What is the Cloud Controls Matrix?
The Cloud Controls Matrix (CCM) is a cybersecurity control framework built specifically for cloud computing, published and maintained by the Cloud Security Alliance (CSA). It is not a law you have to comply with, and it is not a certification you hold on its own — it is a structured set of security controls, written for the realities of cloud service delivery, that a provider implements and that a customer can assess against.
That framing matters. The CCM does not ask "is your product secure?" in the abstract. It lays out specific control objectives across the areas that matter for cloud (access, data, applications, infrastructure, supply chain, incident response and governance) and asks you to show, control by control, how you meet them and who owns each one. Because cloud responsibility is shared between provider and customer, the matrix is explicit about that split rather than leaving it implied.
The current version is CCM v4. If you read older material referring to a different domain count or control numbering, it is likely describing an earlier release — the framework is revised periodically as cloud practice moves, and v4 is the version to map against today.
A framework, not a certificate
It is worth being precise, because the language gets muddled. The CCM is the control set. There is no standalone "CCM certificate" you can earn or display. When people say a provider has "done the CCM", they almost always mean the provider has completed an assessment against the CCM (a self-assessment or a third-party one) through the CSA STAR program, which is covered further down. The matrix is what you measure against; STAR is how you demonstrate the result.