Cloud Security Alliance, Cyber Risk Institute Partner to Create Cloud Controls Matrix (CCM) Addendum for the Financial Sector

·4 min read

Strategic collaboration addresses sector-specific requirements within CCM framework

SEATTLE, June 28, 2022--(BUSINESS WIRE)--The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today announced that it has partnered with the Cyber Risk Institute (CRI), a non-profit coalition of financial institutions and trade associations, to develop an addendum to its Cloud Controls Matrix (CCM), written specifically for the financial sector.

This press release features multimedia. View the full release here:

For many years, the cloud was a tempting, albeit forbidden, fruit for financial institutions. However, as cloud service providers' (CSP) security measures have improved to accommodate most, if not all, of the financial sector's regulatory requirements, increasing numbers of financial institutions are now looking to extend their rate of cloud adoption. Unfortunately, until now there hasn’t been a framework that adequately addresses this sector’s unique regulatory security requirements within the context of cloud computing.

"Rather than layer new controls over CCM’s core set, we chose to partner with another like-minded organization that would allow us to mutually take advantage of the work each of us has done in addressing cyber and cloud security. We are excited to further build on our relationship with CRI in what we see as the first step in creating a version of CSA Security, Trust, Assurance, and Risk (STAR) Level 2 specific to financial institutions," said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.

While CCM has become the de facto standard for cloud security assurance and compliance, it has not yet evolved to the point where it’s sufficient to satisfy the security and compliance requirements for every business sector. Correspondingly, the CRI Profile, the financial sector’s benchmark for cyber risk assessment, covered many of the financial sector’s unique cybersecurity requirements but lacked the specificity of cloud security. After mapping the controls within their respective frameworks, CSA and CRI performed a gap analysis to create and incorporate both cloud-specific controls into the CRI Profile, and correspondingly, financial sector-specific requirements into CCM.

"When we released the CRI Cloud Profile in March of this year, we knew it was a tremendous step forward for financial institutions looking to move to the cloud with confidence by outlining roles and responsibilities. This recent reverse mapping by CSA to the Profile is the missing piece that allows cloud service providers to speak financial sector language," said CRI Founder and President, Josh Magri. "This is not the end, though. We are excited to continue our collaboration with CSA and look forward to building on this success."

Financial organizations interested in learning more about the CRI Profile are encouraged to attend the session, The Cloud Profile: A Rosetta Stone for Cloud, Security, and Finance Sector Compliance, at the CxO Summit in Barcelona on June 29.

Learn more about the Cloud Controls Matrix and the financial services addendum.

About Cyber Risk Institute

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. CRI is working to protect the global economy by enhancing cybersecurity and resiliency through assessment standardization. Its Cyber Profile tool is the benchmark for cyber security and resiliency in the financial services industry. Learn more at

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

View source version on


Media Contacts
Kristina Rundquist
ZAG Communications for the CSA

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting