Cloud Security Alliance Unveils Governance, Risk Management, and Compliance Stack

Provides toolkit for key stakeholders to implement, assess security of cloud environments

Note: ESJ’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.

The Cloud Security Alliance (CSA) has released the CSA Governance, Risk Management, and Compliance (GRC) Stack, a suite of enabling tools for GRC in the cloud.

The CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors, and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards, and critical compliance requirements.

The Cloud Security Alliance GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix, and Consensus Assessments Initiative Questionnaire:

  • CloudAudit provides a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allows authorized consumers of their services to do likewise via an open, extensible, and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

  • Cloud Controls Matrix (CCM) provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry.

  • Consensus Assessments Initiative Questionnaire (CAIQ): The CSA Consensus Assessments Initiative (CAI) performs research, creates tools, and creates industry partnerships to enable cloud computing assessments. The CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. The questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

For more information, visit
