Introduction: The Cloud Controls Matrix and the STAR Programme
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is the de-facto reference framework for cloud-computing security. First released in 2010 and evolved through successive versions, CCM provides a structured catalogue of security controls tailored specifically to the realities of cloud service delivery, where responsibility for security is shared between a cloud service provider (CSP) and the customers who consume its services. The current major version, CCM v4, comprises 197 control objectives organised across 17 security domains, and it is accompanied by the Consensus Assessments Initiative Questionnaire (CAIQ), a companion set of yes/no questions that allow a provider to assert how each control is implemented.
The Security, Trust, Assurance and Risk (STAR) programme is the assurance layer that sits on top of CCM. STAR is a publicly accessible registry and certification scheme through which cloud providers document, and independent assessors validate, the security posture of a given cloud offering. STAR is structured in tiers of increasing rigour: Level 1 is a self-assessment based on the CAIQ, Level 2 is a third-party independent assessment (STAR Attestation, STAR Certification, or a C-STAR assessment for the Greater China market), and a continuous-monitoring tier delivers near-real-time assurance. Together, CCM and STAR give buyers a transparent, comparable way to evaluate the security of cloud services before and during procurement.
This guide is written for security and compliance leaders, cloud architects, GRC practitioners and auditors who need to plan, execute or assure a CCM/STAR programme. It walks through the framework structure, provides a master assessment checklist covering every domain, and sets out a phased implementation approach, scoring model, evidence expectations and mappings to adjacent standards. Throughout, the emphasis is on practical, auditor-grade specifics rather than abstract theory.
Copyright and licensing note
The Cloud Controls Matrix, the CAIQ and the STAR programme materials are the intellectual property of the Cloud Security Alliance. CCM and CAIQ are released under the CSA's terms of use, which permit use for internal assessment but restrict commercial redistribution and derivative works. STAR Certification and Attestation are delivered by CSA-authorised certification bodies and assessors. This guide is an original CyberSigma explanatory work; it paraphrases and interprets the framework and does NOT reproduce CSA's copyrighted control text, question wording or logos. Always work from the current official CCM/CAIQ spreadsheet and STAR programme documentation obtained directly from the Cloud Security Alliance.
What is CSA CCM / STAR
CCM is a controls framework: a normalised, cloud-specific catalogue of control objectives that a provider or consumer can use to design, operate and audit a secure cloud environment. Unlike a general-purpose standard, CCM is explicitly built around cloud concepts, the shared responsibility model, the three service models (IaaS, PaaS, SaaS) and multi-tenancy. Each control objective is expressed as a concise statement of intent, and each is accompanied by implementation guidance, a shared-responsibility indicator and mappings to other authoritative standards.
Two companion artefacts make CCM operational. The CAIQ translates each control objective into one or more assessment questions that a provider answers, typically with a yes/no/NA response plus a narrative explanation and a statement of which party (provider, tenant, or shared) owns the control. The CCM implementation guidelines and the shared-responsibility model columns tell an organisation how the control is expected to be discharged across service models.
STAR is the assurance and transparency programme that consumes CCM/CAIQ output. A provider that completes a CAIQ can publish it to the public STAR Registry as a Level 1 self-assessment. To reach Level 2, an accredited third party validates the controls, either as a STAR Attestation (built on the SOC 2 framework and AICPA criteria), a STAR Certification (built on ISO/IEC 27001 with a CCM-based maturity scoring), or C-STAR for China. A continuous-monitoring tier extends assurance beyond a point-in-time snapshot. The result is a single, comparable, buyer-facing signal of cloud trustworthiness.
- CCM v4: 197 control objectives across 17 domains, each with implementation guidance and shared-responsibility guidance.
- CAIQ v4: the questionnaire form of CCM used to capture provider assertions and evidence pointers.
- STAR Level 1: publicly published self-assessment (CAIQ or CCM) on the CSA STAR Registry.
- STAR Level 2: independent third-party validation via Attestation (SOC 2), Certification (ISO 27001 + maturity), or C-STAR.
- STAR Continuous: ongoing, machine-readable assurance for near-real-time monitoring.
- CCM includes cross-mappings to ISO 27001/27002/27017/27018, NIST, PCI DSS, SOC 2, and other frameworks.
Who must comply
CCM/STAR is voluntary in the sense that no single law mandates it by name, yet it has become a contractual and procurement expectation across large swathes of the market. It applies to any organisation that builds, sells or heavily consumes cloud services, and it is increasingly requested in supplier due-diligence and RFP processes.
| Stakeholder | Why CCM/STAR applies to them |
|---|
| Cloud Service Providers (IaaS/PaaS/SaaS) | Publishing a STAR entry (Level 1 minimum) is now a baseline expectation for enterprise sales; Level 2 differentiates in competitive procurement. |
| SaaS vendors and ISVs | Enterprise and regulated buyers frequently demand a completed CAIQ or STAR listing as part of vendor risk assessment. |
| Cloud consumers / enterprises | Use CCM as a control baseline and use the STAR Registry to evaluate and compare prospective providers. |
| Managed service providers (MSPs/MSSPs) | Demonstrate cloud security maturity to downstream customers and inherit/complement provider controls. |
| Regulated industries (BFSI, healthcare, government) | Map CCM to sector rules (e.g. RBI, HIPAA, GDPR, DPDP) to evidence cloud due-diligence. |
| Procurement and third-party risk teams | Use CAIQ responses to shortcut security questionnaires and standardise supplier assessment. |
| Auditors and certification bodies | Deliver STAR Attestation/Certification and validate CCM control implementation. |
Structure of CSA CCM / STAR
CCM v4 is organised into 17 domains. Each domain has a two- or three-letter identifier and contains a set of numbered control objectives (for example, IAM-01 through IAM-16). The 17 domains collectively contain 197 controls. The table below lists every CCM v4 domain, its identifier and its scope. Control counts per domain vary; the identifiers shown are the canonical CCM v4 domain codes.
| Domain code | Domain name | Scope in brief |
|---|
| A&A | Audit & Assurance | Internal/external audit planning, independent assessments, risk-based audit, remediation tracking. |
| AIS | Application & Interface Security | Secure SDLC, application security testing, secure design, API/interface security. |
| BCR | Business Continuity Mgmt & Operational Resilience | BCP/DR planning, backups, testing, response, restoration and resilience. |
| CCC | Change Control & Configuration Management | Change management, baselines, unauthorised change detection, deployment governance. |
| CEK | Cryptography, Encryption & Key Management | Encryption policy, key lifecycle, key storage, rotation, algorithms and protocols. |
| DCS | Datacenter Security | Physical and environmental security of facilities, secure areas, equipment, off-site. |
| DSP | Data Security & Privacy Lifecycle Management | Data classification, flow mapping, retention, disposal, privacy, data protection by design. |
| GRC | Governance, Risk & Compliance | Policies, risk management programme, compliance, exceptions and governance oversight. |
| HRS | Human Resources | Screening, onboarding/offboarding, acceptable use, awareness, employment agreements. |
| IAM | Identity & Access Management | Identity lifecycle, authentication, authorisation, privileged access, SSO/MFA, segregation of duties. |
| IPY | Interoperability & Portability | Data/service portability, interoperability, secure interchange, exit and migration. |
| IVS | Infrastructure & Virtualization Security | Network security, segmentation, hypervisor hardening, workload isolation, capacity. |
| LOG | Logging & Monitoring | Audit logging, log protection, clock sync, event monitoring, incident detection telemetry. |
| SEF | Security Incident Mgmt, E-Discovery & Cloud Forensics | Incident response, forensics, e-discovery, breach notification and metrics. |
| STA | Supply Chain Mgmt, Transparency & Accountability | Third-party/supply-chain risk, SLAs, provider assessments, inventory and transparency. |
| TVM | Threat & Vulnerability Management | Vulnerability scanning, patching, penetration testing, malware defence, threat management. |
| UEM | Universal Endpoint Management | Endpoint inventory, hardening, MDM/MAM, endpoint protection, data loss on devices. |
STAR layers assurance tiers on top of this structure. The relationship between CCM (the controls) and STAR (the assurance) is summarised below.
| STAR tier | Assessment basis | Assurance rigour |
|---|
| Level 1 — Self-Assessment (CAIQ/CCM) | Provider completes CAIQ and self-publishes | Transparency, unvalidated |
| Level 2 — STAR Attestation | SOC 2 Type I/II + CCM criteria, by CPA firm | Independent, point-in-time or period |
| Level 2 — STAR Certification | ISO/IEC 27001 + CCM maturity scoring, by accredited CB | Independent, certified with maturity rating |
| Level 2 — C-STAR | GB/T 22080 (China ISO 27001 equiv.) + CCM | Independent, Greater China market |
| Continuous | Ongoing control monitoring, machine-readable | Near-real-time, highest transparency |
Master assessment checklist
This is the core of the guide. For every CCM domain it sets out what an assessor should verify and the typical evidence that substantiates the control. The intent is that a lead assessor can work domain by domain and leave no control area unexamined. Verify each item against the current CCM control text and the provider's CAIQ responses, and confirm both design and operating effectiveness where the STAR tier requires it.
A&A — Audit & Assurance
| What to verify | Typical evidence |
|---|
| An audit and assurance policy exists, is approved and reviewed at planned intervals | Signed policy, review dates, approver records |
| A risk-based internal audit plan covers the cloud environment and CCM scope | Audit universe, annual audit plan, scoping notes |
| Independent assessments (external audits, penetration tests) are performed periodically | Third-party assessment reports, engagement letters |
| Audit findings are tracked to closure with owners and due dates | Findings/remediation register, corrective action plans |
| Compliance with applicable legal, regulatory and contractual obligations is verified | Compliance mapping, regulatory register, evidence of checks |
AIS — Application & Interface Security
| What to verify | Typical evidence |
|---|
| A secure application design and development policy governs the SDLC | AppSec policy, SDLC standard, secure coding guidelines |
| Application security testing (SAST/DAST/SCA) is performed before release | Scan reports, pipeline config, gate/threshold records |
| Security is embedded at design (threat modelling) and in acceptance criteria | Threat models, design review records, security requirements |
| APIs and interfaces enforce authentication, authorisation and input validation | API gateway config, auth policy, validation test results |
| Vulnerabilities in applications are remediated within defined SLAs | Defect tracking, remediation timelines, retest evidence |
BCR — Business Continuity Management & Operational Resilience
| What to verify | Typical evidence |
|---|
| A business continuity and disaster recovery programme is documented and approved | BCP/DR policy and plans, BIA outputs |
| RTO/RPO objectives are defined per service and are achievable | BIA, RTO/RPO matrix, architecture diagrams |
| Backups are configured, encrypted, tested and restorable | Backup schedules, restore test logs, encryption config |
| BCP/DR plans are exercised at planned intervals with lessons learned | Test/exercise reports, tabletop records, improvement actions |
| Resilience is engineered (redundancy, failover, capacity headroom) | HA/DR architecture, failover test evidence, SLA data |
CCC — Change Control & Configuration Management
| What to verify | Typical evidence |
|---|
| A change management policy defines request, review, approval and rollback | Change policy, CAB terms of reference |
| Changes are risk-assessed, tested and approved before production deployment | Change tickets, approval records, test evidence |
| Configuration baselines and hardening standards are defined and enforced | Baseline docs, CIS benchmarks, config management tooling |
| Unauthorised or emergency changes are detected, logged and reviewed | Drift detection reports, emergency change logs |
| Deployment automation and separation of duties prevent unilateral change | CI/CD config, RBAC on pipelines, segregation evidence |
CEK — Cryptography, Encryption & Key Management
| What to verify | Typical evidence |
|---|
| An encryption and key management policy specifies approved algorithms/protocols | Crypto policy, approved cipher list, TLS standard |
| Data is encrypted at rest and in transit across the service | Encryption config, TLS scan results, storage settings |
| Keys have a defined lifecycle: generation, distribution, rotation, revocation, destruction | Key management procedures, rotation logs, KMS/HSM records |
| Keys are stored and protected (HSM/KMS) with strict access control | HSM/KMS inventory, access logs, FIPS certification |
| Cryptographic implementations are reviewed for strength and deprecation | Algorithm review records, deprecation plan, cipher audits |
DCS — Datacenter Security
| What to verify | Typical evidence |
|---|
| Physical security controls protect facilities and secure areas | Facility security policy, badge/CCTV records, floor plans |
| Access to datacentres is authorised, logged and periodically reviewed | Access lists, entry logs, access review records |
| Environmental controls (power, cooling, fire) are in place and monitored | Environmental monitoring, UPS/generator tests, alarms |
| Equipment is securely sited, maintained and disposed of | Asset records, maintenance logs, secure disposal certificates |
| For cloud tenants, provider datacentre assurance is obtained (SOC/ISO) | Provider audit reports, datacentre certifications |
DSP — Data Security & Privacy Lifecycle Management
| What to verify | Typical evidence |
|---|
| Data is classified and handled per classification throughout its lifecycle | Data classification policy, labelling, handling rules |
| Data flows and locations (including cross-border) are mapped | Data flow diagrams, data inventory, residency records |
| Retention and secure disposal schedules are defined and enforced | Retention schedule, disposal logs, deletion evidence |
| Privacy by design and data-protection obligations are met (consent, DSAR) | Privacy policy, DPIA records, DSAR process, consent logs |
| Personal and sensitive data receive additional safeguards (masking, minimisation) | Masking/tokenisation config, minimisation records |
GRC — Governance, Risk & Compliance
| What to verify | Typical evidence |
|---|
| An information security governance structure and policy set is established | Governance charter, policy library, approval records |
| A risk management programme identifies, assesses and treats risks | Risk methodology, risk register, treatment plans |
| Compliance obligations are inventoried and monitored | Compliance/legal register, obligation tracker |
| Policy exceptions are formally requested, approved and time-bound | Exception register, approval and expiry records |
| Management reviews security performance and drives improvement | Management review minutes, KPI dashboards |
HRS — Human Resources
| What to verify | Typical evidence |
|---|
| Background screening is performed proportionate to role and risk | Screening policy, completed checks, role risk mapping |
| Employment agreements include security and confidentiality obligations | Contracts, NDAs, acceptable use acknowledgements |
| Onboarding and offboarding provision/revoke access promptly | Joiner/mover/leaver records, access revocation logs |
| Security awareness and role-based training are delivered and tracked | Training records, completion rates, phishing test results |
| Disciplinary process addresses security policy violations | Disciplinary policy, sanction records where applicable |
IAM — Identity & Access Management
| What to verify | Typical evidence |
|---|
| Identity lifecycle (provision, change, deprovision) is governed | IAM policy, joiner/leaver logs, orphaned account reviews |
| Strong authentication (MFA) is enforced, especially for privileged/remote access | MFA config, coverage report, enforcement policy |
| Least-privilege and role-based access control are implemented | RBAC matrix, entitlement reviews, privilege reports |
| Privileged access is restricted, monitored and time-limited (PAM) | PAM tooling, session logs, just-in-time access records |
| Access rights are recertified at planned intervals | Access review/attestation records, exception handling |
| Segregation of duties conflicts are identified and mitigated | SoD ruleset, conflict analysis, compensating controls |
IPY — Interoperability & Portability
| What to verify | Typical evidence |
|---|
| Standard, documented APIs/formats enable interoperability | API documentation, supported format list |
| Customers can export/import their data in usable formats | Export capability, data portability documentation |
| Data interchange during migration is secure and integrity-checked | Migration procedures, integrity/checksum evidence |
| Exit and service-termination provisions are defined | Exit clauses, off-boarding and data-return procedures |
| Portability is tested so lock-in risk is understood | Portability test records, format validation |
IVS — Infrastructure & Virtualization Security
| What to verify | Typical evidence |
|---|
| Network security controls (firewalls, segmentation, micro-segmentation) are in place | Network diagrams, firewall/SG rules, segmentation design |
| Hypervisor and virtualization layers are hardened and patched | Hardening baselines, patch records, config scans |
| Tenant workloads are isolated in multi-tenant environments | Isolation architecture, tenancy controls, test evidence |
| Capacity and resource management prevent exhaustion/denial | Capacity plans, autoscaling config, monitoring |
| Network traffic is monitored for anomalies and threats | IDS/IPS logs, netflow, anomaly detection records |
LOG — Logging & Monitoring
| What to verify | Typical evidence |
|---|
| Audit logs capture security-relevant events across systems | Logging policy, log source inventory, sample logs |
| Logs are protected from tampering and retained per policy | Immutable/WORM storage, retention config, access controls |
| Clocks are synchronised to an authoritative time source | NTP config, time-sync monitoring |
| Security events are monitored and correlated (SIEM/analytics) | SIEM config, correlation rules, alert records |
| Alerting and escalation drive timely investigation | Alert workflow, escalation matrix, response times |
SEF — Security Incident Management, E-Discovery & Cloud Forensics
| What to verify | Typical evidence |
|---|
| An incident response plan defines roles, phases and communications | IR policy/plan, contact lists, playbooks |
| Incidents are triaged, classified and handled per severity | Incident register, classification criteria, timelines |
| Forensic readiness and evidence-handling procedures exist | Forensics procedures, chain-of-custody templates |
| Breach notification obligations (regulatory, contractual) are met | Notification procedures, regulator/customer notices |
| Incident metrics and lessons learned drive improvement | Post-incident reviews, metrics, improvement actions |
STA — Supply Chain Management, Transparency & Accountability
| What to verify | Typical evidence |
|---|
| Third parties and suppliers are inventoried and risk-assessed | Supplier register, risk tiering, assessment records |
| Security requirements are embedded in contracts and SLAs | Contract clauses, SLAs, DPAs, right-to-audit terms |
| Provider/sub-processor security is validated on an ongoing basis | Provider audit reports, CAIQ reviews, monitoring |
| Shared responsibility is documented and understood | Responsibility matrix (RACI), service descriptions |
| Supply-chain changes and incidents are communicated transparently | Change notifications, sub-processor lists, incident notices |
TVM — Threat & Vulnerability Management
| What to verify | Typical evidence |
|---|
| Vulnerability scanning covers all in-scope assets on a schedule | Scan policy, scan reports, asset coverage |
| Vulnerabilities are prioritised and remediated within risk-based SLAs | Remediation SLAs, patch records, exception tracking |
| Penetration testing is performed periodically and after major change | Pen-test reports, retest evidence, scope definitions |
| Malware/anti-malware defences are deployed and updated | Endpoint/gateway AV config, signature/definition status |
| Threat intelligence informs proactive defence | TI feeds, threat briefings, detection tuning records |
UEM — Universal Endpoint Management
| What to verify | Typical evidence |
|---|
| Endpoints (managed and BYOD) are inventoried and governed by policy | Endpoint inventory, UEM policy, enrolment records |
| Endpoints are hardened, patched and configuration-managed | Hardening baselines, MDM config, patch compliance |
| Endpoint protection (EDR/AV, encryption) is enforced | EDR/AV coverage, disk-encryption status |
| Mobile device and application management controls apply | MDM/MAM config, containerisation, remote wipe capability |
| Data loss controls limit sensitive data on endpoints | DLP policy, endpoint DLP config, alerts |
Scoping
Scoping a CCM/STAR engagement means fixing precisely which cloud service(s), environments and control responsibilities are being assessed. Because CCM is cloud-specific and multi-tenant, scope decisions turn heavily on the service model and on the split of responsibility between provider and customer. Get scoping wrong and the assessment either over-claims (asserting controls the provider does not actually own) or under-claims (leaving material control areas unassessed).
- Service definition: name the exact cloud service, edition and deployment region(s) in scope; exclude out-of-scope offerings explicitly.
- Service model: determine IaaS, PaaS or SaaS, since this drives which controls fall to the provider versus the tenant.
- Shared-responsibility mapping: for each of the 17 domains, record whether the control is provider, customer, or shared, using the CCM shared-responsibility columns.
- Environment boundary: define production, DR and management planes in scope; note test/dev exclusions.
- Data types: identify personal, sensitive and regulated data processed, as this raises DSP, CEK and compliance expectations.
- Sub-service organisations: decide whether sub-processors are carved-in or carved-out (relevant to STA and STAR Attestation).
- Assessment tier: fix the target STAR level (1, 2 Attestation, 2 Certification, or Continuous), which sets the evidence rigour.
- Time period: for period-of-time assessments (SOC 2 Type II / Certification), define the observation window.
Shared responsibility is the crux of scope
The single most common CCM/STAR scoping error is misattributing control ownership. In IaaS the customer owns far more (OS hardening, application security, IAM inside the workload) than in SaaS, where the provider owns almost everything except data classification and end-user access. Document ownership per control before assessing, and make the responsibility matrix a deliverable in its own right.
Implementation approach
A CCM/STAR programme is best delivered in phases. The phasing below assumes an organisation moving from no formal cloud-control baseline towards a validated STAR Level 2 listing, but each phase adds value independently and can be a stopping point.
Phase 1 — Mobilise and scope
- Activities: appoint a programme owner and steering group; confirm target STAR tier; define service/environment scope; obtain the current CCM/CAIQ.
- Deliverables: programme charter, scope statement, shared-responsibility matrix, stakeholder RACI, project plan.
Phase 2 — Gap assessment against CCM
- Activities: assess current controls against all 197 CCM objectives; complete a draft CAIQ; score maturity; identify gaps and quick wins.
- Deliverables: completed draft CAIQ, gap register with severity, maturity heat-map, prioritised remediation roadmap.
Phase 3 — Remediation and control build
- Activities: implement missing controls (policy, technical, process); harden configurations; stand up logging/monitoring; close SoD and IAM gaps.
- Deliverables: updated policies/standards, implemented technical controls, remediation evidence, revised CAIQ.
Phase 4 — Evidence, operate and internal validation
- Activities: operate controls to generate evidence over the required period; run internal audit/readiness review; test BCP, IR and access reviews.
- Deliverables: evidence library, internal audit report, control operating-effectiveness records, readiness sign-off.
Phase 5 — STAR submission or independent assessment
- Activities: publish CAIQ to the STAR Registry (Level 1) or engage an accredited assessor/CB for Attestation or Certification (Level 2).
- Deliverables: STAR Registry entry, assessor report, STAR Attestation/Certification, maturity score (Certification).
Phase 6 — Continuous improvement and monitoring
- Activities: track KPIs; remediate findings; refresh CAIQ on change; move towards STAR Continuous with automated control monitoring.
- Deliverables: KPI dashboard, updated CAIQ, surveillance/re-certification plan, continuous-monitoring feeds.
Maturity and scoring model
STAR Certification does not merely pass or fail a provider; it assigns a management-capability maturity score across the CCM control domains, derived from a Capability Maturity Model style assessment. The scoring reflects how well controls are defined, managed and continuously improved. The indicative model below describes the maturity levels an assessor evaluates. In addition, STAR overall awards a bronze/silver/gold-style rating based on the aggregate maturity achieved.
| Maturity level | Characteristics | Indicative STAR outcome |
|---|
| No / Not applicable | Control absent or not relevant to scope | Gap; not scoreable |
| Level 1 — Ad hoc / Initial | Controls informal, reactive, undocumented | Below certification threshold |
| Level 2 — Repeatable | Controls defined for key areas but inconsistent | Approaching threshold; findings likely |
| Level 3 — Defined | Controls documented, standardised and applied consistently | Bronze-equivalent achievable |
| Level 4 — Managed / Measured | Controls measured with metrics and reviewed | Silver-equivalent achievable |
| Level 5 — Optimising | Controls continuously improved and predictive | Gold-equivalent achievable |
For STAR Attestation (SOC 2 based) there is no maturity star rating; instead the assessment concludes on whether controls are suitably designed (Type I) and operating effectively over the period (Type II), with any exceptions documented. For Level 1 self-assessment there is no score at all: the value is transparency, and buyers weigh the completeness and credibility of the published CAIQ.
Assessment and audit approach
Whether performing an internal readiness review or an accredited STAR assessment, the following ordered approach ensures consistent, defensible results.
- Confirm scope, service model and shared-responsibility split; agree the target STAR tier and, if applicable, the observation period.
- Obtain and review the current CCM/CAIQ and the provider's completed self-assessment as the assessment baseline.
- Plan the assessment: build a test programme mapping each in-scope control to procedures (inquiry, inspection, observation, re-performance).
- Perform design assessment: confirm each control is suitably designed to meet the CCM objective.
- Perform operating-effectiveness testing (for period assessments): sample evidence across the window to confirm the control ran as designed.
- Assess maturity (for Certification): score each domain against the capability maturity model.
- Document exceptions, deficiencies and gaps with severity, root cause and impact.
- Agree management responses and remediation plans with owners and timelines.
- Draft the report (CAIQ, Attestation, or Certification) and perform quality review.
- Publish to the STAR Registry / issue the certificate, then schedule surveillance, re-assessment or continuous monitoring.
Evidence request list
The following categorised evidence list supports a CCM/STAR assessment. It is illustrative rather than exhaustive; tailor it to the in-scope service and STAR tier.
- Governance and policy: information security policy suite, governance charter, risk methodology and register, exception register, management review minutes.
- Shared responsibility and scope: service descriptions, shared-responsibility matrix, architecture and data-flow diagrams, sub-processor list.
- Identity and access: IAM policy, MFA/PAM configuration, RBAC matrix, access review/recertification records, joiner-mover-leaver logs.
- Cryptography and data: encryption and key-management policy, KMS/HSM records, key rotation logs, data classification and retention schedules, disposal certificates.
- Change and configuration: change policy, CAB records, hardening baselines, drift/config-scan reports, CI/CD and pipeline access controls.
- Vulnerability and threat: scan reports, patch/remediation records, penetration-test reports and retests, anti-malware and threat-intel evidence.
- Logging and monitoring: logging policy, log source inventory, SIEM/alerting configuration, time-sync config, sample retained logs.
- Resilience: BCP/DR plans, BIA, RTO/RPO matrix, backup and restore-test logs, DR exercise reports.
- Incident and forensics: IR plan and playbooks, incident register, breach-notification records, post-incident reviews.
- Human resources: screening records, employment/NDA agreements, awareness-training records, offboarding evidence.
- Physical and datacentre: facility security policy, access logs, environmental monitoring, provider datacentre certifications.
- Supply chain: supplier register and risk tiering, contracts/SLAs/DPAs, provider audit reports and CAIQ reviews.
- Endpoint: endpoint inventory, UEM/MDM configuration, EDR/encryption coverage, endpoint DLP evidence.
Roles and responsibilities
| Role | CCM/STAR responsibility |
|---|
| Executive sponsor / CISO | Owns the programme, approves scope and risk appetite, secures resources. |
| Cloud security / GRC lead | Runs the assessment, maintains the CAIQ, coordinates remediation. |
| Control / domain owners | Implement and operate controls in their domain, supply evidence. |
| IT and cloud operations | Configure and run technical controls (IAM, encryption, logging, DR). |
| Legal / privacy / DPO | Advise on compliance, contracts, DPAs, breach notification, data protection. |
| Internal audit | Performs independent readiness review and validates evidence. |
| Third-party assessor / CB | Delivers STAR Attestation/Certification and issues the report. |
| Procurement / vendor risk | Uses CAIQ and STAR Registry to assess and select cloud suppliers. |
KPIs to track
- Percentage of CCM controls implemented (design) and operating effectively.
- Average CCM domain maturity score and trend over time.
- Number and severity of open gaps/findings, and mean time to remediate.
- MFA and privileged-access coverage across in-scope identities.
- Vulnerability remediation SLA adherence (by severity).
- Patch compliance rate and mean time to patch critical vulnerabilities.
- Backup success rate and DR/BCP test pass rate against RTO/RPO.
- Mean time to detect and respond to security incidents.
- Access-review completion rate and orphaned-account count.
- Percentage of suppliers assessed and STAR/CAIQ coverage of key providers.
- CAIQ freshness (time since last refresh) and STAR listing currency.
Readiness checklist
- Programme scope, service model and shared-responsibility matrix are documented and signed off.
- Target STAR tier (Level 1, 2 Attestation, 2 Certification, or Continuous) is agreed.
- A completed, current CAIQ exists with narratives and evidence pointers for all 197 controls.
- All 17 CCM domains have been gap-assessed and material gaps remediated.
- Policies exist and are approved for governance, IAM, cryptography, change, logging, BCP, IR and supply chain.
- MFA, least-privilege and privileged access controls are enforced and reviewed.
- Encryption at rest and in transit is verified with a functioning key-management lifecycle.
- Logging, monitoring and alerting are operational with protected, time-synchronised logs.
- BCP/DR and incident-response plans have been tested within the required period.
- Vulnerability scanning, patching and penetration testing are current with SLAs met.
- An evidence library covers the observation period for operating-effectiveness testing.
- An internal readiness review has been completed and sign-off obtained before external assessment.
Common gaps
- Misassigning shared responsibility, especially over-claiming provider controls in IaaS/PaaS deployments.
- A CAIQ completed as a marketing exercise, with 'yes' answers unsupported by evidence.
- MFA gaps for privileged, service and break-glass accounts despite general MFA coverage.
- Incomplete key-management lifecycle: encryption enabled but no rotation, revocation or HSM protection.
- Logs collected but not protected, retained, time-synchronised or actively monitored.
- BCP/DR plans that exist on paper but have never been tested against stated RTO/RPO.
- Access reviews not performed at planned intervals, leaving orphaned and over-privileged accounts.
- Supply-chain and sub-processor risk unassessed, breaking the STA domain and STAR Attestation carve-in logic.
- Configuration drift with no detection, undermining CCC and hardening baselines.
- Data classification and retention undefined, weakening DSP and privacy obligations.
- Treating STAR Level 1 self-assessment as equivalent to independent Level 2 assurance.
- Stale CAIQ/STAR listings that no longer reflect the current environment after change.
CSA CCM / STAR mapped to other frameworks
A major strength of CCM is that each control is cross-mapped to other authoritative standards, allowing an organisation to assess once and evidence many. The table summarises the principal mappings and how CCM domains relate to adjacent frameworks. Always confirm the exact control-level mappings in the current official CCM spreadsheet.
| Framework | Relationship to CCM/STAR |
|---|
| ISO/IEC 27001 / 27002 | STAR Certification builds on 27001; CCM controls map to Annex A / 27002 controls. |
| ISO/IEC 27017 | Cloud-specific control guidance strongly aligned with CCM domains. |
| ISO/IEC 27018 | Cloud PII protection maps to CCM DSP and privacy controls. |
| SOC 2 (AICPA TSC) | STAR Attestation is delivered on the SOC 2 framework with CCM criteria. |
| NIST SP 800-53 / CSF | CCM maps to NIST control families and CSF functions for US-aligned buyers. |
| PCI DSS | CCM maps to PCI requirements for cardholder-data cloud environments. |
| GDPR / DPDP Act | DSP, CEK and STA controls support data-protection and residency obligations. |
| CIS Controls / Benchmarks | Hardening baselines under CCC/IVS align with CIS Benchmarks. |
| HIPAA | CCM data-security and access controls support healthcare compliance. |
How CyberSigma helps
How CyberSigma helps with CSA CCM / STAR
CyberSigma helps cloud providers and cloud-consuming enterprises move from ad-hoc cloud security to validated STAR assurance. Our CERT-In empanelled and QSA-qualified assessors run a full CCM gap assessment across all 17 domains, build a defensible shared-responsibility matrix, complete and evidence your CAIQ, and stand up the technical and process controls needed to close gaps. We then prepare you for and support your chosen STAR tier, whether that is a credible Level 1 self-assessment, a STAR Attestation on SOC 2, or a STAR Certification with a strong maturity score, and we help you cross-leverage the same evidence for ISO 27001, SOC 2, PCI DSS and DPDP. Talk to CyberSigma to plan a right-sized, audit-ready CCM/STAR programme.