Cloud Controls Matrix

  • 1.  CCMv4 Development Activities Update (24/11/22)

    Posted 9 days ago
    Dear members,
    please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

    Brief summary:
    • CSA has kicked off the development of a CCMv4 lightweight version (currently called CCM-Lite). Experts are welcome to participate and review the current draft.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.
    • CCMv4 - ISO/IEC 27001:2022 mapping is completed and scheduled for publication on Dec. 14th.
    • Help us improve the CCMv4 and its underlying components (controls, CAIQ, guidelines, metrics, mappings) by providing your input to the CCM Feedback form.

    Agenda Items (AIs):

    1. CCM-Lite Development
    2. CSA - Singapore Cyber Security Agency Partnership
    3. CCMv4 - NIST CSF v1.1 mapping project
    4. CCMv4 - ISO/IEC 27001:2022 mapping project
    5. CCM Feedback Form
    6. CSA Chapter mappings
    7. AoB

    1. CCM-Lite Development (Call for Participation)
    • CSA has kicked off another great project that aims at the development of a lightweight version of the existing CCMv4, called CCM-Lite.
    • Current project development status and inputs from the WG are documented in the CCM-Lite project worksheet.
    • Project objective is to present a lightweight CCMv4 of a minimum set of baseline foundational cloud security requirements.
    • CCM-Lite is planned to be a cost-effective solution that can be adopted by low-risk profile cloud organizations (SMEs) and allow them to implement & demonstrate "basic cloud-security hygiene".
    • More information on the project can be found under the 'ReadMe' tab of the worksheet (shared right above).
    • Experts that wish to contribute to this project are kindly invited to contact me (Lefteris).

      2. CSA - Singapore Cyber Security Agency (SI-CSA) Partnership
      • The partnership established between CSA and Singapore's CSA involves the alignment of CCMv4 to the SI-CSA's cyber security standards, namely Cyber Trust Mark and Cyber Essentials.
      • Collaboration has planned for the alignment to be established with two (2) mappings of SI-CSA frameworks and CCMv4.0.
      • First mapping project between the CCMv4 and Cyber Essentials is currently in progress and scheduled for delivery by 30/11.
      • A joint review exercise is expected to follow.
      Snapshot of "progress status" tab of the mapping tool is shared below.

      3. CCMv4 - NIST CSF v1.1 mapping project
      • The CCM WG has recently kicked off a mapping project of CCMv4 to NIST CSFv1.1. Progress is excellent!
      • The project involves both a mapping and gap analysis and aims to identify the requirements 'overlaps' and 'deltas' between the two (2) frameworks.
      • Gap analysis aims to identify possible gaps that NIST CSF has when compared to CCMv4.
      Snapshot of "progress status" tab of the mapping tool is shared below.

      4. CCMv4 - ISO/IEC 27001:2022 mapping project
      • This mapping project has been successfully completed.
      • The mapping is scheduled for publication on Dec. 14th.
      • Release will trigger a minor update version of CCM to v4.0.6.

      5. CCM Feedback Form
      • The purpose of this form is to collect feedback that will enable the continuous improvement and evolution of the Cloud Controls Matrix (CCM).
      • Cloud Security experts are now enabled to provide input on all CCMv4 components (controls, CAIQ, guidelines, mappings, metrics).
      • Help us improve the CCM by providing us with your input.

      6. CSA Chapter mappings
      • Spanish chapter has completed a mapping between CCMv4 and Spain's National Cyber Security Framework.
      • The mapping is currently being processed and prepared for publication on CSA's website.
      • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

      Action Points (APs)
      Action points are defined within each individual project.

      Let me know if you have any questions or comments on the above.
      Thank you all for being active and supporting the CCMv4 development & evolution.
      Best regards,

      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance

    2.  RE: CCMv4 Development Activities Update (24/11/22)

      Posted 3 days ago
      Completed my review of CCM-lite. When would we be discussing as a group?

      T. Devon Artis
      Cloud Security Architect/DevSecOps Lead

    3.  RE: CCMv4 Development Activities Update (24/11/22)

      Posted 3 days ago
      Hi Troin,
      Thanks for your input on CCM-Lite.
      Would like to give more time to the rest of the group to provide their feedback as well.

      We'll touch base again next week to see where we are at.

      Please stay tuned! 
      Kind regards,