Next Generation Cloud Computing Audit Guidelines — CSA CCM v4.0

What is Cloud Computing?

A solid definition of cloud computing is provided by the National Institute of Standard and Technology (NIST). The definition is as follows:


Why the interest in Cloud Computing?

For companies, this approach offers in general flexibility, scalability and mobility. Some of the main advantages for companies are the following:

  1. They transfer the installation and maintenance of their IT systems to specialists and can concentrate on their core business.
  2. The same data can be accessed from different locations and by different people. Employees can therefore also process company data on the move using mobile devices such as smartphones and tablets.

Basic rules of Cloud Computing

In the context of cloud computing, specifically for the more risk-involved deployment models, data should always be transferred via an encrypted connection. Of highest priority are particularly sensitive information for which special measures have to be taken. This is where the choice of the cloud provider does matter. Only specialized cloud providers adapted to the requirements of the type of data or the industry in question should be used.

What is Cloud Compliance?

Cloud compliance refers to meeting the requirements or criteria needed to be in accordance with a certain type of certification or framework. There are a variety of different types of compliance that may be required by industry, request for proposal, client, etc. The type of cloud security and compliance requirements will help determine the cloud compliance that is right for an organization.

Auditing in Cloud Computing

During the planning and execution stages of a cloud security and compliance audit, it is vital to develop a thorough understanding of all relevant audit objectives. Ideally, companies should align their business objectives with the objectives of the audit. ISACA as an independent organization works in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. An excellent list of objectives for cloud computing is ISACA’s IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud.

CSA Cloud Controls Matrix (CSA CCM)

The cloud security alliance (CSA) is the world’s leading organization in defining best practices to help establish a secure cloud computing environment. Since 2010, the CSA has released multiple versions of a Cloud Controls Matrix (CCM) for public use. The latest version (v4.0) was released in July 2021 with SRCs managing directors Jan Jacobsen and Bilal Khattak being the lead authors.

CSA CCM Domains

In chapter 2 of CSA CCM v4.0 the auditing guidelines of 17 domains are described which altogether form CSA’s current cloud controls matrix. Note that each domain contains a set of controls. As part of each control, the control title, its ID, the control specification and the control-specific auditing guidelines are provided. The 17 domains CSA states are given in the following table:

Cloud Security Alliance Guide

The Cloud Security Alliance Guide v4.0 is a document that can be downloaded from the Cloud Security Alliance website through the link here. Briefly speaking, the guide provides additional educational information to organizations on how they can safely adopt cloud services, as well as identify and address the underlying risks.


This article tried to give a short, but still comprehensive overview of cloud computing and underlying aspects with respect to auditing and compliance. In addition to that, the CSA CCM v4.0 was introduced. The CSA CCM v4.0 is the most recent cloud security matrix (CCM) developed by the cloud security alliance (CSA) — the world’s leading organization in formulating best practices on secure cloud computing — to help organizations evaluate their cloud security posture and implement best practices.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SRC - Security, Risk, Compliance

SRC - Security, Risk, Compliance

Beratung, um Security, Risk und Compliance bei Ihnen als Enabler für das Business zu etablieren.