CSA CCM compliance software for cloud-service providers.
The 17-domain Cloud Controls Matrix pre-loaded with our recommendations, CAIQ-ready evidence, and a customer-questionnaire flow that means you stop starting from a blank spreadsheet every time procurement asks for one. Built for EU SaaS vendors selling into regulated buyers.
What is the CSA Cloud Controls Matrix?
The Cloud Controls Matrix v4 is the Cloud Security Alliance's reference baseline for cloud-service-provider security. It organises 197 controls across 17 domains - audit and assurance, application security, business continuity, change control, cryptography, data security, IAM, infrastructure, logging, incident response, supply chain and more - and is the foundation for the CAIQ questionnaire and the CSA STAR registry.
Who needs to comply
- SaaS vendors whose customers ask for a CAIQ before they buy
- Cloud-service providers listing in the CSA STAR registry
- Service providers building a cloud-native security programme
- Compliance teams answering enterprise security questionnaires
Key CCM domains covered by Dazr
What auditors and buyers look for
CCM is rarely audited directly - what your customers actually want is the CAIQ filled in with real, recent answers, and the underlying evidence to back them up. Dazr keeps the CCM control library, the recommendations, and the evidence trail in one place so you don't start over every time procurement sends a questionnaire.
How Dazr helps with CSA CCM
- Pre-loaded CCM v4 control library across all 17 domains
- CAIQ-ready evidence: links from each control to your real evidence in Dazr
- Run CCM alongside ISO 27001 and SOC 2 for evidence reuse
- Hand customers a read-only view or a single-PDF answer pack
- Subscribe their security team to a time-boxed auditor login
CSA CCM questions, answered.
What is CSA CCM?
The Cloud Controls Matrix (CCM) is the Cloud Security Alliance's baseline of cloud-specific security controls organised into 17 domains. The Consensus Assessments Initiative Questionnaire (CAIQ) is the structured questionnaire your customers complete using the CCM as the underlying control set.
Does Dazr help me answer customer security questionnaires?
Yes. The CCM control library is pre-loaded with our recommendations and links to your evidence. When a customer sends a CAIQ-Lite or a vendor-security questionnaire, you have answers and evidence at hand instead of starting from a blank spreadsheet each time.
How does CCM map to ISO 27001 and SOC 2?
CCM is explicitly mapped to ISO 27001/27002, ISO 27017/27018, SOC 2, NIST 800-53 and others. Enable CCM alongside the framework you already certify against - the same evidence frequently satisfies both.
Where is data hosted?
In the European Union only. Data is encrypted at rest with AES-256-GCM.
Ready to start your CSA CCM program?
Free for one user. Pro €29/mo and Enterprise €299/mo are self-serve via Mollie. Custom (from €800/mo) is the only tier on a contract.