Cloud Controls Matrix

CCMv4 Development Activities Update (18/10/22)


    Posted Oct 18, 2022 06:33:00 AM
    Edited by Lefteris Skoutaris Oct 18, 2022 06:35:12 AM

    Dear members,
    please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

    Brief summary:

    • CSA has released the "CCM Feedback Form", a tool that enables CSA and the CCM WG to collect feedback that will help us improve the Cloud Controls Matrix v4.0. Cloud security practitioners are kindly invited to help us improve the CCM by providing their feedback.
    • CSA has published a CCMv4 addendum to Cyber Risk Institute's Financial Services Profile.
    • CSA to publish soon a CCMv4 addendum to IBM's cloud framework for financial services (estimated publication by mid November).
    • CSA and Singapore's CSA team conduct a mapping alignment of CCMv4 and Cyber Essentials (Call for participation).
    • Mapping of the CCMv4 to ISO/IEC 27001:2022 and 27002:2022 is soon to be completed and published (estimated completion by end of October).
    • CSA-ISF partnership and mapping project of CCMv4 and SOGP still in progress (completion expected mid November).
    • CSA and CCM WG are about to embark on a new mapping project between CCMv4 and NIST CSF v1.1 (Call for participation).
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

    Please find below a comprehensive summary of activities and topics from recent CCM WG call sessions.

    Agenda Items (AIs):

    1. CSA - CRI Partnership
    2. CSA - IBM Partnership
    3. CSA - ISF Partnership
    4. CSA - Singapore Cyber Security Agency Partnership
    5. CCMv4 - ISO/IEC 27001:2022 mapping project
    6. CCMv4 - NIST CSF v1.1 mapping project
    7. CSA Chapter mappings
    8. AoB

    1. CSA - CRI Partnership
    • The CSA and the Cyber Risk Institute (CRI) have teamed up to provide the financial community with a new cybersecurity framework that satisfies the security requirements of financial institutions that wish to adopt cloud computing technologies.
    • The collaboration involved 2 mappings (forward and reverse) between CSA's CCMv4 and CRI's Financial Services Cybersecurity Profile v1.2 (FS Profile). Both mappings are successfully completed.
    • CSA has published a 'CCMv4 Addendum to CRI FS Profile v1.2' following the recent CSA blog announcement on the topic.

    2. CSA - IBM Partnership
    • CSA has established a partnership with IBM to de-risk cloud environments and enrich IBM's framework for financial services with cloud security baselines destined for the financial sector.
    • The collaboration involved 2 mappings (forward and reverse) between CSA's CCMv4 and IBM's cloud framework for financial services (FSCF). Both mappings are successfully completed.
    • CSA is soon expected to publish (by mid November) a CCMv4 Addendum to IBM's FSCF.

    3. CSA - ISF Partnership

    • CSA has established a partnership with the Internet Security Forum (ISF) with main objective the identification and possible integration of cloud security requirements into ISF's Standard of Good Practice (SOGP).
    • The project activity involves a Base mapping between CCMv4 and ISF SOGP (currently in progress) expected for completion by mid November.
    Snapshot of "progress status" tab of the mapping tool is shared below.


    4. CSA - Singapore Cyber Security Agency Partnership (Call for participation)
    • CSA and Singapore's CSA established partnership involves the alignment of CCMv4 to the agency's cyber security standards, namely, cyber trust mark and cyber essentials.
    • First mapping project between the CCMv4 and Cyber Essentials has recently kicked off (13/10).
    • Experts with good knowledge of CCM and broad experience in the implementation/assessment of cyber sec. frameworks are kindly invited to participate and contribute to this project.
    Snapshot of "progress status" tab of the mapping tool is shared below.


    5. CCMv4 - ISO/IEC 27001:2022 mapping project
    • The CCM WG is currently conducting a mapping and gap analysis between CCMv4 and ISO/IEC 27001:2022 and ISO/IEC 27002:2022.
    • Mapping is close to completion with IVS domain mapping pending final consolidation by experts assigned (Alana James and Jason Lutz).
    • In parallel, the group currently focuses on ensuring mapping completeness (assigned to Johan Olivier) and consistency (assigned to Angela Dogan) across all ISO clauses/Annex A controls and CCMv4 security domains, respectively.
    • Mapping is expected to be completed by end of October.
    Snapshot of "progress status" tab of the mapping tool is shared below.

    6. CCMv4 - NIST CSF v1.1 mapping project (Call for participation)
    • CSA and CCM WG are about to embark on a new mapping project between CCMv4 and NIST CSF v1.1.
    • Eric Peeters (Weaver) has been selected by the CCM leadership team as the team leader for the mapping project.
    • The mapping project is expected to kick off during the CCM WG call on Wednesday, 26th.
    • Experts that are interested in participating are kindly invited to join the call.

    7. CSA Chapter mappings
    • The CSA UAE Chapter has conducted & delivered a mapping between CCMv4 and UAE IA Regulation (publication).
    • The CSA Japan Chapter has conducted & delivered a mapping between CCMv4 and Japan's Information System Security Management and Assessment Program (ISMAP) (publication).

    8. AoB
    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

    Action Points (APs)
    Action points are defined within each individual project.

    Let me know if you have any questions or comments on the above.
    Thank you all for being active and supporting the CCMv4 development & evolution.
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------