
CSA Cloud Controls Matrix - Cloud Security Assurance for Providers and Customers

A complete guide to the CSA Cloud Controls Matrix (CCM) — what it covers, how it maps to other standards, how to complete the CAIQ, and how cloud providers use STAR certification to demonstrate security assurance.


CSA Cloud Controls Matrix: The Industry's Cloud Security Standard

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is the most widely used cloud-specific security controls framework. CCM v4 provides 197 control specifications across 17 domains, mapped to over 40 industry standards and regulations. For cloud service providers, implementing and demonstrating CCM controls — through the STAR Programme — provides the most credible, cloud-specific security assurance available to enterprise customers.


The 17 CCM Domains

CCM v4 organises controls into 17 security domains:

  • A&A — Audit and Assurance
  • AIS — Application and Interface Security
  • BCR — Business Continuity Management and Operational Resilience
  • CCC — Change Control and Configuration Management
  • CEK — Cryptography, Encryption, and Key Management
  • DCS — Datacenter Security
  • DSP — Data Security and Privacy Lifecycle Management
  • GRC — Governance, Risk, and Compliance
  • HRS — Human Resources Security
  • IAM — Identity and Access Management
  • IPY — Interoperability and Portability
  • IVS — Infrastructure and Virtualisation Security
  • LOG — Logging and Monitoring
  • SEF — Security Incident Management, E-Discovery, and Cloud Forensics
  • STA — Supply Chain Management, Transparency, and Accountability
  • TVM — Threat and Vulnerability Management
  • UEM — Universal Endpoint Management

Each domain contains multiple control specifications addressing specific security requirements for cloud environments.

The CAIQ: The Cloud Security Questionnaire

The Consensus Assessments Initiative Questionnaire (CAIQ) is the standardised questionnaire based on CCM that allows cloud customers to assess cloud provider security. It contains yes/no and descriptive questions for each CCM control.

Cloud providers publish their CAIQ responses in the CSA STAR Registry, creating a public, searchable database of cloud provider security postures. Enterprise security teams use CAIQ responses as part of cloud vendor due diligence — comparing providers' responses and drilling into specific controls of concern.
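The due-diligence step described above, comparing providers' CAIQ responses and drilling into the domains that matter to you, can be scripted once the responses are in a structured form. The following is an added example, not code from the original article or from the CSA: the provider names, control IDs, question text and answers are constructed sample data, and the Yes/No/NA answer vocabulary and the DOMAIN-number control-ID shape are assumptions modelled on the CAIQ layout. It scores per-domain coverage (treating NA as not applicable rather than as a failure), lists "No" answers in the domains of concern, and rejects malformed answers so that a mis-keyed spreadsheet does not silently inflate a provider's score.

```python
"""Score CAIQ-style responses for cloud vendor due diligence (added example)."""
from collections import defaultdict

# CAIQ answers are assumed to be one of these three values.
VALID_ANSWERS = {"Yes", "No", "NA"}

# Constructed sample data: (control_id, question, answer) per provider.
# Control IDs follow the CCM convention <DOMAIN>-<number>; questions are paraphrased.
PROVIDER_RESPONSES = {
    "ProviderA": [
        ("IAM-01", "Is MFA enforced for all privileged access?", "Yes"),
        ("IAM-05", "Is least-privilege, role-based access enforced?", "Yes"),
        ("LOG-03", "Are audit logs protected from tampering?", "No"),
        ("LOG-05", "Are logs retained for the contracted period?", "Yes"),
        ("CEK-03", "Can customers supply their own encryption keys?", "NA"),
    ],
    "ProviderB": [
        ("IAM-01", "Is MFA enforced for all privileged access?", "Yes"),
        ("IAM-05", "Is least-privilege, role-based access enforced?", "No"),
        ("LOG-03", "Are audit logs protected from tampering?", "Yes"),
        ("LOG-05", "Are logs retained for the contracted period?", "Yes"),
        ("CEK-03", "Can customers supply their own encryption keys?", "Yes"),
    ],
}


def domain_of(control_id):
    """Return the CCM domain code from an ID such as 'IAM-05' -> 'IAM'."""
    domain, sep, _number = control_id.partition("-")
    if not sep or not domain:
        raise ValueError(f"malformed control id: {control_id!r}")
    return domain


def coverage_by_domain(responses):
    """Fraction of applicable controls answered 'Yes', keyed by domain.

    NA answers are excluded from the denominator, so a domain with only NA
    answers is absent from the result. Any other answer value is rejected.
    """
    yes = defaultdict(int)
    applicable = defaultdict(int)
    for control_id, _question, answer in responses:
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{control_id}: unexpected answer {answer!r}")
        domain = domain_of(control_id)
        if answer == "NA":
            continue
        applicable[domain] += 1
        if answer == "Yes":
            yes[domain] += 1
    return {d: yes[d] / applicable[d] for d in applicable}


def flag_gaps(responses, domains_of_concern):
    """Sorted control IDs answered 'No' within the domains the assessor cares about."""
    return sorted(
        control_id
        for control_id, _question, answer in responses
        if answer == "No" and domain_of(control_id) in domains_of_concern
    )


def compare_providers(providers, domains_of_concern):
    """Side-by-side summary (coverage per domain plus flagged gaps) per provider."""
    summary = {}
    for name, responses in providers.items():
        summary[name] = {
            "coverage": coverage_by_domain(responses),
            "gaps": flag_gaps(responses, domains_of_concern),
        }
    return summary


if __name__ == "__main__":
    # Example run: an assessor who cares most about identity and logging controls.
    for name, result in compare_providers(PROVIDER_RESPONSES, {"IAM", "LOG"}).items():
        print(name)
        for domain, fraction in sorted(result["coverage"].items()):
            print(f"  {domain}: {fraction:.0%} of applicable controls answered Yes")
        print(f"  gaps in domains of concern: {result['gaps'] or 'none'}")
```

In practice the response tuples would be read from the provider's published CAIQ spreadsheet rather than typed in; the scoring logic stays the same. Keeping NA out of the denominator matters because a provider that honestly marks a control as not applicable should not be ranked below one that answers "Yes" to everything.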

Completing and publishing a CAIQ is a significant differentiator for cloud service providers targeting enterprise customers — particularly those in regulated industries who require detailed cloud security documentation.

CSA STAR Certification: The Gold Standard for Cloud Security

The CSA Security, Trust, Assurance and Risk (STAR) programme provides three levels of cloud security assurance:

STAR Level 1 — Self-Assessment: The provider completes and publishes a CAIQ or a CAIQ mapped to CCM. No independent verification. Publicly available in the STAR Registry.

STAR Level 2 — Third-Party Assessment: The provider undergoes an independent third-party assessment against CCM requirements. Two options: STAR Certification (combined ISO 27001 + CCM assessment by an accredited certification body) or STAR Attestation (combined SOC 2 + CCM assessment by a CPA firm). This is the most commercially valuable level for enterprise cloud sales.

STAR Level 3 — Continuous Monitoring: Continuous, technology-based monitoring of security controls against CCM requirements. Currently in development.

STAR Certification is increasingly required by enterprise procurement teams — particularly in financial services and healthcare — as evidence that the cloud provider's security controls have been independently verified against a comprehensive, cloud-specific framework.

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
