0% found this document useful (0 votes)

321 views36 pages

CCC Methodology and Mapping Annex en

This document provides an overview of the methodology and structure of the Cloud Cybersecurity Controls (CCC). The CCC was designed as a modular extension to the Essential Cybersecurity Controls (ECC) to provide additional controls for both Cloud Service Providers and Cloud Service Tenants. The CCC is aligned with four of the five ECC domains and incorporates 20 of the ECC's subdomains. It also includes four new subdomains that are specific to cloud computing services. The CCC was informed by five leading international cloud computing standards and guidelines: ISO/IEC 27001, FedRAMP, CSA CCM, C5, and MTCS SS. Controls were distilled from these standards into a consolidated list to form the

Uploaded by

Sk Islam

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

321 views36 pages

CCC Methodology and Mapping Annex en

Uploaded by

Sk Islam

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 36

Cloud Cybersecurity Controls

Methodology and Mapping Annex

)CCC - 1 : 2020(

Sharing Notice: White

Document Classification: Open
Disclaimer: The following controls will be governed by and implemented
in accordance with the laws of the Kingdom of Saudi Arabia, and must be
subject to the exclusive jurisdiction of the courts of the Kingdom of Saudi
Arabia. Therefore, the Arabic version will be the binding language for all
matters relating to the meaning or interpretation of this document.
In the Name of Allah,
The Most Gracious,
The Most Merciful
Traffic Light Protocol (TLP):

This marking protocol is widely used around the world. It has four colors (traffic lights):

Red – Personal and Confidential to the Recipient only

The recipient has no rights to share information classified in red with any person outside the
defined range of recipients either inside or outside the organization.

Amber – Restricted Sharing

The recipient may share information classified in orange only with intended recipients inside
the organization and with recipients who are required to take action related to the shared
information.

Green – Sharing within the Same Community

The recipient may share information classified in green with other recipients inside the
organization or outside it within the same sector or related to the organization. However, it is
not allowed to exchange or publish this information on public channels.

White – No Restriction
Table of Contents

Design Principles of the CCC 8

Relationship to other International Standards 9
Design Methodology of the CCC 10
Main Domains and Subdomains Structure of the CCC 11
Domain Mapping to International Standards 13
Control Mapping to International Standards 15
Essential Cybersecurity Controls and Cloud Cybersecurity Controls Subdomain Mapping 21
Control Applicability on Different Cloud Service Models (IaaS, PaaS, SaaS) 24

List of the Figures and Illustrations

Figure 1: CCC as a Modular Extension of the ECC 8

Figure 2: International Cloud Computing Standards Distilled to the Consolidated Control List 10
Figure 3: Main Domain and Subdomain Basis of the CCC Cloud Cybersecurity Controls 11
Figure 4: CCC Cloud Cybersecurity Controls Main Domain and Subdomain Stack 12

List of Tables

Table 1: CCC Domain Mapping to International Standards 14

Table 2: CCC Control Mapping 20
Table 3: ECC/CCC Subdomain Mapping 23
Table 4: CSP Controls Applicability on Different Cloud Service Models 31
Table 5: CST Controls Applicability on Different Cloud Service Models 33
Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Design Principles of the CCC

The CCC was designed to provide controls to both CSPs and CSTs.
The CCC was designed as a modular extension to ECC, to provide controls to both CSPs and CSTs.
Both CSPs and CSTs shall comply with ECC controls first, and then the additional controls provided by
the CCC. In other words, compliance with ECC is required as a pre-requisite to compliance to CCC.

Cloud Cybersecurity
Controls

Cloud Services Provider )CSP( Control A Cloud Services Tenant )CST(

37 Main Control Control B 18 Main Control
Control C
Control D
Control E
...

Essential Cybersecurity Controls )ECC(

Figure 1: CCC as a Modular Extension of the ECC

For CSPs, the following principles were applied:

• The security level of the controls in the CCC is additional to the security levels of the ECC.
• High level cybersecurity leveraging other countries’ cloud security standards (such as US
FedRAMP. Singapore MTCS SS, Germany C5) or industry standards (CCM, ISO27001).
• The control/subcontrol catalogue has a reference to other standards.
For CSTs, the following principle was applied:
• The security level of the controls in the CCC is additional to the security levels of the ECC.

8 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Relationship to other International Standards

The international cloud computing standards and guideline formed the foundation for the cloud
cybersecurity controls. The five leading standards used were:
• ISO/IEC 27001
• The Federal Risk and Authorization Management Program (FedRAMP (FR))
• The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
• German Government-backed Cloud Computing Compliance Controls Catalog (C5)
• The Multi-Tier Cloud Security (MTCS SS) Singapore standard

Document Classification: Open 9

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Design Methodology of the CCC

To accomplish the cloud cybersecurity controls aims, the design methodology reviewed existing
and anticipated regulations, and international cloud computing standards and guidelines. Informed by
this baseline data, the NCA designed the CCC as an extension to the ECC in terms of both depth and
outreach through the cloud computing sector.

In developing the cloud cybersecurity controls, security controls across a consolidated domain list
were distilled from the five cloud security reference standards described in section “Relationship to
other International Standards” into a consolidated stack of cloud controls.

Figure 2: International Cloud Computing Standards Distilled to the Consolidated Control List

10 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Domains and Subdomains Structure of the CCC

Relationship to ECC
Main domains and subdomains of the ECC and the cloud cybersecurity controls in the CCC are
aligned in a structure. Four of the five ECC domains are in the CCC. In addition, 20 of the ECC
subdomains are CCC subdomains (shown in white in Figure 3). Four new subdomains were added as
they were specific to cloud computing services (shown in dark blue in Figure 3). Eight ECC domains
do not have specific controls for cloud and are not part of CCC (shown in grey in Figure 3).

Cybersecurity Cybersecurity Cybersecurity Policies Cybersecurity Roles and Cybersecurity Risk Cybersecurity in Information
Cybersecurity Strategy Management and Procedures Responsibilities Management and Technology Projects
Governance
Compliance with Cybersecurity Periodical Cybersecurity Cybersecurity in Human Cybersecurity Awareness Cybersecurity in Change
Standards, Laws and Regulations Review and Audit Resources and Training Program Management

Cybersecurity Asset Management

Identity and Access
Management
Information System and Information Processing
Facilities Protection
Email protection
Network Security
Management
Defense
Backup and Recovery Vulnerability
Mobile Devices Security Data and Information Protection Cryptography
Management Management

Cybersecurity Event Logs and Monitoring Cybersecurity Incident and Threat

Penetration Testing Physical Security
Management Management

Web Application Security Key Management System Development Security

Storage Media Security

Cybersecurity
Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
Resilience

Third-party
Third-Party Cybersecurity Cloud Computing and Hosting Cybersecurity
Cybersecurity

ECC and CCC ECC domains with no

New CCC Subdomains
subdomains cloud controls

Figure 3: Main Domain and Subdomain Basis of the CCC Cloud Cybersecurity Controls

Document Classification: Open 11

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Main Domains and Subdomains Structure of the Cloud Cybersecurity Controls

As a result of the above, the cloud cybersecurity controls in the CCC is constituted by the following
Main Domains and Subdomains:

Cybersecurity Cybersecurity Roles and Responsibilities Cybersecurity Risk Management

Governance
Compliance with Cybersecurity Standards, Laws and
Cybersecurity in Human Resources Cybersecurity in Change Management
Regulations

Cybersecurity Information System and Information Network Security

Asset Management Identity and Access Management
Processing Facilities Protection Management
Defense
Mobile Devices Security Data and Information Protection Cryptography Backup and Recovery
Management

Cybersecurity Event Logs and Monitoring Cybersecurity Incident and Threat

Vulnerability Management Penetration Testing
Management Management

Physical Security Web Application Security Key Management

System Development Security Storage Media Security

Cybersecurity
Cybersecurity Resilience Aspects of Business Continuity Management )BCM(
Resilience

Third-party
Supply Chain and Third-Party Cybersecurity
Cybersecurity

Figure 4: CCC Cloud Cybersecurity Controls Main Domain and Subdomain Stack

12 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Domain Mapping to International Standards

In case of a discrepancy between the cloud cybersecurity controls domains and the five international
standards referenced, the CCC description shall take precedence.

CCC Standard Domain Comparison

Main Domains FedRAMP MTCS
Domains ISO 27001 CCM C5
(FR) SS
1-1 Cybersecurity Roles and A.6.1 AU 1 - OIS
Responsibilities
Cybersecurity
Governance 1-2 Cybersecurity Risk Management 6.1 RA GRM/G 8
1-3 Compliance with Cybersecurity A.18 AAC 16 - COM 10
Standards, Laws and Regulations
1-4 Cybersecurity in Human Resources A.7 PS HRS 3 - HR 7
AT
1-5 Cybersecurity in Change Management A.12 6 - RB 19
Cybersecurity 2-1 Asset Management A.8.1 CM 4 - AM 20
Defense
MA 14
2-2 Identity and Access Management A.9 AC IAM 23
IA 7 - IDM
2-3 Information System and Information SC AIS 22
Processing Facilities Protection SI IVS 4
2-4 Networks Security Management A.13 SC 9 - KOS
2-5 Mobile Devices Security A.6.2 MOS 17 - MDM
2-6 Data and Information Protection A.8.2 DSI 12
2-7 Cryptography A.10 EKM 8 - KRY 17
2-8 Backup and Recovery Management
2-9 Vulnerabilities Management TVM
2-10 Penetration Testing CA 18 - RB 15
2-11 Cybersecurity Event Logs and A.12.4 AU 13
Monitoring Management CA 15 - SPN 15
2-12 Cybersecurity Incident and Threat A.16 IR SEF 13 - SIM 11
Management
2-13 Physical Security A.11 PE DCS 5 - PS 18
2-14 Web Application Security
2-15 Key Management A.10 EKM 8 - KRY 17
2-16 System Development Security A.14 SA 11- BEI 16
2-17 Storage Media Security A.8.3 MP

Document Classification: Open 13

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

CCC Standard Domain Comparison

Main Domains FedRAMP MTCS
Domains ISO 27001 CCM C5
(FR) SS
Cybersecurity 3-1 Cybersecurity Resilience Aspects of A.17 CP BCR 14 - BCM 21
Resilience Business Continuity Management
(BCM)

Third-party 4-1 Supply Chain and Third-Party Security A.15 SA SCM 12 - DLL 9
Cybersecurity

Table 1: CCC Domain Mapping to International Standards

14 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Control Mapping to International Standards

In case of a discrepancy between the cloud cybersecurity controls in the CCC and the five
international standards referenced, the CCC controls shall take precedence.
Please note that Standard reference ‘original’ implies that it was not mentioned in the five international
standards and developed by NCA.

1 Cybersecurity Governance

Subdomain Subdomain CSP Control CST Control Standard Other standard

ID ID ID reference references
1-1 Cybersecurity Roles and 1-1-P-1-1 1-1-T-1-1 C5-OIS-02, C5- ISO27001 - A.6.1.1
Responsibilities OIS-03
1-2 Cybersecurity Risk 1-2-P-1-1 1-2-T-1-1 CCM GRM-11
Management 1-2-P-1-2 1-2-T-1-2 CCM GRM-02
1-2-P-1-3 1-2-T-1-3 MTCS SS 8.4
1-3 Compliance with 1-3-P-1-1 ISO27001 MTCS SS 10.1, C5 COM-
Cybersecurity Standards, A.18.1.1 01, CCM-BCR-11, CCM-
Laws and Regulations AAC-03
1-3-T-1-1 MTCS SS 10.6
1-4 Cybersecurity in Human 1-4-P-1-1 original
Resources 1-4-P-1-2 1-4-T-1-1 MTCS SS 7.2
1-4-P-1-3 FR PS-6
1-4-P-2-1 MTCS SS 7.5 CCM HRS-01
1-5 Cybersecurity in Change 1-5-P-3-1 FR-CM-3 CCM- CCC-05
Management
1-5-P-3-2 C5- BEI-10

Document Classification: Open 15

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

2 Cybersecurity Defense

Subdomain CSP Control CST Control Other standard

Subdomain Standard reference
ID ID ID references
2-1 Asset Management 2-1-P-1-1 2-1-T-1-1 ISO27001 A.8.1.1

2-1-P-1-2 ISO27001 A.8.1.2

2-2 Identity and Access 2-2-P-1-1 C5-IDM-08

Management 2-2-T-1-1 CCM- IAM-12
2-2-T-1-2 C5-IDM-07
2-2-P-1-2 2-2-T-1-3 C5-IDM- 08
2-2-P-1-3 2-2-T-1-4 FR IA-2 (1)
2-2-P-1-4 2-2-T-1-5 MTCS SS-23.4 FR-AC-7
2-2-P-1-5 C5-IDM-11 FR-IA-5 (1)
2-2-P-1-6 CCM-IAM-07
2-2-P-1-7 C5-IAM-12
2-2-P-1-8 FR IA-06
2-2-P-1-9 C5-IDM-03
2-2-P-1-10 FR AC-17 (9)
2-2-P-1-11 FR IA-2 (1)
2-2-P-1-12 MTCS SS-24.5
2-3 Information System and 2-3-P-1-1 MTCS SS-14.9
Information Processing 2-3-P-1-2 MTCS SS-24.6
Facilities Protection 2-3-P-1-3 FR-CM-7
2-3-P-1-4 FR SC-24, FR- SI-
10, FR- SI-11, FR-
SI-16
2-3-P-1-5 FR SC-03
2-3-P-1-6 original
2-3-P-1-7 FR- SI-7
2-3-P-1-8 MTCS SS-24.1
2-3-P-1-9 2-3-T-1-1 original
2-3-P-1-10 original
2-3-P-1-11 original
2-3-P-1-12 original

16 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Subdomain CSP Control CST Control Other standard

Subdomain Standard reference
ID ID ID references
2-4 Networks Security 2-4-P-1-1 FR SI-4 (11) (18)
Management (22)
2-4-P-1-2 FR SC-07
2-4-P-1-3 FR SC-05
2-4-P-1-4 FR SC-08 (1)
2-4-P-1-5 C5 KOS-03
2-4-P-1-6 MTCS SS-24.2 C5-KOS-04
2-4-T-1-1 FR SC-08
2-5 Mobile Devices Security 2-5-P-1-1 CCM, MOS-09
2-5-P-1-2 CCM, MOS-10
2-5-P-1-3 CCM, MOS-16
2-5-P-1-4 2-5-T-1-1 original
2-6 Data and Information 2-6-P-1-1 CCM-DSI-05
Protection 2-6-P-1-2 MTCS SS-12.6
2-6-P-1-3 MTCS SS-12.6
2-6-P-1-4 2-6-T-1-1 ISO27001 A.18.1.4

2-6-P-1-5 2-6-T-1-2 C5-PI-03

2-7 Cryptography 2-7-P-1-1 2-7-T-1-1 original
2-7-P-1-2 FR SC-17
2-7-T-1-2 FR- SC-28 (1)
2-8 Backup and Recovery 2-8-P-1-1 FR CP-10 (4) CCM BCR-11
Management 2-8-P-1-2 FR CP-10 (4) CCM BCR-11
2-9 Vulnerabilities 2-9-P-1-1 2-9-T-1-1 MTCS SS-24.4 CCM-IVS-05,
Management MTCS SS-15.1
2-9-P-1-2 2-9-T-1-2 C5-RB-20
2-10 Penetration Testing 2-10-P-1-1 FR-CA-08
2-11 Cybersecurity Event 2-11-P-1-1 MTCS SS 13.3 MTCS SS 13.4
Logs and Monitoring
Management
2-11-P-1-2 2-11-T-1-1 ISO27001 A.12.4.3

2-11-P-1-3 C5-RB-15
2-11-P-1-4 ISO27001 A.18.1.3

2-11-P-1-5 FR- SI-04 MTCS SS 13.2

Document Classification: Open 17

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Subdomain CSP Control CST Control Other standard

Subdomain Standard reference
ID ID ID references
2-11-P-1-6 2-11-T-1-2 MTCS SS 13.2
2-11-P-1-7 FR AC-17 (1)
2-11-P-1-8 C5-RB-11
2-12 Cybersecurity Incident 2-12-P-1-1 C5-OIS-05 ISO27001 -
and Threat Management A.6.1.4
2-12-P-1-2 FR-IR-02
2-12-P-1-3 MTCS SS-11.2
2-12-P-1-4 MTCS SS-11.4
2-12-P-1-5 CCM-SEF-04
2-12-P-1-6 MTCS SS-11.3
2-12-P-1-7 FR-IR-07
2-12-P-1-8 CCM-SEF-05
2-13 Physical Security 2-13-P-1-1 FR-PE-06
2-13-P-1-2 FR-PE-05
2-13-P-1-3 CCM-DCS-05
2-14 Web Application 2-14-P-1-1 ISO27001 A.14.1.2,
Security ISO27001 A.14.1.3
2-15 Key Management 2-15-P-3-1 2-15-T-3-1 CCM-EKM-01
2-15-P-3-2 2-15-T-3-2 CCM-EKM-04; FR
SC-12 (1)
2-15-P-3-3 ISO27001 A.12.4.3
2-16 System Development 2-16-P-3-1 ISO27001 A.14.1.1
Security 2-16-P-3-2 ISO27001 A.14.2.6
2-17 Storage Media Security 2-17-P-3-1 FR-MP-6
2-17-P-3-2 MTCS SS-12.8 CCM-DSI-07
2-17-P-3-3 ISO27001 A.8.3.1
2-17-P-3-4 FR-MP-3
2-17-P-3-5 FR-MP-4
2-17-P-3-6 FR MP-7

18 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

3 Cybersecurity Resilience

Subdomain Subdomain CSP Control CST Control Standard Other standard

ID ID ID reference references
3-1 Cybersecurity Resilience 3-1-P-1-1 3-1-T-1-1 FR CP-2 (4)
Aspects of Business
Continuity Management 3-1-P-1-2 C5 BCM-02
(BCM)

Document Classification: Open 19

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

4 Third party Cybersecurity

Subdomain Subdomain CSP Control CST Control Standard Other standard

ID ID ID reference references
4-1 Supply Chain & Third-Party 4-1-P-1-1 original
Security 4-1-P-1-2 FR-SA-05
4-1-P-1-3 MTCS SS 10.5
4-1-P-1-4 CCM-STA-06
Table 2: CCC Control Mapping

20 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Essential Cybersecurity Controls and Cloud Cybersecurity Controls Subdomain

Mapping

Cloud Cybersecurity Controls

Main Domains ECC Consolidated Subdomains
Subdomains
1-1 Cybersecurity Strategy

1-2 Cybersecurity Management

Cybersecurity Policies and

1-3
Procedures

Cybersecurity Roles and Cybersecurity Roles and

1-4 1-1
Responsibilities Responsibilities

1-5 Cybersecurity Risk Management 1-2 Cybersecurity Risk Management

Cybersecurity in Information
1-6
Technology Projects
Cybersecurity
Governance Compliance with Cybersecurity Compliance with Cybersecurity
1-7 1-3
Standards, Laws and Regulations Standards, Laws and Regulations

Periodical Cybersecurity Review

1-8
and Audit

Cybersecurity in Human Cybersecurity in Human

1-9 1-4
Resources Resources

Cybersecurity Awareness and

1-10
Training Program

Cybersecurity in Change
1-5
Management

Document Classification: Open 21

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Cloud Cybersecurity Controls

Main Domains ECC Consolidated Subdomains
Subdomains
2-1 Asset Management 2-1 Asset Management

2-2 Identity and Access Management 2-2 Identity and Access Management

Information System and Information System and

2-3 Information Processing Facilities 2-3 Information Processing Facilities
Protection Protection
2-4 Email Protection

2-5 Network Security Management 2-4 Network Security Management

2-6 Mobile Device Security 2-5 Mobile Device Security

2-7 Data and Information Protection 2-6 Data and Information Protection

2-8 Cryptography 2-7 Cryptography

Cybersecurity Backup and Recovery Backup and Recovery

2-9 2-8
Defense Management Management
2-10 Vulnerabilities Management 2-9 Vulnerabilities Management

2-11 Penetration Testing 2-10 Penetration Testing

Cybersecurity Event Logs and Cybersecurity Event Logs and

2-12 2-11
Monitoring Management Monitoring Management

Cybersecurity Incident and Cybersecurity Incident and

2-13 2-12
Threat Management Threat Management

2-14 Physical Security 2-13 Physical Security

2-15 Web Application Security 2-14 Web Application Security

2-15 Key Management

2-16 System Development Security

2-17 Storage Media Security

22 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Cloud Cybersecurity Controls

Main Domains ECC Consolidated Subdomains
Subdomains
Cybersecurity Resilience Aspects Cybersecurity Resilience Aspects
Cybersecurity 3-1 of Business Continuity 3-1 of Business Continuity
Resilience
Management (BCM) Management (BCM)

Third-party Supply Chain and Third-Party

Cybersecurity 4-2 Third-Party Cybersecurity 4-1
Security

Table 3: ECC/CCC Subdomain Mapping

Document Classification: Open 23

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Control Applicability on different Cloud Service Models (IaaS, PaaS, SaaS)

This section shows a sample of the applicability of the CCC controls (for both the CSP and the
CST) on different cloud service models (Software as a Service “SaaS”, Platform as a Service “PaaS”,
Infrastructure as a service “IaaS”). The applicability of each control may differ from what is shown in
this section as it depends on the type of the service and the relationship between CSP and CST.

for Cloud Service Provider (CSP):

Table 4 below shows the applicability of the CSP controls on different cloud service models (SaaS,
PaaS, and IaaS).
Please note the following:
- x : means the control may not be applicable
- : means the control maybe applicable
- Resources: means the control may be applicable on the CSP especially on the CSP’s own resources
- Cloud Technology Stack: means the control may be applicable on the CSP especially on the
CSP’s own cloud technology stack
- System development: means the control may be applicable on the CSP especially on the CSP’s
own system development
- Physical Security: means the control may be applicable on the CSP especially on the CSP’s own
physical security
- Business Continuity Management: means the control may be applicable on the CSP especially
on the CSP’s own business continuity management
- Offerings: means the control may be applicable on the CSP especially on the CSP’s offerings

24 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Control Sub Control IaaS PaaS SaaS

1-1-P-1
1-1-P-1-1
1-2-P-1
1-2-P-1-1
1-2-P-1-2
1-2-P-1-3
1-3-P-1
1-3-P-1-1
1-4-P-1
1-4-P-1-1
1-4-P-1-2
(Resources and cloud (Resources and cloud
technology stack) technology stack)
1-4-P-1-3
(Resources and cloud (Resources and cloud
technology stack) technology stack)
1-4-P-2
1-4-P-2-1
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
1-5-P-1
1-5-P-2
1-5-P-3
1-5-P-3-1
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
1-5-P-3-2
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
1-5-P-4
2-1-P-1
2-1-P-1-1
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-1-P-1-2
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-2-P-1

Document Classification: Open 25

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Main Control Sub Control IaaS PaaS SaaS

2-2-P-1-1
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-2
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-3
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-4
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-5
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-6
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-7
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-8
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-9
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-10
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-11
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-2-P-1-12
(Offerings and cloud (Offerings and cloud (Offerings and cloud
technology stack) technology stack) technology stack)
2-3-P-1
2-3-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)

26 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Control Sub Control IaaS PaaS SaaS

2-3-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-3-P-1-3
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-3-P-1-4
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-3-P-1-5
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-3-P-1-6
2-3-P-1-7
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-3-P-1-8
(Cloud technology x x
stack)
2-3-P-1-9
2-3-P-1-10
2-3-P-1-11
2-3-P-1-12
2-4-P-1
2-4-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-4-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-4-P-1-3
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-4-P-1-4
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-4-P-1-5
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)

Document Classification: Open 27

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Main Control Sub Control IaaS PaaS SaaS

2-4-P-1-6
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-5-P-1
2-5-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-5-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-5-P-1-3
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-5-P-1-4
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-6-P-1
2-6-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-6-P-1-2
(Cloud technology (Cloud technology
stack) stack)
2-6-P-1-3
2-6-P-1-4
2-6-P-1-5
2-7-P-1
2-7-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-7-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-8-P-1
2-8-P-1-1
x (Cloud technology (Cloud technology
stack) stack)
2-8-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)

28 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Control Sub Control IaaS PaaS SaaS

2-9-P-1
2-9-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-9-P-1-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-10-P-1
2-10-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-11-P-1
2-11-P-1-1
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-2
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-3
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-4
(Resources, cloud tech-
(Resources and cloud (Resources and cloud nology stack, and CST
technology stack) technology stack) related data managed by
CSP)
2-11-P-1-5
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-6
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-7
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-11-P-1-8
(Resources and cloud (Resources and cloud (Resources and cloud
technology stack) technology stack) technology stack)
2-12-P-1
2-12-P-1-1

Document Classification: Open 29

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

Main Control Sub Control IaaS PaaS SaaS

2-12-P-1-2
2-12-P-1-3
2-12-P-1-4
2-12-P-1-5
2-12-P-1-6
2-12-P-1-7
2-12-P-1-8
2-13-P-1
2-13-P-1-1
(Physical Security) (Physical Security) (Physical Security)
2-13-P-1-2
(Physical Security) (Physical Security) (Physical Security)
2-13-P-1-3
(Physical Security) (Physical Security) (Physical Security)
2-14-P-1
2-14-P-1-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-15-P-1
2-15-P-2
2-15-P-3
2-15-P-3-1
(Cloud technology stack) (Cloud technology stack) (Cloud technology stack)
2-15-P-3-2
(Cloud technology stack) (Cloud technology stack) (Cloud technology stack)
2-15-P-3-3
(Cloud technology stack) (Cloud technology stack) (Cloud technology stack)
2-15-P-4
2-16-P-1
2-16-P-2
2-16-P-3
2-16-P-3-1
(System development (System development (System development
and cloud technology and cloud technology and cloud technology
stack) stack) stack)
2-16-P-3-2
(System development (System development (System development
and cloud technology and cloud technology and cloud technology
stack) stack) stack)
2-16-P-4

30 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Control Sub Control IaaS PaaS SaaS

2-17-P-1
2-17-P-2
2-17-P-3
2-17-P-3-1
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-17-P-3-2
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-17-P-3-3
2-17-P-3-4
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-17-P-3-5
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
2-17-P-3-6
(Cloud technology (Cloud technology (Cloud technology
stack) stack) stack)
3-1-P-1

(Cloud technology (Cloud technology (Cloud technology stack

3-1-P-1-1
stack and business con- stack and business con- and business continuity
tinuity management) tinuity management) management)

(Cloud technology (Cloud technology (Cloud technology stack

3-1-P-1-2
stack and business con- stack and business con- and business continuity
tinuity management) tinuity management) management)
4-1-P-1
4-1-P-1-1
4-1-P-1-2
4-1-P-1-3
4-1-P-1-4
Table 4: CSP Controls Applicability on Different Cloud Service Models

Document Classification: Open 31

Sharing Notice: White Cloud Cybersecurity Controls Methodology and Mapping Annex

for Cloud Service Tenant (CST):

Table 5 below shows applicability of the CST controls on different cloud service models (SaaS, PaaS,
and IaaS).
Please note the following:
- x : means the control may not be applicable
- : means the control maybe applicable
- Cryptographic keys: means the control may be applicable on the CST especially on the CST’s
own cryptographic keys

Main Control Sub Control IaaS PaaS SaaS

1-1-T-1
1-1-T-1-1
1-2-T-1
1-2-T-1-1
1-2-T-1-2
1-2-T-1-3
1-3-T-1
1-3-T-1-1
1-4-T-1
1-4-T-1-1
2-1-T-1
2-1-T-1-1
2-2-T-1
2-2-T-1-1
2-2-T-1-2
2-2-T-1-3
2-2-T-1-4
2-2-T-1-5
2-3-T-1
2-3-T-1-1
2-4-T-1
2-4-T-1-1
2-5-T-1
2-5-T-1-1
2-6-T-1
2-6-T-1-1
2-6-T-1-2

32 Document Classification: Open

Cloud Cybersecurity Controls Methodology and Mapping Annex Sharing Notice: White

Main Control Sub Control IaaS PaaS SaaS

2-7-T-1
2-7-T-1-1 x
2-7-T-1-2
2-9-T-1
2-9-T-1-1 x
2-9-T-1-2 x
2-11-T-1
2-11-T-1-1
2-11-T-1-2
2-15-T-1
2-15-T-2
2-15-T-3
2-15-T-3-1
(Cryptographic (Cryptographic (Cryptographic
keys) keys) keys)
2-15-T-3-2
(Cryptographic (Cryptographic (Cryptographic
keys) keys) keys)
2-15-T-4
3-1-T-1
3-1-T-1-1
Table 5: CST Controls Applicability on Different Cloud Service Models

Document Classification: Open 33

Erm Risk Assessment Workbook
No ratings yet
Erm Risk Assessment Workbook
135 pages
Cloud Controls
No ratings yet
Cloud Controls
46 pages
FedRAMP Security Controls Baseline
No ratings yet
FedRAMP Security Controls Baseline
3,273 pages
Security Audit - IsO 27001 2022, CSDI Based Framework - Harpreet Singh ISO 27001-2022 - LA
No ratings yet
Security Audit - IsO 27001 2022, CSDI Based Framework - Harpreet Singh ISO 27001-2022 - LA
44 pages
Catalogo Typhoon Piaggio 125 4T 2V 2010-2011
No ratings yet
Catalogo Typhoon Piaggio 125 4T 2V 2010-2011
62 pages
Toshiba Tosvert VF S11 Manual PDF
50% (2)
Toshiba Tosvert VF S11 Manual PDF
81 pages
Checkpoint Enterprise Security Framework Whitepaper v2
No ratings yet
Checkpoint Enterprise Security Framework Whitepaper v2
34 pages
CIS Controls v8 Mapping To SOC2!2!2023
No ratings yet
CIS Controls v8 Mapping To SOC2!2!2023
152 pages
Fire-Alarm A Guide To Bs5839 Part-1 2002
No ratings yet
Fire-Alarm A Guide To Bs5839 Part-1 2002
114 pages
Identity Access Management For RSA Archer Based On RSA Identity Governance Lifecycle
No ratings yet
Identity Access Management For RSA Archer Based On RSA Identity Governance Lifecycle
37 pages
Sectrio NIST CSF 20 Audit
No ratings yet
Sectrio NIST CSF 20 Audit
89 pages
985YslWAQEughLycwyGw - 2024 FRSecure CISSP Mentor Program - Class Eight
No ratings yet
985YslWAQEughLycwyGw - 2024 FRSecure CISSP Mentor Program - Class Eight
122 pages
Defending-Data-Smartly WHPDDS WHP Eng 0822
No ratings yet
Defending-Data-Smartly WHPDDS WHP Eng 0822
15 pages
AWS Audit Checklist - Sachin Hissaria
No ratings yet
AWS Audit Checklist - Sachin Hissaria
6 pages
NIST SP 800-53 Security Controls Reference
100% (1)
NIST SP 800-53 Security Controls Reference
2 pages
ISO 27001 Fundamental Concepts: Presented by John Laffey
100% (1)
ISO 27001 Fundamental Concepts: Presented by John Laffey
23 pages
(Class Note) Module 11 - Security Reporting and Oversight
No ratings yet
(Class Note) Module 11 - Security Reporting and Oversight
30 pages
FCI ANSIFCI 70-3 - Standard For Regulator Seat Leakage Testing
No ratings yet
FCI ANSIFCI 70-3 - Standard For Regulator Seat Leakage Testing
5 pages
Iso 27001 Annex S Control Mapping PDF
No ratings yet
Iso 27001 Annex S Control Mapping PDF
22 pages
WSCC Security Considerations Cloud Computing - WHP - Eng - 0912 PDF
No ratings yet
WSCC Security Considerations Cloud Computing - WHP - Eng - 0912 PDF
80 pages
Schedule C-3-2 Cloud Security Risk Assessment Questionnaire
No ratings yet
Schedule C-3-2 Cloud Security Risk Assessment Questionnaire
22 pages
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
No ratings yet
CIS Controls v8 Mapping To GSMA FS.31 Baseline Security Controls v2.0
106 pages
Cyber Risk Management Assessment 1708187613
No ratings yet
Cyber Risk Management Assessment 1708187613
34 pages
CPRT CSF 2 0 0 11-13-2024
No ratings yet
CPRT CSF 2 0 0 11-13-2024
17 pages
Implementing Iso 55000 For Small or Immature Organisations: Rolan Moodley, Jacobs Consulting Pty LTD
No ratings yet
Implementing Iso 55000 For Small or Immature Organisations: Rolan Moodley, Jacobs Consulting Pty LTD
6 pages
2020-08-10 Final Report Inshared SOC2 Type 1
No ratings yet
2020-08-10 Final Report Inshared SOC2 Type 1
229 pages
A Process Model To Improve Information Security Governance in Organisations
No ratings yet
A Process Model To Improve Information Security Governance in Organisations
314 pages
Scytale - PCI DSS Bible Campaign - Ebook - Web
No ratings yet
Scytale - PCI DSS Bible Campaign - Ebook - Web
13 pages
Reliability Analysis
100% (1)
Reliability Analysis
16 pages
BITS Vulnerability Management Maturity Model
No ratings yet
BITS Vulnerability Management Maturity Model
19 pages
Information Security Program
No ratings yet
Information Security Program
34 pages
ISO 27001 Information Security Policy Template - Secureframe
100% (1)
ISO 27001 Information Security Policy Template - Secureframe
4 pages
EDRM Security Questionnaire 1.1
100% (1)
EDRM Security Questionnaire 1.1
39 pages
FedRAMP Continuous Monitoring Template
No ratings yet
FedRAMP Continuous Monitoring Template
3 pages
AWS CJIS Policy Template
No ratings yet
AWS CJIS Policy Template
65 pages
Cybersecurity CISO Vital Part Operations
No ratings yet
Cybersecurity CISO Vital Part Operations
11 pages
Cism Glossary PDF
No ratings yet
Cism Glossary PDF
11 pages
Security and Control in The Cloud
No ratings yet
Security and Control in The Cloud
12 pages
SEARCHITSecurity Assessment Tool
100% (1)
SEARCHITSecurity Assessment Tool
80 pages
Secure SDLC Consideration With NIST SP 800 64
No ratings yet
Secure SDLC Consideration With NIST SP 800 64
27 pages
Frameworks and Assessment Tools
No ratings yet
Frameworks and Assessment Tools
2 pages
Cloud Octagon Model
No ratings yet
Cloud Octagon Model
35 pages
Information Security Handbook For Employees
No ratings yet
Information Security Handbook For Employees
13 pages
SWIFT CSP Security Controls Public 2022
No ratings yet
SWIFT CSP Security Controls Public 2022
30 pages
10 - Risk RASC
No ratings yet
10 - Risk RASC
2 pages
SP RMM Overview
No ratings yet
SP RMM Overview
16 pages
ISO-IEC 27001 Self Assessment Form
100% (2)
ISO-IEC 27001 Self Assessment Form
3 pages
NIST Privacy Framework Course Assessment
No ratings yet
NIST Privacy Framework Course Assessment
7 pages
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 On AWS
No ratings yet
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 On AWS
29 pages
2009 - Information Security Policy An Organizational-Level Process Model
No ratings yet
2009 - Information Security Policy An Organizational-Level Process Model
16 pages
BSIMM V Activities
No ratings yet
BSIMM V Activities
32 pages
Security Standards
No ratings yet
Security Standards
11 pages
Cyber Essentials Plus Illustrative Test Specification April 2020
No ratings yet
Cyber Essentials Plus Illustrative Test Specification April 2020
13 pages
Cloud Security Posture Management - Why You - Cloud Security Alliance PDF
No ratings yet
Cloud Security Posture Management - Why You - Cloud Security Alliance PDF
7 pages
GPCCaseStudy Eng 0221
No ratings yet
GPCCaseStudy Eng 0221
5 pages
13v4 Risk and Compliance
No ratings yet
13v4 Risk and Compliance
4 pages
Application Security Review Checklist
No ratings yet
Application Security Review Checklist
10 pages
Cybersecurity Posture Assessment Brochure - Hitachi Systems Security
No ratings yet
Cybersecurity Posture Assessment Brochure - Hitachi Systems Security
2 pages
GTAG 8 Application Control Testing
No ratings yet
GTAG 8 Application Control Testing
13 pages
Cobit Sox Hipaa and Glba Mapping Templates
No ratings yet
Cobit Sox Hipaa and Glba Mapping Templates
5 pages
Data Privacy and Security-Rev1
No ratings yet
Data Privacy and Security-Rev1
15 pages
Data Structure Course
No ratings yet
Data Structure Course
48 pages
NESA Compliance Service - Paladion Networks - UAE
No ratings yet
NESA Compliance Service - Paladion Networks - UAE
8 pages
FedRAMP Security Controls Preface
No ratings yet
FedRAMP Security Controls Preface
2 pages
Unit 5 - Part - 2 Limitations of Algorithm Power
No ratings yet
Unit 5 - Part - 2 Limitations of Algorithm Power
9 pages
JNCIS-SP Certification - Juniper Networks US
No ratings yet
JNCIS-SP Certification - Juniper Networks US
6 pages
0wning Antivirus: Alex Wheeler Neel Mehta
No ratings yet
0wning Antivirus: Alex Wheeler Neel Mehta
39 pages
O133932v89 SUPER 19003L EN 2951844 MPW 080221
No ratings yet
O133932v89 SUPER 19003L EN 2951844 MPW 080221
18 pages
Designer Interview Questionnaire
No ratings yet
Designer Interview Questionnaire
1 page
Quality Manager - Avery 05-11
No ratings yet
Quality Manager - Avery 05-11
3 pages
Rem Mark 50 Bagger
No ratings yet
Rem Mark 50 Bagger
64 pages
Nexans NYY 80-0-6 1 KV Single Core
No ratings yet
Nexans NYY 80-0-6 1 KV Single Core
6 pages
Numerical Diff and Integration
No ratings yet
Numerical Diff and Integration
56 pages
2022 Inspiring Profiles en Forster 0 Cat355cb804
No ratings yet
2022 Inspiring Profiles en Forster 0 Cat355cb804
32 pages
Grade 6 Performance Task: Taking A Field Trip
No ratings yet
Grade 6 Performance Task: Taking A Field Trip
24 pages
Remaining Work / Punch List (Issued by HTL-Mech)
No ratings yet
Remaining Work / Punch List (Issued by HTL-Mech)
3 pages
SaaS Vendor Evaluation Template
No ratings yet
SaaS Vendor Evaluation Template
12 pages
AMF-65 AMS RFT Partnership Range - CULT PDF
No ratings yet
AMF-65 AMS RFT Partnership Range - CULT PDF
46 pages
Title Page Certi Abstract Final PSSG 2
No ratings yet
Title Page Certi Abstract Final PSSG 2
5 pages
Tendering & Contracts: Process Flow
No ratings yet
Tendering & Contracts: Process Flow
6 pages
Aplikasi Ujian Online Masuk Universitas Merdeka Madiun Berbasis Android
No ratings yet
Aplikasi Ujian Online Masuk Universitas Merdeka Madiun Berbasis Android
12 pages
Chapter 4
No ratings yet
Chapter 4
7 pages
Optimization of Rocksdb For Redis On Flash: Keren Ouaknine Oran Agra Zvika Guz
No ratings yet
Optimization of Rocksdb For Redis On Flash: Keren Ouaknine Oran Agra Zvika Guz
7 pages
6.-SESSION-PLAN Sample
No ratings yet
6.-SESSION-PLAN Sample
9 pages
SinoGNSS A300 GNSS Receiver
No ratings yet
SinoGNSS A300 GNSS Receiver
2 pages
Installer Uninstaller Readme
No ratings yet
Installer Uninstaller Readme
2 pages
EEPROM Cross Reference (In Detail)
No ratings yet
EEPROM Cross Reference (In Detail)
11 pages
DCA Vantage Brochure
No ratings yet
DCA Vantage Brochure
2 pages
Pipeliner Mps 4000
No ratings yet
Pipeliner Mps 4000
4 pages
The Official (ISC)2 Guide to the CCSP CBK
From Everand
The Official (ISC)2 Guide to the CCSP CBK
Gordon
No ratings yet
Auditing Cloud Computing: A Security and Privacy Guide
From Everand
Auditing Cloud Computing: A Security and Privacy Guide
Ben Halpert
3/5 (2)
The Official (ISC)2 Guide to the CCSP CBK
From Everand
The Official (ISC)2 Guide to the CCSP CBK
Adam Gordon
No ratings yet
CCSP - Certified Cloud Security Professional Exam Success
From Everand
CCSP - Certified Cloud Security Professional Exam Success
SUJAN
No ratings yet