Please find below a recent update on the current activities of the CCM WG and additional information on how you may contribute.
- Call for participation in CCMv4 - IBM FS Cloud and CCMv4 - CRI FS Profile mapping activities.
- CSA would like to develop a CCMv4 Feedback Collection Tool/Process. Your comments for developing the tool's requirements are needed (see agenda point 4).
- CCMv4 SSRM guidelines. Let us know if you have CCMv4 implementation experience and you would like to be part of such guidelines development.
- CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
Please find below the usual summary of minutes from recent CCM WG call sessions.
Agenda Items (AIs):
- CCMv4.0 auditing guidelines development
- CCMv4.0 mapping & gap analysis exercises
- CSA Established Partnerships
- Feedback Collection Process/Tool
- SSRM Guidelines Development
Meeting Minutes (MMs):
1. CCMv4.0 auditing guidelines development
- The CCMv4 auditing guidelines development is completed and the document is published in both Excel (as part of the CCM Excel spreadsheet) and PDF formats.
2. CCMv4.0 mapping & gap analysis exercises
- CSA will be publishing two additional CCMv4.0 mappings, to PCI DSS v3.2.1 and NIST 800-53r5, on February 10th. Please stay tuned.
- Further discussions involve updating the current mapping of CCMv4.0 to ISO/IEC 27001/02/17/18 based on the latest update of the ISO 27002 Final Draft International Standard (FDIS).
3. CSA Established Partnerships
a. CSA has established a partnership with IBM, with one of the objectives being the alignment of CCMv4.0 with IBM's Cloud framework for financial services.
- The CCM WG, jointly with IBM, is conducting the forward mapping of CCM v4.0 to IBM FS Cloud. The exercise is close to completion.
- Next steps will involve the reverse mapping of IBM FS Cloud to CCM v4.0.
- Members who wish to participate in the reverse mapping exercise are kindly invited to contact me.
b. CSA has established a partnership with the Cyber Risk Institute (CRI), with one of the objectives being the alignment of CCMv4.0 with CRI's Profile for financial services.
- The CCM WG is tasked with conducting a mapping activity of CCMv4.0 and CRI FS Profile.
- Members who wish to participate in the mapping exercise are kindly invited to contact me.
4. Feedback Collection Process/Tool
- Version 4.0 of the CCM was released in January 2021. A year later, CCM leadership has begun discussions for the next "dot" release, CCMv4.1, expected end of 2023, which will involve possible new additions or updates to its existing CCM control specifications and underlying components (CAIQ, implementation and auditing guidelines, metrics, etc.).
- The purpose of this project is to define and develop a permanent process and tool that will be available online (e.g., via the CSA website) and that will allow CSA to collect feedback from the cloud community and members with regard to future updates to the CCM.
- A draft description of the requirements and expected functionality of the process/tool can be found here. Your comments are always greatly appreciated.
5. SSRM Guidelines Development
- CSA would like to embark on another great project for 2022, that is, developing guidelines that will be based on the Shared Security Responsibility Model (SSRM), in support of current SSRM-based CCMv4.0 controls (STA-01 to 06), applicability matrix and CAIQv4 SSRM questionnaire.
- The project is currently in a planning phase; nevertheless, we would like to discuss it and collect expressions of interest from any professionals who are experienced in the implementation of CCMv4 or other cloud security controls and might be interested in working on this project.
- Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.
Action Points (APs)
No action points defined.

Please let me know if you have any questions/comments.

Thank you all for being active and supporting the CCMv4 development.

Best regards,
Cloud Security Alliance