
2. Confirm that the risk register includes as part of a regular process or control review encryption and key
management.
3. Obtain evidence that demonstrates that a risk assessment is performed of the encryption and key management
program and process.
1. Identify the CSC's data key encryption policy and standards.
2. Review the implementation of the CSP key broker and key management services (KMS) and the cloud
hardware security modules (HSMs).
3. Confirm that the configuration enables appropriate management of the key, e.g., customer-managed master
key, CSP-managed master key, and CSP-owned master key.
4. Confirm that HSM meets internal compliance standards, e.g., FIPS 140-2.
1. Examine the master audit plan to confirm that audits of encryption and key management systems, policy and
processes are included in the plan.
2. Review previously completed audits and confirm that audits of encryption and key management systems,
policy and processes have been completed and that any issues raised have been included in issue logs and tracked
appropriately.
1. Confirm that the organization has an approved process for the generation of cryptographic keys.
2. Identify the keys being used.
3. Observe the generation of an encryption key in a production-like sandbox or as a test tenant in production and
confirm the keys have been generated according to the appropriate procedure and technical specifications.
1. Obtain copies of the policy and procedures detailing the management of secret and private cryptographic keys.
2. Identify cryptographic secret and private keys that have been provisioned for a unique purpose.
3. Ascertain that these keys are being managed in accordance with policy and procedures.
Consider the CSP's symmetric versus asymmetric key rotation capabilities and confirm that an appropriate rotation
process has been adopted.
1. Confirm that policy and procedures include a requirement for regular key rotation.
2. Identify keys used within the organization. Confirm that these keys are part of the rotation process.
3. Review the key rotation process to confirm logging and monitoring of key rotation, tracking of date, time,
encryption algorithm used, and authorization process used.
1. Examine the organization procedures and confirm the existence of a key revocation process.
2. Identify a population of keys and confirm that they are captured within the key revocation process.
3. Confirm that a list of entities no longer part of the organization is maintained.
1. Confirm the existence of key destruction processes and procedures.
2. Review the access permissions for the destruction and restoration of keys and confirm that only appropriate
individuals have access to these capabilities.
3. Review keys that have been destroyed and ascertain the appropriate process and procedure have been followed.
4. Establish documented criteria that determine when it is appropriate for a cryptographic key to be stored outside
a secure environment.
1. Confirm the existence of processes and procedures to manage the transition state of keys.
2. Review the access and permissions regarding the transition state of keys and confirm that these are restricted to
appropriate individuals.
3. Verify that it is possible to modify a key state and suspend/disable keys when required.
1. Confirm the existence of processes and procedures to deactivate keys.
2. Review the access and permissions around the key deactivation process and confirm this is restricted to
appropriate individuals.
3. Review key deactivation process and configurations. Confirm that they are in line with internal and external
requirements.
4. Confirm the key deactivation process e.g. manual, on expiration, at a defined future time.
1. Confirm the existence of a documented and valid process for key archival.
2. Verify that the key archival process implements least privilege throughout the key archival cycle.
3. Establish whether the storage medium is secure, as per internal and external requirements.
1. Examine if the organization has defined processes, procedures and technical measures for secure handling of
compromised keys.
2. Review if the process for handling compromised keys fulfills the organization's and external business /
operational continuity requirements.
3. Evaluate the adequacy of the technical and organizational measures defined and implemented for handling
compromised keys in a secure environment.
1. Examine if the organization has defined processes and procedures for handling the operational risk of
compromised keys.
2. Determine if the key recovery process fulfills the organization's and external business / operational continuity
requirements.
3. Evaluate the adequacy of the technical and organizational measures across the key management lifecycle.
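The CEK-10 to CEK-20 steps above describe what an auditor checks. As an added example that is not CCM text, the following Python sketch shows the corresponding mechanisms inside a key management service: a permitted-transition table (modelled on the NIST SP 800-57 key states), custodian-only destruction, purpose binding checked before every use, rotation that links the old and new key versions in the log, expiry-driven deactivation, and an audit record carrying date, time, algorithm, actor and resulting state for every operation. The roles, the role directory, the purposes, and the transition table are assumptions made for the illustration.

```python
# Added example, not CCM text: a key lifecycle state machine with an audit trail.
# Roles, purposes and the permitted transitions below are assumptions.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

State = Enum("State", "PRE_ACTIVATION ACTIVE SUSPENDED DEACTIVATED COMPROMISED DESTROYED")

# Permitted transitions, modelled on the NIST SP 800-57 key states.
TRANSITIONS = {
    State.PRE_ACTIVATION: {State.ACTIVE, State.COMPROMISED, State.DESTROYED},
    State.ACTIVE: {State.SUSPENDED, State.DEACTIVATED, State.COMPROMISED},
    State.SUSPENDED: {State.ACTIVE, State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.COMPROMISED, State.DESTROYED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}
OP_NAME = {State.ACTIVE: "activate", State.SUSPENDED: "suspend", State.DEACTIVATED: "deactivate",
           State.COMPROMISED: "revoke", State.DESTROYED: "destroy"}
ROLES = {"alice": "key_admin", "bob": "key_custodian"}   # assumed directory; only custodians destroy


@dataclass
class Key:
    key_id: str
    purpose: str            # "encrypt" or "sign", fixed at generation (CEK-11)
    algorithm: str
    version: int
    state: State
    expires_at: datetime
    material: bytes


class KeyManager:
    def __init__(self):
        self.keys, self.audit = {}, []   # audit: who did what to which key, and when

    def _log(self, op, key, actor, now, **extra):
        self.audit.append({"time": now.isoformat(), "op": op, "key": key.key_id,
                           "algorithm": key.algorithm, "actor": actor,
                           "state": key.state.name.lower(), **extra})

    def generate(self, name, purpose, algorithm, lifetime, actor, now, version=1):
        key = Key(f"{name}/v{version}", purpose, algorithm, version,
                  State.PRE_ACTIVATION, now + lifetime, secrets.token_bytes(32))
        self.keys[key.key_id] = key
        self._log("generate", key, actor, now)
        return key

    def transition(self, kid, new_state, actor, now, **extra):
        # Every state change is authorised, validated against TRANSITIONS and logged.
        key, op = self.keys[kid], OP_NAME[new_state]
        if op == "destroy" and ROLES.get(actor) != "key_custodian":
            raise PermissionError(f"{actor} is not authorised to destroy {kid}")
        if new_state not in TRANSITIONS[key.state]:
            raise ValueError(f"{kid}: {key.state.name} -> {new_state.name} is not permitted")
        key.state = new_state
        if new_state is State.DESTROYED:
            key.material = b""                        # material is gone for good
        self._log(op, key, actor, now, **extra)
        return key

    def rotate(self, kid, actor, now, lifetime):
        old = self.keys[kid]
        new = self.generate(kid.split("/v")[0], old.purpose, old.algorithm,
                            lifetime, actor, now, version=old.version + 1)
        self.transition(new.key_id, State.ACTIVE, actor, now)
        # The old key stays DEACTIVATED for decrypt/verify only; the log links the two versions.
        self.transition(kid, State.DEACTIVATED, actor, now, replaced_by=new.key_id)
        return new

    def expire_due(self, actor, now):
        # Time-based deactivation (CEK-17, "on expiration").
        due = [k.key_id for k in self.keys.values()
               if k.state in (State.ACTIVE, State.SUSPENDED) and k.expires_at <= now]
        for kid in due:
            self.transition(kid, State.DEACTIVATED, actor, now, reason="expired")
        return due

    def can_use(self, kid, operation):
        # State check plus purpose binding before any cryptographic use.
        key = self.keys[kid]
        by_state = {State.ACTIVE: {"encrypt", "sign", "decrypt", "verify"},
                    State.DEACTIVATED: {"decrypt", "verify"}}
        by_purpose = {"encrypt": {"encrypt", "decrypt"}, "sign": {"sign", "verify"}}
        return operation in by_state.get(key.state, set()) & by_purpose[key.purpose]


def run_scenario():
    # Generate, activate, rotate and expire a key; returns the objects for inspection.
    km = KeyManager()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    k1 = km.generate("db-master", "encrypt", "AES-256-GCM", timedelta(days=90), "alice", t0)
    km.transition(k1.key_id, State.ACTIVE, "alice", t0)
    k2 = km.rotate(k1.key_id, "alice", t0 + timedelta(days=60), timedelta(days=90))
    t_end = t0 + timedelta(days=151)               # k2 was due to expire on day 150
    return {"km": km, "k1": k1, "k2": k2, "expired": km.expire_due("alice", t_end), "t_end": t_end}
```

Two design choices map directly onto the audit steps: a deactivated key can still decrypt or verify but never protect new data, so rotation does not orphan existing ciphertext, and destruction is refused for anyone outside the custodian role before the transition table is even consulted, which is the separation the CEK-14 check on destruction permissions is looking for.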
1. Examine the organization's policy and procedures related to relocation, transfer or retirement of assets.
2. Determine if policy has been approved, communicated, and reviewed.
3. Determine if the policy requires recorded authorization of movements.
1. Examine the organization's policy and procedures related to physical areas under the organization's control.
2. Determine if policy has been approved, communicated, and reviewed.
1. Examine the organization's policy and procedures for secure transportation of physical media.
2. Determine if policy has been approved, communicated, and reviewed.
1. Confirm the existence of policy and procedures relating to environmental control in the datacenter.
2. Verify that the environment control systems are documented and operational in accordance with policy and
procedures.
3. Determine if testing for operational control effectiveness is conducted at regular intervals.
4. Determine if environment system logs (e.g., temperature and humidity) are generated and if related monitoring
controls are maintained.
5. Confirm that the system logs are reviewed on a periodic basis and items are disposed of in accordance with
policy and procedures.
1. Confirm the existence of the policy and procedures relating to utilities services.
2. Confirm that the control effectiveness of utilities services is conducted at periodic intervals.
3. Determine if utility services logs are maintained and reviewed periodically.
4. Determine if testing of the utilities services is included in the CSP contract with the customer.
1. Examine procedures related to DPIA risk assessment and determine if once a requirement has been established,
the organization identifies and grades the associated risks and reports and prioritizes the remediation of risks and
non-compliance activities. Examine whether the DPIA process and templates align to the organization's risk
methodology and taxonomy.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of DPIAs and examine evidence to confirm that each assessment was performed to identify
associated risks. Further, confirm that any action plans were identified and carried out appropriately. Confirm
that all relevant evidence was formally documented.
1. Examine the organization's procedures and technical requirements for the secure and lawful transfer of
personal data and sensitive data. Establish that this process and key controls comply with the organization's data
privacy and security policy.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a range of personal data transfers and a range of sensitive data transfers to confirm that each transfer
adhered to the organization's policy, procedures, and controls. Confirm that all relevant evidence was formally
documented.
1. Examine whether the organization's policy and procedures related to data privacy addresses the requirement
that authorized users must be able to access, modify, or delete personal data. Establish whether the organization
has processes in place to manage and respond to data access requests from data subjects. Establish whether the
organization has documented the roles and responsibilities for this process.
2. Select a range of data changes to confirm that only authorized users are able to successfully access, modify and
delete personal data. Select a sample of data access requests to establish that these were completed correctly
following the organization's processes. Confirm that all relevant evidence was formally documented.
1. Examine whether the organization's policy and procedures related to data privacy address the requirement that
data the organization is responsible for is processed lawfully and used only for the purposes stated to data
subjects.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Review the organization's data breaches and confirm that action plans were identified and carried out
appropriately. Confirm that all supporting evidence was formally documented.
4. Review the organization's processes that inform data subjects why the organization requests this data and what
it will be used for. Confirm that any organization documentation (including web page content) is subject to
formal periodic review for relevance and compliance with legislation and regulation.
1. Examine the organization's contractual terms, procedures, roles and responsibility documents and technical
requirements for the transfer of personal data and sensitive data to sub-processors and how sub-processors are to
treat this data.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of data transfers to sub-processors to establish that the sub-processor's controls and reporting
are in place and comply with the organization's data privacy and security policy.
4. Examine the organization's contractual requirements for sub-processor compliance, reporting and non-
compliance sanctions, and the organization's right to audit. Establish that sub-processors' processes, controls and
metrics comply with those of the organization.
1. Examine the organization's contractual requirements and procedures whereby sub-processors will disclose all
occasions when personal or sensitive data was accessible by sub-processors prior to initiation of that processing.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of data transfers to sub-processors to establish that the sub-processor's controls and reporting
are in place and comply with the organization's data privacy and security policy.
Note: A real-life case will be rare. Should it not be possible to follow a real-life case, a theoretical case should be
tested to establish that systems, processes, and controls are operating as designed and as agreed with the sub-
processor.
1. Examine the organization's procedures and technical requirements related to the use of production data in non-
production environments or requests to replicate production data for use in non-production environments.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of requests and assess whether such requests have followed the approval and secure
deployment processes through to completion. Confirm that all relevant evidence was formally documented and
recorded.
4. Review the organization's data breaches for examples in which this requirement was not followed correctly.
Further, confirm that any appropriate action plans were identified and carried out.
1. Examine the organization's procedures, technical requirements and other documentation for the retention,
archiving and deletion of data.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Establish that the organization maintains a source(s) of record of data types, owners, and retention periods.
Select a range of entries to establish that the information recorded is correct.
4. Establish how the organization determines that its retention records are accurate and complete. Establish that
the organization has documented its understanding of the extent of its remit in terms of its role as a supplier and
the extent of its own supplier's obligations to this requirement.
5. Confirm that the data retention process meets the organization's requirements as detailed in policy and
procedures.
1. Examine whether the organization's policy and procedures related to data privacy address the requirement to
manage and protect sensitive data throughout its lifecycle.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Select a sample of sensitive data types to establish the systems, processes, and controls operating to manage
sensitive data throughout its lifecycle. Select a sample of instances to confirm that the organization's processes
were followed.
4. Review the organization's data breaches for examples for which this requirement was not followed correctly.
Further, confirm that any relevant action plans were identified and carried out. Confirm that all relevant evidence
was formally documented.
1. Examine the organization's procedures and technical requirements related to personal data requests from law
enforcement authorities.
2. Establish that processes and controls comply with the organization's data privacy and security policy.
3. Establish whether the organization has documented the roles and responsibilities for this process.
4. Select a sample of requests and assess whether such requests have followed the approvals and secure
communication processes through to completion. Confirm that all evidence was formally documented.
5. Review the organization's data breaches for examples for which this requirement was not followed correctly.
Further, confirm that relevant action plans were identified and carried out.
1. Examine the organization's procedures, technical requirements, and other documentation to direct, manage and
review the records of the organization's data physical storage locations.
2. Establish whether the organization has documented the roles and responsibilities for this process.
3. Confirm that the organization’s policy and procedures include details of guidelines for the storage and
processing of data within the designated countries/regions/zones/jurisdictions.
4. Establish that the organization maintains a source(s) of record of its physical data storage locations and is able
to trace data lineage. Select a range of entries to establish that the information is recorded appropriately.
5. Confirm that the data storage records are accurate and complete as detailed in policy and procedures.
6. Establish that the organization has documented its understanding of the extent of its remit in terms of its role as
a supplier and the extent of its own supplier's obligations to this requirement.
7. Confirm that the data storage process meets the organization's requirements as detailed in policy and
procedures.
1. Examine the policy and/or procedures related to information governance programs to determine whether the
organization has developed a comprehensive strategy for information governance.
2. Examine policies and procedures for evidence of review at least annually.
1. Examine the policy and/or procedures related to the Enterprise Risk Management (ERM) program to determine
whether the organization has developed a comprehensive strategy to manage risk to organizational operations and
assets, and individuals.
2. Review ERM documentation, processes, and supporting evidence to confirm if the ERM program includes
provisions for cloud security and privacy risk.
3. Examine measure(s) that evaluate(s) the organization's compliance with the risk management policy and
determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the
policy level.
4. Obtain and examine supporting evidence to determine if the office or individual responsible reviews the
information and, if issues were identified, if they were investigated and remediated appropriately.
1. Examine the policy and/or procedures related to the Enterprise Risk Management (ERM) program to determine
if the organization reviews these documents at least annually or when a substantial change occurs within the
organization.
2. Confirm that Policy reviews have taken place in compliance with the organization's review requirements and
that any exceptions identified are investigated and remediated.
1. Examine the policy and/or procedures to determine if the policy exception process has been established.
2. Identify and confirm that exceptions to policies are tracked, authorized, and evidenced.
3. Confirm a review of policy exceptions takes place on a periodic basis by appropriate management.
1. Examine the policy and/or procedures related to the Information Security Program to determine whether the
organization has developed and implemented a comprehensive strategy to manage Information Security across
the organization.
2. Review the details of the information security program and establish if this covers the CCMv4 relevant
domains.
3. Confirm that identified gaps/issues are being tracked, monitored, and remediated with appropriate escalation
where required.
1. Confirm the organization has established a governance framework which details roles, responsibilities, and
accountability.
2. Obtain evidence that governance meetings are reported and documented appropriately.
3. Confirm that individuals/groups responsible for governance are tracking and monitoring progress against the
governance program.
1. Confirm that policy and procedures include provisions to identify and document all relevant standards,
regulations, legal/contractual, and statutory requirements.
2. Establish that the organization maintains an inventory of CCM controls and relevant regulatory information is
mapped across to the CCM inventory.
3. Identify and examine any metrics and supporting evidence to provide assurance that the information system
regulatory mapping is reviewed on a periodic basis, and that any gaps in the mapping are appropriately actioned.
1. Examine the organization's policy and procedures related to contact with cloud-related special interest groups
to determine if membership is required and actively maintained.
2. Identify relevant individuals responsible for contacting cloud-related special interest groups and determine if
the policy requirements stipulated in the policy level have been implemented.
1. Examine policy for adequacy, currency, communication, and effectiveness.
2. Examine the process for selection of local laws, regulations, ethics, and contractual constraints, and for review
of its output.
3. Verify that the background verification required is mapped to the risks and data classification.
4. Examine the policy and procedures for evidence of review at least annually.
5. Examine Human Resources tickets upon hire which trigger background review and final confirmation from
third party conducting background reviews showing it has been completed and how exceptions or failed checks
have been addressed.
1. Verify that the organization has defined formats and templates of Employment Agreements.
2. Verify that the Agreements include references to the organization's Information Security Management System
(ISMS), and that they mandate compliance.
1. Examine if the organization has identified its requirements for non-disclosure and confidentiality.
2. Determine the planned interval for review.
3. Verify that the requirements are reviewed at such planned intervals.
1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
2. Verify, by interviews or otherwise, that the training program has been implemented.
3. Verify that the scope of the training program extends to all employees.
4. Examine policy and procedures for evidence of review.
1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
2. Verify that a definition of sensitive organizational and personal data exists, and is implemented.
3. Verify, by interviews or otherwise, that the training program has been implemented.
4. Verify that the scope of the training program extends to all employees with access to such data.
5. Examine policy and procedures for evidence of review.
1. Examine the process for selection of applicable legal, statutory, or regulatory compliance obligations, and for
review of its output.
2. Verify, by Interviews or otherwise, that employees are aware of their roles and responsibilities with respect to
such obligations.
1. Examine policy and/or procedures related to identity and access management to determine if policy and/or
procedure content:
a. addresses the provisioning, modification and deprovisioning of logical access.
b. establishes password complexity and management requirements.
c. addresses authorization concept following separation of duties and least privilege.
d. addresses privileged access management and access reviews.
e. includes roles and responsibilities for provisioning, modifying and deprovisioning of logical access.
f. reflects the delineation of identity and access management control responsibility in relation to the shared
responsibility model.
2. Determine if the policy is clearly communicated and available to stakeholders.
3. Examine if policy and procedures are reviewed and updated at least annually.
1. Examine policy and/or procedures related to passwords to determine if minimum password complexity
requirements are defined.
2. Determine if the organization enforces minimum password complexity requirements as defined in policy.
3. Examine policy and procedures for evidence of review at least annually.
1. Determine if the organization has defined acceptable storage methods and locations of system identities.
2. Evaluate if the organization is consistently utilizing approved methods and locations to store system identities.
3. Evaluate if access to stored identities is managed following established processes.
1. Determine if divisions of responsibility and separation of duties are defined and documented.
2. Determine if information system access authorizations are established to support separation of duties.
1. Examine the policy to determine the least privilege required for each role or user.
2. Evaluate the effectiveness of the implementation and review of policy.
1. Determine if personnel required to approve system access requests are identified and documented.
2. Evaluate if access requests are documented and approved by required personnel prior to access provisioning.
1. Determine if a process is established for removing logical access when users leave the organization or when
access is no longer appropriate.
2. Determine if a timeframe for access removal and access modification is defined.
3. Verify that a process is established for removing existing system access and assigning appropriate access or for
modifying existing access after internal transfer or change of job functions.
4. Determine if established processes for access removal and modification, within the defined time frame, are
followed in practice.
1. Determine if the required frequency for review of accounts is established.
2. Determine if accounts are reviewed for compliance, including the level of access and conflicting access,
following the principle of least privilege and consideration of separation of duties.
3. Determine if accounts are reviewed at the organization-defined frequency.
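The deprovisioning and account-review steps above are sample-based tests: pull an HR leaver list and an IAM export, then look for removals outside the defined timeframe, conflicting role combinations, and accounts whose last review is older than the defined frequency. The following is an added example of that test logic and is not code from the CCM auditing guidelines or from CSA; the export field names, the 5-day removal SLA, the 180-day review frequency, the separation-of-duties matrix and the sample records are all constructed here for illustration and stand in for the organization's own definitions.

```python
"""Added example (not code from the CCM auditing guidelines or from CSA):
sample-tests the deprovisioning and account-review checks against constructed
HR and IAM exports. Everything here is hypothetical: the field names, the 5-day
removal SLA, the 180-day review frequency and the separation-of-duties matrix
stand in for the organization's own definitions."""
from datetime import date, timedelta

# Constructed HR leaver records (user, termination date).
HR_LEAVERS = [
    {"user": "alice", "terminated": date(2024, 3, 1)},
    {"user": "bob", "terminated": date(2024, 3, 4)},
    {"user": "carol", "terminated": date(2024, 3, 10)},
]

# Constructed IAM export: enabled flag, date the account was disabled (None if
# still enabled), date of the last access review, and assigned roles.
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": False, "disabled_on": date(2024, 3, 2),
     "last_reviewed": date(2024, 1, 15), "roles": {"developer"}},
    {"user": "bob", "enabled": False, "disabled_on": date(2024, 3, 15),
     "last_reviewed": date(2024, 1, 15), "roles": {"finance_approver"}},
    {"user": "carol", "enabled": True, "disabled_on": None,
     "last_reviewed": date(2024, 1, 15), "roles": {"kms_admin", "log_admin"}},
    {"user": "dave", "enabled": True, "disabled_on": None,
     "last_reviewed": date(2024, 1, 15), "roles": {"payment_initiator", "payment_approver"}},
    {"user": "erin", "enabled": True, "disabled_on": None,
     "last_reviewed": date(2023, 9, 1), "roles": {"developer"}},
]

AS_OF = date(2024, 3, 31)               # constructed date on which the audit test is run
REMOVAL_SLA = timedelta(days=5)         # hypothetical organization-defined removal timeframe
REVIEW_FREQUENCY = timedelta(days=180)  # hypothetical organization-defined review frequency

# Hypothetical separation-of-duties matrix: role pairs one identity must not hold together.
SOD_CONFLICTS = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"kms_admin", "log_admin"}),  # keeps key management apart from log administration
}


def deprovisioning_exceptions(leavers, accounts, sla, as_of):
    """Return [(user, days_overdue)] for leavers whose account was not disabled
    within the SLA. A still-enabled account is measured up to as_of."""
    by_user = {a["user"]: a for a in accounts}
    exceptions = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None:
            continue  # leaver never had an account in this system
        removed_on = as_of if acct["enabled"] else acct["disabled_on"]
        lag = removed_on - leaver["terminated"]
        if lag > sla:
            exceptions.append((leaver["user"], (lag - sla).days))
    return exceptions


def sod_violations(accounts, conflicts):
    """Return sorted [(user, role_a, role_b)] for enabled accounts holding a conflicting role pair."""
    found = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        for pair in conflicts:
            if pair <= acct["roles"]:
                role_a, role_b = sorted(pair)
                found.append((acct["user"], role_a, role_b))
    return sorted(found)


def overdue_reviews(accounts, frequency, as_of):
    """Return users of enabled accounts whose last access review is older than the defined frequency."""
    return [a["user"] for a in accounts
            if a["enabled"] and as_of - a["last_reviewed"] > frequency]


if __name__ == "__main__":
    for user, days in deprovisioning_exceptions(HR_LEAVERS, IAM_ACCOUNTS, REMOVAL_SLA, AS_OF):
        print(f"deprovisioning exception: {user} removed {days} day(s) past the SLA")
    for user, role_a, role_b in sod_violations(IAM_ACCOUNTS, SOD_CONFLICTS):
        print(f"separation-of-duties conflict: {user} holds {role_a} and {role_b}")
    for user in overdue_reviews(IAM_ACCOUNTS, REVIEW_FREQUENCY, AS_OF):
        print(f"review overdue: {user} not reviewed within {REVIEW_FREQUENCY.days} days")
```

Each exception the script lists is the evidence item the auditor then traces back to a ticket or approval record; a still-enabled leaver account is measured up to the test date rather than ignored, so an open item keeps growing until it is closed.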
1. Determine if processes, procedures and technical measures for the separation of privileged access are defined
and include requirements for separation of administrative access to data, encryption, key management and
logging capabilities.
2. Evaluate if established processes, procedures and technical measures for the separation of privileged access are
implemented and followed in practice.
1. Determine if an access process that includes requirements for limiting the time period of privileged access
roles and rights is defined.
2. Determine if procedures address the prevention of accumulation of segregated privileged access.
3. Evaluate if an access process that includes requirements for limiting the time period of privileged access roles
and rights is implemented and consistently followed in practice.
4. Evaluate if procedures that address the prevention of accumulation of segregated privileged access are
implemented and consistently followed in practice.
1. Determine if processes and procedures for customers to participate, where applicable, in the granting of access
for agreed, high risk (as defined by the organizational risk assessment) privileged access roles are defined,
implemented and consistently followed in practice.
1. Determine if processes, procedures and technical measures are defined for log management.
2. Determine if processes, procedures and technical measures for log management include the following two
requirements:
a. the logging infrastructure is read-only for all with write access, including privileged access roles.
b. the ability to disable and/or modify logs is controlled following separation of duties and established break
glass procedures.
3. Evaluate if the processes, procedures and technical measures for log management are implemented and
consistently followed in practice.
1. Determine if processes, procedures and technical measures are defined and require that users are identifiable
through unique IDs or by association of individuals to the usage of user IDs.
2. Determine if the established processes, procedures and technical measures are implemented and consistently
followed in practice.
1. Determine if processes, procedures and technical measures for authenticating access to systems, applications
and sensitive data are defined and maintained.
2. Determine if processes, procedures and technical measures for authenticating access to systems, applications
and sensitive data include organization-defined requirements for specific use cases of multifactor authentication,
digital certificates and/or alternative security measures.
3. Determine if processes, procedures and technical measures for authenticating access to systems, applications
and sensitive data are implemented and consistently followed in practice.
1. Determine if processes, procedures and technical measures for the secure management of passwords are
defined.
2. Determine if processes, procedures and technical measures for the secure management of passwords are
implemented and consistently followed in practice.
1. Determine if processes, procedures and technical measures, for verification of access authorization to data and
system functions, are defined.
2. Determine if processes, procedures and technical measures, for verification of access authorization to data and
system functions, are implemented and consistently followed in practice.
1. Examine policy for adequacy, currency, communication, and effectiveness.
2. Examine the inventory of documentation that establishes the requirements and communication of this control.
3. Examine policy and procedures for evidence of review at least annually.
1. Examine the list of Application Programming Interfaces (API) available to Cloud Service Consumers.
2. Determine if such list and usable documentation is made available to Cloud Service Consumers.
1. Examine the policy for the secure transmission of requests and data.
2. Inspect the requirements, with respect to any security domains defined.
3. Examine the policy that specifies protocols for transmission, with respect to standardization.
1. Examine the standard form of contract for offboarding the Cloud Service Consumers.
2. Determine if non-standard clauses allow the Cloud Service Consumers to waive such rights.
3. Determine if there are requests for data in unsupported formats.
4. Examine the policy regarding deletion of resources no longer in the control of a client, and determine if such
policy corresponds to the contractual data retention.
1. Interview the team to determine if policy and procedures have been documented.
2. Evaluate the documented policy to determine if it has been approved and communicated to the relevant internal
and external teams.
3. Determine if the policy has been applied to the infrastructure and virtualization security operations and if
relevant procedures have been drafted.
4. Determine if the procedures are periodically evaluated and if they are maintained, up to date, and relevant.
5. Determine if policy and procedures are reviewed and updated on an annual basis. Policy may cover
segregation of environments and roles, change management requirements, and continuous exercising.
1. Determine if the host and the guest OS have been hardened as per best practices.
2. Determine if the hypervisor or infrastructure control planes are hardened as per best practices.
3. Determine if appropriate technical controls exist that ensure that the hardening is done.
4. Determine if a security baseline has been set up.
5. Determine if the security baseline contains information about the hardening done.
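Step 3 asks for technical controls that show the hardening was actually applied, and steps 4 and 5 for a documented baseline to compare against. One way to produce that evidence is to check a host's configuration against the baseline and report drift. The following is an added example of such a check and is not code from the CCM auditing guidelines or from CSA; the baseline values are hypothetical (not a CCM-prescribed list), the sshd_config is constructed, and the parser assumes sshd's documented behaviour that the first value set for a keyword wins and that lines after a Match block are conditional (only the global section is assessed).

```python
"""Added example (not code from the CCM auditing guidelines or from CSA):
a baseline-drift check run over a constructed sshd_config. Assumptions: the
baseline values are hypothetical, only the global section before the first
Match block is assessed, and the parser follows sshd's rule that the first
value set for a keyword wins."""
import re

# Hypothetical security baseline: keyword -> (expected value, comparison).
BASELINE = {
    "permitrootlogin": ("no", "eq"),
    "passwordauthentication": ("no", "eq"),
    "pubkeyauthentication": ("yes", "eq"),
    "x11forwarding": ("no", "eq"),
    "maxauthtries": (4, "le"),
    "logingracetime": (60, "le"),
}

# Constructed sshd_config with deliberate drift from the baseline.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries=6
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

# keyword, optional whitespace, optional '=', optional whitespace, value
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword (lowercased): effective value} for the global section.
    sshd applies the first value it reads for a keyword, so later duplicates are
    ignored; anything after the first Match line is conditional and is skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd_config supports whole-line comments only
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(settings, baseline):
    """Return [(keyword, expected, actual)] for every baseline item not met.
    A keyword absent from the file is reported with actual=None: sshd would then
    use its compiled-in default, and the baseline cannot be shown to hold from
    the file alone."""
    findings = []
    for key, (expected, op) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, expected, None))
            continue
        if op == "eq":
            ok = actual.lower() == str(expected).lower()
        else:  # "le": numeric upper bound
            ok = actual.isdigit() and int(actual) <= expected
        if not ok:
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for key, expected, actual in check_baseline(parse_sshd_config(SAMPLE_SSHD_CONFIG), BASELINE):
        print(f"drift: {key} expected {expected!r}, found {actual!r}")
```

The duplicate PasswordAuthentication line is included on purpose: a check that takes the last value would pass this file while sshd itself enforces the first, so the parser has to mirror the daemon's precedence rule or the evidence is wrong. Absent keywords are reported rather than assumed compliant, which is what makes the baseline explicit in the sense of step 5.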
1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to
planning, delivery and support of the organization's logging and monitoring requirements.
2. Examine policy and procedures for evidence of review at least annually.
1. Examine policy that establishes the time scale and epoch, or traceability, of time across systems.
2. Evaluate the process that ensures synchronization of time on relevant systems.
1. Examine policy for the identification of loggable events, applications, or systems.
2. Examine the outputs of such identification, with respect to review and approval.
3. Examine scope for evidence of review at least annually.
1. Examine policy related to audit logging and determine if it includes requirements to generate audit records
containing relevant security information.
2. Examine audit records and determine if they adequately reflect the policy.
1. Examine policy related to the monitoring and internal reporting of the operation of cryptographic policy,
processes, and controls.
2. Examine the process for identifying the cryptographic operations that such a policy covers.
3. Evaluate the effectiveness of the reporting capability.
1. Examine policy for logging and monitoring cryptographic key lifecycle and usage events.
2. Examine the process to identify such events.
3. Evaluate the review of these logs.
1. Examine policy for logging and monitoring physical access.
2. Examine the process to identify such events.
3. Evaluate the review of these logs.
1. Examine the policy for reporting of anomalies and failures of the monitoring system.
2. Examine the process for identifying accountable parties.
1. Examine policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery
and support of the organization’s Security Incident Management, E-Discovery and Cloud Forensics.
2. Examine policy and procedures for evidence of review at least annually.
1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning,
delivery and support of the organization’s Security Incident Management, with respect to timely management.
2. Examine the policy and procedures for evidence of review at least annually.
1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning,
delivery and support of the organization’s Security Incident Management, with respect to timely management.
2. Examine the processes to identify impacted stakeholders.
3. Determine if this plan meets stakeholder requirements.
1. Verify if there is a calendar of exercises available, if exercises are performed at planned intervals and when
there are significant changes within the organization or the context in which it operates.
2. Verify if the organization has reviewed and acted upon the results of its exercising and testing to implement
changes and improvements.
1. Verify that metrics have been established to measure information security incidents.
2. Verify that metrics together demonstrate the efficacy, effectiveness and success of the information security
incident response plan to address incidents as they happen.
3. Verify that the metrics are measured and reported to stakeholders.
1. Verify if operational processes that help the organization to prepare for, identify, detect, protect, respond to and
recover from information security incidents in a step-by-step manner exist.
2. Verify if tools that support these organizational procedures for triaging security-related events complement
the teams' ability to detect, review, monitor and quickly decide upon the context and the possible impact of the
incident as it happens and over time.
1. Examine policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery
and support of the organization’s Security Breach Notification management.
2. Verify if there is a formal program that documents the breach notification requirements for all regulatory or
contractual domains that the organization asserts adherence to.
3. Verify if there is a periodic awareness program to ensure all those associated with information security incident
response are aware of the procedures involved for their roles, responsibilities and authorities.
4. Determine if the organization has established breach notification Time Objectives for information security
breaches that meet the minimum expectation of the applicable regulation and verify if those time objectives are
reflected in all internal and external service level expectations.
1. Examine the process used to determine applicable points of contact, and the procedure for reviewing the
list/documentation that contains them.
2. Verify if the organization has updated the list of points of contact for applicable regulation authorities, national
and local law enforcement, and other legal jurisdictional authorities.
3. Examine when the last updates were done and if there is a schedule for reviewing and updating these contacts.
1. Examine policy for adequacy, approval, communication, currency, and effectiveness.
2. Examine policy and procedures for evidence of review at least annually.
1. Examine whether SSRM guidance documentation has been approved by management and communicated to
CSCs.
2. Examine the process for review of SSRM Guidance if required.
1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the
organization’s responsibility.
2. Determine if the delineation has been done, and is current.
3. Examine the process for communicating the security responsibility boundaries to third-parties.
1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the
Organization’s responsibility.
2. Examine the process for validating the boundaries for cloud services used.
3. Examine the process for validating the seamlessness of controls for cloud services used.
1. Examine the policy related to addressing security in third-party agreements and determine if organizations
employ formal contracts.
2. Determine if written procedures exist for addressing security in third-party agreements and whether or not the
procedure(s) address(es) each element of the policy/control requirement(s) stipulated in the policy level.
3. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or
relevant stakeholders, as needed, for addressing security in third-party agreements and determine if the
policy/control requirements stipulated in the policy level have been implemented.
4. Examine measure(s) that evaluate(s) the organization's compliance with the third-party management policy and
determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the
policy level.
1. Determine if there is an inventory maintained of all supply chain relationships.
2. Establish ownership for maintaining this inventory.
3. Examine the inventory's records to establish whether CSP/CSC relationships are maintained in this inventory.
4. Determine whether this inventory is subject to review.
1. Examine the policy related to identification of risks related to external parties and determine if the organization
conducts due diligence of the external party.
2. Determine if the policy/control requirements stipulated in the policy level have been implemented.
3. Determine the periodicity of review of risk factors.
1. Examine the policy for inclusion of the control in third-party agreements.
2. Examine the policy related to the review of third-party services to determine if the organization incorporates
compliance by third parties.
1. Determine if a documented annual review schedule for CSP-CSC supply chain agreements exists and is
operating.
2. Examine the organization's implementation of its third-party management policy.
1. Examine the process for determining the standards and policy that service level agreements must conform to.
2. Examine the process to determine contractual, legal, and technical requirements applicable to service level
agreements.
3. Determine if internal assessments are defined, planned, and executed, at least annually.
1. Examine the policy for incorporation of requirements into contractual documents throughout the CSP’s supply
chain.
2. Determine if requirements have been incorporated in contracts.
3. Evaluate if the right to audit is protected, where required.
1. Examine the policy for review of supply chain partners' IT governance.
2. Determine if the right to review is incorporated contractually.
3. Evaluate whether such a review cycle is operating within the organization.
1. Examine the policy related to the security assessments of the supply chain.
2. Examine the policy related to identification of risks related to external parties.
3. Determine if procedures exist for identification of risks related to external parties.
4. Evaluate evidence of the conduct of assessments of organizations within the supply chain, periodically as
required by the policy.
1. Examine the organization's change management policy for controls related to changes on endpoints.
2. Determine if such controls are in place for making changes to production and infrastructure systems and if the
controls are evaluated as effective.
1. Examine the organization's asset disposal policy for end-of-life security requirements.
2. Examine the organization's policy on encryption or other protection of data at rest on endpoints.
3. Determine if such controls are in place and evaluated as effective.
1. Examine the organization's software firewall and other endpoint network protection policy.
2. Examine the policy on configuration of such controls.
3. Determine if such controls are in place and evaluated as effective.
1. Examine the organization's data loss prevention (DLP) policy.
2. Examine the policies on configuration of such controls.
3. Determine if such controls are driven by risk assessments.
4. Determine if such controls are in place and evaluated as effective.
1. Examine the organization's policy on remote geo-location of managed mobile endpoints.
2. Determine if such controls are in place.
Control Domain | Control Title | Control ID
Business Continuity Management and Operational Resilience | Business Continuity Management Policy and Procedures | BCR-01
Business Continuity Management and Operational Resilience | Risk Assessment and Impact Analysis | BCR-02
Business Continuity Management and Operational Resilience | Business Continuity Strategy | BCR-03
Business Continuity Management and Operational Resilience | Business Continuity Planning | BCR-04
Business Continuity Management and Operational Resilience | Documentation | BCR-05
Business Continuity Management and Operational Resilience | Business Continuity Exercises | BCR-06
Business Continuity Management and Operational Resilience | Communication | BCR-07
Business Continuity Management and Operational Resilience | Backup | BCR-08
Business Continuity Management and Operational Resilience | Disaster Response Plan | BCR-09
Business Continuity Management and Operational Resilience | Response Plan Exercise | BCR-10
Business Continuity Management and Operational Resilience | Equipment Redundancy | BCR-11
Cryptography, Encryption & Key Management | Encryption Change Management | CEK-05
Cryptography, Encryption & Key Management | Encryption Change Cost Benefit Analysis | CEK-06
Cryptography, Encryption & Key Management | Encryption Risk Management | CEK-07
Cryptography, Encryption & Key Management | CSC Key Management Capability | CEK-08
Cryptography, Encryption & Key Management | Encryption and Key Management Audit | CEK-09
Cryptography, Encryption & Key Management | Key Generation | CEK-10
Cryptography, Encryption & Key Management | Key Purpose | CEK-11
Cryptography, Encryption & Key Management | Key Rotation | CEK-12
Cryptography, Encryption & Key Management | Key Revocation | CEK-13
Cryptography, Encryption & Key Management | Key Destruction | CEK-14
Cryptography, Encryption & Key Management | Key Activation | CEK-15
Cryptography, Encryption & Key Management | Key Suspension | CEK-16
Cryptography, Encryption & Key Management | Key Deactivation | CEK-17
Cryptography, Encryption & Key Management | Key Archival | CEK-18
Cryptography, Encryption & Key Management | Key Compromise | CEK-19
Cryptography, Encryption & Key Management | Key Recovery | CEK-20
Cryptography, Encryption & Key Management | Key Inventory Management | CEK-21
Infrastructure & Virtualization Security | Capacity and Resource Planning | IVS-02
Infrastructure & Virtualization Security | Network Security | IVS-03
Infrastructure & Virtualization Security | OS Hardening and Base Controls | IVS-04
Infrastructure & Virtualization Security | Network Defense | IVS-09
Security Incident Management, E-Discovery, & Cloud Forensics | Security Incident Management Policy and Procedures | SEF-01
Security Incident Management, E-Discovery, & Cloud Forensics | Service Management Policy and Procedures | SEF-02
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Plans | SEF-03
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Testing | SEF-04
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Metrics | SEF-05
Security Incident Management, E-Discovery, & Cloud Forensics | Event Triage Processes | SEF-06
Security Incident Management, E-Discovery, & Cloud Forensics | Security Breach Notification | SEF-07
Security Incident Management, E-Discovery, & Cloud Forensics | Points of Contact Maintenance | SEF-08
Supply Chain Management, Transparency, and Accountability | SSRM Supply Chain | STA-02
Supply Chain Management, Transparency, and Accountability | SSRM Guidance | STA-03
Supply Chain Management, Transparency, and Accountability | SSRM Control Ownership | STA-04
Supply Chain Management, Transparency, and Accountability | SSRM Documentation Review | STA-05
Supply Chain Management, Transparency, and Accountability | SSRM Control Implementation | STA-06
Supply Chain Management, Transparency, and Accountability | Supply Chain Inventory | STA-07
Supply Chain Management, Transparency, and Accountability | Supply Chain Risk Management | STA-08
Supply Chain Management, Transparency, and Accountability | Primary Service and Contractual Agreement | STA-09
Supply Chain Management, Transparency, and Accountability | Supply Chain Agreement Review | STA-10
Supply Chain Management, Transparency, and Accountability | Internal Compliance Testing | STA-11
Supply Chain Management, Transparency, and Accountability | Supply Chain Service Agreement Compliance | STA-12
Supply Chain Management, Transparency, and Accountability | Supply Chain Governance Review | STA-13
Supply Chain Management, Transparency, and Accountability | Supply Chain Data Security Assessment | STA-14
Universal Endpoint Management | Application and Service Approval | UEM-02
Universal Endpoint Management | Compatibility | UEM-03
Universal Endpoint Management | Endpoint Inventory | UEM-04
Universal Endpoint Management | Endpoint Management | UEM-05
Universal Endpoint Management | Automatic Lock Screen | UEM-06
Universal Endpoint Management | Operating Systems | UEM-07
Universal Endpoint Management | Storage Encryption | UEM-08
Universal Endpoint Management | Anti-Malware Detection and Prevention | UEM-09
Universal Endpoint Management | Software Firewall | UEM-10
Universal Endpoint Management | Data Loss Prevention | UEM-11
Universal Endpoint Management | Remote Locate | UEM-12
Universal Endpoint Management | Remote Wipe | UEM-13
Universal Endpoint Management | Third-Party Endpoint Security Posture | UEM-14
End of Standard
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4.0.6 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
Control Specification | Control Mapping
27001: A.5.1
27001: A.8.25
27001: A.8.26
27002: 5.1 (l)
27002: 8.25 (c)
Define and implement technical and operational metrics in alignment
with business objectives, security requirements, and compliance obligations.
27001: 9.1
27001: A.8.25
27001: A.5.36
27002: 8.25 (d)
27001: A.5.8
27001: A.8.25
27001: A.8.26
27001: A.8.28
Implement a testing strategy, including criteria for acceptance of
new information systems, upgrades and new versions, which provides application
security assurance and maintains compliance while enabling organizational speed
of delivery goals. Automate when applicable and possible.
27001: A.8.25
27001: A.8.29
27001: A.8.32
27002: 8.25 (e)
27002: 8.32 (d)
27001: A.8.25
27001: A.8.32
27002: 8.32 (e)
27001: A.5.26
27001: A.8.8
27002: 5.26 (j)
Business Continuity Management and Operational Resilience - BCR
Establish, document, approve, communicate, apply, evaluate and maintain
business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.29
27001: A.5.30
27001: A.5.36
27001: A.5.37
27002: 5.29
27002: 5.30
27001: A.5.30
27002: 5.30
27001: A.8.13
27001: A.5.23
27001: A.5.30
27002: 8.13
27002: 5.23 2nd (i)
Establish, document, approve, communicate, apply, evaluate and maintain
a disaster response plan to recover from natural and man-made disasters. Update
the plan at least annually or upon significant changes.
27001: A.5.29
27001: A.5.30
27002: 5.29
27002: 5.30
27001: A.5.5
27001: A.5.30
27002: 5.30 (b)(1)
Supplement business-critical equipment with redundant equipment independently
located at a reasonable minimum distance in accordance with applicable industry
standards.
27001: A.5.20
27001: A.7.11
27001: A.8.14
27002: 5.20 (t)
27002: 8.14 (c)
27001: A.8.32
27001: A.8.29
Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced).
27001: A.5.22
27001: A.8.9
27001: A.8.29
27001: A.8.31
27001: A.8.32
Restrict the unauthorized addition, removal, update, and management
of organization assets.
27001: A.8.3
27001: A.8.4
27001: A.8.15
27001: A.8.31
27001: A.8.32
27001: A.8.9
27001: A.8.32
27002: 8.32 (a-i)
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: A.8.24
27002: A.5.1 (i)
27002: 8.24 (a)
Define and implement cryptographic, encryption and key management
roles and responsibilities.
27001: 5.3
27001: A.5.2
27001: A.8.24
27002: 8.24 (e)
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards.
27001: A.5.14
27001: A.8.24
27002: 8.24 Other Information (a)
Use encryption algorithms that are appropriate for data protection,
considering the classification of data, associated risks, and usability of the
encryption technology.
27001: 6.1.2
27001: 6.1.3
27001: A.8.24
27001: A.5.12
27001: A.5.13
27002: 8.24 General (b)
27001: 8
27001: A.8.24
27001: A.8.32
Establish and maintain an encryption and key management risk program
that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback.
27001: 8
27001: A.8.24
CSPs must provide the capability for CSCs to manage their own data
encryption keys.
27001: A.5.23
27001: A.8.24
27001: A.5.10
27001: A.8.24
Classify and document the physical and logical assets (e.g., applications)
based on the organizational business risk.
27001: A.5.12
27001: A.5.37
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
27001: A.5.9
27001: A.7.1
27002: 7.1 Other Information
No Mapping
Allow only authorized personnel access to secure areas, with all
ingress and egress points restricted, documented, and monitored by physical
access control mechanisms. Retain access control records on a periodic basis
as deemed appropriate by the organization.
27001: A.7.2
27002: 7.2 (a,b)
27001: A.7.8
27001: A.7.9
27002: 7.8 (c, e)
27002: 7.9 (b)
27001: A.7.5
27001: A.7.8
Data Security and Privacy Lifecycle Management - DSP
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the classification, protection and handling of data
throughout its lifecycle, and according to all applicable laws and regulations,
standards, and risk level. Review and update the policies and procedures at
least annually.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.10
27001: A.5.12
27001: A.5.34
27001: A.5.37
27002: 5.1 (j)
Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
27001: A.7.10
27001: A.7.14
27001: A.8.10
27002: 7.10 (Secure reuse or disposal)
Create and maintain a data inventory, at least for any sensitive
data and personal data.
27001: A.5.9
27001: A.8.12
27001: A.5.12
Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change.
No Mapping
27001: A.5.9
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices.
27001: A.8.27
27001: A.8.28
27001: A.8.29
27002: 5.8 (Information security
requirements a-i)
Develop systems, products, and business practices based upon a principle
of privacy by design and industry best practices. Ensure that systems' privacy
settings are configured by default, according to all applicable laws and regulations.
27001: A.8.11
27001: A.5.14
27001: A.7.10
Define and implement processes, procedures and technical measures
to enable data subjects to request access to, modification, or deletion of their
personal data, according to any applicable laws and regulations.
27001: A.5.34
Define, implement and evaluate processes, procedures and technical
measures to ensure that personal data is processed according to any applicable
laws and regulations and for the purposes declared to the data subject.
27001: A.5.34
Define, implement and evaluate processes, procedures and technical
measures for the transfer and sub-processing of personal data within the service
supply chain, according to any applicable laws and regulations.
27001: A.5.14
27001: A.5.20
27001: A.5.20
27001: A.5.33
27001: A.8.10
27002: 5.33 (b)
27001: A.8.11
27001: A.8.12
The CSP must have in place, and describe to CSCs the procedure to
manage and respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations. The CSP must give
special attention to the notification procedure to interested CSCs, unless otherwise
prohibited, such as a prohibition under criminal law to preserve confidentiality
of a law enforcement investigation.
27001: A.5.34
27001: A.6.8
27002: 6.8
Define and implement processes, procedures and technical measures
to specify and document the physical locations of data, including any locations
in which data is processed or backed up.
27001: A.5.9
27001: A.8.12
27001: A.8.13
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.37
27001: 4.3
Define and document roles and responsibilities for planning, implementing,
operating, assessing, and improving governance programs.
27001: 5.1
27001: 5.3
27001: A.5.1
27001: A.5.2
27001: A.5.4
27002: 5.1 (f)
27001: A.5.11
Establish, document, and communicate to all personnel the procedures
outlining the roles and responsibilities concerning changes in employment.
27001: A.6.5
27001: 7.4
27001: A.5.2
27001: 7.3
27001: A.6.3
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.17
27001: A.6.3
27001: A.8.5
27001: A.5.37
Manage, store, and review the information of system identities, and
level of access.
27001: A.5.15
27001: A.5.16
27001: A.5.18
27001: A.5.15
27001: A.5.18
Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
27001: A.5.3
27001: A.5.18
27001: A.8.3
27001: A.8.2
27001: A.8.18
27002: 8.2 (i)
Define, implement and evaluate processes and procedures for customers
to participate, where applicable, in the granting of access for agreed, high
risk (as defined by the organizational risk assessment) privileged access roles.
27001: A.5.19
27001: A.5.22
27001: A.8.15
27001: A.8.18
27002: 8.15 Protection of Logs
Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs.
27001: A.5.16
Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities.
27001: A.5.15
27001: A.5.17
27001: A.8.5
27001: A.8.24
27002: 8.5
27002: 8.24 other information (d)
Define, implement and evaluate processes, procedures and technical
measures for the secure management of passwords.
27001: A.5.17
Define, implement and evaluate processes, procedures and technical
measures to verify access to data and system functions is authorized.
27001: A.5.18
Interoperability & Portability - IPY
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for interoperability and portability including
requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.23
27001: A.8.25
27001: A.8.26
27001: A.8.27
27001: A.5.37
Provide application interface(s) to CSCs so that they programmatically
retrieve their data to enable interoperability and portability.
27001: A.5.23
27001: A.8.26
27001: 8.1
27001: A.8.22
27001: A.8.31
Design, develop, deploy and configure applications and infrastructures
such that CSP and CSC (tenant) user access and intra-tenant access is appropriately
segmented and segregated, monitored and restricted from other tenants.
27001: 9.1
27001: A.5.15
27001: A.5.20
27001: A.8.3
27001: A.8.9
27001: A.8.16
27001: A.8.22
27002: 5.15 (b)
27002: 8.3 (b)
27002: 8.16 (b)
Use secure and encrypted communication channels when migrating servers,
services, applications, or data to cloud environments. Such channels must include
only up-to-date and approved protocols.
27001: A.5.14
27001: A.8.20
27001: A.8.24
27002: 8.20 (e)
27002: 8.24 Guidance (b,f), other
information (a)
Identify and document high-risk environments.
27001: 6.1.2
27001: 7.5
27001: A.5.37
27001: A.8.20
27001: A.8.22
27002: 8.20 (c)
27001: A.8.15
The information system protects audit records from unauthorized access,
modification, and deletion.
27001: A.8.15
27001: A.8.24
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.26
27001: A.5.37
27001: A.6.8
Establish, document, approve, communicate, apply, evaluate and maintain
a security incident response plan, which includes but is not limited to: relevant
internal departments, impacted CSCs, and other business critical relationships
(such as supply-chain) that may be impacted.
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: A.5.26
27002: 5.26 (e,f)
27001: A.5.36
27002: 5.36
Establish and monitor information security incident metrics.
27001: A.5.24
27002: 5.24 (b)
27001: A.5.25
Define and implement processes, procedures and technical measures
for security breach notifications. Report security breaches and assumed security
breaches including any relevant supply chain breaches, as per applicable SLAs,
laws and regulations.
27001: A.5.19
27001: A.5.22
27001: A.5.23
27001: A.5.24
27001: A.5.26
27001: A.6.8
27002: 5.19 (f)
27002: 5.22 (f,g,h,i)
27002: 5.23 (h)
27002: 5.26 (e)
27001: A.5.5
27001: A.5.24
27002: 5.24 Incident management
procedure (d)
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
27001: A.5.20
27001: A.5.22
27001: A.5.23
27002: 5.23 (d)
Provide SSRM Guidance to the CSC detailing information about the
SSRM applicability throughout the supply chain.
27001: 7.4
27001: 9.1
27001: A.5.20
27001: A.5.21
27001: A.5.23
27002: 5.20 (a-z)
27002: 5.21 (a-m)
27002: 5.23 (d)
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
27001: A.5.23
27002: 5.23 (d)
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
27001: 9.1
27001: 9.3
27001: A.5.20
27001: A.5.23
27002: 5.23 (d)
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually agreed-upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
27001: A.5.19
27001: A.5.20
27002: 5.19 (m4)
27002: 5.20 (a-d,u,e,j,o,p,x,y,z)
Review supply chain agreements between CSPs and CSCs at least annually.
27001: A.5.20
27001: A.5.22
27001: 6.1.1
27001: 6.1.2
27001: 8.1
27001: 8.2
27001: A.5.19
27001: A.5.20
27001: A.5.21
27001: A.5.23
27002: 5.19 (g)
27002: 5.20 (q)
27002: 5.21 (f)
27002: 5.23 (f,i)
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5.1
27001: A.5.4
27001: A.5.7
27001: A.5.37
27001: A.8.7
27002: 5.7 (b)
Define, implement and evaluate processes, procedures and technical
measures to enable both scheduled and emergency responses to vulnerability
identifications, based on the identified risk.
27001: 6.1.3
27001: A.8.7
27001: A.8.8
27001: A.8.32
27002: 8.7
27002: 8.8
27002: 8.32
27001: 6.1.3
27001: A.5.1
27001: A.8.8
27001: A.8.15
27001: A.8.16
27002: 5.1
27002: 5.37
27002: 8.8
27002: 8.15 (d)
27002: 8.16 (d,e)
27002: 8.31 2nd (a)
Define, implement and evaluate processes, procedures and technical
measures to identify updates for applications which use third party or open
source libraries according to the organization's vulnerability management policy.
27001: 6.1.3
27001: A.5.6
27001: A.8.19
27001: A.8.8
27001: A.8.28
27001: A.8.31
27002: 5.6 (c)
27001: 8.19
27001: 8.8
27001: 8.28
27001: 8.31
27001: A.8.8
27002: 8.8
27001: 8.2
27001: 8.3
27001: A.8.8
27001: A.8.19
27002: 8.8
27002: 8.19
Define and implement a process for tracking and reporting vulnerability
identification and remediation activities that includes stakeholder notification.
27001: 7.4
27001: A.6.8
27002: 6.8
27001: 5.3
27001: 9.1
27001: A.6.8
27001: A.8.8
27002: 6.8 (i)
27002: 8.8
27001: A.5.9
27001: A.8.1
27001: A.8.3
27001: A.8.19
27001: A.8.27
27002: A.8.1 (d)
Define and implement a process for the validation of the endpoint
device's compatibility with operating systems and applications.
27001: A.8.19
27001: A.8.29
27001: A.8.32
27001: A.8.1
27001: A.8.32
27002: A.8.1 (e)
27001: A.8.1
27002: 8.1 (h)
27001: A.8.1
27001: A.8.20
27002: 8.20 (i)
27002: 8.1 (f)
27001: A.5.12
27001: A.8.3
27001: A.8.1
27001: A.5.14
27001: A.5.21
27001: A.5.22
ISO/IEC 27001:2022, 27002:2022
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
'Define and implement technical and operational metrics'.
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full CCM control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full CCM control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Partial Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
Partial Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'policies and procedures for virtualization security'.
'at least annually (Review)'.
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Recommend that the full CCM control specification is to be used to close the gap. The mapped ISO
controls cover in part but inadequately the high specificity of the CCM control objective.
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
'CSP and CSC (tenant) and intra-tenant access is appropriately segmented and segregated'.
Partial Gap
Missing specification(s) in ISOs:
'(secure and encrypted communication channels when) migrating servers, services, applications, or
data to cloud environments'.
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'incident metrics'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Gap
N/A
No Gap
N/A
No Gap
CIS v8.0
16.7 No Gap
16.2 Partial Gap
16.1 No Gap
16.12
Partial Gap
16.13
16.2
Partial Gap
16.6
No Mapping Full Gap
11.1
11.2
11.3 Partial Gap
11.4
11.5
No Mapping Full Gap
3.1
Partial Gap
3.5
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
1.3
No Gap
1.5
No Mapping Full Gap
3.7 No Gap
3.8 No Gap
3.1 No Gap
16.1 Partial Gap
No Mapping Full Gap
3.1
3.1 No Gap
3.14
14 No Gap
14.1
Partial Gap
14.9
6.8 No Gap
6.8 No Gap
6.1 No Gap
5.3
No Gap
6.2
5.1 Partial Gap
16.8 No Gap
No Mapping Full Gap
No Mapping Full Gap
No Mapping Full Gap
13.3
Partial Gap
13.8
8.1 Partial Gap
8.1
8.9 Partial Gap
8.1
8.4 No Gap
8.1 No Gap
8.2 No Gap
No Mapping Full Gap
17.2 No Gap
No Mapping Full Gap
15.3 No Gap
15.5 No Gap
15.6 No Gap
7.1 No Gap
9.7
Partial Gap
10.1
7.2
7.7 No Gap
17.9
10.2 No Gap
2.6 Partial Gap
18.1
No Gap
18.2
7.1
7.5 No Gap
7.6
7.2
18.3 No Gap
16.6
7.1 Partial Gap
1.1 No Gap
1.3
1.4 Partial Gap
1.5
4.3 No Gap
No Mapping Full Gap
3.6 No Gap
9.7
No Gap
10.1
4.4
No Gap
4.5
3.13 No Gap
4.11 No Gap
15.4 Partial Gap
CIS v8.0
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control: (7.2) 'Establish and maintain
a risk-based remediation strategy'.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Missing specification(s) in CISv8:
'Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for application security'.
6.7
12.1
12.1.1
12.11
N/A
6.3
11.4
Missing specification(s) in CISv8:
'metrics in alignment with business objectives'.
No Mapping
N/A
6.3
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(16.12) 'Implement Code-Level Security Checks' (as part of AIS-05 testing
strategy)
(16.13) 'Conduct Application Penetration Testing' (as part of AIS-05
testing strategy).
A.3.2.2
A.3.2.2.1
6.6
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A.3.2.2
A.3.2.2.1
6.6
6.2
6.5
6.5.1-10
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
9.5.1
12.10.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(4.1) 'Establish and maintain a secure configuration process for
enterprise assets', 'Review and update documentation annually'.
2.5
6.4
6.4.5
6.4.6
12.1
12.1.1
12.11
A3.2.2.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.4.5.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.4.5.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.4.5.3
6.4.5.4
11.5
11.5.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.4.5.4
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.5
3.6
3.7
4.3
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
1.15
3.6.8
12.4
A3.1.3
Missing specification(s) in CISv8:
'using cryptographic libraries certified to approved standards.'
Requirement 3
2.2.3
2.3
3.4
3.5.3
4.1
8.2.1
PCI Glossary - Strong Cryptography
Missing specification(s) in CISv8:
'considering the classification of data, associated risks, and usability
of the encryption technology.'
A2
Requirement 3
2.3
2.2.3
3.4
3.5.3
4.1
8.2.1
PCI Glossary - Strong Cryptography
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Missing specification(s) in CISv8:
'libraries specifying the algorithm strength and the random number
generator used.'
2.2.3
3.6.1
PCI Glossary - Cryptographic Key
Generation
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.6.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.6.4
3.6.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.6.4
3.6.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.6.4
3.6.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.6.4
3.6.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.5.1
3.6.3
PCI Glossary - Cryptographic Key
Management
3.1
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
4.1
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.1
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.6
9.6.2
9.6.2.a
9.6.2.b
9.6.3
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
2.4
2.4a
2.4b
N/A
2.4
9.7.1
9.9.1
9.9.1.a
9.9.1.b
9.9.1.c
12.3.3
12.3.4
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
3.7
9.1
N/A
12.3.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.1
9.1.3
9.3
9.3.a
9.3.b
9.3.c
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.4.4.a
9.4.4.b
9.4.4.c
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.1.1
9.1.1a
9.1.1b
9.9.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.1.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
12.1
12.1.1
12.11
12.3
No Mapping
N/A
9.6.1
N/A
1.1.3
N/A
No Mapping
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(16.1) 'Establish and maintain a secure application development process.
In the process, address such items as: secure application design
standards, secure coding practices'.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A.3.2.2
Missing specification(s) in CISv8.0:
'transfer of personal data is protected'.
4.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.3.1
6.4.3
Missing specification(s) in CISv8:
'in accordance with applicable laws and regulations'.
3.1
N/A
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.10.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(3.1) 'Establish and maintain a data management process'.
12.1
12.1.1
12.11
12.4.1
A.3.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.2
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
'Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard' (3.1, 3.8, 4.1, 4.2, 7.1,
8.1, 9.1, 11.1, 12.4, 16.1, 16.2).
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.7
A3.1.2
12.4.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.3
12.3.5
Missing specifications in CISv8.0:
'Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures' 'Review and update the policies and procedures
at least annually'.
9.5
12.1
12.1.1
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(13.5) 'Manage access control for assets remotely connecting to
enterprise resources.' (14.8) 'all users securely configure their home
network infrastructure'.
12.1
12.1.1
12.3.10
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.3
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(6.1) 'Establish and follow a process, preferably automated, for granting
access to enterprise assets upon new hire, rights grant, or role change
of a user.' (6.2) 'revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or
role change of a user'.
12.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.6.2
N/A
12.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
12.6
12.6.1
12.6.1a
12.6.1b
12.6.1c
12.6.2
Missing specifications in CISv8.0:
'Provide all employees with access to personal data with appropriate
security awareness training'
12.6.1c
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
A3.1.4
12.6
12.4.1.a
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
6.1 'Establish an Access Granting Process'
6.2 'Establish an Access Revoking Process'
6.6 'Establish and Maintain an Inventory of Authentication and
Authorization Systems'.
7.1
7.3
8.1
8.4
8.5
8.8
12.1
12.1.1
12.11
12.5.4
N/A
8.4
12.1
12.1.1
12.11
N/A
2.4.a
N/A
6.4
6.4.2
N/A
7.1
7.1.1
7.1.2
N/A
7.1.3
7.1.4
8.1.1
N/A
8.1.2
8.1.3
Missing specification(s) in CISv8:
'Review and revalidate user access for separation of duties'.
12.5.5
7.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
10.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
8.1
8.2
8.6
Missing specification(s) in CISv8:
'Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities'.
8.1.2
8.1.3
8.1.6
8.2
8.3
8.3.2
12.3.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
8.2
8.2.1-6
N/A
5.3
7.1.4
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
1.1.6
1.2
1.2.3
2.2
4.1.1
10.2
N/A
2.2
N/A
6.4.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
2.6
8.3.1
10.8
11.3
A3.2.1
A3.3.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
6.1
12.2
6.6
1.1
1.2
1.3
1.5
12.10.5
Missing specification(s) in CISv8:
'approve, communicate, apply, evaluate'.
10.6.1
10.6.2
10.6.3
10.8
10.8.1
10.9
12.1
12.1.1
12.11
N/A
10.4
N/A
10.3
N/A
10.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
10.5
10.5.1
10.5.2
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
9.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
10.6
12.1
12.1.1
12.11
N/A
12.1
12.1.1
12.5.3
12.11
N/A
12.1
12.10.1
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.5.2
Missing specification(s) in CISv8:
'Report security breaches and assumed security breaches including any
relevant supply chain breaches, as per applicable SLAs, laws and
regulations'
12.5.2
12.5.3
N/A
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.4.1
12.8.2
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.8.2
12.9
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.4.1
12.5.1
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.4.1
12.8.2
12.9
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1.1
12.8.4
12.8.5
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.5
12.6
12.7
12.8
12.9
12.1
N/A
2.4
12.8.1
N/A
12.2b
12.8.3
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1.1
12.2
12.4
12.4.1
12.8
12.9
12.11
N/A
12.1.1
12.2
12.8.3
12.8.4
12.8.5
N/A
12.8.4
N/A
5.2.a
5.4
6.1
6.1.a
6.7
12.1
12.1.1
12.3.1
12.5.1
12.11
Missing specification(s) in CISv8:
'Review and update the policies and procedures at least annually.'
5.4
12.1
12.1.1
12.3.1
12.5.1
12.11
N/A
6.1
6.1.a
6.1.b
N/A
5.2
5.2a
5.2b
5.2c
Missing specification(s) in CISv8:
'Define, implement and evaluate processes, procedures and technical
measures to identify updates'
6.1
6.2
6.3.2
N/A
11.3
11.3.1
11.3.2
11.3.3
11.3.4
N/A
6.1
11.2
11.2.1
N/A
6.1
6.5.6
Missing specification(s) in CISv8:
'reporting vulnerability identification and remediation activities that
includes stakeholder notification.'
12.5.3
12.1
12.10.1
12.10.3
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
12.1
12.1.1
12.11
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
2.4
12.3.3
N/A
8.1.6
8.1.7
N/A
6.4.6
12.11
N/A
3.4
3.6
N/A
5.1
N/A
1.4
N/A
A3.2.6
The full V4 control specification is missing from CISv8.0 and has to be used to close the gap.
No Mapping
N/A
No Mapping
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(15.4) 'Ensure Service Provider Contracts Include Security Requirements'
8.3.1
9.3.3
12.1
PCI DSS v3.2.1
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for application security'.
Partial Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'approve business continuity management and operational resilience policies and procedures'.
Partial Gap
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for managing the risks associated with applying changes to
organization assets'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for Cryptography, Encryption and Key Management'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for the classification, protection and handling of data throughout its
lifecycle'.
Partial Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
No Gap
N/A
No Gap
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for an information governance program, which is sponsored by the
leadership of the organization'.
Partial Gap
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for background verification of all new employees'
'according to local laws, regulations, ethics, and contractual constraints'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Partial Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for identity and access management'.
Partial Gap
Missing specification(s) in PCI DSS:
'approve strong password policies and procedures'.
Partial Gap
Missing specification(s) in PCI DSS:
'system identities level of access'.
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'authorizes, records, and communicates access changes to data and assets'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for interoperability and portability'
'a. Communications between application interfaces,
b. Information processing interoperability,
c. Application development portability,
d. Information/Data exchange, usage, portability, integrity, and persistence'.
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve, policies and procedures for infrastructure and virtualization security'.
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for logging and monitoring'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for the timely management of security incidents'.
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for the application of the Shared Security Responsibility Model
(SSRM) within the organization'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in PCI DSS:
'identify updates for applications which use third party or open source libraries'.
Partial Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'organizationally managed assets at least monthly'.
Partial Gap
N/A
No Gap
Missing specification(s) in PCI DSS:
'process for tracking' and 'stakeholder notification'.
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
Missing specification(s) in PCI DSS:
'approve policies and procedures for all endpoints'.
Partial Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
The full V4 control specification is missing from PCI DSS v3.2.1 and has to be used to close the
gap.
Full Gap
N/A
No Gap
AICPA TSC 2017
CC2.2
CC2.3
Partial Gap
CC3.2
CC5.3
CC3.1
No Gap
CC3.1
Partial Gap
CC3.2
CC8.1
CC4.1
Partial Gap
CC5.3
No Mapping
Full Gap
CC6.8
Partial Gap
CC8.1
CC6.8
Partial Gap
CC8.1
CC7.1
CC7.4
No Gap
CC8.1
CC5.3
CC9.1
Partial Gap
A1.2
CC3.1
CC3.2
A1.2
No Gap
CC7.3
CC7.4
CC7.5
CC7.3
CC7.4
Partial Gap
CC7.5
A1.2
CC7.5
A1.2
Partial Gap
A1.3
CC2.1
Partial Gap
PI1.1
A1.3
Partial Gap
CC7.5
CC2.3
CC7.5
Partial Gap
CC9.1
A1.2
No Gap
A1.3
A1.2
Partial Gap
CC3.2
A1.3
No Gap
A1.2
No Gap
CC3.2
CC8.1
No Gap
CC5.3
CC8.1
No Gap
CC8.1
No Gap
CC8.1
No Gap
CC8.1
No Gap
CC8.1
No Gap
CC8.1
No Gap
CC7.4
CC7.5
Partial Gap
CC8.1
CC9.2
CC8.1
No Gap
CC5.3
CC6.1
Partial Gap
CC6.7
No Mapping
Full Gap
CC6.1
Partial Gap
CC6.7
CC6.1
Partial Gap
CC6.7
P5.1
CC5.3
CC6.5
CC3.3
Partial Gap
P1.1
P2.1
P4.0
A1.2
CC5.3
No Gap
CC6.1
CC3.4
CC5.3
CC6.4
Partial Gap
CC6.5
CC6.7
CC5.3
Partial Gap
CC3.4
CC6.4
Partial Gap
CC6.5
CC6.7
CC1.4
Partial Gap
CC6.4
A1.2
Full Gap
A1.2
Partial Gap
CC3.2
PI1.1
PI1.5
P4.1
Partial Gap
P4.2
P4.3
CC5.3
CC6.1
CC6.2
CC6.3
CC6.4
Partial Gap
CC6.5
CC6.7
P4.3
CC6.1
No Gap
CC6.1
No Gap
C1.1
No Mapping
Full Gap
CC1.1
CC1.3
CC1.5
No Gap
P2.1
P3.2
P6.7
PI1.2
Partial Gap
PI1.3
P1.1
Partial Gap
P6.1
No Gap
CC2.1
CC6.1
CC6.3
CC6.7
CC8.1
C1.1
No Gap
P2.0
P3.0
P4.0
P5.0
P6.0
P4.1
No Gap
A1.2
Partial Gap
CC1.3
CC1.4
No Gap
CC5.3
CC3.1
CC3.2
No Gap
CC5.1
A1.2
CC5.3
No Gap
CC1.1
Partial Gap
CC9.2
CC3.4
No Gap
CC7.4
CC1.1
CC1.4
CC2.2
No Gap
CC5.2
CC5.3
CC1.1
CC1.4
CC2.2
No Gap
CC5.2
CC5.3
CC1.3
CC1.4
No Gap
CC1.5
CC2.2
CC9.2
No Gap
P6.4
CC1.3
CC1.5
No Gap
CC2.2
CC5.3
CC6.1
No Gap
CC6.2
CC6.3
No Mapping
Full Gap
CC6.1
No Gap
CC6.3
CC1.3
CC5.1
No Gap
CC6.3
CC6.3
No Gap
CC6.3
No Gap
CC8.1
CC5.3
No Gap
CC6.3
CC6.2
Partial Gap
CC6.3
CC5.1
CC6.1
Partial Gap
CC6.3
CC6.1
CC6.2
Partial Gap
CC6.3
CC3.2
CC6.1
Partial Gap
CC6.3
CC6.7
No Gap
PI1.1
PI1.2
Partial Gap
PI1.3
CC3.1
CC5.2
Partial Gap
CC5.3
A1.1
No Gap
CC6.1
Partial Gap
CC6.7
CC6.1
CC6.8
Partial Gap
CC7.1
CC6.6
CC6.8
CC7.1
No Gap
CC7.2
CC7.5
CC5.3
Partial Gap
CC7.2
CC6.8
Partial Gap
CC7.3
CC7.2
No Gap
CC7.2
No Gap
No Mapping
Full Gap
CC6.1
Partial Gap
CC7.2
CC6.1
Partial Gap
CC7.2
CC6.4
No Gap
CC7.2
CC2.3
No Gap
CC7.3
CC5.3
CC7.3
Partial Gap
CC7.4
CC7.5
CC5.3
CC7.3
Partial Gap
CC7.4
CC7.2
CC7.3
Partial Gap
CC7.4
CC7.5
No Gap
CC7.2
No Gap
CC7.3
No Gap
CC7.4
Partial Gap
CC7.5
CC2.3
No Gap
No Mapping
Full Gap
CC9.2
No Gap
CC9.2
No Gap
CC3.2
No Gap
CC3.2
No Gap
CC3.2
CC5.3
CC6.6
No Gap
CC7.1
CC7.4
CC5.3
No Gap
CC6.8
CC5.3
CC7.1
Partial Gap
CC7.4
CC4.1
Partial Gap
CC7.1
CC7.1
Partial Gap
CC6.1
Partial Gap
CC6.7
N/A
27001: 9.3.2
27001: A.18.2.2
27002: 18.2.2
27001: A.18.2.3
27002: 18.2.3
27001: A.5.1.1
27017: 5.1.1
27001: A.7.2.2
27002: 7.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.1
27001: A.18.2.2
27002: 18.2.2
27001: A.14.1.1
27002: 14.1.1
27017: 14.1.1
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.14.2.1
27002: 14.2.1
27017: 14.2.1
Missing specification(s) in TSC 2017:
'criteria for acceptance of new information systems, upgrades and new
versions'
'application security assurance and (testing strategy) maintains
compliance'
'Automate when applicable and possible'.
27001: A.14.2.8
27001: A.14.2.9
27001: A.12.1.2
27002: 12.1.2
27001: A.14.1.1
27002: 14.1.1
27001: A.14.2.2
27002: 14.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
N/A
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27001: A.12.6.1
27002: 12.6.1
27017: 12.6.1
27018: 12.6.1
Missing specification(s) in TSC 2017:
'Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures'
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.7.2.1
27001: A.17.1.2
N/A
27001: 4.2
27001: 6.1.2
27001: 6.1.3
27001: 8.2
27001: 8.3
27001: A.16.1.6
27001: A.17.1
Missing specification(s) in TSC 2017:
'Establish strategies', 'risk appetite'.
27001: 6.1.1
27001: A.17.1.1
27001: A.17.1.2
27001: A.17.1.3
N/A
27001: A.12.3
27017: 12.3
27018: 12.3.1
Missing specification(s) in TSC 2017:
'to recover from man-made disasters'.
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 8.1
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.1.1
27001: A.12.1.2
27002: 12.1.2
27017: 12.1.2
27001: A.14.2.2
27001: A.14.2.3
N/A
27001: A.14.2.2
27002: 14.2.2
27017: 14.2.2
N/A
27001: A.5.1.1
27017: 5.1.1
27001: A.12.1.2
27002: 12.1.2
27001: A.12.1.4
27001: A.14.2.3
27001: A.15.2.2
27002: 15.2.2
27001: A.14.2.6
27002: 14.2.6
N/A
27001: A.12.1.4
27002: 12.1.4
27001: A.12.4.2
27002: 12.4.2
27001: A.14.2.2
27017: 14.2.2
N/A
27001: A.15.2.2
27001: A.14.2.2
27002: 14.2.2
27001: A.12.1.2
27017: 12.1.2
N/A
27001: A.12.1.1
27002: 12.1.1
27001: 14.2.2
27002: 14.2.2
N/A
27001: A.14.2.2
27001: A.14.2.4
27001: A.12.4.1
27002: 12.4.1 (g)
27001: A.5.1.1
27017: 5.1.1
27001: 5.3
27001: A.5.1.1
27002: 5.1.1
27001: A.6.1.1
27002: 6.1.1
27017: 6.1.1
27001: A.6.1.2
27017: 6.1.2
27001: A.9.1
27002: 9.1
27001: A.10.1.1
27002: 10.1.1
27001: A.15.1.2
27017: 15.1.2
27001: A.13.1.3
27017: 13.1.3
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27017: CLD 6.3
Missing specification(s) in TSC 2017:
'Cryptographic libraries certified to approved standards'.
27001: A.18.1.1
27001: A.18.1.2
27001: A.18.1.3
27001: A.18.1.4
27001: A.18.1.5
27001: A.10.1
27002: 10.1
27001: A.13.2.1
27002: 13.2.1
27001: A.18
27002: 18
27001: A.14.1.2
27002: 14.1.2
27001: A.14.1.3
27002: 14.1.3 c)
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
Missing specification(s) in TSC 2017:
'considering the classification of data', 'usability of encryption
technology'.
27001: 6.1.2
27001: 6.1.3
27001: A.8.2
27002: 8.2
27001: A.8.3
27001: A.10.1.1
27002: 10.1.1 (b)
27001: A.10.1.2
27002: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.1.2
27002: 12.1.2
27017: 12.1.2
27001: A.10.1.2
27002: 10.1.2 e)
27001: A.14.2.2
27002: 14.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8
27001: A.12.1.2
27002: 12.1.2
27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8
27001: A.10.1.1
27002: 10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1
27017: 10.1
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.2
27001: A.18.2.1
27001: A.18.2.2
27001: A.12.7
27002: 12.7
27017: 12.7
27001: A.10.1.2
27001: A.10.1.2
27002: 10.1.2 k)
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27002: 10.1.1 (e)
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27002: 10.1.2 (a)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (c)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 e)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 (g),(f)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27017: 10.1.2
27001: A.10.1.2
27002: 10.1.2 (j)
27001: A.18.1.3
27002: 18.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2 a)
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27017: 10.1.1
27001: A.10.1.2
27017: 10.1.2
27002: 10.1.2 (i)
27001: 9.0
27002: 9.0
27017: 9.0
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.1
27002: 10.1.1 (d)
27001: A.10.1.2
27002: 10.1.2 (f),(g)
27001: A.18.1.5
27001: A.18.1.3
27002: 18.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.2
27001: 8.3
27001: A.10.1.2
27002: 10.1.2 (h)
27001: A.18.1.5
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.10.1.2
27002: 10.1.2
27017: 10.1.2
27001: A.18.1.5
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.2.5
Missing specification(s) in TSC 2017:
'policies and procedures for maintaining a safe and secure working
environment in offices, rooms, and facilities'
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.11.1.3
27002: 11.1.3
27017: 11.1.3
27001: A.11.1.5
27002: 11.1.5
27017: 11.1.5
Missing specification(s) in TSC 2017:
'policies and procedures for the secure transportation of physical media'
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.8.3.3
27002: 8.3.3
27017: 8.3.3
27001: A.8.2.1
27002: 8.2.1
27017: 8.2.1
Missing specification(s) in TSC 2017:
'track the physical and logical assets'
'located at all of the CSPs sites'.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
27001: A.11.1.1
27002: 11.1.1
27017: 11.1.1
No Mapping
Missing specification(s) in TSC 2017:
'retain access control records on a periodic basis as deemed appropriate
by the organization'.
27001: A.11.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
27001: A.11
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.17.1.3
27001: A.11.2.1
27001: A.11.2.2
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.8.2.1
27001: A.12.1
27002: 12.1
27001: A.8.1.1
27002: 8.1.1
N/A
27001: A.8.2.1
27002: 8.2.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
N/A
27001: A.8.1.2
Missing specification(s) in TSC 2017:
'security by design'.
27001: A.14.1.1
27002: 14.1.1
27001: A.14.2.5
27002: 14.2.5
Missing specification(s) in TSC 2017:
'privacy settings are configured by default'.
No Mapping
27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: A.18.1.4
Missing specification(s) in TSC 2017:
'transfer of personal data is protected'.
27001: A.13.2.1
27002: 13.2.1
27001: A.8.3.3
27002: 8.3.3
27001: A.13.2.3
27002: 13.2.3
Missing specification(s) in TSC 2017:
'according to any applicable laws and regulations'.
No Mapping
N/A
27001: A.18.1.4
27002: 18.1.4
N/A
No Mapping
N/A
27018: A.6.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.14.3.1
27002: 14.3.1
27001: A.12.1.4
27002: 12.1.4
N/A
27001: A.18.1.3
N/A
27001: A.18.1.3
27002: 18.1.3
27001: A.18.1.4
27002: 18.1.4
N/A
27018: A.6.1
Missing specification(s) in TSC 2017:
'document the physical locations of data'.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: 5.1
27001: 5.2
27001: 5.3
27001: A.5
27002: 5
N/A
27001: 6.1
27001: 6.2
27001: A.6.1.2
N/A
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 4.3
N/A
27001: 5.1
27001: 5.3
27001: A.6.1.1
27002: 6.1.1
27001: A.7.2.1
27002: 7.2.1
27018: 5.1.1
N/A
27001: 4.2
27001: A.18.1
27001: A.18.2.2
27018: A.18.1
27018: A.18.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.6.1.4
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.7.1.1
27002: 7.1.1
27017: 7.1.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.8.1.4
27002: 8.1.4
27017: 8.1.4
N/A
27001: A.7.3.1
27002: 7.3.1
27017: 7.3.1
N/A
No Mapping
N/A
27001: 7.3
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
N/A
27001: 7.4
27001: A.6.1.1
27002: 6.1.1
27017: 6.1.1
N/A
27001: A.7.1.2
27002: 7.1.2
27017: 7.1.2
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
27001: 7.3
27001: A.7.2.2
27002: 7.2.2
27017: 7.2.2
N/A
27001: 5.1
27001: 7.3
27001: A.7.2.1
27002: 7.2.1
27017: 7.2.1
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.9.1.1
27002: 9.1.1
27001: A.5
27002: 5
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27001: A.7.2.2
27002: 7.2.2
27001: A.9.2.6
27002: 9.2.6
27001: A.9.2.3
27002: 9.2.3
N/A
N/A
27001: A.6.1.2
27002: 6.1.2
N/A
27001: A.9.1.1
27002: 9.1.1
27001: A.9.1.2
27002: 9.1.2
27001: A.9.2.3
27002: 9.2.3
N/A
No Mapping
N/A
No Mapping
Missing specification(s) in TSC 2017:
'for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance'.
27001: A.9.2.5
27001: A.9.2.6
27001: A.9.4.1
27017: 9.4.1
27001: A.6.1.2
27001: A.9.2.5
27001: A.9.2.3
27002: 9.2.3
27017: 9.2.3
27018: 9.2.3
27001: A.9.4.4
27002: 9.4.4
27017: 9.4.4
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(CC3.2) 'Identifies and Assesses Criticality of Information Assets and
Identifies Threats and Vulnerabilities', 'Analyzes Threats and
Vulnerabilities From Vendors, Business Partners, and Other Parties',
'Considers the Significance of the Risk'
(CC6.1) 'Restricts Logical Access'
(CC6.3) 'Reviews Access Roles and Rules'.
No Mapping
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
27018: 12.4.1
27001: A.12.4.2
27002: 12.4.2
27017: 12.4.2
27018: 12.4.2
27001: A.12.4.3
27002: 12.4.3
27017: 12.4.3
27018: 12.4.3
Missing specification(s) in TSC 2017:
'unique IDs or which can associate individuals to the usage of user IDs'.
27001: A.9.2.1
27002: 9.2.1
Missing specification(s) in TSC 2017:
'multi-factor authentication'.
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27001: A.9.4.2
27002: 9.4.2
27017: 9.4.2
27018: 9.4.2
N/A
27001: A.9.2.4
27002: 9.2.4
27017: 9.2.4
27018: 9.2.4
27001: A.9.3.1
27002: 9.3.1
27017: 9.3.1
27018: 9.3.1
27001: A.9.4.3
27002: 9.4.3
27017: 9.4.3
27018: 9.4.3
N/A
27001: A.9.2.5
27002: 9.2.5
27017: 9.2.5
27018: 9.2.5
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(CC5.3) 'Establishes Policies and Procedures to Support Deployment of
Management’s Directives', 'Reassesses Policies and Procedures'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.14.1.1
27017: 14.1.1
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.14.2
27002: 14.2
27001: A.14.2.1
27017: 14.2.1
27001: A.14.2.5
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(PI1.1) All points of focus
(PI1.3) 'Defines Processing Specifications'.
No Mapping
N/A
27001: A.18.1
27001: A.15.1.1
27002: 15.1.1
27017: 15.1.1
No Mapping
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27017: 5
27018: 5
N/A
27001: 5.3
27001: 6.1
27001: 9.1
27001: A.12.1.3
27002: 12.1.3
Missing specification(s) in TSC 2017:
'Review these configurations at least annually, and support them by
a documented justification of all allowed services, protocols, ports, and
compensating controls'.
27001: 7.5
27001: 9.1
27001: A.13.1.1
27002: 13.1.1
27001: A.13.1.2
27002: 13.1.2
27001: A.13.1.3
27002: 13.1.3
Missing specification(s) in TSC 2017:
'security baseline'.
27001: 7.5
27001: 9.1
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001: A.14.2.4
27018: 12.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.1
27001: A.12.1.4
27002: 12.1.4
27017: 12.1.4
27018: 12.1.4
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.1
27001: A.13.1.3
27002: 13.1.3
27017: 13.1.3
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(CC6.1) 'Uses Encryption to Protect Data'
(CC6.7) 'Uses Encryption Technologies or Secure Communication Channels to
Protect Data'.
27001: A.13.1.1
27002: 13.1.1
27017: 13.1.1
27018: 13.1.1
27001: A.13.1.2
27002: 13.1.2
27017: 13.1.2
27018: 13.1.2
27001: A.13.1.3
27002: 13.1.3
27017: 13.1.3
27018: 13.1.3
27001: A.13.2.1
27002: 13.2.1
27017: 13.2.1
27018: 13.2.1
27001: A.13.2.2
27002: 13.2.2
27017: 13.2.2
27018: 13.2.2
27001: A.13.2.3
27002: 13.2.3
27017: 13.2.3
27018: 13.2.3
27001: A.13.2.4
27002: 13.2.4
27017: 13.2.4
27018: 13.2.4
N/A
27001: 6.1.2
27001: 7.5
27001: A.9.1.2
27002: 9.1.2
27017: 9.1.2
27001: A.9.4.2
27002: 9.4.2
27017: 9.4.2
27018: 9.4.2
27001: A.14.2.5
27002: 14.2.5
27017: 14.2.5
N/A
27001: 6.1
27001: 6.2
27001: A.14.1.2
27002: 14.1.2
27017: 14.1.2
27001: A.11.1.4
27002: 11.1.4
27017: 11.1.4
27018: 16.1.1
Missing specification(s) in TSC 2017:
'Review and update the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.4.1
27001: A.12.4.2
27001: A.12.4.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.18.1.3
27002: 18.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.2
27001: A.12.4.1
27002: 12.4.2
N/A
27001: A.12.4.3
27002: 12.4.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.4
27002: 12.4.4
27017: 12.4.4
N/A
27001: 7.5.3
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
N/A
27001: A.12.4.1
27002: 12.4.1
27017: 12.4.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.4.2
27002: 12.4.2
N/A
27001: A.11.1.2
27002: 11.1.2
N/A
27001: A.16.1.1
27002: 16.1.1
27001: A.16.1.2
27017: 16.1.2
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27017: CLD.12.1.5
27018: 16.1.5
N/A
27001: A.18.2.3
N/A
No Mapping
N/A
27001: A.16.1.4
27002: 16.1.4
27017: 16.1.4
27018: 16.1.4
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that
is, covering in part the V4 control:
(CC7.4) 'Develops and Implements Communication Protocols for Security
Incidents'
(CC7.5) 'Communicates Information About the Event'.
27001: A.16.1.1
27002: 16.1.1
27017: 16.1.1
27018: 16.1.1
27001: A.16.1.2
27002: 16.1.2
27017: 16.1.2
27018: 16.1.2
27001: A.16.1.5
27002: 16.1.5
27017: 16.1.5
27018: 16.1.5
N/A
27001: 4.2
27001: A.6.1.3
27002: 6.1.3
27017: 6.1.3
27018: 6.1.3
27001: A.16.1.1
27002: 16.1.1
27001: A.18.1.1
27002: 18.1.1
27017: 18.1.1
27018: 18.1.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.15.1.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 6.2
27001: 7.1
27001: 8.1
27001: 8.2
27001: 9.1
27001: 9.3
27001: A.15.1
27001: A.15.2
Missing specification(s) in TSC 2017:
'SSRM' (Mapped controls don't specifically call out SSRM).
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 6.2
27001: 7.4
27001: 9.1
27001: A.15.1.2
27001: A.15.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 9.1
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 6.1.1
27001: 6.1.2
27001: 6.1.3
27001: 6.2
27001: 8.1
27001: A.15.1.2
27001: A.15.1.3
27001: A.15.1
27001: A.15.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.15.2
N/A
27001: 5.2
27001: A.5.1
27001: A.7.2.1
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 8.1
27001: 9.2
27001: 9.3
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 6.1.1
27001: 6.1.2
27001: 8.1
27001: 8.2
27001: A.15.1.2
27001: A.15.1.3
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
N/A
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.12.2.1
27001: A.6.2.1
27002: 6.2.1 (h)
27001: A.6.2.2
27002: 6.2.2 (j)
27001: A.7.2.2
27002: 7.2.2 (d)
27001: A.10.1.1
27002: 10.1.1 (g)
27001: A.13.2.1
27002: 13.2.1 (b)
27001: A.15.1.2
27017: 15.1.2
27001: A.12.2.1
27002: 12.2.1 (a),(d)
27017: CLD.9.5.2
Missing specification(s) in TSC 2017:
'responses to vulnerability identifications, based on the identified
risk'.
27001: 6.1.3
27001: A.12.2.1
27001: A.12.6.1
27002: 12.6.1(c)(d)(j)
27018: 12.6.1(k)(i)
27001: 6.1.3
27001: A.5.1.1
27002: 5.1.1 (h)
27001: A.12.6.1
27002: 12.6.1 (b),(c)
Missing specification(s) in TSC 2017:
"third party or open source libraries" and "according to the
organization's vulnerability management policy".
27001: 6.1.3
27001: A.12.6.2
27002: 12.6.2
27001: A.12.6
27001: A.12.6.1
27002: 12.6.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 8.2
27001: 8.3
27001: A.12.5.1
27001: A.12.6.1
27001: A.12.6.1
27001: A.18.2.3
N/A
27001: 7.4
27001: A.16.1.2
27002: 16.1.2
27001: A.16.1.3
27002: 16.1.3
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: 5.3
27001: 9.1
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems (AICPA TSC CC6.7 has reference to
"Protect Mobile Devices" only whereas CCM control refers to endpoint
devices such as: mobile devices, servers, desktops, IoT, virtual etc.)
'Review the policies and procedures at least annually'.
27001: 5.1
27001: 5.2
27001: 7.3
27001: 7.4
27001: 7.5
27001: 9.1
27001: 9.3
27001: A.5
27002: 5
27001: A.6.2.1
27002: 6.2.1
27017: 6.2.1
27018: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.9.1.1
27002: 9.1.1
27001: A.9.2.2
27002: 9.2.2
27001: A.12.1.2
27002: 12.1.2
27001: A.12.5
27002: 12.5
27001: A.13.2.3
27002: 13.2.3
27001: A.14.2.2
27002: 14.2.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.14.2.4
27002: 14.2.4
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.8.1.1
27002: 8.1.1
27017: 8.1.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.12.6.2
27002: 12.6.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
No Mapping
Missing specification(s) in TSC 2017:
Requirement on 'endpoint' systems.
27001: A.14.2
27001: A.14.2.2
27002: 14.2.2
27001: A.14.2.3
27001: A.14.2.4
27018: 12.1.2
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.6.2.1
27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.6.2.1
27002: 6.2.1
The full V4 control specification is missing from TSC 2017 and has to be used to close the gap.
27001: A.15.1.1
27002: 15.1.1
27001: A.14.1.2
27002: 14.1.2
27001: A.6.1.1
27017: 6.1.1
27001: A.9.2.2
27017: 9.2.2
27001: A.9.2.4
27017: 9.2.4
ISO/IEC 27001:2013, 27002:2013, 27017:2015, 27018:2019
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'to review and update the policies and procedures at least annually.'
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
ISO does not explicitly specify the need to implement technical and operational metrics in alignment
with business objectives, security requirements, and compliance obligations.
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in ISOs:
The requirement to provide a framework for setting business continuity objectives.
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
No reference to Business Continuity Strategies
Partial Gap
Partial Gap
Partial Gap
Partial Gap
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Missing specification(s) in ISOs:
'Review and update the policies and procedures at least annually.'
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'Establish change management baselines'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
'secure repository requiring least privileged access'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
'Apply and maintain policies and procedures for the relocation or transfer of hardware, software, or
data/information to an offsite or alternate location'
'relocation requires the cryptographically verifiable authorization.'
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
'classify physical assets'
Partial Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement for maintaining an inventory for personal data
Partial Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Partial Gap
Missing specification(s) in ISOs:
incorporating security requirements at the design stage
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement to ensure information is only processed within scope as permitted by the respective
laws and regulations.
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Missing specification(s) in ISOs:
Processing personal data as per the purpose declared to the data subject
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Partial Gap
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing in the ISOs:
'policies and procedures for an information governance program'
'Review and update the policies and procedures at least annually.'
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement of 'at least annually'
Partial Gap
N/A
No Gap
Partial Gap
Missing in the ISOs:
'for planning, implementing, operating, assessing, and improving governance programs.'
'document roles and responsibilities'
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to focus training on 'sensitive organizational and personal data'
Partial Gap
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
Missing specification(s) in ISOs:
ISO partially addressed Identity Inventory under asset management
Partial Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from ISOs and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from ISOs and has to be used to close the gap.
Full Gap
Missing specification(s) in ISOs:
Requirement of separation of duties in reviewing of user access rights.
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to prevent the culmination of segregated privileged access.
Partial Gap
N/A
Full Gap
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to include multifactor authentication for at least privileged user and sensitive data
access.
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement of communications between application services (APIs)
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Missing specification(s) in ISOs:
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap
Missing specification(s) in ISOs:
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
'Design, develop, deploy and configure applications and infrastructures'
'monitored and restricted from other tenants.'
Partial Gap
Missing specification(s) in ISOs:
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap
Missing specification(s) in ISOs:
Requirement of 'Infrastructure & Virtualization Security'
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
'at least annually (Review)'.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement to review and update the policies and procedures at least annually.
Partial Gap
N/A
No Gap
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement to report relevant supply chain breaches.
Requirement to report as per applicable SLAs, laws and regulations.
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap
Partial Gap
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap
Partial Gap
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of a Shared Security Responsibility Model (SSRM).
Partial Gap
N/A
No Gap
Missing specification(s) in ISOs:
Requirement of 'malware policy and procedures'
Partial Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
Requirement of 'for applications which use...open source libraries according to the organization's
vulnerability management standard.'
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in ISOs:
Term 'endpoint' device
Partial Gap
Partial Gap
Missing specification(s) in ISOs:
Term 'endpoint' device
Partial Gap
Partial Gap
The full V4 control specification is missing from the ISOs and has to be used to close the gap.
Full Gap
Missing specification(s) in ISOs:
Term 'endpoint' device
Partial Gap
Partial Gap
Partial Gap
Partial Gap
Partial Gap
NIST 800-53 rev 5
CA-1
No Gap
CA-2
CA-2(1)
CA-2(2)
No Gap
CA-7
CA-7(1)
CA-2
CA-2(1)-(3)
No Gap
PL-10
PL-11
CA-1
No Gap
CA-1
CA-2
No Gap
PM-4
CA-5
CA-5(1)
No Gap
PM-4
CM-3
CM-3(2)
PM-20
PM-20(1)
SA-1
No Gap
SA-4
SA-8
SA-8(29)-(33)
SI-17
CM-2
CM-2(2)
CM-2(3)
SA-8
SA-8(8)
No Gap
SA-8(14)
SA-8(23)
SA-8(29)
SA-8(31)
SA-15
No Gap
SA-15(1)
PL-2
PL-8
PL-8(1)
SA-3
SA-3(1)
SA-4
SA-4(2)
SA-4(3)
SA-4(8)
SA-4(9)
No Gap
SA-5
SA-8
SA-8(1)-(7)
SA-8(9)-(13)
SA-8(15)-(20)
SA-8(22)
SA-8(24)-(28)
SA-8(30)-(33)
SA-17
SA-17(1)-(9)
SA-11
SA-11(1)-(9)
SI-6
SI-6(2)
No Gap
SI-6(3)
SI-10
SI-10(1)-(6)
SA-3
SA-3(2)
SA-3(3)
SA-4
SA-4(3)
No Gap
SA-8
SA-8(31)
SA-16
SR-9
SR-9(1)
SI-2
SI-2(2)-(6)
SA-11
SA-11(2)
No Gap
SA-15
SA-15(1)-(3)
SA-15(5)-(8)
SA-15(10)-(12)
CP-1
CP-2
No Gap
PL-2
CP-2
PM-8
No Gap
PM-9
CP-1
CP-2
CP-2(1)
No Gap
CP-2(2)
CP-2(5)
CP-2(7)
CP-2
CP-4
No Gap
PM-8
CP-1
CP-2
No Gap
CP-4
AT-3
AT-3(3)
CP-3
CP-3(1)
No Gap
CP-4
CP-4(4)
IR-4
IR-4(3)
CP-2
No Gap
CP-2(1)
CP-4
CP-4(4)
CP-6
CP-6(1)-(3)
CP-9
No Gap
CP-9(1)
CP-9(2)
CP-10
CP-10(2)
CP-10(4)
CP-2(1)
CP-2(2)
CP-2(3)
CP-2(5)
CP-2(6)
CP-2(7)
No Gap
CP-2(8)
PE-13
PE-13(1)
PE-13(2)
PE-13(4)
AT-2
AT-2(1)
AT-3
AT-3(3)
AT-4
CP-3
No Gap
CP-3(1)
IR-3
IR-3(2)
IR-3(3)
IR-9
IR-9(2)
NCP-2
CP-2(2)
CP-4(3)
CP-6
CP-6(1)
No Gap
CP-7
CP-8
CP-8(1)-(3)
CP-9
CP-9(6)
CM-1
CM-9
CM-9(1)
CM-10
CM-10(1)
CM-11
No Gap
PM-9
PS-8
SA-8
SA-8(1)
SA-8(24)
SI-12
CM-2
CM-2(2)
CM-2(6)
CM-3
CM-3(2)
No Gap
CM-3(7)
CM-4
CM-4(1)
CM-4(2)
CM-2
CM-2(2)
CM-2(3)
CM-2(7)
CM-3
CM-3(2)
CM-3(3)
CM-3(5)
CM-3(6)
CM-4
CM-4(1)
CM-5
No Gap
CM-5(5)
CM-5(6)
CM-7
CM-7(2)-(7)
CM-11
CM-11(2)
CM-14
SA-10
SA-10(7)
SA-11
SA-11(9)
CA-7
CA-7(4)
CM-3
CM-3(1)
CM-3(5)
CM-3(7)
CM-3(8)
CM-5
CM-5(1)
CM-5(4)
No Gap
CM-5(5)
CM-6
CM-6(1)
CM-6(2)
CM-7
CM-7(1)
CM-7(4)
CM-7(5)
CM-7(9)
CM-3
CM-3(1)
No Gap
CM-3(2)
CM-2
CM-2(3)
CM-5
CM-5(6)
CM-8
No Gap
CM-8(1)-(9)
CM-9
CM-9(1)
CM-14
CM-6
CM-6(2)
No Gap
SI-2
SI-2(2)-(6)
CM-3
No Gap
CM-3(1)
CM-2
CM-2(3)
CM-3
CM-3(3)
No Gap
CM-3(7)
SA-8
SA-8(24)
SC-1
SA-9
SA-9(6)
No Gap
SC-12
SC-12(2)
SC-12(3)
IA-7
IA-8
IA-8(5)
SA-9
SA-9(1)
No Gap
SA-9(6)
SC-12
SC-12(6)
SC-13
AC-19
AC-19(5)
SC-8
SC-8(1)
SC-8(3)
SC-8(4)
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-28
SC-28(1)-(3)
SI-4
SI-4(10)
SI-7
SI-7(6)
SC-12
SC-12(2)
SC-12(3)
No Gap
SC-28
SC-28(1)
CM-3
CM-3(6)
No Gap
SI-7
SI-7(6)
CM-3
CM-3(6)
No Gap
PL-2
CM-3
CM-3(6)
PM-31
No Gap
SC-28
SC-28(1)
SC-28(3)
CP-9
CP-9(8)
SA-9
No Gap
SA-9(6)
SC-12
SC-12(6)
AU-9
AU-9(3)
No Gap
PM-31
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
IA-5
IA-5(2)
PM-32
SC-12
No Gap
SC-12(2)
SC-12(3)
SC-13
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
PM-31
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-13
SC-12
SC-12(2)
No Gap
SC-12(3)
SC-12
SC-12(1)-(3)
No Gap
SC-28
SC-28(3)
SC-12
No Gap
SC-12(1)-(3)
CM-3
CM-3(6)
CP-9
No Gap
CP-9(8)
SC-12
SC-12(1)-(3)
SC-12
SC-12(1)-(3)
No Gap
SC-12(6)
MP-6
MP-6(1)-(3)
MP-6(8)
No Gap
MP-7(2)
MP-8
AC-1
AC-4
CA-3
MP-5
Partial Gap
MP-5(3)
SC-4
SC-4(2)
PE-1
PE-6
PE-6(1)-(4)
SC-15
No Gap
SC-15(1)
SC-15(3)
SC-15(4)
MP-1
MP-5
No Gap
MP-5(3)
CM-8
CM-8(1)
CM-8(2)
CM-8(4)
CM-8(6)
No Gap
CM-8(7)
CM-8(9)
PM-5
PM-5(1)
PE-20
CM-8
CM-8(1)
CM-8(2)
No Gap
CM-8(4)
CM-8(7)
CM-8(8)
AT-3(2)
PE-2
PE-2(1)
PE-2(3)
PE-3
PE-3(2)-(5)
No Gap
PE-3(7)
PE-3(8)
PE-6
PE-6(1)-(4)
PE-8
PE-8(1)
AC-18
AC-18(1)
IA-3
No Gap
IA-3(3)
IA-3(4)
MP-4(2)
PE-3
PE-3(8)
PE-5
No Gap
PE-6
PE-6(1)-(4)
PE-18
SC-42
PE-6
No Gap
PE-6(1)-(3)
AT-3
AT-3(2)
No Gap
IR-2
IR-2(1)-(3)
PE-9
PE-9(1)
PE-9(2)
No Gap
PE-19
PE-19(1)
MA-6
MA-6(1)
MA-6(2)
PE-13
PE-13(1)
No Gap
PE-13(4)
PE-14
PE-14(1)
PE-15
PE-15(1)
MA-6
MA-6(1)
No Gap
MA-6(2)
PE-18
No Gap
PE-23
PL-2
PL-7
PM-17
PM-18
PM-19
PM-20
PM-20(1)
PM-23
PM-24
No Gap
PM-26
PT-1
PT-5
PT-5(2)
PT-6
PT-6(1)
PT-7
PT-7(2)
PM-22
SI-12
SI-12(3)
SI-18
No Gap
SI-18(1)
SI-18(4)
SI-18(5)
CM-12
CM-12(1)
PM-5
PM-5(1)
SI-12
No Gap
SI-12(1)
SI-19
SI-19(1)
SI-19(2)
AC-16
AC-16(9)
PM-22
PM-23
PT-2
No Gap
PT-2(1)
SI-18
SI-18(2)
SI-19
SI-19(6)
AC-4
AC-4(1)-(3)
AC-4(5)-(8)
AC-4(10)
AC-4(12)
AC-16
AC-16(3)
AC-16(7)
No Gap
AC-16(8)
AC-4(13)
AC-4(19)
SA-5
SA-17
SA-17(3)
SC-7
SC-7(24)
PM-18
PM-19
PM-22
PT-2
PT-2(1) No Gap
PS-6
PS-6(2)
SI-12
SI-12(1)
PM-17
PM-24
PM-25
PT-2
PT-2(2)
SA-3
SA-4
SA-5
SA-8
SA-8(9)
SA-8(13)
SA-8(18)
SA-8(20)
SA-8(22)
No Gap
SA-8(23)
SA-8(33)
SA-15
SA-15(12)
SC-3
SC-3(3)
SC-7
SC-7(24)
SC-8
SC-8(1)-(4)
SC-28
SC-28(1)
SI-12
SI-12(1)-(3)
PM-22
PM-24
PT-1
PT-2
PT-2(1)
PT-5
PT-5(1)
PT-5(2)
PT-6
PT-8 No Gap
SA-11
SA-11(3)
SI-18
SI-18(3)
SA-19
SI-19(1)
SI-19(5)
SI-19(6)
SI-19(8)
CM-4
CM-4(1)
CM-4(2)
PT-3
No Gap
RA-8
SA-4
SA-9
SA-9(1)
AC-4
AC-4(23)-(25)
CA-3
CA-3(6)
CA-6
CA-6(1)
CA-6(2)
SC-4
No Gap
SC-4(2)
SC-7
SC-7(10)
SC-7(24)
SC-8
SC-8(1)-(5)
SC-16
SC-16(1)-(3)
PM-22
PM-24
PT-2
PT-2(1)
PT-4
PT-4(1)
PT-4(3)
PT-6
No Gap
PT-6(2)
PT-7
PT-7(2)
SI-12
SI-12(1)
SI-19
SI-19(1)
SI-19(7)
PM-23
PM-27
PM-32
PT-2
PT-2(1)
PT-3
PT-3(1)
PT-3(2)
PT-4
No Gap
PT-4(2)
PT-4(3)
PT-6
PT-6(1)
PT-6(2)
SI-12
SI-12(1)
SI-19
SI-19(1)
CM-13
PT-3
PT-3(1)
SA-9
SA-9(1)
SA-9(3) No Gap
SA-9(5)
SR-3
SR-3(3)
SR-4
SR-4(1)
PM-22
PT-6
PT-6(1)
PT-6(2) No Gap
PT-8
SR-4
SR-4(1)
SA-3
SA-3(2)
No Gap
SI-19
SI-19(3)
SI-12
SI-12(1)-(3)
SI-18
SI-18(1)
No Gap
SI-18(4)
SI-18(5)
SI-19
SI-19(2)
PL-2
PM-22
PM-24
PT-7
PT-7(1)
PT-7(2) No Gap
PT-8
SC-8
SC-8(1)-(5)
SC-28
SC-28(1)
IR-6
IR-6(3)
No Gap
PM-21
SR-8
CA-3
CA-3(6)
CM-8
CM-8(8)
CM-12
CM-12(1)
PM-5 No Gap
PM-5(1)
PM-22
PM-24
SA-9
SA-9(5)
SA-9(8)
PL-1
PM-1
PM-17
AC-1
AT-1
AU-1
CA-1
CM-1
CP-1
IA-1
IR-1 No Gap
MA-1
MP-1
PE-1
PS-1
PT-1
RA-1
SA-1
SC-1
SI-1
SR-1
PL-1
PL-2
PM-4
No Gap
PM-9
PM-10
PM-28
PL-1
PM-1
No Gap
PM-14
PM-17
CM-6 No Gap
PM-1
PM-3
PM-14
No Gap
PL-2
PM-18
PM-31
PM-29 No Gap
PL-1 No Gap
PM-15 No Gap
IA-12
IA-12(2)
IA-12(3)
MA-5
MA-5(2)-(4)
PS-1 No Gap
PS-2
PS-3
PS-3(1)
PS-3(2)
PS-3(4)
PL-4
PL-4(1)
PS-1 No Gap
PS-6
PS-6(2)
AC-11
AC-11(1)
No Gap
MP-4
PS-1
AC-17
AC-17(6)
AC-17(9)
AC-20
AC-20(1)-(5) No Gap
PE-17
PS-1
SC-7
SC-7(7)
PS-1
PS-4
PS-4(1) No Gap
PS-6
PS-6(3)
AC-17
AC-17(9)
PS-1
PS-4
PS-4(1)
PS-4(2)
No Gap
PS-5
PS-6
PS-6(3)
SI-4
SI-4(19)
SI-4(21)
PE-3
PE-3(1)
PS-6 No Gap
PS-6(2)
PS-9
PL-4
PL-4(1)
PS-6
No Gap
PS-6(2)
PS-6(3)
PS-7
AC-1
AT-1 No Gap
PS-1
PL-4
PS-6 No Gap
PS-6(2)
AT-1
AT-2
AT-2(1)-(6) No Gap
AT-4
AT-6
AT-3
AT-3(1)
AT-3(2)
AT-3(3)
AT-3(5)
AT-4
AT-6 No Gap
IR-9
IR-9(2)
PM-12
PM-16
SR-11
SR-11(1)
PL-4
PL-4(1)
PS-1 No Gap
PS-6
PS-6(2)
AC-1
AC-2
AC-2(3)
AC-2(9)
AC-2(11)
AC-16
AC-16(1)
AC-16(6)
IA-4 No Gap
IA-4(5)
IA-4(6)
IA-5
IA-5(16)
IA-8
IA-8(4)
IA-12
IA-12(2)-(6)
AC-2
AC-2(3)
AC-2(11)
AC-3
AC-3(3)
AC-12
No Gap
AC-12(1)
IA-2
IA-2(10)
IA-5
IA-5(1)
IA-5(18)
AU-10
AU-10(1)
AU-10(2)
AU-16
AU-16(1)
IA-4
IA-4(8)
IA-4(9) No Gap
IA-5
IA-5(5)
IA-8
IA-8(4)
PM-5(1)
SA-8
SA-8(22)
AC-2
AC-2(3)
AC-2(11) No Gap
AC-6
AC-6(1)-(10)
AC-6
AC-6(4)
IA-12 No Gap
IA-12(2)
IA-12(3)
AC-3
AC-16
AC-16(2)
AC-16(4) No Gap
AC-16(10)
IA-12
IA-12(1)
AC-2
AC-2(1)
AC-2(2)
AC-2(6)
AC-2(8)
AC-3
AC-3(8)
AC-6 No Gap
AC-6(7)
AU-10
AU-10(4)
AU-16
AU-16(1)
CM-7
CM-7(1)
AC-6
AC-6(4)
AC-6(8) No Gap
IA-8
IA-8(4)
AC-6
AC-3(7)
AC-6(4)
AC-6(8)
No Gap
IA-5
IA-5(6)
IA-8
IA-8(4)
AC-2
AC-2(7)
AC-3
AC-3(4)
AC-3(11)
AC-3(13)
AC-3(14)
AC-6
AC-6(4) No Gap
AC-6(5)
AC-6(8)
AC-12
AC-12(3)
AC-17
AC-17(4)
IA-8
IA-8(4)
AC-6
AC-6(4)
AC-6(6)
AU-10
AU-10(4)
CA-6
CA-6(2)
No Gap
IA-2
IA-2(1)
IA-2(2)
IA-2(12)
IA-12
IA-12(2)
IA-12(4)
AC-2
AC-2(11)
AC-2(12)
IA-8
IA-8(4)
SA-8
SA-8(22) No Gap
SC-34
SC-34(1)
SC-34(2)
SC-36
SI-4
SI-4(5)
AC-3
AC-3(14)
AC-24
AC-24(2)
AU-10
AU-10(1)
IA-2
IA-2(1)
IA-2(2) No Gap
IA-2(12)
IA-4
IA-4(1)
SA-8
SA-8(22)
SC-23
SC-23(3)
SC-40(4)
AC-6
AC-6(5)
AC-7
AC-7(4)
AU-10
AU-10(2)
IA-2
IA-2(1)
IA-2(2)
IA-2(8)
IA-2(12)
IA-3
IA-3(1) No Gap
IA-5
IA-5(2)
IA-5(7)
IA-5(9)
IA-5(10)
IA-5(12)
IA-5(14)-(16)
IA-8
IA-8(1)
IA-8(6)
SC-23
SC-23(3)
IA-4
IA-4(8)
IA-5
No Gap
IA-5(1)
IA-5(8)
IA-5(18)
AC-3
AC-3(5)
AC-4
AC-4(17)
AC-4(21)
AC-4(22)
AC-6
AC-6(8)
AC-6(9)
AC-12
AC-12(1)
AC-20
AC-20(1)
AU-10
AU-10(1)
AU-10(2) No Gap
IA-2
IA-2(1)
IA-2(2)
IA-2(12)
IA-3
IA-3(1)
IA-5(1)
IA-5(2)
IA-5(5)
IA-5(8)
IA-5(10)
IA-5(12)
IA-8
IA-8(1)
IA-8(2)
PT-2
PT-2(1)
PT-3
PT-3(1)
SC-1
No Gap
SA-8
SA-8(8)
SC-27
SC-29
SC-29(1)
CM-13
PT-2
PT-2(1)
PT-2(2)
PT-3 No Gap
PT-3(1)
PT-3(2)
SA-8
SA-8(20)
PT-2
PT-2(2)
SA-4 No Gap
SC-16
SC-16(3)
PT-2
PT-2(1)
PT-3
PT-3(1)
PT-4(3)
Partial Gap
SA-4
SA-4(11)
SA-4(12)
SI-12
SI-12(3)
AC-1
CM-1
IA-1
RA-1
SA-1
Partial Gap
SC-1
SI-1
SC-46
SC-49
SC-50
CP-2
CP-2(2)
SC-5
No Gap
SC-5(2)
SC-4
SI-4
SC-1
SC-4
SC-7
SC-7(4)
SC-7(5)
SC-7(8)
SC-7(9)
SC-7(11)
No Gap
SC-8
SC-8(1)
SC-11
SC-12
SC-16
SC-23
SC-29
SC-29(1)
CM-6
CM-6(1)
SC-29
SC-29(1)
SC-2
SC-7
No Gap
SC-7(12)
SC-30
SC-34
SC-35
SC-39
SC-44
CM-2
CM-2(6)
CM-5
CM-5(5)
SA-3
SA-3(1)
SA-8 No Gap
SA-8(1)
SA-8(2)
SA-8(3)
SA-8(6)
SC-3
SC-3(2)
SC-3
SC-7 No Gap
SC-7(20)
AC-17
AC-20
SC-7
SC-7(28)
SC-8
SC-8(1)
SC-12 No Gap
SC-23
SC-29
SI-7
SI-7(1)-(3)
SI-7(5)-(10)
SI-7(12)
PL-8
PL-8(1)
SA-8 No Gap
SA-8(3)
SA-8(17)
PL-8
PL-8(1)
SC-5
SC-5(1) No Gap
SC-5(3)
SC-7
SC-7(13)
AU-1 No Gap
AU-4
No Gap
AU-11
AU-5
AU-5(2) No Gap
AU-13
AU-9
AU-9(4)
No Gap
AU-9(6)
AU-10
AU-6
AU-6(1) No Gap
AU-6(5)
AU-8 No Gap
AU-1
AU-14 No Gap
AU-16
AU-3
AU-3(1)
AU-3(3)
AU-6
AU-6(8) No Gap
AU-12
AU-12(1)
AU-12(2)
AU-12(3)
AU-9
AU-9(2)
AU-9(3)
No Gap
AU-9(4)
AU-12(3)
AU-12(3)
AU-1
AU-9 No Gap
AU-9(3)
AU-9
No Gap
AU-9(3)
AU-6
AU-6(6) No Gap
AU-14
AU-5
AU-5(2)
AU-6
AU-6(3) No Gap
AU-6(4)
AU-6(5)
AU-16
IR-1
IR-2
IR-2(1)
IR-4
Partial Gap
IR-4(12)
IR-4(14)
PM-1
PM-12
PM-1
PM-6
IR-4
No Gap
IR-4(6)
IR-4(9)
IR-4(14)
IR-1
IR-2
IR-2(1)-(3)
IR-3
IR-3(1)-(3)
IR-4
IR-4(1)-(15)
IR-5
IR-5(1)
IR-6 No Gap
IR-6(1)-(3)
IR-7
IR-7(1)
IR-7(2)
IR-8
IR-8(1)
IR-9
IR-9(1)-(4)
PM-12
IR-2
IR-2(1)-(3)
IR-3
IR-3(1)-(3) No Gap
IR-8
IR-9
IR-9(2)
CA-7
CA-7(3)
CA-7(4)
IR-5
IR-4
No Gap
IR-6
IR-6(2)
IR-6(3)
PM-6
PM-31
CA-7
CA-7(3)
CA-7(4)
CA-7(5)
CA-7(6) No Gap
IR-4
IR-4(1)
IR-4(3)
IR-4(4)
AU-13
AU-13(1)-(3)
IR-4
IR-4(15)
No Gap
IR-6
IR-6(1)-(3)
PM-21
PM-23
IR-4
IR-4(8)
IR-6
IR-6(3)
IR-7 No Gap
IR-7(2)
PM-21
PM-23
PM-26
SR-1
SR-2
SR-3
SR-5
SA-4
SA-4(1) Partial Gap
SA-4(2)
SA-4(5)
SA-4(9)
SA-4(10)
PM-30
SR-1
SR-2
SR-3
Partial Gap
SR-3(1)-(3)
SR-5
PM-30
No Mapping Full Gap
SR-1
SR-2
SR-3 Partial Gap
SR-6
SR-6(1)
SA-4
SA-4(11)
SR-1
SR-2 Partial Gap
SR-3
SR-5
SR-6
CM-8
CM-8(4)
No Gap
SR-4
SR-4(1)-(4)
SR-2
SR-2(1)
SR-4
SR-5 No Gap
SR-5(1)
SR-5(2)
SR-6
SA-4
SA-4(1)
SA-4(2)
SA-4(5) Partial Gap
SA-4(9)
SA-4(10)
SR-8
PM-30
PM-30(1)
No Gap
SR-2
SR-6
PM-30
PM-30(1)
No Gap
SR-6
SR-6(1)
SA-9
SA-9(5) No Gap
SR-6
SA-9
SA-9(1)-(8)
No Gap
SR-2
SR-2(1)
SA-9
SA-9(2)
SR-4
SR-4(3)
SR-6
SR-6(1)
SR-7
No Gap
SR-9
SR-9(1)
SR-11
SR-11(1)
SR-11(3)
PM-23
PM-30
PM-16
PM-16(1)
PM-31
RA-5
SA-11
No Gap
SA-11(2)
SA-11(5)
SA-15
SA-15(5)
SA-15(8)
RA-3
RA-3(3)
RA-5
RA-5(3)
No Gap
RA-5(5)
SI-3
SI-3(4)
SI-3(10)
PM-31
RA-3
RA-3(1)
RA-5
No Gap
RA-5(2)-(4)
RA-5(6)
SI-3
SI-3(10)
CM-7
CM-7(4)
RA-3
RA-3(3)
RA-5(2)
SA-10
SA-10(5)
SA-11
SA-11(2)
SI-2 No Gap
SI-2(4)
SI-3
SI-3(4)
SI-4
SI-4(9)
SI-4(24)
SI-8
SI-8(2)
SI-8(3)
RA-5
RA-5(3)
SA-11 No Gap
SA-11(2)
SA-11(5)
CA-8
CA-8(1)-(3)
No Gap
SA-11
SA-11(5)
RA-5
RA-5(4)
RA-5(5)
SA-11
SA-11(5)
SA-15(5)
No Gap
SC-7
SC-7(10)
SI-3(8)
SI-3(10)
SI-7
SI-7(9)
RA-2
RA-2(1)
SA-11
SA-11(1)
SA-15
No Gap
SA-15(8)
SI-2
SI-2(2)
SI-3
SI-3(10)
RA-5
RA-5(8)
RA-5(11) No Gap
SA-15
SA-15(1)
PM-31
RA-5
RA-5(6)
RA-5(8)
RA-5(10) No Gap
SA-15
SA-15(1)
SI-2
SI-2(3)
CM-1
CM-11 No Gap
AC-19
CM-7
CM-7(6)
CM-8(3)
CM-11 No Gap
SC-18
SC-18(2)
SC-18(3)
AC-19
CM-1
CM-2
CM-2(2) No Gap
CM-6
CM-8(3)
SI-7
CM-8
No Gap
CM-8(7)
AU-6
AC-19
AC-24
CM-2 No Gap
CM-2(2)
CM-8(3)
SC-1
AC-11
No Gap
AC-11(1)
CM-1
CM-3
CM-4
CM-8
CM-8(3) No Gap
CM-9
CM-9(1)
CM-11
SI-7
AC-19(5)
SC-28 No Gap
SC-28(1)
IR-1
SI-17 No Gap
SI-7(17)
SC-7
SC-7(12) No Gap
SC-7(17)
SC-7
No Gap
SC-7(10)
CM-8
No Gap
CM-8(8)
AC-7
AC-7(2)
No Gap
MP-6
MP-6(8)
SR-5
SR-5(2)
No Gap
SR-6
SR-6(1)
NIST 800-53 rev 5
N/A
GRM-06
GRM-09
N/A
AAC-02
N/A
AAC-01
AAC-02
N/A
GRM-01
GRM-03
N/A
AAC-01
N/A
GRM-10
GRM-11
N/A
AIS-01
AIS-04
N/A
AIS-01
N/A
No Mapping
N/A
AIS-01
AIS-03
N/A
AIS-01
AIS-03
N/A
AIS-01
AIS-03
N/A
TVM-02
N/A
BCR-07
BCR-10
BCR-11
GRM-06
GRM-09
N/A
BCR-09
N/A
BCR-04
BCR-06
BCR-08
BCR-09
BCR-10
N/A
BCR-01
N/A
BCR-01
BCR-04
N/A
BCR-02
N/A
BCR-01
BCR-02
N/A
BCR-11
N/A
No Mapping
N/A
No Mapping
N/A
BCR-06
N/A
CCC-05
GRM-06
GRM-09
N/A
CCC-03
N/A
CCC-05
N/A
CCC-04
N/A
CCC-05
N/A
No Mapping
N/A
GRM-01
N/A
No Mapping
N/A
No Mapping
N/A
EKM-01
EKM-02
EKM-03
GRM-06
GRM-09
N/A
No Mapping
N/A
EKM-03
EKM-04
N/A
EKM-04
N/A
EKM-02
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
EKM-04
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
DCS-05
GRM-06
GRM-09
Missing specification(s) in NIST 800-53:
'The relocation or transfer request requires the written or cryptographically verifiable authorization'.
DCS-04
GRM-06
GRM-09
N/A
DCS-06
GRM-06
GRM-09
N/A
GRM-06
GRM-09
DCS-01
N/A
DCS-01
N/A
DCS-02
DCS-08
N/A
DCS-03
N/A
DCS-07
DCS-09
N/A
DCS-02
DCS-07
DCS-08
N/A
HRS-09
N/A
BCR-03
N/A
BCR-03
N/A
BCR-03
N/A
BCR-06
N/A
DSI-04
GRM-06
GRM-09
N/A
DSI-07
N/A
No Mapping
N/A
DSI-01
N/A
DSI-02
N/A
DSI-06
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
GRM-02
EKM-03
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
DSI-05
N/A
GRM-02
BCR-11
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
GRM-06
GRM-09
N/A
GRM-08
GRM-10
GRM-11
N/A
GRM-09
N/A
GRM-01
N/A
GRM-04
N/A
No Mapping
N/A
AAC-03
HRS-02
GRM-06
GRM-09
N/A
HRS-08
GRM-06
GRM-09
N/A
HRS-11
GRM-06
GRM-09
N/A
GRM-06
GRM-09
N/A
HRS-01
N/A
HRS-04
N/A
HRS-03
N/A
HRS-03
N/A
HRS-07
HRS-10
N/A
HRS-06
N/A
HRS-09
HRS-10
N/A
HRS-09
HRS-10
N/A
HRS-10
N/A
IAM-02
GRM-06
GRM-09
N/A
IAM-02
IAM-12
GRM-06
GRM-09
N/A
IAM-04
IAM-08
IAM-10
N/A
IAM-05
N/A
IAM-02
IAM-06
IVS-11
N/A
IAM-09
N/A
IAM-11
N/A
IAM-10
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
IAM-02
IAM-05
N/A
No Mapping
N/A
IAM-02
N/A
IPY-03
GRM-06
GRM-09
N/A
No Mapping
N/A
IPY-04
Recommend adding the full V4 control specification to the NIST 800-53r5 addendum.
No Mapping
Missing specification(s) in NIST 800-53:
'policies and procedures for virtualization security'.
GRM-06
GRM-09
N/A
IVS-04
N/A
IVS-06
N/A
IVS-07
IVS-11
N/A
IVS-08
N/A
IVS-09
N/A
IVS-10
N/A
IVS-13
N/A
IVS-13
N/A
GRM-06
GRM-09
N/A
IVS-01
N/A
SEF-03
SEF-05
N/A
IVS-01
N/A
No Mapping
N/A
IVS-03
N/A
No Mapping
N/A
No Mapping
N/A
GRM-04
IVS-01
N/A
EKM-02
EKM-03
N/A
EKM-02
N/A
DCS-08
N/A
SEF-03
SEF-02
GRM-06
GRM-09
N/A
SEF-02
GRM-06
GRM-09
N/A
BCR-02
N/A
BCR-02
N/A
SEF-05
N/A
SEF-02
N/A
SEF-04
STA-05
N/A
SEF-01
Missing specification(s) in NIST 800-53:
'policies and procedures for the application of the Shared Security Responsibility Model (SSRM)
within the organization'.
No Mapping
No Mapping
The full V4 control specification is missing from NIST 800-53r5 and has to be used to close the gap.
No Mapping
The full V4 control specification is missing from NIST 800-53r5 and has to be used to close the gap.
No Mapping
No Mapping
No Mapping
N/A
No Mapping
N/A
STA-06
STA-08
STA-05
N/A
STA-07
N/A
STA-04
N/A
STA-01
STA-09
N/A
STA-06
N/A
STA-08
N/A
TVM-02
GRM-06
GRM-09
N/A
TVM-01
GRM-06
GRM-09
N/A
TVM-02
N/A
No Mapping
N/A
No Mapping
N/A
TVM-02
N/A
TVM-02
N/A
TVM-02
N/A
TVM-02
N/A
No Mapping
N/A
GRM-06
GRM-09
MOS-03
MOS-04
MOS-05
MOS-08
MOS-11
MOS-12
MOS-13
MOS-16
MOS-17
MOS-20
N/A
MOS-02
MOS-03
MOS-04
MOS-06
N/A
MOS-07
N/A
MOS-09
N/A
MOS-10
N/A
MOS-14
N/A
MOS-15
MOS-19
N/A
MOS-11
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
No Mapping
N/A
MOS-18
N/A
No Mapping
CCM v3.0.1
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'apply, evaluate, maintain policies and procedures for application security'
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (AIS-01) 'Applications and programming interfaces (APIs) shall be designed, developed,
deployed, and tested in accordance with leading industry standards'
Partial Gap
Missing specification(s) in CCMv3.0.1:
'Automate when applicable and possible.'
Partial Gap
Partial Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'at least annually'
Partial Gap
N/A
No Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply, evaluate policies and procedures for managing the risks associated with applying changes to
organization assets'
'regardless of whether the assets are managed internally or externally (i.e., outsourced)'
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'regardless of whether the assets are managed internally or externally (i.e., outsourced)'
Partial Gap
Missing specification(s) in CCMv3.0.1:
'removal, update, and management of organization assets'
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'Apply and evaluate the policies and procedures for Cryptography, Encryption and Key Management'
Requirement of 'at least annually' in last sentence.
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'considering the classification of data, associated risks, and usability of the encryption technology.'
Partial Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (EKM-04) 'open/validated formats and standard algorithms shall be required'.
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the relocation or transfer of hardware, software, or
data/information to an offsite or alternate location'
'or cryptographically verifiable authorization'
Requirement of 'at least annually' in last sentence.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'evaluate (implementation of) policies and procedures'
Requirement of 'at least annually' in last sentence.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the secure transportation of physical media.'
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'all ingress and egress points (are) documented'
'Retain access control records on a periodic basis as deemed appropriate by the organization.'
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for the classification, protection and handling of data
throughout its lifecycle and according to all applicable laws and regulations, standards, and risk
level.'
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'Review data flow documentation at defined intervals, at least annually, and after any change.'
Partial Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
The reference to personal data: 'transfer of personal data is protected from unauthorized access and
only processed within scope as permitted by the respective laws and regulations'
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for an information governance program'
Requirement of 'at least annually' in last sentence.
Partial Gap
No Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'apply, evaluate, policies and procedures for background verification of all new employees'
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'apply, evaluate, policies and procedures that require unattended workspaces to not have openly
visible confidential data'
Requirement of 'at least annually' in last sentence.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'apply, evaluate, policies and procedures to protect information accessed, processed or stored at
remote sites and locations'
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'Provide all employees with access to sensitive organizational and personal data with appropriate
security awareness training'
Partial Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence.
Partial Gap
(If Password is equal to "authentication secrets" then)
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'system identities'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'Review and revalidate user access for separation of duties'
'a frequency that is commensurate with organizational risk tolerance'
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'Adopt digital certificates or alternatives which achieve an equivalent level of security for system
identities'
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for interoperability and portability.'
Requirement of 'at least annually' in last sentence.
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for infrastructure and virtualization security.'
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'Such channels must include only up-to-date and approved protocols'.
Partial Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'apply and evaluate policies and procedures for logging and monitoring'
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Recommend the full V4 control specification to be used to close the gap.
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (IVS-01) 'Higher levels of assurance are required for protection of audit logs', (GRM-04) 'to
protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and
destruction'.
Partial Gap
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (EKM-02) 'Policies and procedures shall be established for the management of
cryptographic keys', (EKM-03) 'Policies and procedures shall be established, and supporting
business processes and technical measures implemented, for the use of encryption protocols'.
Partial Gap
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (EKM-02) 'management of cryptographic keys in the service's cryptosystem'.
Partial Gap
Partial Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence.
Partial Gap
Missing specification(s) in CCMv3.0.1:
'Establish, document, approve, communicate, apply, a security incident response plan, which
Include relevant internal departments'
Partial Gap
N/A
No Gap
N/A
No Gap
N/A
No Gap
Missing specification(s) in CCMv3.0.1:
'Define and implement, processes, procedures and technical measures for security breach
notifications'
'Report assumed security breaches'
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
N/A
No Gap
N/A
No Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least annually' in last sentence.
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Portion in the mapped control(s) contributing to the partial gap, that is, covering in part the V4
control: (TVM-02) 'supporting processes and technical measures implemented, for timely detection
of vulnerabilities within organizationally-owned or managed applications, infrastructure network and
system components (e.g., penetration testing)'
Partial Gap
Missing specification(s) in CCMv3.0.1:
Requirement of 'at least monthly'.
Partial Gap
Partial Gap
N/A
No Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Missing specification(s) in CCMv3.0.1:
'endpoints' (The term is missing from CCMv3.0.1 and MOS domain. Mobile device policies are a
subset of endpoint devices policy).
'apply, evaluate policies and procedures for all endpoints'.
Requirement of 'at least annually' in last sentence.
Partial Gap
Partial Gap
Missing specification(s) in CCMv3.0.1:
'endpoint'.
'Define and implement a process'.
Partial Gap
Partial Gap
Partial Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
The full V4 control specification is missing from CCMv3.0.1 and has to be used to close the gap.
Full Gap
Full Gap
CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE
v4.0.2
Remediation A&A-06
Application & Interface Security - AIS
Communication BCR-07
Backup BCR-08
Disaster Response Plan BCR-09
Datacenter Security
Interoperability & Portability
Application Interface Availability IPY-02
Infrastructure & Virtualization Security
OS Hardening and Base Controls IVS-04
Security Incident Management, E-Discovery, & Cloud Forensics
Security Incident Management, E-Discovery, & Cloud Forensics
Incident Response Testing SEF-04
Compatibility UEM-03
Universal Endpoint Management
End of Standard
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the C
Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud Controls Matrix v4
solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be modified or altered in any way; (c) the Clou
v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Cloud Controls Ma
permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Con
Version 4.0.6. If you are interested in obtaining a license to this material for other usages not addressed in the copyright notice, please contact
info@cloudsecurityalliance.org.
A&A-01.2
A&A-06.2
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for application security to provide guidance to the
appropriate planning, delivery and support of the organization's application
security capabilities. Review and update the policies and procedures at least
annually.
AIS-01.1
AIS-01.2
AIS-05.2
Establish and implement strategies and capabilities for secure, standardized,
and compliant application deployment. Automate where possible.
AIS-06.1
AIS-06.2
AIS-07.2
BCR-05.2
BCR-05.3
BCR-08.2
BCR-08.3
Establish, document, approve, communicate, apply, evaluate and maintain
a disaster response plan to recover from natural and man-made disasters. Update
the plan at least annually or upon significant changes.
BCR-09.1
BCR-09.2
BCR-10.2
CCC-01.1
CCC-01.2
CCC-08.2
CEK-01.2
CEK-06.1
CSPs must provide the capability for CSCs to manage their own data
encryption keys.
CEK-08.1
Audit encryption and key management systems, policies, and processes
with a frequency that is proportional to the risk exposure of the system with
audit occurring preferably continuously but at least annually and after any
security event(s).
CEK-09.1
CEK-09.2
CEK-13.1
CEK-19.1
DCS-01.1
DCS-01.2
DCS-01.3
DCS-02.3
DCS-04.2
Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk.
DCS-05.1
Catalogue and track all relevant physical and logical assets located
at all of the CSP's sites within a secured system.
DCS-06.1
DCS-07.2
DCS-08.1
Allow only authorized personnel access to secure areas, with all
ingress and egress points restricted, documented, and monitored by physical
access control mechanisms. Retain access control records on a periodic basis
as deemed appropriate by the organization.
DCS-09.1
DCS-09.2
DCS-12.1
DSP-01.2
Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
DSP-02.1
Create and maintain a data inventory, at least for any sensitive
data and personal data.
DSP-03.1
DSP-05.2
DSP-06.2
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices.
DSP-07.1
DSP-08.2
DSP-10.1
DSP-15.1
DSP-18.2
Define and implement, processes, procedures and technical measures
to specify and document the physical locations of data, including any locations
in which data is processed or backed up.
DSP-19.1
GRC-01.2
Establish a formal, documented, and leadership-sponsored Enterprise
Risk Management (ERM) program that includes policies and procedures for identification,
evaluation, ownership, treatment, and acceptance of cloud security and privacy
risks.
GRC-02.1
HRS-01.3
Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for defining allowances and conditions for the acceptable
use of organizationally-owned or managed assets. Review and update the policies
and procedures at least annually.
HRS-02.1
HRS-02.2
HRS-04.2
HRS-11.2
HRS-12.2
Make employees aware of their roles and responsibilities for maintaining
awareness and compliance with established policies and procedures and applicable
legal, statutory, or regulatory compliance obligations.
HRS-13.1
IAM-01.2
IAM-02.2
Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
IAM-08.1
IAM-09.1
IAM-10.2
IPY-01.2
IPY-01.3
IPY-01.4
IPY-01.5
IVS-01.2
IVS-03.1
IVS-03.2
IVS-03.3
IVS-03.4
IVS-03.5
IVS-09.1
LOG-01.2
LOG-03.2
Restrict audit logs access to authorized personnel and maintain records
that provide unique access accountability.
LOG-04.1
LOG-05.2
LOG-07.2
LOG-08.1
LOG-13.2
SEF-02.2
SEF-04.1
Apply, document, implement and manage the SSRM throughout the supply
chain for the cloud service offering.
STA-02.1
Delineate the shared ownership and applicability of all CSA CCM controls
according to the SSRM for the cloud service offering.
STA-04.1
Review and validate SSRM documentation for all cloud services offerings
the organization uses.
STA-05.1
Implement, operate, and audit or assess the portions of the SSRM
which the organization is responsible for.
STA-06.1
STA-07.1
Service agreements between CSPs and CSCs (tenants) must incorporate at least the
following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
STA-09.1
• Interoperability and portability requirements
• Data privacy
Review supply chain agreements between CSPs and CSCs at least annually.
STA-10.1
TVM-01.2
TVM-02.2
Define, implement and evaluate processes, procedures and technical
measures to enable both scheduled and emergency responses to vulnerability
identifications, based on the identified risk.
TVM-03.1
TVM-05.1
UEM-01.2
UEM-12.1
End of Standard
Consensus Assessments Question
Are audit and assurance policies, procedures, and standards established, documented,
approved, communicated, applied, evaluated, and maintained?
Are audit and assurance policies, procedures, and standards reviewed and updated
at least annually?
Are application security policies and procedures reviewed and updated at least
annually?
Does the testing strategy outline criteria to accept new information systems,
upgrades, and new versions while ensuring application security, compliance adherence,
and organizational speed of delivery goals?
Are strategies developed to reduce the impact of, withstand, and recover from
business disruptions in accordance with risk appetite?
Are the business continuity and operational resilience plans exercised and
tested at least annually and when significant changes occur?
Do business continuity and resilience procedures establish communication with
stakeholders and participants?
Is the disaster response plan updated at least annually, and when significant
changes occur?
Are the policies and procedures reviewed and updated at least annually?
Is a defined quality change control, approval and testing process (with established
baselines, testing, and release standards) followed?
Are risks associated with changing organizational assets (including applications,
systems, infrastructure, configuration, etc.) managed, regardless of whether asset
management occurs internally or externally (i.e., outsourced)?
Are change management baselines established for all relevant authorized changes
on organizational assets?
Is the procedure aligned with the requirements of the GRC-04: Policy Exception
Process?
Are cryptography, encryption, and key management policies and procedures established,
documented, approved, communicated, applied, evaluated, and maintained?
Are cryptography, encryption, and key management policies and procedures reviewed
and updated at least annually?
Are appropriate data protection encryption algorithms used that consider data
classification, associated risks, and encryption technology usability?
Are standard change management procedures established to review, approve,
implement and communicate cryptography, encryption, and key management technology
changes that accommodate internal and external sources?
Are CSPs providing CSCs with the capacity to manage their own data encryption
keys?
Are encryption and key management systems, policies, and processes audited
with a frequency proportional to the system's risk exposure, and after any security
event?
Are encryption and key management systems, policies, and processes audited
(preferably continuously but at least annually)?
Are private keys provisioned for a unique purpose managed, and is cryptography
secret?
Are cryptographic keys rotated based on a cryptoperiod calculated while considering
information disclosure risks and legal and regulatory requirements?
Are cryptographic keys revoked and removed before the end of the established
cryptoperiod (when a key is compromised, or an entity is no longer part of the
organization) per defined, implemented, and evaluated processes, procedures, and
technical measures to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to monitor, review and approve
key transitions (e.g., from any state to/from suspension) being defined, implemented,
and evaluated to include legal and regulatory requirement provisions?
Are processes, procedures, and technical measures to deactivate keys (at the
time of their expiration date) being defined, implemented, and evaluated to include
legal and regulatory requirement provisions?
Are key management system processes, procedures, and technical measures being
defined, implemented, and evaluated to track and report all cryptographic materials
and status changes that include legal and regulatory requirements provisions?
Are policies and procedures for the secure disposal of equipment used outside
the organization's premises established, documented, approved, communicated, enforced,
and maintained?
Are policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location established, documented,
approved, communicated, implemented, enforced, maintained?
Does a relocation or transfer request require written or cryptographically
verifiable authorization?
Are policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location reviewed and updated at
least annually?
Are policies and procedures for maintaining a safe and secure working environment
(in offices, rooms, and facilities) established, documented, approved, communicated,
enforced, and maintained?
Are policies and procedures for maintaining safe, secure working environments
(e.g., offices, rooms) reviewed and updated at least annually?
Are policies and procedures for the secure transportation of physical media
established, documented, approved, communicated, enforced, evaluated, and maintained?
Are policies and procedures for the secure transportation of physical media
reviewed and updated at least annually?
Are data security and privacy policies and procedures reviewed and updated
at least annually?
Are industry-accepted methods applied for secure data disposal from storage
media so information is not recoverable by any forensic means?
Is a data inventory created and maintained for sensitive and personal information
(at a minimum)?
Is the ownership and stewardship of all relevant personal and sensitive data
documented?
Are systems' privacy settings configured by default and according to all applicable
laws and regulations?
Is authorization from data owners obtained, and the associated risk managed,
before replicating or using production data in non-production environments?
Does the CSP give special attention to the notification procedure to interested
CSCs, unless otherwise prohibited, such as a prohibition under criminal law to
preserve confidentiality of a law enforcement investigation?
Are processes, procedures, and technical measures defined and implemented
to specify and document physical data locations, including locales where data
is processed or backed up?
Are the policies and procedures reviewed and updated at least annually?
Is there an established formal, documented, and leadership-sponsored enterprise
risk management (ERM) program that includes policies and procedures for identification,
evaluation, ownership, treatment, and acceptance of cloud security and privacy
risks?
Are background verification policies and procedures of all new employees (including
but not limited to remote employees, contractors, and third parties) established,
documented, approved, communicated, applied, evaluated, and maintained?
Are background verification policies and procedures designed according to
local laws, regulations, ethics, and contractual constraints and proportional
to the data classification to be accessed, business requirements, and acceptable
risk?
Are the policies and procedures for defining allowances and conditions for
the acceptable use of organizationally-owned or managed assets reviewed and updated
at least annually?
Are identity and access management policies and procedures established, documented,
approved, communicated, implemented, applied, evaluated, and maintained?
Are identity and access management policies and procedures reviewed and updated
at least annually?
Is system identity information and levels of access managed, stored, and reviewed?
Are reviews and revalidation of user access for least privilege and separation
of duties completed with a frequency commensurate with organizational risk tolerance?
Are processes, procedures, and technical measures for the segregation of privileged
access roles defined, implemented, and evaluated such that administrative data
access, encryption, key management capabilities, and logging capabilities are
distinct and separate?
Are processes, procedures, and technical measures to ensure the logging infrastructure
is "read-only" for all with write access (including privileged access roles) defined,
implemented, and evaluated?
Is the ability to disable the "read-only" configuration of logging infrastructure
controlled through a procedure that ensures the segregation of duties and break
glass procedures?
Are processes, procedures, and technical measures that ensure users are identifiable
through unique identification (or can associate individuals with user identification
usage) defined, implemented, and evaluated?
Are processes, procedures, and technical measures for the secure management
of passwords defined, implemented, and evaluated?
Are CSCs able to programmatically retrieve their data via an application interface(s)
to enable interoperability and portability?
Do agreements include provisions specifying CSC data access upon contract termination, and
have the following?
a. Data format
b. Duration data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
Are infrastructure and virtualization security policies and procedures established,
documented, approved, communicated, applied, evaluated, and maintained?
Is every host and guest OS, hypervisor, or infrastructure control plane hardened
(according to their respective best practices) and supported by technical controls
as part of a security baseline?
Is a process established and followed to review and take appropriate and timely
actions on detected anomalies?
Is a reliable time source being used across all relevant information processing
systems?
Are audit records generated, and do they contain relevant security information?
Does the information system protect audit records from unauthorized access,
modification, and deletion?
Are key lifecycle management events logged and monitored to enable auditing
and reporting on cryptographic keys' usage?
Is physical access logged and monitored using an auditable access control
system?
Are processes and technical measures for reporting monitoring system anomalies
and failures defined, implemented, and evaluated?
Are policies and procedures for timely management of security incidents established,
documented, approved, communicated, applied, evaluated, and maintained?
Are policies and procedures for timely management of security incidents reviewed
and updated at least annually?
Are processes, procedures, and technical measures for security breach notifications
defined and implemented?
Are security breaches and assumed security breaches reported (including any
relevant supply chain breaches) as per applicable SLAs, laws, and regulations?
Is the SSRM applied, documented, implemented, and managed throughout the supply
chain for the cloud service offering?
Is the CSC given SSRM guidance detailing information about SSRM applicability
throughout the supply chain?
Is the shared ownership and applicability of all CSA CCM controls delineated
according to the SSRM for the cloud service offering?
Is SSRM documentation for all cloud services the organization uses reviewed
and validated?
Are the portions of the SSRM the organization is responsible for implemented,
operated, audited, or assessed?
Are risk factors associated with all organizations within the supply chain
periodically reviewed by CSPs?
Do service agreements between CSPs and CSCs (tenants) incorporate at least the following
mutually agreed upon provisions and/or terms?
• Scope, characteristics, and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third-party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Are supply chain agreements between CSPs and CSCs reviewed at least annually?
Are policies that require all supply chain CSPs to comply with information
security, confidentiality, access control, privacy, audit, personnel policy, and
service level requirements and standards implemented?
Are supply chain partner IT governance policies and procedures reviewed periodically?
Are threat and vulnerability management policies and procedures reviewed and
updated at least annually?
Are policies and procedures to protect against malware on managed assets established,
documented, approved, communicated, applied, evaluated, and maintained?
Are asset management and malware protection policies and procedures reviewed
and updated at least annually?
Are processes, procedures, and technical measures defined, implemented, and
evaluated to enable scheduled and emergency responses to vulnerability identifications
(based on the identified risk)?
Is an inventory of all endpoints used and maintained to store and access company
data?
Are processes, procedures, and technical measures defined, implemented and
evaluated, to enforce policies and controls for all endpoints permitted to access
systems and/or store, transmit, or process organizational data?
Are managed endpoints configured with data loss prevention (DLP) technologies
and rules per a risk assessment?
Are remote geolocation capabilities enabled for all managed mobile endpoints?
Authors
Martin Acherman
John Britton
Ricky Arora
Bobbie-Lynn Burton
Christian Banse
Daniele Catteddu
Rolf Becker
Aradhna Chetal
John Britton
Peter Dickman
Jon-Michael Brook
Angell Duran
Bobbie-Lynn Burton
Rajeev Gupta
Daniele Catteddu
Shawn Harris
Sean Cordero
Roberto Hernandez
Peter Dickman
Matthew Hoerig
Sean Estrada
Erik Johnson
Tom Follo
Harry Lu
Shawn Harris
Claus Matzke
Matthew Hoerig
Vani Murthy
Erik Johnson
Johan Olivier
Harry Lu
Bala Kaundinya
Maksym Nowak
Nancy Kramer
Surinder S. Rait
Surinder Singh Rait
Michael Roza
Michael Roza
Agnidipta Sarkar
Agnidipta Sarkar
Chris Shull
Lefteris Skoutaris
Lefteris Skoutaris
Ashish Vashishtha
Tony Snook
Contributors
Kai Axford
Darin Blank
Kevin Burgin
Martin Capuder
Vishal Chaudhary
Aradhna Chetal
Jeff Cook
Angela Dogan
Doug Egan
Andreas von Grebmer
Mohin Gulzar
Frank Jaramillo
Gaurav Khanna
Keri Kusznir
Jens Laundrup
Robin Lyons
Loredana Mancini
Julien Mauvieux
Bill Marriott
Claus Matzke
Matthew Meersman
David Nance
Christine Peters
Lisa Peterson
Paul Rich
Max Simakov
Tima Soni
Luke Synnestvedt
Eric Tierling
Raj Tuliani
Editorial Team
CCM Leadership
End of acknowledgments
© Copyright 2022-2023 Cloud Security Alliance - All rights reserved. You may download, store, display on your computer, view, print, and link to the
Cloud Security Alliance “Cloud Controls Matrix (CCM) Version 4.0.6” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud
Controls Matrix v4.0.6 may be used solely for your personal, informational, non-commercial use; (b) the Cloud Controls Matrix v4.0.6 may not be
modified or altered in any way; (c) the Cloud Controls Matrix v4.0.6 may not be redistributed; and (d) the trademark, copyright or other notices may
not be removed. You may quote portions of the Cloud Controls Matrix v4.0.6 as permitted by the Fair Use provisions of the United States Copyright
Act, provided that you attribute the portions to the Cloud Security Alliance Cloud Controls Matrix Version 4.0.6. If you are interested in obtaining a
license to this material for other usages not addressed in the copyright notice, please contact info@cloudsecurityalliance.org.
CCM v4.0 Implementation Guidelines
Contributors
Sandra Ackland
Geoff Bird
Madhav Chablani
Ramon Codina
Mamane Ibrahim
Joel John
Giovanni Massard
Jean-Sebastien Mine
Chirag Sheth
CCM v4.0 Auditing Guidelines
Contributors
Brian Dorsey
Angell Duran
Joel John
Erik Johnson
Michael Roza
Claus Matzke
Vani Murthy
CCM v4.0 - ISO/IEC 27001:2022, 27002:2022
Contributors
Robin Basham
Michael Bayere
Geoff Bird
Hyunho Chang
Elastos Chimwanda
Angela Dogan
Phil Garrelhas
Mohin Gulzar
Alana James-Aikins
Joel John
Erik Johnson
Jason Lutz
Krishna Das Manghat
Claus Matzke
Deb Mukherjee
Johan Olivier
Tim Pasaribu
Gina Rodriguez
Alex Stezycki
CCM v4.0 - CIS v8.0 Mapping
Contributors
Renu Bedi
Geoff Bird
Ramon Codina
Angell Duran
David Friedenberg
Yogesh Gupta
Frank Jaramillo
Joel John
Bala Kaundinya
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Thomas Sager
Keith Stocks
Ashish Vashishtha
Dimitri Vekris
CCM v4.0 - PCI DSS v3.2.1 Mapping
Contributors
Renu Bedi
Madhav Chablani
Angela Dogan
Angell Duran
Odutola Ekundayo
Roberto Hernandez
Frank Jaramillo
Joel John
Audrey Katcher
Bala Kaundinya
Giovanni Massard
Vani Murthy
Johan Olivier
Michael Roza
Agnidipta Sarkar
Chirag Sheth
Ashish Vashishtha
Dimitri Vekris
CCM v4.0 - AICPA TSC 2017 Mapping
Contributors
Renu Bedi
Geoff Bird
Madhav Chablani
Vishal Chaudhary
Angell Duran
Frank Jaramillo
Joel John
Bala Kaundinya
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Tanya Tipper-Luster
Thomas Sager
Ashish Vashishtha
Dimitri Vekris
Surya Vinjamuri
CCM v4.0 - ISO27001/02/17/18 Mapping
Contributors
Robin Basham (Team Lead)
Geoff Bird
Madhav Chablani
Denny Dean
Angela Dogan
Angell Duran
Mayank Garg
Alana James
Frank Jaramillo
Joel John
Erik Johnson
Evan Jones
Bala Kaundinya
Kimberley Laris
Claus Matzke
Michelle Moore
Vani Murthy
Johan Olivier
Michael Roza
Thomas Sager
CCM v4.0 - NIST 800-53r5 Mapping
Contributors
Sandra Ackland
Renu Bedi
Glenn Bluff
Anders Brännfors
Madhav Chablani
Aislin Cole
Brian Dorsey
Angell Duran
Rajeev Gupta
Frank Jaramillo
Bala Kaundinya
Nancy Kramer
Claus Matzke
Vani Murthy
Johan Olivier
Michael Roza
Surinder Singh Rait
Ashish Vashishtha
Dimitri Vekris
CAIQ v4.0
Contributors
Tony Snook (Team Lead)
Renu Bedi
Geoff Bird
John Britton
Jon-Michael Brook
Bobbie-Lynn Burton
Hannah Day
Angela Dogan
Brian Dorsey
Angell Duran
Odutola Ekundayo
Rajeev Gupta
Roberto Hernandez
Frank Jaramillo
Erik Johnson
Bala Kaundinya
Johan Olivier
Michael Roza
Lefteris Skoutaris
Luis Urena
Ashish Vashishtha
Casey Wood
CLOUD CONTROLS MATRIX v4.0.6
v4.0.6
Change Log
Description of Change
The mapping of CCM v4.0 to ISO/IEC 27001:2022 and 27002:2022 is included in the
standard.
The mappings of CCM v4.0 to PCI DSS v3.2.1 and NIST 800-53 rev. 5 are included in the
standard.
The CCM v4.0 Auditing Guidelines component is released.
The mappings of CCM v4.0 to AICPA TSC 2017 and CIS v8.0 are included in the
standard.
The mappings of CCM v4.0 to CCM v3.0.1 and ISO/IEC 27001/02/17/18 are included in
the first release of the standard.
The Cloud Control Matrix version 4 (CCM v4.0) is released (including the controls
applicability matrix).
End of Change Log