CSA CCM

CSA Cloud Controls Matrix v4.1

StandardInternational

The Cloud Controls Matrix (CCM) v4.1 is the de facto standard for cloud security assurance. Released January 2026, it defines 207 controls across 17 security domains covering governance, data protection, infrastructure, identity management, and supply chain. CCM provides a shared responsibility framework for cloud service providers and customers.

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 NERC CIP MITRE ATT&CK ICS CISA CPGs Saudi OTCC NIST CSF 2.0 NIST 800-53 NIST 800-171 CIS Controls CSA CAIQ

207

Controls

Security Domains

v4.1

Current (Jan 2026)

All Cloud

IaaS/PaaS/SaaS

Who Needs to Comply

Cloud Service Providers

IaaS, PaaS, and SaaS providers documenting security controls
Providers pursuing CSA STAR Level 1 or Level 2 certification
Multi-cloud and hybrid cloud service operators
Managed cloud security service providers

Cloud Customers

Organisations evaluating cloud provider security posture
Enterprise procurement teams conducting vendor security assessments
Compliance teams mapping cloud controls to ISO 27001, SOC 2, or NIST
Organisations governing multi-cloud environments

Key Compliance Areas

GRM, STA

Governance & Risk

Governance, risk management, and compliance policies; security threat and vulnerability management across cloud environments.

IAM, HRS

Identity & Access

Identity and access management, human resources security, and credential lifecycle management for cloud services.

DSP, EKM

Data Security & Privacy

Data security and privacy lifecycle management, encryption and key management for data at rest and in transit.

IVS, DCS, BCR

Infrastructure & Operations

Infrastructure and virtualisation security, datacenter security, and business continuity and disaster recovery.

SCI, LOG

Supply Chain & Logging

Supply chain management transparency, service bill of materials, logging and monitoring, and audit log sanitisation (new in v4.1).

How Orizon Helps

Shared Responsibility Mapping

Use the CCM Control Applicability Matrix to assign responsibilities between Cloud Service Provider and Customer.

Domain-by-Domain Assessment

Evaluate compliance across all 17 security domains against applicable controls.

Gap Identification

Document unmet controls with remediation plans, priorities, and timelines.

Control Implementation

Deploy controls prioritised by risk and domain, using CCM Implementation Guidelines.

STAR Registration

Submit self-assessment (Level 1) or third-party audit (Level 2) to the CSA STAR Registry.

Continuous Governance

Update assessment annually; transition to v4.1 before the December 2027 deadline.

Official Sources

Assess Your Compliance

Expert guidance for your CSA CCM compliance journey.

Get Started