AccountMade

One control, every framework.

Security frameworks mostly ask the same things in different words. Look up any control in CCM / CAIQ, ISO 27001, SOC 2, NIST, or SIG and see its equivalents across all the others — so you can answer once and reuse it everywhere. 197 controls, cross-referenced, with the source and confidence on every mapping.

Audit & Assurance

A&A-01 Audit and Assurance Policy and Procedures

Maintain and annually review documented audit and assurance policies, procedures, and standards.

ISO 27001
A.5.35 · Organizational controlsA.5.36 · Organizational controls
medium confidencecontrol-level

Audit/assurance policy ≈ independent review of infosec (5.35) & compliance with policies/standards (5.36).

SOC 2
No direct equivalent
NIST CSF 2.0
GV.OV-01 · GovernGV.OV-03 · GovernID.IM-02 · Identify
high confidencedomain-level

Anchored to the A&A domain, not this specific control.

NIST 800-53
CA-2CA-7AU-6PM-14
high confidencedomain-level

Control family anchor for the A&A domain.

SIG
Compliance ManagementInformation Assurance
medium confidencedomain-level

SIG aligns to CCM at the domain level.

What a buyer’s reviewer is really checking

Whether an independent party — not just your own team — regularly checks that your controls actually work, and whether you fix what they find.

A truthful answer needs

Name the assurance you hold (SOC 2 Type II, ISO 27001, etc.), its scope and period, who the auditor was, and how findings are tracked to closure. Attach the report or bridge letter under NDA.

Red flag

"We conduct regular internal audits." Internal-only review isn't independent assurance; reviewers read this as "no third-party attestation."

Answer this once, from a governed source

The full crosswalk

All 197 CSA CCM v4 controls, grouped by domain, mapped to ISO 27001:2022, SOC 2, NIST CSF 2.0, and SIG. NIST and SIG are aligned at the domain level; open a control above for NIST 800-53 and provenance.

CCM v4ISO 27001:2022SOC 2NIST CSF 2.0SIG domain
Audit & Assurance A&A
A&A-01 Audit and Assurance Policy and ProceduresA.5.35, A.5.36GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
A&A-02 Independent AssessmentsA.5.35CC1.1, CC2.2, CC2.3, CC4.1, CC4.2GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
A&A-03 Risk Based Planning AssessmentA.5.35CC1.1, CC4.1GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
A&A-04 Requirements ComplianceA.5.31CC1.5, CC2.2, CC2.3, CC3.1GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
A&A-05 Audit Management ProcessA.5.35, A.5.36CC1.1, CC1.5, CC2.2, CC2.3, CC4.1, CC4.2, CC7.2GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
A&A-06 RemediationA.5.36CC1.1, CC1.5, CC3.1, CC3.2, CC4.2, CC7.3, A1.2GV.OV-01, GV.OV-03, ID.IM-02Compliance Management, Information Assurance
Application & Interface Security AIS
AIS-01 Application and Interface Security Policy and ProceduresA.5.8CC2.3, CC5.2, PI1.2, PI1.3PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-02 Application Security Baseline RequirementsA.8.25, A.8.26CC5.2, CC6.1, CC6.7, CC7.1, CC8.1PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-03 Application Security MetricsA.8.29CC1.1, CC1.2, CC1.5, CC2.1, CC2.2, CC4.1, CC4.2, CC5.3PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-04 Secure Application Design and DevelopmentA.8.25, A.8.27, A.8.28CC2.3, CC4.1, CC5.2, CC8.1, PI1.1, PI1.2, PI1.3, PI1.4, PI1.5PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-05 Automated Application Security TestingA.8.29CC4.1PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-06 Automated Secure Application DeploymentA.8.31, A.8.32PI1.1, PI1.2, PI1.3, PI1.4, PI1.5PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
AIS-07 Application Vulnerability RemediationA.8.8CC4.2PR.PS-06, PR.PS-01Application Management, Artificial Intelligence
Business Continuity Management and Operational Resilience BCR
BCR-01 Business Continuity Management Policy and ProceduresA.5.29CC7.4, CC7.5, CC8.1, CC9.1, A1.2PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-02 Risk Assessment and Impact AnalysisA.5.29, A.5.30CC3.2, CC5.2, CC7.4, CC7.5, CC8.1, CC9.1, A1.2PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-03 Business Continuity StrategyA.5.29, A.5.30CC7.4, CC7.5, CC8.1, CC9.1, A1.2PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-04 Business Continuity PlanningA.5.29, A.5.30CC7.5PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-05 DocumentationA.5.29CC7.4, CC7.5, CC8.1, CC9.1, A1.2, P6.0, P6.1, P6.4PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-06 Business Continuity ExercisesA.5.29CC7.5, A1.3PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-07 CommunicationA.5.29CC7.5PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-08 BackupA.8.13CC7.5, A1.2, A1.3PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-09 Disaster Response PlanA.5.29, A.5.30CC7.4, CC7.5, CC8.1, CC9.1, A1.2PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-10 Response Plan ExerciseA.5.29CC7.5, A1.3PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
BCR-11 Equipment RedundancyA.8.14A1.2PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03IT Operations Management, Operational Resilience
Change Control and Configuration Management CCC
CCC-01 Change Management Policy and ProceduresA.8.9, A.8.32CC2.2, CC3.4, CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-02 Quality TestingA.8.29, A.8.32CC2.2, CC3.4, CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-03 Change Management TechnologyA.8.32CC2.2, CC3.4, CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-04 Unauthorized Change ProtectionA.8.9, A.8.32CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-05 Change AgreementsA.8.32CC2.2, CC3.4, CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-06 Change Management BaselineA.8.9, A.8.32CC6.1, CC6.7, CC7.1, CC7.2, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-07 Detection of Baseline DeviationA.8.9, A.8.16CC7.1, CC7.2, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-08 Exception ManagementA.8.32CC7.1, CC7.2, CC8.1PR.PS-01, ID.AM-08IT Operations Management
CCC-09 Change RestorationA.8.32CC2.2, CC3.4, CC6.8, CC8.1PR.PS-01, ID.AM-08IT Operations Management
Cryptography, Encryption & Key Management CEK
CEK-01 Encryption and Key Management Policy and ProceduresA.8.24CC6.1, CC6.6, CC6.7PR.DS-01, PR.DS-02Asset and Information Management
CEK-02 CEK Roles and ResponsibilitiesA.5.2, A.8.24CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC5.3, CC6.1, CC6.6, CC6.7, CC7.4PR.DS-01, PR.DS-02Asset and Information Management
CEK-03 Data EncryptionA.8.24CC6.1, CC6.6, CC6.7PR.DS-01, PR.DS-02Asset and Information Management
CEK-04 Encryption AlgorithmA.8.24CC2.1, CC6.1, CC6.5, CC6.6, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5PR.DS-01, PR.DS-02Asset and Information Management
CEK-05 Encryption Change ManagementA.8.24CC2.2, CC3.4, CC6.8, CC8.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-06 Encryption Change Cost Benefit AnalysisA.8.24CC2.2, CC3.4, CC6.8, CC8.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-07 Encryption Risk ManagementA.8.24CC1.1, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.3, CC7.2, CC7.3, CC7.4, CC9.1, A1.2PR.DS-01, PR.DS-02Asset and Information Management
CEK-08 CSC Key Management CapabilityA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-09 Encryption and Key Management AuditA.5.35, A.8.24CC1.1, CC2.2, CC2.3, CC4.1, CC4.2, CC7.2PR.DS-01, PR.DS-02Asset and Information Management
CEK-10 Key GenerationA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-11 Key PurposeA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-12 Key RotationA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-13 Key RevocationA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-14 Key DestructionA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-15 Key ActivationA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-16 Key SuspensionA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-17 Key DeactivationA.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-18 Key ArchivalA.8.24PR.DS-01, PR.DS-02Asset and Information Management
CEK-19 Key CompromiseA.6.8, A.8.24CC6.1PR.DS-01, PR.DS-02Asset and Information Management
CEK-20 Key RecoveryA.8.24PR.DS-01, PR.DS-02Asset and Information Management
CEK-21 Key Inventory ManagementA.5.9, A.8.24PR.DS-01, PR.DS-02Asset and Information Management
Datacenter Security DCS
DCS-01 Off-Site Equipment Disposal Policy and ProceduresA.7.14CC6.4, A1.2PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-02 Off-Site Transfer Authorization Policy and ProceduresA.7.9, A.7.10CC6.5, C1.2, P4.3PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-03 Secure Area Policy and ProceduresA.7.3CC6.7, A1.2PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-04 Secure Media Transportation Policy and ProceduresA.7.10PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-05 Assets ClassificationA.5.9, A.5.12PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-06 Assets Cataloguing and TrackingA.5.9CC2.1, CC6.1, C1.1PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-07 Controlled Access PointsA.7.1, A.7.2CC2.1, CC6.1PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-08 Equipment IdentificationA.5.9CC6.4PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-09 Secure Area AuthorizationA.7.2CC6.1PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-10 Surveillance SystemA.7.4CC6.4PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-11 Unauthorized Access Response TrainingA.7.4CC6.4PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-12 Cabling SecurityA.7.12CC1.4, CC2.2PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-13 Environmental SystemsA.7.11PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-14 Secure UtilitiesA.7.11A1.2PR.AA-06, PR.IR-02Physical and Environmental Security
DCS-15 Equipment LocationA.7.5, A.7.8CC7.5, A1.2, A1.3PR.AA-06, PR.IR-02Physical and Environmental Security
Data Security and Privacy Lifecycle Management DSP
DSP-01 Security and Privacy Policy and ProceduresA.5.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-02 Secure DisposalA.7.10, A.7.14, A.8.10CC6.5, C1.2, P4.3PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-03 Data InventoryA.5.9CC2.1, CC6.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-04 Data ClassificationA.5.12CC2.1, CC6.1, C1.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-05 Data Flow DocumentationA.5.12CC2.1, C1.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-06 Data Ownership and StewardshipA.5.9CC2.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-07 Data Protection by Design and DefaultA.8.27CC2.2, CC3.2, CC5.1, CC5.2, CC6.1, CC8.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-08 Data Privacy by Design and DefaultA.5.34, A.8.27PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-09 Data Protection Impact AssessmentA.5.34CC3.2, CC5.2, PI1.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-10 Sensitive Data TransferA.5.14, A.8.24CC2.1, CC6.1, CC6.5, CC6.6, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-11 Personal Data Access, Reversal, Rectification and DeletionA.5.34, A.8.10P5.0, P5.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-12 Limitation of Purpose in Personal Data ProcessingA.5.34CC6.1, CC8.1, P1.1, P3.1, P4.0, P4.1, P6.7PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-13 Personal Data Sub-processingA.5.20, A.5.34P6.1, P6.4PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-14 Disclosure of Data Sub-processorsA.5.20, A.5.34CC2.3, P1.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-15 Limitation of Production Data UseA.8.31, A.8.33CC6.1, P4.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-16 Data Retention and DeletionA.5.33, A.8.10CC6.5, C1.1, C1.2, PI1.5, P4.0, P4.2, P4.3PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-17 Sensitive Data ProtectionA.5.34, A.8.11, A.8.12CC2.1, CC2.2, CC6.1, CC6.5, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5, P4.0, P4.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-18 Disclosure NotificationA.5.34P5.1, P5.2, P6.0, P6.1, P6.2, P6.3, P6.4PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
DSP-19 Data LocationA.5.9CC2.1PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07Asset and Information Management, Privacy Management
Governance, Risk and Compliance GRC
GRC-01 Governance Program Policy and ProceduresA.5.1CC1.1, CC1.2, CC2.3GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-02 Risk Management ProgramA.5.2CC3.1, CC3.2, CC3.4, CC4.1, CC5.1, CC9.1, A1.2GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-03 Organizational Policy ReviewsA.5.1GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-04 Policy Exception ProcessA.5.1GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-05 Information Security ProgramA.5.1CC1.1, CC1.2, CC2.3GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-06 Governance Responsibility ModelA.5.2CC1.1, CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC2.3, CC5.3, CC7.4, CC9.2GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-07 Information System Regulatory MappingA.5.31CC1.5, CC2.2, CC2.3, CC3.1, CC5.2GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
GRC-08 Special Interest GroupsA.5.6CC2.2, CC2.3GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance
Human Resources HRS
HRS-01 Background Screening Policy and ProceduresA.6.1CC1.1, CC1.2, CC1.3, CC1.4, CC1.5, CC2.2, CC2.3, CC3.3PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-02 Acceptable Use of Technology Policy and ProceduresA.5.10CC1.1PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-03 Clean Desk Policy and ProceduresA.7.7CC1.1PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-04 Remote and Home Working Policy and ProceduresA.6.7PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-05 Asset ReturnsA.5.11CC6.4PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-06 Employment TerminationA.6.5CC1.5, CC6.2PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-07 Employment Agreement ProcessA.6.2CC1.1PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-08 Employment Agreement ContentA.6.2CC1.1PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-09 Personnel Roles and ResponsibilitiesA.5.2CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC5.3, CC7.4PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-10 Non-Disclosure AgreementsA.6.6CC1.5PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-11 Security Awareness TrainingA.6.3CC1.4, CC2.2PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-12 Personal and Sensitive Data Awareness and TrainingA.6.3CC1.4, CC2.2PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
HRS-13 Compliance User ResponsibilityA.5.4CC1.1PR.AT-01, PR.AT-02, GV.RR-02Human Resources Security
Identity & Access Management IAM
IAM-01 Identity and Access Management Policy and ProceduresA.5.15CC6.1, CC6.6PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-02 Strong Password Policy and ProceduresA.5.17CC6.1, CC6.6PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-03 Identity InventoryA.5.16PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-04 Separation of DutiesA.5.3CC5.1PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-05 Least PrivilegeA.5.15, A.8.2CC5.2, CC6.1PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-06 User Access ProvisioningA.5.18CC6.2, CC6.3PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-07 User Access Changes and RevocationA.5.18CC1.5, CC6.2, CC6.3PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-08 User Access ReviewA.5.18CC6.2, CC6.3PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-09 Segregation of Privileged Access RolesA.5.3, A.8.2CC5.2, CC6.1, CC6.2, CC6.3, CC6.8PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-10 Management of Privileged Access RolesA.8.2CC5.2, CC6.1, CC6.2, CC6.3PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-11 CSCs Approval for Agreed Privileged Access RolesA.8.2CC1.1, CC1.4, CC2.3, CC3.2, CC3.3, CC3.4, CC6.1, CC6.2, CC6.3, CC9.1, CC9.2PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-12 Safeguard Logs IntegrityA.8.15CC6.1PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-13 Uniquely Identifiable UsersA.5.16CC5.2, CC6.1, CC6.6PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-14 Strong AuthenticationA.8.5CC6.1, CC6.6PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-15 Passwords ManagementA.5.17CC6.1, CC6.6PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
IAM-16 Authorization MechanismsA.5.15, A.8.3PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05Access Control
Interoperability & Portability IPY
IPY-01 Interoperability and Portability Policy and ProceduresA.5.23CC6.1
IPY-02 Application Interface Availability
IPY-03 Secure Interoperability and Portability ManagementA.8.20, A.8.24
IPY-04 Data Portability Contractual ObligationsA.5.20CC1.1, CC2.3, CC6.1, CC9.1, CC9.2, P6.1, P6.4
Infrastructure & Virtualization Security IVS
IVS-01 Infrastructure and Virtualization Security Policy and ProceduresA.5.37PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-02 Capacity and Resource PlanningA.8.6PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-03 Network SecurityA.8.20, A.8.21, A.8.22PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-04 OS Hardening and Base ControlsA.8.9PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-05 Production and Non-Production EnvironmentsA.8.31PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-06 Segmentation and SegregationA.8.22PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-07 Migration to Cloud EnvironmentsA.5.23, A.8.24PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-08 Network Architecture DocumentationA.8.20PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
IVS-09 Network DefenseA.8.16, A.8.20PR.IR-01, PR.PS-01, DE.CM-01Cloud Services, IT Operations Management, Network Security, Server Security
Logging and Monitoring LOG
LOG-01 Logging and Monitoring Policy and ProceduresA.8.15CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-02 Audit Logs ProtectionA.8.15CC6.1, CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-03 Security Monitoring and AlertingA.8.16CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-04 Audit Logs Access and AccountabilityA.8.15CC6.1DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-05 Audit Logs Monitoring and ResponseA.8.15, A.8.16CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-06 Clock SynchronizationA.8.17DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-07 Logging ScopeA.8.15CC2.1, CC2.2, CC5.2, CC6.1DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-08 Log RecordsA.8.15CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-09 Log ProtectionA.8.15CC6.1, CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-10 Encryption Monitoring and ReportingA.8.16, A.8.24CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-11 Transaction/Activity LoggingA.8.15CC6.1, CC6.6, CC6.7DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-12 Access Control LogsA.7.4, A.8.15CC6.4, CC7.2DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
LOG-13 Failures and Anomalies ReportingA.8.16CC7.2, CC7.3DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04IT Operations Management
Security Incident Management, E-Discovery, & Cloud Forensics SEF
SEF-01 Security Incident Management Policy and ProceduresA.5.24, A.5.28CC2.2, CC7.3, CC7.4, A1.2RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-02 Service Management Policy and ProceduresA.5.24CC1.1, CC1.4, CC2.3, CC3.3, CC3.4, CC9.1, CC9.2RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-03 Incident Response PlansA.5.24, A.5.26CC2.2, CC2.3, CC7.3, CC7.4, A1.2RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-04 Incident Response TestingA.5.24RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-05 Incident Response MetricsA.5.27CC1.1, CC1.2, CC1.5, CC2.1, CC2.2, CC4.1, CC4.2, CC5.3RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-06 Event Triage ProcessesA.5.25CC2.2, CC2.3, CC7.3, CC7.4, A1.2RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-07 Security Breach NotificationA.5.5, A.5.26CC2.2, CC2.3, CC7.3, CC7.4, A1.2RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
SEF-08 Points of Contact MaintenanceA.5.5CC2.2, CC2.3, CC7.3, CC7.4, CC7.5, P6.3, P6.6, P6.7RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01Cybersecurity Incident Management
Supply Chain Management, Transparency, and Accountability STA
STA-01 SSRM Policy and ProceduresA.5.19CC1.1, CC1.4, CC2.3, CC3.3, CC3.4, CC9.1, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-02 SSRM Supply ChainA.5.21, A.5.23CC1.1, CC1.3, CC2.2, CC2.3, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-03 SSRM GuidanceA.5.19CC1.1, CC1.3, CC2.2, CC2.3, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-04 SSRM Control OwnershipA.5.19CC1.1, CC1.3, CC2.2, CC2.3, CC9.1, CC9.2, P6.4GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-05 SSRM Documentation ReviewA.5.20CC1.1, CC1.3, CC2.2, CC2.3, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-06 SSRM Control ImplementationA.5.19CC1.1, CC1.3, CC2.2, CC2.3, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-07 Supply Chain InventoryA.5.19, A.5.21CC1.1, CC1.3, CC2.2, CC2.3, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-08 Supply Chain Risk ManagementA.5.19, A.5.22CC2.1GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-09 Primary Service and Contractual AgreementA.5.20GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-10 Supply Chain Agreement ReviewA.5.22CC1.4, CC3.4, CC9.1, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-11 Internal Compliance TestingA.5.35, A.5.36CC1.1, CC2.3, CC9.1, CC9.2, P6.4GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-12 Supply Chain Service Agreement ComplianceA.5.22CC1.4, CC3.4, CC9.1, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-13 Supply Chain Governance ReviewA.5.22CC1.4, CC3.4, CC9.1, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
STA-14 Supply Chain Data Security AssessmentA.5.21, A.5.22CC1.4, CC3.4, CC9.1, CC9.2GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10Cloud Services, Nth Party Management, Supply Chain Risk Management
Threat & Vulnerability Management TVM
TVM-01 Threat and Vulnerability Management Policy and ProceduresA.5.7, A.8.8CC3.2, CC3.4, CC8.1, CC9.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-02 Malware Protection Policy and ProceduresA.8.7CC6.7ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-03 Vulnerability Remediation ScheduleA.8.8CC2.2, CC3.2, CC3.4, CC9.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-04 Detection UpdatesA.5.7, A.8.7CC3.2, CC3.3, CC3.4, CC9.1, CC9.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-05 External Library VulnerabilitiesA.8.8CC3.2, CC9.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-06 Penetration TestingA.8.8, A.8.29CC3.2, CC9.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-07 Vulnerability IdentificationA.8.8ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-08 Vulnerability PrioritizationA.8.8CC4.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-09 Vulnerability Management ReportingA.8.8CC3.4ID.RA-01, ID.RA-06, DE.CM-09Threat Management
TVM-10 Vulnerability Management MetricsA.8.8CC3.2, CC3.4, CC4.2, A1.2ID.RA-01, ID.RA-06, DE.CM-09Threat Management
Universal Endpoint Management UEM
UEM-01 Endpoint Devices Policy and ProceduresA.8.1CC6.7ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-02 Application and Service ApprovalA.8.19ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-03 CompatibilityA.8.19CC7.1, CC8.1ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-04 Endpoint InventoryA.5.9, A.8.1CC2.1, CC6.1ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-05 Endpoint ManagementA.8.1CC6.7ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-06 Automatic Lock ScreenA.7.7, A.8.1ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-07 Operating SystemsA.8.8CC6.1, CC6.7, CC7.1, CC8.1ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-08 Storage EncryptionA.8.24CC6.1, CC6.7ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-09 Anti-Malware Detection and PreventionA.8.7CC6.8ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-10 Software FirewallA.8.20ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-11 Data Loss PreventionA.8.12CC6.7ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-12 Remote LocateA.8.1CC6.7ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-13 Remote WipeA.8.1, A.8.10ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security
UEM-14 Third-Party Endpoint Security PostureA.8.1ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06Asset and Information Management, Endpoint Security, Server Security

Sources: CSA Cloud Controls Matrix v4; Secure Controls Framework (CCM↔SOC 2); ISO/IEC 27002:2022 Annex B (2013→2022); CSA CCM↔NIST CSF/800-53 (OLIR); Shared Assessments SIG 2024/25. Lower-confidence mappings are directional — verify against the primary framework.

FAQ

How do security frameworks like SOC 2, ISO 27001, and CCM map to each other?

The frameworks overlap heavily — most controls describe the same underlying practice in different words. For example, CSA CCM IAM-14 (strong authentication / MFA), SOC 2 CC6.1, ISO 27001:2022 A.8.5 (secure authentication) and NIST CSF PR.AA all cover the same control. This crosswalk maps all 197 CCM v4 controls across ISO 27001, SOC 2, NIST CSF 2.0, NIST 800-53, and SIG so you can see the equivalents at a glance.

If I've answered a SOC 2 question, does it cover ISO 27001 or a CAIQ?

Usually yes — most controls are shared. Answer a control once and it satisfies the equivalent control in every other framework. That's the whole point of a crosswalk: the same evidence and answer can be reused across SOC 2, ISO 27001, CAIQ, and a SIG. Look up your control here to see exactly which controls it maps to.

Where do these mappings come from?

The CCM v4 control set is from the Cloud Security Alliance. CCM→SOC 2 mappings are derived from the Secure Controls Framework (SCF) crosswalk; CCM→ISO 27001 mappings were verified control-by-control against ISO/IEC 27002:2022 and carry per-mapping confidence (most high or medium, a few directional); CCM→NIST and CCM→SIG are anchored at the domain level from CSA and Shared Assessments material. Every mapping shows its confidence and source — treat the lower-confidence ones as a strong starting point to verify against the primary framework.

Answer every buyer from one governed source.