CSA Cloud Controls Matrix v4

The most widely-cited cloud-security controls framework — 197 controls across 17 domains (AAC, AIS, BCR, CCC, CEK, DCS, DSP, GRC, HRS, IAM, IPY, IVS, LOG, SEF, STA, TVM, UEM). v4.0.13 (2024) is the most-current published spec with 144 controls mapping to NIST SP 800-53 (486 individual mappings) and explicit alignment with ISO 27001, ISO 27017, ISO 27018, PCI DSS, SOC 2, CIS Controls, FedRAMP. CCM v4 explicitly addresses shared-responsibility, multi-tenancy, data sovereignty, exit and portability — concerns specific to cloud deployments. v4.1 implementation guidelines were published in 2025 with no changes to the control set itself. Foundational for any cloud audit, CSP procurement, or STAR Level 1 / Level 2 attestation. B12 expansion: full 197-control v4.0.13 coverage with the 19-field shape, 5-level maturity, kebab-case normalisation axes, and CSP-CSC responsibility guidance.

Composition

202 controls currently indexed; participates in 38 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
• Board-approved security policy framework — IS policy, cyber security policy, and derived operational policies
• Business continuity and ICT recovery readiness
• Centralised logging with retention, tamper protection, and integrity
• Change management — IT systems, configuration, supplier services, risk
• Cloud IAM complete — CSA IAM control family
• Cloud Identity and Access Management — federation, vulnerability testing, monitoring
• Cloud Security Posture Management — continuous configuration assessment
• Cloud cryptography and key management — CSA CEK control family
• Cloud data privacy lifecycle — CSA CCM v4 DSP control family
• Cloud logging and monitoring — CSA LOG control family
• Cloud network security — remote access, vulnerability scanning, monitoring
• Cloud shared responsibility — CSC/CSP RACI
• Cloud supply chain transparency — STA control family
• Cloud-accessed endpoint management — CSA UEM control family
• Comprehensive asset inventory with classification and ownership
• Consumer / Data Subject / Data Principal rights response SLA
• Cross-jurisdiction breach notification timelines
• Cryptographic controls, key management, and post-quantum readiness
• Data Protection Impact Assessment / risk assessment for high-risk processing
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Encryption at rest — sensitive data and key management
• GDPR Articles 44-49 international transfers
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-factor authentication — universal MFA across access types
• Network protection — segmentation, monitoring, perimeter, and data leak prevention
• PCI DSS PAN protection — storage minimisation, masking, encryption
• PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach
• PCI DSS e-skimming protection — payment page script integrity
• PCI DSS v4.0.1 customised approach with targeted risk analysis
• PCI DSS v4.0.1 universal MFA expansion to all CDE access
• PIMS cross-border PII transfers
• Privileged access management and access rights lifecycle
• Processor (PII Processor) obligations — ISO 27701 controller relationship
• Secure configuration baselines and hardening discipline
• Vulnerability management programme — discovery, prioritisation, remediation
• Workforce security awareness, role-based training, and human-factor controls
• Zero Trust Architecture — never trust, always verify