CCAK · Question #20
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will C
The correct answer is A. No. CCM must be completed with definitions established by the CSP because of its relevance to. CCM (Cloud Controls Matrix) is a comprehensive control framework, but it is not self-sufficient on its own. It must be supplemented with CSP-specific definitions, service descriptions, and operational context because controls must be interpreted and implemented differently depend
Question
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
Options
- ANo. CCM must be completed with definitions established by the CSP because of its relevance to
- BYes. CCM suffices since it maps a huge library of widely accepted frameworks.
- CYes. When implemented in the right manner. CCM alone can help to measure, assess and monitor
- DNo. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed
How the community answered
(28 responses)- A93% (26)
- B4% (1)
- C4% (1)
Explanation
CCM (Cloud Controls Matrix) is a comprehensive control framework, but it is not self-sufficient on its own. It must be supplemented with CSP-specific definitions, service descriptions, and operational context because controls must be interpreted and implemented differently depending on the specific cloud services, deployment models, and technologies in use. While CCM maps to many widely accepted frameworks (ISO 27001, NIST, PCI DSS, etc.), it does not capture every nuance of a particular CSP's environment, contractual obligations, or the unique risk profile of the customer's use case. A complete cloud assessment program requires CCM as a foundation plus CSP-specific and organization-specific additions.
Topics
Community Discussion
No community discussion yet for this question.