One control, every framework.
Security frameworks mostly ask the same things in different words. Look up any control in CCM / CAIQ, ISO 27001, SOC 2, NIST, or SIG and see its equivalents across all the others — so you can answer once and reuse it everywhere. 197 controls, cross-referenced, with the source and confidence on every mapping.
A&A-01 Audit and Assurance Policy and Procedures
Maintain and annually review documented audit and assurance policies, procedures, and standards.
Audit/assurance policy ≈ independent review of infosec (5.35) & compliance with policies/standards (5.36).
Anchored to the A&A domain, not this specific control.
Control family anchor for the A&A domain.
SIG aligns to CCM at the domain level.
What a buyer’s reviewer is really checking
Whether an independent party — not just your own team — regularly checks that your controls actually work, and whether you fix what they find.
Name the assurance you hold (SOC 2 Type II, ISO 27001, etc.), its scope and period, who the auditor was, and how findings are tracked to closure. Attach the report or bridge letter under NDA.
"We conduct regular internal audits." Internal-only review isn't independent assurance; reviewers read this as "no third-party attestation."
The full crosswalk
All 197 CSA CCM v4 controls, grouped by domain, mapped to ISO 27001:2022, SOC 2, NIST CSF 2.0, and SIG. NIST and SIG are aligned at the domain level; open a control above for NIST 800-53 and provenance.
| CCM v4 | ISO 27001:2022 | SOC 2 | NIST CSF 2.0 | SIG domain |
|---|---|---|---|---|
| Audit & Assurance A&A | ||||
| A&A-01 Audit and Assurance Policy and Procedures | A.5.35, A.5.36 | — | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| A&A-02 Independent Assessments | A.5.35 | CC1.1, CC2.2, CC2.3, CC4.1, CC4.2 | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| A&A-03 Risk Based Planning Assessment | A.5.35 | CC1.1, CC4.1 | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| A&A-04 Requirements Compliance | A.5.31 | CC1.5, CC2.2, CC2.3, CC3.1 | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| A&A-05 Audit Management Process | A.5.35, A.5.36 | CC1.1, CC1.5, CC2.2, CC2.3, CC4.1, CC4.2, CC7.2 | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| A&A-06 Remediation | A.5.36 | CC1.1, CC1.5, CC3.1, CC3.2, CC4.2, CC7.3, A1.2 | GV.OV-01, GV.OV-03, ID.IM-02 | Compliance Management, Information Assurance |
| Application & Interface Security AIS | ||||
| AIS-01 Application and Interface Security Policy and Procedures | A.5.8 | CC2.3, CC5.2, PI1.2, PI1.3 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-02 Application Security Baseline Requirements | A.8.25, A.8.26 | CC5.2, CC6.1, CC6.7, CC7.1, CC8.1 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-03 Application Security Metrics | A.8.29 | CC1.1, CC1.2, CC1.5, CC2.1, CC2.2, CC4.1, CC4.2, CC5.3 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-04 Secure Application Design and Development | A.8.25, A.8.27, A.8.28 | CC2.3, CC4.1, CC5.2, CC8.1, PI1.1, PI1.2, PI1.3, PI1.4, PI1.5 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-05 Automated Application Security Testing | A.8.29 | CC4.1 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-06 Automated Secure Application Deployment | A.8.31, A.8.32 | PI1.1, PI1.2, PI1.3, PI1.4, PI1.5 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| AIS-07 Application Vulnerability Remediation | A.8.8 | CC4.2 | PR.PS-06, PR.PS-01 | Application Management, Artificial Intelligence |
| Business Continuity Management and Operational Resilience BCR | ||||
| BCR-01 Business Continuity Management Policy and Procedures | A.5.29 | CC7.4, CC7.5, CC8.1, CC9.1, A1.2 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-02 Risk Assessment and Impact Analysis | A.5.29, A.5.30 | CC3.2, CC5.2, CC7.4, CC7.5, CC8.1, CC9.1, A1.2 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-03 Business Continuity Strategy | A.5.29, A.5.30 | CC7.4, CC7.5, CC8.1, CC9.1, A1.2 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-04 Business Continuity Planning | A.5.29, A.5.30 | CC7.5 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-05 Documentation | A.5.29 | CC7.4, CC7.5, CC8.1, CC9.1, A1.2, P6.0, P6.1, P6.4 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-06 Business Continuity Exercises | A.5.29 | CC7.5, A1.3 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-07 Communication | A.5.29 | CC7.5 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-08 Backup | A.8.13 | CC7.5, A1.2, A1.3 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-09 Disaster Response Plan | A.5.29, A.5.30 | CC7.4, CC7.5, CC8.1, CC9.1, A1.2 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-10 Response Plan Exercise | A.5.29 | CC7.5, A1.3 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| BCR-11 Equipment Redundancy | A.8.14 | A1.2 | PR.IR-03, PR.IR-04, RC.RP-01, RC.CO-03 | IT Operations Management, Operational Resilience |
| Change Control and Configuration Management CCC | ||||
| CCC-01 Change Management Policy and Procedures | A.8.9, A.8.32 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-02 Quality Testing | A.8.29, A.8.32 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-03 Change Management Technology | A.8.32 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-04 Unauthorized Change Protection | A.8.9, A.8.32 | CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-05 Change Agreements | A.8.32 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-06 Change Management Baseline | A.8.9, A.8.32 | CC6.1, CC6.7, CC7.1, CC7.2, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-07 Detection of Baseline Deviation | A.8.9, A.8.16 | CC7.1, CC7.2, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-08 Exception Management | A.8.32 | CC7.1, CC7.2, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| CCC-09 Change Restoration | A.8.32 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.PS-01, ID.AM-08 | IT Operations Management |
| Cryptography, Encryption & Key Management CEK | ||||
| CEK-01 Encryption and Key Management Policy and Procedures | A.8.24 | CC6.1, CC6.6, CC6.7 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-02 CEK Roles and Responsibilities | A.5.2, A.8.24 | CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC5.3, CC6.1, CC6.6, CC6.7, CC7.4 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-03 Data Encryption | A.8.24 | CC6.1, CC6.6, CC6.7 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-04 Encryption Algorithm | A.8.24 | CC2.1, CC6.1, CC6.5, CC6.6, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-05 Encryption Change Management | A.8.24 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-06 Encryption Change Cost Benefit Analysis | A.8.24 | CC2.2, CC3.4, CC6.8, CC8.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-07 Encryption Risk Management | A.8.24 | CC1.1, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.3, CC7.2, CC7.3, CC7.4, CC9.1, A1.2 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-08 CSC Key Management Capability | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-09 Encryption and Key Management Audit | A.5.35, A.8.24 | CC1.1, CC2.2, CC2.3, CC4.1, CC4.2, CC7.2 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-10 Key Generation | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-11 Key Purpose | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-12 Key Rotation | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-13 Key Revocation | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-14 Key Destruction | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-15 Key Activation | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-16 Key Suspension | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-17 Key Deactivation | A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-18 Key Archival | A.8.24 | — | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-19 Key Compromise | A.6.8, A.8.24 | CC6.1 | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-20 Key Recovery | A.8.24 | — | PR.DS-01, PR.DS-02 | Asset and Information Management |
| CEK-21 Key Inventory Management | A.5.9, A.8.24 | — | PR.DS-01, PR.DS-02 | Asset and Information Management |
| Datacenter Security DCS | ||||
| DCS-01 Off-Site Equipment Disposal Policy and Procedures | A.7.14 | CC6.4, A1.2 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-02 Off-Site Transfer Authorization Policy and Procedures | A.7.9, A.7.10 | CC6.5, C1.2, P4.3 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-03 Secure Area Policy and Procedures | A.7.3 | CC6.7, A1.2 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-04 Secure Media Transportation Policy and Procedures | A.7.10 | — | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-05 Assets Classification | A.5.9, A.5.12 | — | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-06 Assets Cataloguing and Tracking | A.5.9 | CC2.1, CC6.1, C1.1 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-07 Controlled Access Points | A.7.1, A.7.2 | CC2.1, CC6.1 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-08 Equipment Identification | A.5.9 | CC6.4 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-09 Secure Area Authorization | A.7.2 | CC6.1 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-10 Surveillance System | A.7.4 | CC6.4 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-11 Unauthorized Access Response Training | A.7.4 | CC6.4 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-12 Cabling Security | A.7.12 | CC1.4, CC2.2 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-13 Environmental Systems | A.7.11 | — | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-14 Secure Utilities | A.7.11 | A1.2 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| DCS-15 Equipment Location | A.7.5, A.7.8 | CC7.5, A1.2, A1.3 | PR.AA-06, PR.IR-02 | Physical and Environmental Security |
| Data Security and Privacy Lifecycle Management DSP | ||||
| DSP-01 Security and Privacy Policy and Procedures | A.5.1 | — | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-02 Secure Disposal | A.7.10, A.7.14, A.8.10 | CC6.5, C1.2, P4.3 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-03 Data Inventory | A.5.9 | CC2.1, CC6.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-04 Data Classification | A.5.12 | CC2.1, CC6.1, C1.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-05 Data Flow Documentation | A.5.12 | CC2.1, C1.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-06 Data Ownership and Stewardship | A.5.9 | CC2.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-07 Data Protection by Design and Default | A.8.27 | CC2.2, CC3.2, CC5.1, CC5.2, CC6.1, CC8.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-08 Data Privacy by Design and Default | A.5.34, A.8.27 | — | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-09 Data Protection Impact Assessment | A.5.34 | CC3.2, CC5.2, PI1.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-10 Sensitive Data Transfer | A.5.14, A.8.24 | CC2.1, CC6.1, CC6.5, CC6.6, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-11 Personal Data Access, Reversal, Rectification and Deletion | A.5.34, A.8.10 | P5.0, P5.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-12 Limitation of Purpose in Personal Data Processing | A.5.34 | CC6.1, CC8.1, P1.1, P3.1, P4.0, P4.1, P6.7 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-13 Personal Data Sub-processing | A.5.20, A.5.34 | P6.1, P6.4 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-14 Disclosure of Data Sub-processors | A.5.20, A.5.34 | CC2.3, P1.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-15 Limitation of Production Data Use | A.8.31, A.8.33 | CC6.1, P4.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-16 Data Retention and Deletion | A.5.33, A.8.10 | CC6.5, C1.1, C1.2, PI1.5, P4.0, P4.2, P4.3 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-17 Sensitive Data Protection | A.5.34, A.8.11, A.8.12 | CC2.1, CC2.2, CC6.1, CC6.5, CC6.7, CC8.1, A1.2, C1.1, PI1.4, PI1.5, P4.0, P4.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-18 Disclosure Notification | A.5.34 | P5.1, P5.2, P6.0, P6.1, P6.2, P6.3, P6.4 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| DSP-19 Data Location | A.5.9 | CC2.1 | PR.DS-01, PR.DS-02, GV.OC-03, ID.AM-07 | Asset and Information Management, Privacy Management |
| Governance, Risk and Compliance GRC | ||||
| GRC-01 Governance Program Policy and Procedures | A.5.1 | CC1.1, CC1.2, CC2.3 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-02 Risk Management Program | A.5.2 | CC3.1, CC3.2, CC3.4, CC4.1, CC5.1, CC9.1, A1.2 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-03 Organizational Policy Reviews | A.5.1 | — | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-04 Policy Exception Process | A.5.1 | — | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-05 Information Security Program | A.5.1 | CC1.1, CC1.2, CC2.3 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-06 Governance Responsibility Model | A.5.2 | CC1.1, CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC2.3, CC5.3, CC7.4, CC9.2 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-07 Information System Regulatory Mapping | A.5.31 | CC1.5, CC2.2, CC2.3, CC3.1, CC5.2 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| GRC-08 Special Interest Groups | A.5.6 | CC2.2, CC2.3 | GV.RM-01, GV.PO-01, GV.OC-01, ID.RA-01 | Artificial Intelligence, Compliance Management, Enterprise Risk Management, Environmental, Social, Governance (ESG), Information Assurance |
| Human Resources HRS | ||||
| HRS-01 Background Screening Policy and Procedures | A.6.1 | CC1.1, CC1.2, CC1.3, CC1.4, CC1.5, CC2.2, CC2.3, CC3.3 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-02 Acceptable Use of Technology Policy and Procedures | A.5.10 | CC1.1 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-03 Clean Desk Policy and Procedures | A.7.7 | CC1.1 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-04 Remote and Home Working Policy and Procedures | A.6.7 | — | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-05 Asset Returns | A.5.11 | CC6.4 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-06 Employment Termination | A.6.5 | CC1.5, CC6.2 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-07 Employment Agreement Process | A.6.2 | CC1.1 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-08 Employment Agreement Content | A.6.2 | CC1.1 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-09 Personnel Roles and Responsibilities | A.5.2 | CC1.2, CC1.3, CC1.4, CC1.5, CC2.1, CC2.2, CC5.3, CC7.4 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-10 Non-Disclosure Agreements | A.6.6 | CC1.5 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-11 Security Awareness Training | A.6.3 | CC1.4, CC2.2 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-12 Personal and Sensitive Data Awareness and Training | A.6.3 | CC1.4, CC2.2 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| HRS-13 Compliance User Responsibility | A.5.4 | CC1.1 | PR.AT-01, PR.AT-02, GV.RR-02 | Human Resources Security |
| Identity & Access Management IAM | ||||
| IAM-01 Identity and Access Management Policy and Procedures | A.5.15 | CC6.1, CC6.6 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-02 Strong Password Policy and Procedures | A.5.17 | CC6.1, CC6.6 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-03 Identity Inventory | A.5.16 | — | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-04 Separation of Duties | A.5.3 | CC5.1 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-05 Least Privilege | A.5.15, A.8.2 | CC5.2, CC6.1 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-06 User Access Provisioning | A.5.18 | CC6.2, CC6.3 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-07 User Access Changes and Revocation | A.5.18 | CC1.5, CC6.2, CC6.3 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-08 User Access Review | A.5.18 | CC6.2, CC6.3 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-09 Segregation of Privileged Access Roles | A.5.3, A.8.2 | CC5.2, CC6.1, CC6.2, CC6.3, CC6.8 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-10 Management of Privileged Access Roles | A.8.2 | CC5.2, CC6.1, CC6.2, CC6.3 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-11 CSCs Approval for Agreed Privileged Access Roles | A.8.2 | CC1.1, CC1.4, CC2.3, CC3.2, CC3.3, CC3.4, CC6.1, CC6.2, CC6.3, CC9.1, CC9.2 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-12 Safeguard Logs Integrity | A.8.15 | CC6.1 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-13 Uniquely Identifiable Users | A.5.16 | CC5.2, CC6.1, CC6.6 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-14 Strong Authentication | A.8.5 | CC6.1, CC6.6 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-15 Passwords Management | A.5.17 | CC6.1, CC6.6 | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| IAM-16 Authorization Mechanisms | A.5.15, A.8.3 | — | PR.AA-01, PR.AA-02, PR.AA-03, PR.AA-05 | Access Control |
| Interoperability & Portability IPY | ||||
| IPY-01 Interoperability and Portability Policy and Procedures | A.5.23 | CC6.1 | — | — |
| IPY-02 Application Interface Availability | — | — | — | — |
| IPY-03 Secure Interoperability and Portability Management | A.8.20, A.8.24 | — | — | — |
| IPY-04 Data Portability Contractual Obligations | A.5.20 | CC1.1, CC2.3, CC6.1, CC9.1, CC9.2, P6.1, P6.4 | — | — |
| Infrastructure & Virtualization Security IVS | ||||
| IVS-01 Infrastructure and Virtualization Security Policy and Procedures | A.5.37 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-02 Capacity and Resource Planning | A.8.6 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-03 Network Security | A.8.20, A.8.21, A.8.22 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-04 OS Hardening and Base Controls | A.8.9 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-05 Production and Non-Production Environments | A.8.31 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-06 Segmentation and Segregation | A.8.22 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-07 Migration to Cloud Environments | A.5.23, A.8.24 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-08 Network Architecture Documentation | A.8.20 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| IVS-09 Network Defense | A.8.16, A.8.20 | — | PR.IR-01, PR.PS-01, DE.CM-01 | Cloud Services, IT Operations Management, Network Security, Server Security |
| Logging and Monitoring LOG | ||||
| LOG-01 Logging and Monitoring Policy and Procedures | A.8.15 | CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-02 Audit Logs Protection | A.8.15 | CC6.1, CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-03 Security Monitoring and Alerting | A.8.16 | CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-04 Audit Logs Access and Accountability | A.8.15 | CC6.1 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-05 Audit Logs Monitoring and Response | A.8.15, A.8.16 | CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-06 Clock Synchronization | A.8.17 | — | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-07 Logging Scope | A.8.15 | CC2.1, CC2.2, CC5.2, CC6.1 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-08 Log Records | A.8.15 | CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-09 Log Protection | A.8.15 | CC6.1, CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-10 Encryption Monitoring and Reporting | A.8.16, A.8.24 | CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-11 Transaction/Activity Logging | A.8.15 | CC6.1, CC6.6, CC6.7 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-12 Access Control Logs | A.7.4, A.8.15 | CC6.4, CC7.2 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| LOG-13 Failures and Anomalies Reporting | A.8.16 | CC7.2, CC7.3 | DE.CM-01, DE.CM-03, DE.CM-09, PR.PS-04 | IT Operations Management |
| Security Incident Management, E-Discovery, & Cloud Forensics SEF | ||||
| SEF-01 Security Incident Management Policy and Procedures | A.5.24, A.5.28 | CC2.2, CC7.3, CC7.4, A1.2 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-02 Service Management Policy and Procedures | A.5.24 | CC1.1, CC1.4, CC2.3, CC3.3, CC3.4, CC9.1, CC9.2 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-03 Incident Response Plans | A.5.24, A.5.26 | CC2.2, CC2.3, CC7.3, CC7.4, A1.2 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-04 Incident Response Testing | A.5.24 | — | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-05 Incident Response Metrics | A.5.27 | CC1.1, CC1.2, CC1.5, CC2.1, CC2.2, CC4.1, CC4.2, CC5.3 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-06 Event Triage Processes | A.5.25 | CC2.2, CC2.3, CC7.3, CC7.4, A1.2 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-07 Security Breach Notification | A.5.5, A.5.26 | CC2.2, CC2.3, CC7.3, CC7.4, A1.2 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| SEF-08 Points of Contact Maintenance | A.5.5 | CC2.2, CC2.3, CC7.3, CC7.4, CC7.5, P6.3, P6.6, P6.7 | RS.MA-01, RS.AN-03, RS.MI-01, RC.RP-01 | Cybersecurity Incident Management |
| Supply Chain Management, Transparency, and Accountability STA | ||||
| STA-01 SSRM Policy and Procedures | A.5.19 | CC1.1, CC1.4, CC2.3, CC3.3, CC3.4, CC9.1, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-02 SSRM Supply Chain | A.5.21, A.5.23 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-03 SSRM Guidance | A.5.19 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-04 SSRM Control Ownership | A.5.19 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.1, CC9.2, P6.4 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-05 SSRM Documentation Review | A.5.20 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-06 SSRM Control Implementation | A.5.19 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-07 Supply Chain Inventory | A.5.19, A.5.21 | CC1.1, CC1.3, CC2.2, CC2.3, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-08 Supply Chain Risk Management | A.5.19, A.5.22 | CC2.1 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-09 Primary Service and Contractual Agreement | A.5.20 | — | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-10 Supply Chain Agreement Review | A.5.22 | CC1.4, CC3.4, CC9.1, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-11 Internal Compliance Testing | A.5.35, A.5.36 | CC1.1, CC2.3, CC9.1, CC9.2, P6.4 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-12 Supply Chain Service Agreement Compliance | A.5.22 | CC1.4, CC3.4, CC9.1, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-13 Supply Chain Governance Review | A.5.22 | CC1.4, CC3.4, CC9.1, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| STA-14 Supply Chain Data Security Assessment | A.5.21, A.5.22 | CC1.4, CC3.4, CC9.1, CC9.2 | GV.SC-01, GV.SC-04, GV.SC-07, ID.RA-10 | Cloud Services, Nth Party Management, Supply Chain Risk Management |
| Threat & Vulnerability Management TVM | ||||
| TVM-01 Threat and Vulnerability Management Policy and Procedures | A.5.7, A.8.8 | CC3.2, CC3.4, CC8.1, CC9.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-02 Malware Protection Policy and Procedures | A.8.7 | CC6.7 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-03 Vulnerability Remediation Schedule | A.8.8 | CC2.2, CC3.2, CC3.4, CC9.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-04 Detection Updates | A.5.7, A.8.7 | CC3.2, CC3.3, CC3.4, CC9.1, CC9.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-05 External Library Vulnerabilities | A.8.8 | CC3.2, CC9.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-06 Penetration Testing | A.8.8, A.8.29 | CC3.2, CC9.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-07 Vulnerability Identification | A.8.8 | — | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-08 Vulnerability Prioritization | A.8.8 | CC4.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-09 Vulnerability Management Reporting | A.8.8 | CC3.4 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| TVM-10 Vulnerability Management Metrics | A.8.8 | CC3.2, CC3.4, CC4.2, A1.2 | ID.RA-01, ID.RA-06, DE.CM-09 | Threat Management |
| Universal Endpoint Management UEM | ||||
| UEM-01 Endpoint Devices Policy and Procedures | A.8.1 | CC6.7 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-02 Application and Service Approval | A.8.19 | — | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-03 Compatibility | A.8.19 | CC7.1, CC8.1 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-04 Endpoint Inventory | A.5.9, A.8.1 | CC2.1, CC6.1 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-05 Endpoint Management | A.8.1 | CC6.7 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-06 Automatic Lock Screen | A.7.7, A.8.1 | — | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-07 Operating Systems | A.8.8 | CC6.1, CC6.7, CC7.1, CC8.1 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-08 Storage Encryption | A.8.24 | CC6.1, CC6.7 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-09 Anti-Malware Detection and Prevention | A.8.7 | CC6.8 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-10 Software Firewall | A.8.20 | — | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-11 Data Loss Prevention | A.8.12 | CC6.7 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-12 Remote Locate | A.8.1 | CC6.7 | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-13 Remote Wipe | A.8.1, A.8.10 | — | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
| UEM-14 Third-Party Endpoint Security Posture | A.8.1 | — | ID.AM-01, ID.AM-02, PR.PS-01, PR.AA-06 | Asset and Information Management, Endpoint Security, Server Security |
Sources: CSA Cloud Controls Matrix v4; Secure Controls Framework (CCM↔SOC 2); ISO/IEC 27002:2022 Annex B (2013→2022); CSA CCM↔NIST CSF/800-53 (OLIR); Shared Assessments SIG 2024/25. Lower-confidence mappings are directional — verify against the primary framework.