We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / CSA CCM / STAR
Cloud Security Alliance · Global

CSA CCM & STAR

The Cloud Controls Matrix and STAR programme for cloud security assurance.

Introduction: The Cloud Controls Matrix and the STAR Programme

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is the de-facto reference framework for cloud-computing security. First released in 2010 and evolved through successive versions, CCM provides a structured catalogue of security controls tailored specifically to the realities of cloud service delivery, where responsibility for security is shared between a cloud service provider (CSP) and the customers who consume its services. The current major version, CCM v4, comprises 197 control objectives organised across 17 security domains, and it is accompanied by the Consensus Assessments Initiative Questionnaire (CAIQ), a companion set of yes/no questions that allow a provider to assert how each control is implemented.

The Security, Trust, Assurance and Risk (STAR) programme is the assurance layer that sits on top of CCM. STAR is a publicly accessible registry and certification scheme through which cloud providers document, and independent assessors validate, the security posture of a given cloud offering. STAR is structured in tiers of increasing rigour: Level 1 is a self-assessment based on the CAIQ, Level 2 is a third-party independent assessment (STAR Attestation, STAR Certification, or a C-STAR assessment for the Greater China market), and a continuous-monitoring tier delivers near-real-time assurance. Together, CCM and STAR give buyers a transparent, comparable way to evaluate the security of cloud services before and during procurement.

This guide is written for security and compliance leaders, cloud architects, GRC practitioners and auditors who need to plan, execute or assure a CCM/STAR programme. It walks through the framework structure, provides a master assessment checklist covering every domain, and sets out a phased implementation approach, scoring model, evidence expectations and mappings to adjacent standards. Throughout, the emphasis is on practical, auditor-grade specifics rather than abstract theory.

Copyright and licensing note
The Cloud Controls Matrix, the CAIQ and the STAR programme materials are the intellectual property of the Cloud Security Alliance. CCM and CAIQ are released under the CSA's terms of use, which permit use for internal assessment but restrict commercial redistribution and derivative works. STAR Certification and Attestation are delivered by CSA-authorised certification bodies and assessors. This guide is an original CyberSigma explanatory work; it paraphrases and interprets the framework and does NOT reproduce CSA's copyrighted control text, question wording or logos. Always work from the current official CCM/CAIQ spreadsheet and STAR programme documentation obtained directly from the Cloud Security Alliance.

What is CSA CCM / STAR

CCM is a controls framework: a normalised, cloud-specific catalogue of control objectives that a provider or consumer can use to design, operate and audit a secure cloud environment. Unlike a general-purpose standard, CCM is explicitly built around cloud concepts, the shared responsibility model, the three service models (IaaS, PaaS, SaaS) and multi-tenancy. Each control objective is expressed as a concise statement of intent, and each is accompanied by implementation guidance, a shared-responsibility indicator and mappings to other authoritative standards.

Two companion artefacts make CCM operational. The CAIQ translates each control objective into one or more assessment questions that a provider answers, typically with a yes/no/NA response plus a narrative explanation and a statement of which party (provider, tenant, or shared) owns the control. The CCM implementation guidelines and the shared-responsibility model columns tell an organisation how the control is expected to be discharged across service models.

STAR is the assurance and transparency programme that consumes CCM/CAIQ output. A provider that completes a CAIQ can publish it to the public STAR Registry as a Level 1 self-assessment. To reach Level 2, an accredited third party validates the controls, either as a STAR Attestation (built on the SOC 2 framework and AICPA criteria), a STAR Certification (built on ISO/IEC 27001 with a CCM-based maturity scoring), or C-STAR for China. A continuous-monitoring tier extends assurance beyond a point-in-time snapshot. The result is a single, comparable, buyer-facing signal of cloud trustworthiness.

  • CCM v4: 197 control objectives across 17 domains, each with implementation guidance and shared-responsibility guidance.
  • CAIQ v4: the questionnaire form of CCM used to capture provider assertions and evidence pointers.
  • STAR Level 1: publicly published self-assessment (CAIQ or CCM) on the CSA STAR Registry.
  • STAR Level 2: independent third-party validation via Attestation (SOC 2), Certification (ISO 27001 + maturity), or C-STAR.
  • STAR Continuous: ongoing, machine-readable assurance for near-real-time monitoring.
  • CCM includes cross-mappings to ISO 27001/27002/27017/27018, NIST, PCI DSS, SOC 2, and other frameworks.

Who must comply

CCM/STAR is voluntary in the sense that no single law mandates it by name, yet it has become a contractual and procurement expectation across large swathes of the market. It applies to any organisation that builds, sells or heavily consumes cloud services, and it is increasingly requested in supplier due-diligence and RFP processes.

StakeholderWhy CCM/STAR applies to them
Cloud Service Providers (IaaS/PaaS/SaaS)Publishing a STAR entry (Level 1 minimum) is now a baseline expectation for enterprise sales; Level 2 differentiates in competitive procurement.
SaaS vendors and ISVsEnterprise and regulated buyers frequently demand a completed CAIQ or STAR listing as part of vendor risk assessment.
Cloud consumers / enterprisesUse CCM as a control baseline and use the STAR Registry to evaluate and compare prospective providers.
Managed service providers (MSPs/MSSPs)Demonstrate cloud security maturity to downstream customers and inherit/complement provider controls.
Regulated industries (BFSI, healthcare, government)Map CCM to sector rules (e.g. RBI, HIPAA, GDPR, DPDP) to evidence cloud due-diligence.
Procurement and third-party risk teamsUse CAIQ responses to shortcut security questionnaires and standardise supplier assessment.
Auditors and certification bodiesDeliver STAR Attestation/Certification and validate CCM control implementation.

Structure of CSA CCM / STAR

CCM v4 is organised into 17 domains. Each domain has a two- or three-letter identifier and contains a set of numbered control objectives (for example, IAM-01 through IAM-16). The 17 domains collectively contain 197 controls. The table below lists every CCM v4 domain, its identifier and its scope. Control counts per domain vary; the identifiers shown are the canonical CCM v4 domain codes.

Domain codeDomain nameScope in brief
A&AAudit & AssuranceInternal/external audit planning, independent assessments, risk-based audit, remediation tracking.
AISApplication & Interface SecuritySecure SDLC, application security testing, secure design, API/interface security.
BCRBusiness Continuity Mgmt & Operational ResilienceBCP/DR planning, backups, testing, response, restoration and resilience.
CCCChange Control & Configuration ManagementChange management, baselines, unauthorised change detection, deployment governance.
CEKCryptography, Encryption & Key ManagementEncryption policy, key lifecycle, key storage, rotation, algorithms and protocols.
DCSDatacenter SecurityPhysical and environmental security of facilities, secure areas, equipment, off-site.
DSPData Security & Privacy Lifecycle ManagementData classification, flow mapping, retention, disposal, privacy, data protection by design.
GRCGovernance, Risk & CompliancePolicies, risk management programme, compliance, exceptions and governance oversight.
HRSHuman ResourcesScreening, onboarding/offboarding, acceptable use, awareness, employment agreements.
IAMIdentity & Access ManagementIdentity lifecycle, authentication, authorisation, privileged access, SSO/MFA, segregation of duties.
IPYInteroperability & PortabilityData/service portability, interoperability, secure interchange, exit and migration.
IVSInfrastructure & Virtualization SecurityNetwork security, segmentation, hypervisor hardening, workload isolation, capacity.
LOGLogging & MonitoringAudit logging, log protection, clock sync, event monitoring, incident detection telemetry.
SEFSecurity Incident Mgmt, E-Discovery & Cloud ForensicsIncident response, forensics, e-discovery, breach notification and metrics.
STASupply Chain Mgmt, Transparency & AccountabilityThird-party/supply-chain risk, SLAs, provider assessments, inventory and transparency.
TVMThreat & Vulnerability ManagementVulnerability scanning, patching, penetration testing, malware defence, threat management.
UEMUniversal Endpoint ManagementEndpoint inventory, hardening, MDM/MAM, endpoint protection, data loss on devices.

STAR layers assurance tiers on top of this structure. The relationship between CCM (the controls) and STAR (the assurance) is summarised below.

STAR tierAssessment basisAssurance rigour
Level 1 — Self-Assessment (CAIQ/CCM)Provider completes CAIQ and self-publishesTransparency, unvalidated
Level 2 — STAR AttestationSOC 2 Type I/II + CCM criteria, by CPA firmIndependent, point-in-time or period
Level 2 — STAR CertificationISO/IEC 27001 + CCM maturity scoring, by accredited CBIndependent, certified with maturity rating
Level 2 — C-STARGB/T 22080 (China ISO 27001 equiv.) + CCMIndependent, Greater China market
ContinuousOngoing control monitoring, machine-readableNear-real-time, highest transparency

Master assessment checklist

This is the core of the guide. For every CCM domain it sets out what an assessor should verify and the typical evidence that substantiates the control. The intent is that a lead assessor can work domain by domain and leave no control area unexamined. Verify each item against the current CCM control text and the provider's CAIQ responses, and confirm both design and operating effectiveness where the STAR tier requires it.

A&A — Audit & Assurance

What to verifyTypical evidence
An audit and assurance policy exists, is approved and reviewed at planned intervalsSigned policy, review dates, approver records
A risk-based internal audit plan covers the cloud environment and CCM scopeAudit universe, annual audit plan, scoping notes
Independent assessments (external audits, penetration tests) are performed periodicallyThird-party assessment reports, engagement letters
Audit findings are tracked to closure with owners and due datesFindings/remediation register, corrective action plans
Compliance with applicable legal, regulatory and contractual obligations is verifiedCompliance mapping, regulatory register, evidence of checks

AIS — Application & Interface Security

What to verifyTypical evidence
A secure application design and development policy governs the SDLCAppSec policy, SDLC standard, secure coding guidelines
Application security testing (SAST/DAST/SCA) is performed before releaseScan reports, pipeline config, gate/threshold records
Security is embedded at design (threat modelling) and in acceptance criteriaThreat models, design review records, security requirements
APIs and interfaces enforce authentication, authorisation and input validationAPI gateway config, auth policy, validation test results
Vulnerabilities in applications are remediated within defined SLAsDefect tracking, remediation timelines, retest evidence

BCR — Business Continuity Management & Operational Resilience

What to verifyTypical evidence
A business continuity and disaster recovery programme is documented and approvedBCP/DR policy and plans, BIA outputs
RTO/RPO objectives are defined per service and are achievableBIA, RTO/RPO matrix, architecture diagrams
Backups are configured, encrypted, tested and restorableBackup schedules, restore test logs, encryption config
BCP/DR plans are exercised at planned intervals with lessons learnedTest/exercise reports, tabletop records, improvement actions
Resilience is engineered (redundancy, failover, capacity headroom)HA/DR architecture, failover test evidence, SLA data

CCC — Change Control & Configuration Management

What to verifyTypical evidence
A change management policy defines request, review, approval and rollbackChange policy, CAB terms of reference
Changes are risk-assessed, tested and approved before production deploymentChange tickets, approval records, test evidence
Configuration baselines and hardening standards are defined and enforcedBaseline docs, CIS benchmarks, config management tooling
Unauthorised or emergency changes are detected, logged and reviewedDrift detection reports, emergency change logs
Deployment automation and separation of duties prevent unilateral changeCI/CD config, RBAC on pipelines, segregation evidence

CEK — Cryptography, Encryption & Key Management

What to verifyTypical evidence
An encryption and key management policy specifies approved algorithms/protocolsCrypto policy, approved cipher list, TLS standard
Data is encrypted at rest and in transit across the serviceEncryption config, TLS scan results, storage settings
Keys have a defined lifecycle: generation, distribution, rotation, revocation, destructionKey management procedures, rotation logs, KMS/HSM records
Keys are stored and protected (HSM/KMS) with strict access controlHSM/KMS inventory, access logs, FIPS certification
Cryptographic implementations are reviewed for strength and deprecationAlgorithm review records, deprecation plan, cipher audits

DCS — Datacenter Security

What to verifyTypical evidence
Physical security controls protect facilities and secure areasFacility security policy, badge/CCTV records, floor plans
Access to datacentres is authorised, logged and periodically reviewedAccess lists, entry logs, access review records
Environmental controls (power, cooling, fire) are in place and monitoredEnvironmental monitoring, UPS/generator tests, alarms
Equipment is securely sited, maintained and disposed ofAsset records, maintenance logs, secure disposal certificates
For cloud tenants, provider datacentre assurance is obtained (SOC/ISO)Provider audit reports, datacentre certifications

DSP — Data Security & Privacy Lifecycle Management

What to verifyTypical evidence
Data is classified and handled per classification throughout its lifecycleData classification policy, labelling, handling rules
Data flows and locations (including cross-border) are mappedData flow diagrams, data inventory, residency records
Retention and secure disposal schedules are defined and enforcedRetention schedule, disposal logs, deletion evidence
Privacy by design and data-protection obligations are met (consent, DSAR)Privacy policy, DPIA records, DSAR process, consent logs
Personal and sensitive data receive additional safeguards (masking, minimisation)Masking/tokenisation config, minimisation records

GRC — Governance, Risk & Compliance

What to verifyTypical evidence
An information security governance structure and policy set is establishedGovernance charter, policy library, approval records
A risk management programme identifies, assesses and treats risksRisk methodology, risk register, treatment plans
Compliance obligations are inventoried and monitoredCompliance/legal register, obligation tracker
Policy exceptions are formally requested, approved and time-boundException register, approval and expiry records
Management reviews security performance and drives improvementManagement review minutes, KPI dashboards

HRS — Human Resources

What to verifyTypical evidence
Background screening is performed proportionate to role and riskScreening policy, completed checks, role risk mapping
Employment agreements include security and confidentiality obligationsContracts, NDAs, acceptable use acknowledgements
Onboarding and offboarding provision/revoke access promptlyJoiner/mover/leaver records, access revocation logs
Security awareness and role-based training are delivered and trackedTraining records, completion rates, phishing test results
Disciplinary process addresses security policy violationsDisciplinary policy, sanction records where applicable

IAM — Identity & Access Management

What to verifyTypical evidence
Identity lifecycle (provision, change, deprovision) is governedIAM policy, joiner/leaver logs, orphaned account reviews
Strong authentication (MFA) is enforced, especially for privileged/remote accessMFA config, coverage report, enforcement policy
Least-privilege and role-based access control are implementedRBAC matrix, entitlement reviews, privilege reports
Privileged access is restricted, monitored and time-limited (PAM)PAM tooling, session logs, just-in-time access records
Access rights are recertified at planned intervalsAccess review/attestation records, exception handling
Segregation of duties conflicts are identified and mitigatedSoD ruleset, conflict analysis, compensating controls

IPY — Interoperability & Portability

What to verifyTypical evidence
Standard, documented APIs/formats enable interoperabilityAPI documentation, supported format list
Customers can export/import their data in usable formatsExport capability, data portability documentation
Data interchange during migration is secure and integrity-checkedMigration procedures, integrity/checksum evidence
Exit and service-termination provisions are definedExit clauses, off-boarding and data-return procedures
Portability is tested so lock-in risk is understoodPortability test records, format validation

IVS — Infrastructure & Virtualization Security

What to verifyTypical evidence
Network security controls (firewalls, segmentation, micro-segmentation) are in placeNetwork diagrams, firewall/SG rules, segmentation design
Hypervisor and virtualization layers are hardened and patchedHardening baselines, patch records, config scans
Tenant workloads are isolated in multi-tenant environmentsIsolation architecture, tenancy controls, test evidence
Capacity and resource management prevent exhaustion/denialCapacity plans, autoscaling config, monitoring
Network traffic is monitored for anomalies and threatsIDS/IPS logs, netflow, anomaly detection records

LOG — Logging & Monitoring

What to verifyTypical evidence
Audit logs capture security-relevant events across systemsLogging policy, log source inventory, sample logs
Logs are protected from tampering and retained per policyImmutable/WORM storage, retention config, access controls
Clocks are synchronised to an authoritative time sourceNTP config, time-sync monitoring
Security events are monitored and correlated (SIEM/analytics)SIEM config, correlation rules, alert records
Alerting and escalation drive timely investigationAlert workflow, escalation matrix, response times

SEF — Security Incident Management, E-Discovery & Cloud Forensics

What to verifyTypical evidence
An incident response plan defines roles, phases and communicationsIR policy/plan, contact lists, playbooks
Incidents are triaged, classified and handled per severityIncident register, classification criteria, timelines
Forensic readiness and evidence-handling procedures existForensics procedures, chain-of-custody templates
Breach notification obligations (regulatory, contractual) are metNotification procedures, regulator/customer notices
Incident metrics and lessons learned drive improvementPost-incident reviews, metrics, improvement actions

STA — Supply Chain Management, Transparency & Accountability

What to verifyTypical evidence
Third parties and suppliers are inventoried and risk-assessedSupplier register, risk tiering, assessment records
Security requirements are embedded in contracts and SLAsContract clauses, SLAs, DPAs, right-to-audit terms
Provider/sub-processor security is validated on an ongoing basisProvider audit reports, CAIQ reviews, monitoring
Shared responsibility is documented and understoodResponsibility matrix (RACI), service descriptions
Supply-chain changes and incidents are communicated transparentlyChange notifications, sub-processor lists, incident notices

TVM — Threat & Vulnerability Management

What to verifyTypical evidence
Vulnerability scanning covers all in-scope assets on a scheduleScan policy, scan reports, asset coverage
Vulnerabilities are prioritised and remediated within risk-based SLAsRemediation SLAs, patch records, exception tracking
Penetration testing is performed periodically and after major changePen-test reports, retest evidence, scope definitions
Malware/anti-malware defences are deployed and updatedEndpoint/gateway AV config, signature/definition status
Threat intelligence informs proactive defenceTI feeds, threat briefings, detection tuning records

UEM — Universal Endpoint Management

What to verifyTypical evidence
Endpoints (managed and BYOD) are inventoried and governed by policyEndpoint inventory, UEM policy, enrolment records
Endpoints are hardened, patched and configuration-managedHardening baselines, MDM config, patch compliance
Endpoint protection (EDR/AV, encryption) is enforcedEDR/AV coverage, disk-encryption status
Mobile device and application management controls applyMDM/MAM config, containerisation, remote wipe capability
Data loss controls limit sensitive data on endpointsDLP policy, endpoint DLP config, alerts

Scoping

Scoping a CCM/STAR engagement means fixing precisely which cloud service(s), environments and control responsibilities are being assessed. Because CCM is cloud-specific and multi-tenant, scope decisions turn heavily on the service model and on the split of responsibility between provider and customer. Get scoping wrong and the assessment either over-claims (asserting controls the provider does not actually own) or under-claims (leaving material control areas unassessed).

  • Service definition: name the exact cloud service, edition and deployment region(s) in scope; exclude out-of-scope offerings explicitly.
  • Service model: determine IaaS, PaaS or SaaS, since this drives which controls fall to the provider versus the tenant.
  • Shared-responsibility mapping: for each of the 17 domains, record whether the control is provider, customer, or shared, using the CCM shared-responsibility columns.
  • Environment boundary: define production, DR and management planes in scope; note test/dev exclusions.
  • Data types: identify personal, sensitive and regulated data processed, as this raises DSP, CEK and compliance expectations.
  • Sub-service organisations: decide whether sub-processors are carved-in or carved-out (relevant to STA and STAR Attestation).
  • Assessment tier: fix the target STAR level (1, 2 Attestation, 2 Certification, or Continuous), which sets the evidence rigour.
  • Time period: for period-of-time assessments (SOC 2 Type II / Certification), define the observation window.
Shared responsibility is the crux of scope
The single most common CCM/STAR scoping error is misattributing control ownership. In IaaS the customer owns far more (OS hardening, application security, IAM inside the workload) than in SaaS, where the provider owns almost everything except data classification and end-user access. Document ownership per control before assessing, and make the responsibility matrix a deliverable in its own right.

Implementation approach

A CCM/STAR programme is best delivered in phases. The phasing below assumes an organisation moving from no formal cloud-control baseline towards a validated STAR Level 2 listing, but each phase adds value independently and can be a stopping point.

Phase 1 — Mobilise and scope

  • Activities: appoint a programme owner and steering group; confirm target STAR tier; define service/environment scope; obtain the current CCM/CAIQ.
  • Deliverables: programme charter, scope statement, shared-responsibility matrix, stakeholder RACI, project plan.

Phase 2 — Gap assessment against CCM

  • Activities: assess current controls against all 197 CCM objectives; complete a draft CAIQ; score maturity; identify gaps and quick wins.
  • Deliverables: completed draft CAIQ, gap register with severity, maturity heat-map, prioritised remediation roadmap.

Phase 3 — Remediation and control build

  • Activities: implement missing controls (policy, technical, process); harden configurations; stand up logging/monitoring; close SoD and IAM gaps.
  • Deliverables: updated policies/standards, implemented technical controls, remediation evidence, revised CAIQ.

Phase 4 — Evidence, operate and internal validation

  • Activities: operate controls to generate evidence over the required period; run internal audit/readiness review; test BCP, IR and access reviews.
  • Deliverables: evidence library, internal audit report, control operating-effectiveness records, readiness sign-off.

Phase 5 — STAR submission or independent assessment

  • Activities: publish CAIQ to the STAR Registry (Level 1) or engage an accredited assessor/CB for Attestation or Certification (Level 2).
  • Deliverables: STAR Registry entry, assessor report, STAR Attestation/Certification, maturity score (Certification).

Phase 6 — Continuous improvement and monitoring

  • Activities: track KPIs; remediate findings; refresh CAIQ on change; move towards STAR Continuous with automated control monitoring.
  • Deliverables: KPI dashboard, updated CAIQ, surveillance/re-certification plan, continuous-monitoring feeds.

Maturity and scoring model

STAR Certification does not merely pass or fail a provider; it assigns a management-capability maturity score across the CCM control domains, derived from a Capability Maturity Model style assessment. The scoring reflects how well controls are defined, managed and continuously improved. The indicative model below describes the maturity levels an assessor evaluates. In addition, STAR overall awards a bronze/silver/gold-style rating based on the aggregate maturity achieved.

Maturity levelCharacteristicsIndicative STAR outcome
No / Not applicableControl absent or not relevant to scopeGap; not scoreable
Level 1 — Ad hoc / InitialControls informal, reactive, undocumentedBelow certification threshold
Level 2 — RepeatableControls defined for key areas but inconsistentApproaching threshold; findings likely
Level 3 — DefinedControls documented, standardised and applied consistentlyBronze-equivalent achievable
Level 4 — Managed / MeasuredControls measured with metrics and reviewedSilver-equivalent achievable
Level 5 — OptimisingControls continuously improved and predictiveGold-equivalent achievable

For STAR Attestation (SOC 2 based) there is no maturity star rating; instead the assessment concludes on whether controls are suitably designed (Type I) and operating effectively over the period (Type II), with any exceptions documented. For Level 1 self-assessment there is no score at all: the value is transparency, and buyers weigh the completeness and credibility of the published CAIQ.

Assessment and audit approach

Whether performing an internal readiness review or an accredited STAR assessment, the following ordered approach ensures consistent, defensible results.

  1. Confirm scope, service model and shared-responsibility split; agree the target STAR tier and, if applicable, the observation period.
  2. Obtain and review the current CCM/CAIQ and the provider's completed self-assessment as the assessment baseline.
  3. Plan the assessment: build a test programme mapping each in-scope control to procedures (inquiry, inspection, observation, re-performance).
  4. Perform design assessment: confirm each control is suitably designed to meet the CCM objective.
  5. Perform operating-effectiveness testing (for period assessments): sample evidence across the window to confirm the control ran as designed.
  6. Assess maturity (for Certification): score each domain against the capability maturity model.
  7. Document exceptions, deficiencies and gaps with severity, root cause and impact.
  8. Agree management responses and remediation plans with owners and timelines.
  9. Draft the report (CAIQ, Attestation, or Certification) and perform quality review.
  10. Publish to the STAR Registry / issue the certificate, then schedule surveillance, re-assessment or continuous monitoring.

Evidence request list

The following categorised evidence list supports a CCM/STAR assessment. It is illustrative rather than exhaustive; tailor it to the in-scope service and STAR tier.

  • Governance and policy: information security policy suite, governance charter, risk methodology and register, exception register, management review minutes.
  • Shared responsibility and scope: service descriptions, shared-responsibility matrix, architecture and data-flow diagrams, sub-processor list.
  • Identity and access: IAM policy, MFA/PAM configuration, RBAC matrix, access review/recertification records, joiner-mover-leaver logs.
  • Cryptography and data: encryption and key-management policy, KMS/HSM records, key rotation logs, data classification and retention schedules, disposal certificates.
  • Change and configuration: change policy, CAB records, hardening baselines, drift/config-scan reports, CI/CD and pipeline access controls.
  • Vulnerability and threat: scan reports, patch/remediation records, penetration-test reports and retests, anti-malware and threat-intel evidence.
  • Logging and monitoring: logging policy, log source inventory, SIEM/alerting configuration, time-sync config, sample retained logs.
  • Resilience: BCP/DR plans, BIA, RTO/RPO matrix, backup and restore-test logs, DR exercise reports.
  • Incident and forensics: IR plan and playbooks, incident register, breach-notification records, post-incident reviews.
  • Human resources: screening records, employment/NDA agreements, awareness-training records, offboarding evidence.
  • Physical and datacentre: facility security policy, access logs, environmental monitoring, provider datacentre certifications.
  • Supply chain: supplier register and risk tiering, contracts/SLAs/DPAs, provider audit reports and CAIQ reviews.
  • Endpoint: endpoint inventory, UEM/MDM configuration, EDR/encryption coverage, endpoint DLP evidence.

Roles and responsibilities

RoleCCM/STAR responsibility
Executive sponsor / CISOOwns the programme, approves scope and risk appetite, secures resources.
Cloud security / GRC leadRuns the assessment, maintains the CAIQ, coordinates remediation.
Control / domain ownersImplement and operate controls in their domain, supply evidence.
IT and cloud operationsConfigure and run technical controls (IAM, encryption, logging, DR).
Legal / privacy / DPOAdvise on compliance, contracts, DPAs, breach notification, data protection.
Internal auditPerforms independent readiness review and validates evidence.
Third-party assessor / CBDelivers STAR Attestation/Certification and issues the report.
Procurement / vendor riskUses CAIQ and STAR Registry to assess and select cloud suppliers.

KPIs to track

  • Percentage of CCM controls implemented (design) and operating effectively.
  • Average CCM domain maturity score and trend over time.
  • Number and severity of open gaps/findings, and mean time to remediate.
  • MFA and privileged-access coverage across in-scope identities.
  • Vulnerability remediation SLA adherence (by severity).
  • Patch compliance rate and mean time to patch critical vulnerabilities.
  • Backup success rate and DR/BCP test pass rate against RTO/RPO.
  • Mean time to detect and respond to security incidents.
  • Access-review completion rate and orphaned-account count.
  • Percentage of suppliers assessed and STAR/CAIQ coverage of key providers.
  • CAIQ freshness (time since last refresh) and STAR listing currency.

Readiness checklist

  • Programme scope, service model and shared-responsibility matrix are documented and signed off.
  • Target STAR tier (Level 1, 2 Attestation, 2 Certification, or Continuous) is agreed.
  • A completed, current CAIQ exists with narratives and evidence pointers for all 197 controls.
  • All 17 CCM domains have been gap-assessed and material gaps remediated.
  • Policies exist and are approved for governance, IAM, cryptography, change, logging, BCP, IR and supply chain.
  • MFA, least-privilege and privileged access controls are enforced and reviewed.
  • Encryption at rest and in transit is verified with a functioning key-management lifecycle.
  • Logging, monitoring and alerting are operational with protected, time-synchronised logs.
  • BCP/DR and incident-response plans have been tested within the required period.
  • Vulnerability scanning, patching and penetration testing are current with SLAs met.
  • An evidence library covers the observation period for operating-effectiveness testing.
  • An internal readiness review has been completed and sign-off obtained before external assessment.

Common gaps

  • Misassigning shared responsibility, especially over-claiming provider controls in IaaS/PaaS deployments.
  • A CAIQ completed as a marketing exercise, with 'yes' answers unsupported by evidence.
  • MFA gaps for privileged, service and break-glass accounts despite general MFA coverage.
  • Incomplete key-management lifecycle: encryption enabled but no rotation, revocation or HSM protection.
  • Logs collected but not protected, retained, time-synchronised or actively monitored.
  • BCP/DR plans that exist on paper but have never been tested against stated RTO/RPO.
  • Access reviews not performed at planned intervals, leaving orphaned and over-privileged accounts.
  • Supply-chain and sub-processor risk unassessed, breaking the STA domain and STAR Attestation carve-in logic.
  • Configuration drift with no detection, undermining CCC and hardening baselines.
  • Data classification and retention undefined, weakening DSP and privacy obligations.
  • Treating STAR Level 1 self-assessment as equivalent to independent Level 2 assurance.
  • Stale CAIQ/STAR listings that no longer reflect the current environment after change.

CSA CCM / STAR mapped to other frameworks

A major strength of CCM is that each control is cross-mapped to other authoritative standards, allowing an organisation to assess once and evidence many. The table summarises the principal mappings and how CCM domains relate to adjacent frameworks. Always confirm the exact control-level mappings in the current official CCM spreadsheet.

FrameworkRelationship to CCM/STAR
ISO/IEC 27001 / 27002STAR Certification builds on 27001; CCM controls map to Annex A / 27002 controls.
ISO/IEC 27017Cloud-specific control guidance strongly aligned with CCM domains.
ISO/IEC 27018Cloud PII protection maps to CCM DSP and privacy controls.
SOC 2 (AICPA TSC)STAR Attestation is delivered on the SOC 2 framework with CCM criteria.
NIST SP 800-53 / CSFCCM maps to NIST control families and CSF functions for US-aligned buyers.
PCI DSSCCM maps to PCI requirements for cardholder-data cloud environments.
GDPR / DPDP ActDSP, CEK and STA controls support data-protection and residency obligations.
CIS Controls / BenchmarksHardening baselines under CCC/IVS align with CIS Benchmarks.
HIPAACCM data-security and access controls support healthcare compliance.

How CyberSigma helps

How CyberSigma helps with CSA CCM / STAR
CyberSigma helps cloud providers and cloud-consuming enterprises move from ad-hoc cloud security to validated STAR assurance. Our CERT-In empanelled and QSA-qualified assessors run a full CCM gap assessment across all 17 domains, build a defensible shared-responsibility matrix, complete and evidence your CAIQ, and stand up the technical and process controls needed to close gaps. We then prepare you for and support your chosen STAR tier, whether that is a credible Level 1 self-assessment, a STAR Attestation on SOC 2, or a STAR Certification with a strong maturity score, and we help you cross-leverage the same evidence for ISO 27001, SOC 2, PCI DSS and DPDP. Talk to CyberSigma to plan a right-sized, audit-ready CCM/STAR programme.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is CSA STAR a certification?
STAR Level 1 is a self-assessment; STAR Level 2 offers third-party certification (built on ISO 27001) or attestation (built on SOC 2).

Need help with CSA CCM / STAR?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.