CCC Methodology and Mapping Annex en
This marking protocol is widely used around the world. It has four colors (traffic lights):
White – No Restriction
The CCC was designed as a modular extension to ECC, to provide controls to both CSPs and CSTs.
Both CSPs and CSTs shall comply with the ECC controls first, and then with the additional controls provided by
the CCC. In other words, compliance with the ECC is a prerequisite for compliance with the CCC.
Cloud Cybersecurity Controls
The international cloud computing standards and guidelines formed the foundation for the cloud
cybersecurity controls. The five leading standards used were:
• ISO/IEC 27001
• The Federal Risk and Authorization Management Program (FedRAMP (FR))
• The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
• German Government-backed Cloud Computing Compliance Controls Catalog (C5)
• The Multi-Tier Cloud Security (MTCS SS) Singapore standard
To accomplish the aims of the cloud cybersecurity controls, the design methodology reviewed existing
and anticipated regulations, as well as international cloud computing standards and guidelines. Informed by
this baseline data, the NCA designed the CCC as an extension of the ECC in terms of both depth and
reach across the cloud computing sector.
In developing the cloud cybersecurity controls, security controls across a consolidated domain list
were distilled from the five cloud security reference standards described in section “Relationship to
other International Standards” into a consolidated stack of cloud controls.
Figure 2: International Cloud Computing Standards Distilled to the Consolidated Control List
Relationship to ECC
Main domains and subdomains of the ECC and the cloud cybersecurity controls in the CCC are
aligned in a structure. Four of the five ECC domains are in the CCC. In addition, 20 of the ECC
subdomains are CCC subdomains (shown in white in Figure 3). Four new subdomains were added as
they were specific to cloud computing services (shown in dark blue in Figure 3). Eight ECC domains
do not have specific controls for cloud and are not part of CCC (shown in grey in Figure 3).
[Figure 3 content: domain and subdomain grid]
Cybersecurity Governance: Cybersecurity Strategy; Cybersecurity Management; Cybersecurity Policies and Procedures; Cybersecurity Roles and Responsibilities; Cybersecurity Risk Management; Cybersecurity in Information and Technology Projects; Compliance with Cybersecurity Standards, Laws and Regulations; Periodical Cybersecurity Review and Audit; Cybersecurity in Human Resources; Cybersecurity Awareness and Training Program; Cybersecurity in Change Management
Cybersecurity Resilience: Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
Third-party Cybersecurity: Third-Party Cybersecurity; Cloud Computing and Hosting Cybersecurity
Figure 3: Main Domain and Subdomain Basis of the CCC Cloud Cybersecurity Controls
[Figure 4 content: CCC domain and subdomain stack]
Cybersecurity Resilience: Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
Third-party Cybersecurity: Supply Chain and Third-Party Cybersecurity
Figure 4: CCC Cloud Cybersecurity Controls Main Domain and Subdomain Stack
In case of a discrepancy between the cloud cybersecurity controls domains and the five international
standards referenced, the CCC description shall take precedence.
Third-party Cybersecurity | 4-1 Supply Chain and Third-Party Security | A.15 SA SCM 12 - DLL 9
In case of a discrepancy between the cloud cybersecurity controls in the CCC and the five
international standards referenced, the CCC controls shall take precedence.
Please note that the standard reference "original" indicates that the control was not found in the five international
standards and was developed by the NCA.
1 Cybersecurity Governance
2 Cybersecurity Defense
2-11-P-1-3 C5-RB-15
2-11-P-1-4 ISO27001 A.18.1.3
3 Cybersecurity Resilience
Cybersecurity Governance:
1-6 Cybersecurity in Information and Technology Projects
1-7 Compliance with Cybersecurity Standards, Laws and Regulations | 1-3 Compliance with Cybersecurity Standards, Laws and Regulations
1-5 Cybersecurity in Change Management
2-2 Identity and Access Management | 2-2 Identity and Access Management
2-7 Data and Information Protection | 2-6 Data and Information Protection
This section shows a sample of the applicability of the CCC controls (for both the CSP and the
CST) to the different cloud service models (Software as a Service "SaaS", Platform as a Service "PaaS",
Infrastructure as a Service "IaaS"). The applicability of each control may differ from what is shown in
this section, as it depends on the type of service and on the relationship between the CSP and the CST.