Document provides auditors a baseline understanding of the CCM audit areas, allowing them to better perform a CCM-related audit and assessment
The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the Cloud Controls Matrix (CCM) Auditing Guidelines. Drafted by the CCM Working Group, this new addition to the Cloud Controls Matrix v4 contains a set of auditing guidelines tailored to the control specifications of each of the CCM’s 17 cloud security domains. This document provides auditors with a baseline understanding of the CCM audit areas, allowing them to better perform a CCM-related audit and assessment.
The guidelines are an extension of Chapter 7: CCM Auditing Guidelines found in the Certificate of Cloud Auditing Knowledge guide (specifically of subsection 7.5: CCM Audit Workbook) and were drafted to provide direction to:
- auditors who plan to perform audits against the CCM on cloud service providers (CSPs)
- cloud service customers (CSCs) using the CCM framework to evaluate their cloud service portfolio, and
- CSPs or CSCs who intend to use the CCM framework to guide the design, development, and implementation of their cloud security controls.
“We are very excited about the work done with CCM v4. The auditing guidelines represent an additional aid for the organizations adopting CCM and will facilitate and streamline the execution of assessment based on CCM control. This document will clearly make it easier for companies to join the STAR Program,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.
“The guidelines have been drafted in such a way as to allow auditors to tailor various aspects to address their specific objectives and will support a cloud security audit or assessment, regardless of company’s size, business, cloud deployment complexity, or maturity level. It’s hoped these guidelines will make it even easier for CSPs and CSCs, who are seeking secure implementation, assessment, and management of cloud services security risks, to determine where the responsibility for various aspects of security lie,” said Sanjeev Gupta, a lead author of the paper.
The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains, covering all key aspects of the cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.
Along with releasing updated versions of the CCM and CAIQ, the Cloud Controls Matrix Working Group provides control mappings, gap analysis, and addendums between the CCM and other industry standards and regulations to keep it continually up to date. Those interested in participating in the working group or its research are invited to join.
For more such updates and perspectives around Digital Innovation, IoT, Data Infrastructure, AI & Cybersecurity, go to AI-Techpark.com.