Understanding the CSA Cloud Controls Matrix and CAIQ

Diana Kelley explains how the CSA Cloud Controls Matrix and the CAIQ can be used to assess cloud providers' controls and risk models.

There are a number of useful, free documents available from the Cloud Security Alliance (CSA) that security pros may find helpful when it comes to securing cloud initiatives within their organizations. In this tip, we'll offer a brief introduction to several CSA resource papers and explain how they can be applied to help shore up enterprise cloud security.

The CSA Security Guidance

The "flagship" CSA document is the CSA Security Guidance, v3. The Guidance is a distillation of input from CSA members and lessons learned from experts working on other CSA initiatives, such as the CSA GRC Stack. Though the CSA flagged it as a "C-level best practice" document, unless the CEO and CFO of your organization have considerable technical knowledge, the document is more of a D-level (director-level) document for those lower-level business managers directly responsible for the technical aspects of cloud adoption (including risk assessment and audit).

The completeness of this document, and the level to which it is targeted, makes it a great starting point for professionals who want to learn more about cloud security considerations but don't want or need a deep dive into what to look for in a cloud provider. That's where the CSA GRC Stack comes in -- particularly two of the documents in the Stack: the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).


The CSA GRC Stack comprises four separate initiatives: Cloud Audit, CCM, CAIQ and Cloud Trust Protocol (CTP). The CCM and CAIQ are the two documents that are most directly useful for companies trying to assess a given cloud provider's controls and risk model.

The CAIQ was designed to help with one of the leading concerns companies have when moving to the cloud: the lack of transparency into which technologies and tactics cloud providers implement for data protection and risk management, and how they implement them. The document consists of a set of questions, presented in a spreadsheet, that a company can ask its vendors before signing up for a cloud service. The questions are categorized by control group and then mapped to major compliance and regulatory standards such as COBIT, HIPAA, PCI and FedRAMP. Using the information and the control assertion questions from the CAIQ, an organization can build a robust RFP (request for proposal) and verify that the answers the vendor gives during the RFP review interview are valid.


Going deeper still, organizations can use the CSA Cloud Controls Matrix to build a detailed list of requirements and controls that they want their cloud service provider to implement. The CCM complements the CAIQ because it uses the same control area and control ID categorizations, enabling cloud customers to quickly move back and forth between the documents and build a customized set of controls and validating questions for their prospective providers.

One of the most useful aspects of the CCM is that it is mapped to so many other industry standards and controls frameworks, including the following: HIPAA and the HITECH Act; ISO/IEC 27001:2005; NIST SP 800-53 Rev. 3; PCI DSS 2.0; Generally Accepted Privacy Principles (GAPP, Aug 2009); and the Jericho Forum. In the most recent September 2012 release, the CSA added the FedRAMP Security Controls to the mapping section.

The CCM also shows where a control has architectural relevance: for example, whether it is relevant to the network, the application, the data or all three. It also outlines which cloud service delivery model (IaaS, PaaS or SaaS) a control applies to and whether a given control has relevance for corporate governance.


When used together, the CAIQ and the CCM represent a solid starting point for an organization to determine which controls it needs from its cloud provider. The documents also provide a way to normalize an RFP request for those controls. Both documents, but especially the CCM, provide detailed mapping to major compliance initiatives, enabling companies that must comply with certain requirements to quickly determine which controls are non-negotiable when contracting with a provider. Once a robust list of controls has been built using the CCM as a guide, the company can leverage the controls assertion questions in the CAIQ to validate that the provider has those controls in place.
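As an added illustration, not code from the article or from the CSA documents themselves, the following Python models the control-ID join described above: CCM rows carry the architectural, delivery-model, governance and standards mappings, CAIQ rows reference the same control IDs, and the helpers build the non-negotiable control list for a compliance requirement, pull the matching CAIQ questions for an RFP, and flag controls the CAIQ does not ask about. Every control ID, question and clause reference is a constructed placeholder.

```python
# Added example, not from the article or the CSA: a minimal model of how the
# CCM and the CAIQ join on their shared control IDs. Every control ID,
# question, standard reference and mapping below is a constructed placeholder.
from dataclasses import dataclass

@dataclass(frozen=True)
class CcmControl:
    control_id: str
    area: str
    architecture: frozenset     # which of network / application / data
    delivery_models: frozenset  # subset of {"IaaS", "PaaS", "SaaS"}
    governance: bool            # corporate-governance relevance flag
    mappings: dict              # standard name -> tuple of clause references

ALL = frozenset({"IaaS", "PaaS", "SaaS"})
CCM = (  # constructed rows in the CCM's area-number ID shape
    CcmControl("DG-EX1", "Data Governance", frozenset({"data"}), ALL, True,
               {"PCI DSS 2.0": ("ref-A",), "HIPAA": ("ref-B",)}),
    CcmControl("SA-EX2", "Security Architecture", frozenset({"network"}),
               frozenset({"IaaS"}), False, {"NIST SP 800-53 R3": ("ref-C",)}),
    CcmControl("IS-EX3", "Information Security", frozenset({"application", "data"}),
               frozenset({"PaaS", "SaaS"}), True, {"PCI DSS 2.0": ("ref-D",)}),
)
# Constructed CAIQ rows: (question_id, control_id, question). IS-EX3 has no
# question on purpose, so the gap check below has something to report.
CAIQ = (
    ("DG-EX1.1", "DG-EX1", "Do you classify tenant data by sensitivity?"),
    ("DG-EX1.2", "DG-EX1", "Can tenants apply their own classification labels?"),
    ("SA-EX2.1", "SA-EX2", "Is tenant network traffic segregated?"),
)

def required_controls(standards, delivery_model, ccm=CCM):
    """CCM controls mapped to any required standard that apply to the model."""
    return [c for c in ccm if delivery_model in c.delivery_models
            and any(s in c.mappings for s in standards)]

def rfp_questions(controls, caiq=CAIQ):
    """Group CAIQ assertion questions under the CCM control IDs they cover."""
    out = {c.control_id: [] for c in controls}
    for qid, cid, text in caiq:
        if cid in out:
            out[cid].append((qid, text))
    return out

def controls_without_questions(controls, caiq=CAIQ):
    """Control IDs the CAIQ does not ask about; these need a custom question."""
    covered = {cid for _, cid, _ in caiq}
    return sorted(c.control_id for c in controls if c.control_id not in covered)
```

The gap check is the practical caveat: a control selected from the CCM that has no CAIQ question still needs a validating question written into the RFP.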

Overall, the CSA's CCM and CAIQ help provide a solid foundation for assessing the risk models and controls of a cloud provider, making them well worth a read.

About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
