RegScale Announces Support for CSA’s CCM v4 + CAIQ

August 2, 2022 | By J. Travis Howerton

The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing that is aligned to Cloud Security Alliance (CSA) best practices and is considered the de facto standard for cloud security and privacy. The accompanying questionnaire, the Consensus Assessments Initiative Questionnaire (CAIQ), provides a set of “yes or no” questions based on the security controls in the CCM.

At RegScale, we give cloud security professionals easy and free tools to get started with building a fully compliant CSA program, with support for tracking policies, related assessments, evidence collection, issues management/performance improvement, and other related workflows. As of August 2, 2022, RegScale officially supports the CCM v4 + CAIQ as a catalog within our platform, with automated tools/wizards for building compliant CSA Security, Trust, Assurance, and Risk (STAR) programs. In addition, we have published CCM v4 in multiple machine-readable formats, including an Excel spreadsheet, raw JSON, and NIST OSCAL, that are available upon request. These artifacts are freely available for others to reuse in their compliance automation programs.

Schedule a free demo today to learn how RegScale can help you continuously meet your CCM v4 requirements. If you are ready to start automating your compliance processes for creating and managing CSA requirements, this demo will also show how you can leverage RegScale to deliver continuous compliance. In addition to offering free tools, we have experienced compliance professionals who can assist you in creating robust CSA compliance artifacts that will help you pass audits and reduce your risk with ease. With RegScale, our customers get software with a service that provides a concierge-like experience for reducing risk related to their cloud systems.
