CSA Cloud Controls Matrix v4

The de facto cloud security standard, with 197 control objectives across 17 domains. It is used for STAR certification and cloud provider assessments, and maps to ISO 27001, NIST SP 800-53, PCI DSS, SOC 2, and CIS Controls.

| Clause | Title | SP 800-53 Controls |
|---|---|---|
| AA-01 | Audit and Assurance Policy and Procedures | |
| AA-02 | Independent Assessments | |
| AA-03 | Risk Based Planning Assessment | |
| AA-04 | Requirements Compliance | |
| AA-05 | Audit Management Process | |
| AA-06 | Remediation | |
| AIS-01 | Application and Interface Security Policy and Procedures | |
| AIS-02 | Application Security Baseline Requirements | |
| AIS-03 | Application Security Metrics | |
| AIS-04 | Secure Application Design and Development | |
| AIS-05 | Automated Application Security Testing | |
| AIS-06 | Automated Secure Application Deployment | |
| AIS-07 | Application Vulnerability Remediation | |
| BCR-01 | Business Continuity Management Policy and Procedures | |
| BCR-02 | Risk Assessment and Impact Analysis | |
| BCR-03 | Business Continuity Strategy | |
| BCR-04 | Business Continuity Planning | |
| BCR-05 | Documentation | |
| BCR-06 | Business Continuity Exercises | |
| BCR-07 | Communication | |
| BCR-08 | Backup | |
| BCR-09 | Disaster Response Plan | |
| BCR-10 | Response Plan Exercise | |
| BCR-11 | Equipment Redundancy | |
| CCC-01 | Change Management Policy and Procedures | |
| CCC-02 | Quality Testing | |
| CCC-03 | Change Management Technology | |
| CCC-04 | Unauthorized Change Protection | |
| CCC-05 | Change Agreements | |
| CCC-06 | Change Management Baseline | |
| CCC-07 | Detection of Baseline Deviation | |
| CCC-08 | Exception Management | |
| CCC-09 | Change Restoration | |
| CEK-01 | Encryption and Key Management Policy and Procedures | |
| CEK-02 | CEK Roles and Responsibilities | |
| CEK-03 | Data Encryption | |
| CEK-04 | Encryption Algorithm | |
| CEK-05 | Encryption Change Management | |
| CEK-06 | Encryption Change Cost Benefit Analysis | |
| CEK-07 | Encryption Risk Management | |
| CEK-08 | CSC Key Management Capability | |
| CEK-09 | Encryption and Key Management Audit | |
| CEK-10 | Key Generation | |
| CEK-11 | Key Purpose | |
| CEK-12 | Key Rotation | |
| CEK-13 | Key Revocation | |
| CEK-14 | Key Destruction | |
| CEK-15 | Key Activation | |
| CEK-16 | Key Suspension | |
| CEK-17 | Key Deactivation | |
| CEK-18 | Key Archival | |
| CEK-19 | Key Compromise | |
| CEK-20 | Key Recovery | |
| CEK-21 | Key Inventory Management | |
| DCS-01 | Off-Site Equipment Disposal Policy and Procedures | |
| DCS-02 | Off-Site Transfer Authorization Policy and Procedures | |
| DCS-03 | Secure Area Policy and Procedures | |
| DCS-04 | Secure Media Transportation Policy and Procedures | |
| DCS-05 | Assets Classification | |
| DCS-06 | Assets Cataloguing and Tracking | |
| DCS-07 | Controlled Access Points | |
| DCS-08 | Equipment Identification | |
| DCS-09 | Secure Area Authorization | |
| DCS-10 | Surveillance System | |
| DCS-11 | Unauthorized Access Response Training | |
| DCS-12 | Cabling Security | |
| DCS-13 | Environmental Systems | |
| DCS-14 | Secure Utilities | |
| DCS-15 | Equipment Location | |
| DSP-01 | Security and Privacy Policy and Procedures | |
| DSP-02 | Secure Disposal | |
| DSP-03 | Data Inventory | |
| DSP-04 | Data Classification | |
| DSP-05 | Data Flow Documentation | |
| DSP-06 | Data Ownership and Stewardship | |
| DSP-07 | Data Protection by Design and Default | |
| DSP-08 | Data Privacy by Design and Default | |
| DSP-09 | Data Protection Impact Assessment | |
| DSP-10 | Sensitive Data Transfer | |
| DSP-11 | Personal Data Access, Reversal, Rectification and Deletion | |
| DSP-12 | Limitation of Purpose in Personal Data Processing | |
| DSP-13 | Personal Data Sub-processing | |
| DSP-14 | Disclosure of Data Sub-processors | |
| DSP-15 | Limitation of Production Data Use | |
| DSP-16 | Data Retention and Deletion | |
| DSP-17 | Sensitive Data Protection | |
| DSP-18 | Disclosure Notification | |
| DSP-19 | Data Location | |
| GRC-01 | Governance Program Policy and Procedures | |
| GRC-02 | Risk Management Program | |
| GRC-03 | Organizational Policy Reviews | |
| GRC-04 | Policy Exception Process | |
| GRC-05 | Information Security Program | |
| GRC-06 | Governance Responsibility Model | |
| GRC-07 | Information System Regulatory Mapping | |
| GRC-08 | Special Interest Groups | |
| HRS-01 | Background Screening Policy and Procedures | |
| HRS-02 | Acceptable Use of Technology Policy and Procedures | |
| HRS-03 | Clean Desk Policy and Procedures | |
| HRS-04 | Remote and Home Working Policy and Procedures | |
| HRS-05 | Asset returns | |
| HRS-06 | Employment Termination | |
| HRS-07 | Employment Agreement Process | |
| HRS-08 | Employment Agreement Content | |
| HRS-09 | Personnel Roles and Responsibilities | |
| HRS-10 | Non-Disclosure Agreements | |
| HRS-11 | Security Awareness Training | |
| HRS-12 | Personal and Sensitive Data Awareness and Training | |
| HRS-13 | Compliance User Responsibility | |
| IAM-01 | Identity and Access Management Policy and Procedures | |
| IAM-02 | Strong Password Policy and Procedures | |
| IAM-03 | Identity Inventory | |
| IAM-04 | Separation of Duties | |
| IAM-05 | Least Privilege | |
| IAM-06 | User Access Provisioning | |
| IAM-07 | User Access Changes and Revocation | |
| IAM-08 | User Access Review | |
| IAM-09 | Segregation of Privileged Access Roles | |
| IAM-10 | Management of Privileged Access Roles | |
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | |
| IAM-12 | Safeguard Logs Integrity | |
| IAM-13 | Uniquely Identifiable Users | |
| IAM-14 | Strong Authentication | |
| IAM-15 | Passwords Management | |
| IAM-16 | Authorization Mechanisms | |
| IPY-01 | Interoperability and Portability Policy and Procedures | |
| IPY-02 | Application Interface Availability | |
| IPY-03 | Secure Interoperability and Portability Management | |
| IPY-04 | Data Portability Contractual Obligations | |
| IVS-01 | Infrastructure and Virtualization Security Policy and Procedures | |
| IVS-02 | Capacity and Resource Planning | |
| IVS-03 | Network Security | |
| IVS-04 | OS Hardening and Base Controls | |
| IVS-05 | Production and Non-Production Environments | |
| IVS-06 | Segmentation and Segregation | |
| IVS-07 | Migration to Cloud Environments | |
| IVS-08 | Network Architecture Documentation | |
| IVS-09 | Network Defense | |
| LOG-01 | Logging and Monitoring Policy and Procedures | |
| LOG-02 | Audit Logs Protection | |
| LOG-03 | Security Monitoring and Alerting | |
| LOG-04 | Audit Logs Access and Accountability | |
| LOG-05 | Audit Logs Monitoring and Response | |
| LOG-06 | Clock Synchronization | |
| LOG-07 | Logging Scope | |
| LOG-08 | Log Records | |
| LOG-09 | Log Protection | |
| LOG-10 | Encryption Monitoring and Reporting | |
| LOG-11 | Transaction/Activity Logging | |
| LOG-12 | Access Control Logs | |
| LOG-13 | Failures and Anomalies Reporting | |
| SEF-01 | Security Incident Management Policy and Procedures | |
| SEF-02 | Service Management Policy and Procedures | |
| SEF-03 | Incident Response Plans | |
| SEF-04 | Incident Response Testing | |
| SEF-05 | Incident Response Metrics | |
| SEF-06 | Event Triage Processes | |
| SEF-07 | Security Breach Notification | |
| SEF-08 | Points of Contact Maintenance | |
| STA-01 | SSRM Policy and Procedures | |
| STA-02 | SSRM Supply Chain | |
| STA-03 | SSRM Guidance | |
| STA-04 | SSRM Control Ownership | |
| STA-05 | SSRM Documentation Review | |
| STA-06 | SSRM Control Implementation | |
| STA-07 | Supply Chain Inventory | |
| STA-08 | Supply Chain Risk Management | |
| STA-09 | Primary Service and Contractual Agreement | |
| STA-10 | Supply Chain Agreement Review | |
| STA-11 | Internal Compliance Testing | |
| STA-12 | Supply Chain Service Agreement Compliance | |
| STA-13 | Supply Chain Governance Review | |
| STA-14 | Supply Chain Data Security Assessment | |
| TVM-01 | Threat and Vulnerability Management Policy and Procedures | |
| TVM-02 | Malware Protection Policy and Procedures | |
| TVM-03 | Vulnerability Remediation Schedule | |
| TVM-04 | Detection Updates | |
| TVM-05 | External Library Vulnerabilities | |
| TVM-06 | Penetration Testing | |
| TVM-07 | Vulnerability Identification | |
| TVM-08 | Vulnerability Prioritization | |
| TVM-09 | Vulnerability Management Reporting | |
| TVM-10 | Vulnerability Management Metrics | |
| UEM-01 | Endpoint Devices Policy and Procedures | |
| UEM-02 | Application and Service Approval | |
| UEM-03 | Compatibility | |
| UEM-04 | Endpoint Inventory | |
| UEM-05 | Endpoint Management | |
| UEM-06 | Automatic Lock Screen | |
| UEM-07 | Operating Systems | |
| UEM-08 | Storage Encryption | |
| UEM-09 | Anti-Malware Detection and Prevention | |
| UEM-10 | Software Firewall | |
| UEM-11 | Data Loss Prevention | |
| UEM-12 | Remote Locate | |
| UEM-13 | Remote Wipe | |
| UEM-14 | Third-Party Endpoint Security Posture | |