The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework specifically for cloud computing, and the STAR (Security, Trust, Assurance and Risk) programme provides a registry and certification/attestation for cloud providers’ security posture.
The Cloud Controls Matrix (CCM)
- A comprehensive set of cloud-specific control objectives across domains such as identity & access, data security & privacy, application security, infrastructure & virtualisation, logging & monitoring, and supply-chain management.
- Maps its controls to ISO 27001/27017/27018, SOC 2, NIST, PCI DSS and other frameworks, so a single CCM assessment can provide evidence for several compliance programmes at once.
- Defines shared-responsibility guidance between cloud provider and customer.
CAIQ and STAR levels
| Element | What it is |
|---|---|
| CAIQ | Consensus Assessments Initiative Questionnaire — a self-assessment aligned to the CCM |
| STAR Level 1 | Self-assessment (CAIQ) published in the CSA STAR Registry |
| STAR Level 2 | Third-party certification/attestation (e.g., STAR Certification built on ISO 27001, or STAR Attestation built on SOC 2) |
How to use it
- Complete the CAIQ against the CCM to baseline your cloud security posture.
- Publish to the STAR Registry (Level 1) for transparency to customers.
- For higher assurance, pursue STAR Level 2 (certification/attestation) atop ISO 27001 or SOC 2.
- Use the CCM mappings to satisfy overlapping frameworks.
How CyberSigma helps
We assess your cloud environment against the CSA CCM, complete the CAIQ, and integrate STAR with your ISO 27001 or SOC 2 work for third-party cloud assurance.
Frequently asked questions
Is CSA STAR a certification?
STAR Level 1 is a self-assessment; STAR Level 2 offers third-party certification (built on ISO 27001) or attestation (built on SOC 2).
Need help with CSA CCM / STAR?
Our CERT-In empanelled, PCI QSA senior auditors can take you from reading about CSA CCM / STAR to being compliant with a scoped, guided programme.
