Back to Resources | Blogs

CSA to Release Updated Cloud Control Matrix: What You Need to Know about CCM v4.1

October 28, 2025 | CSA STAR

The Cloud Security Alliance (CSA) has announced that an updated version of the CSA Cloud Control Matrix (CCM) will be released on Thursday, Nov. 6, 2025.

The CCM, which underpins the CSA Security, Trust, Assurance, and Risk (CSA STAR) program, provides a comprehensive set of cloud-specific security domains and control specifications that help organizations assess risk and demonstrate compliance with global standards.

In the fall of 2025, the CSA announced the latest update to the CCM, which introduces enhancements to address new and evolving security requirements while improving usability for both implementers and certification bodies.

What’s Changing in CCM v4.1?

The new CCM v4.1 builds on past versions by incorporating updated security requirements and aligning with current regulatory and industry developments. The framework has been refined to make implementation and auditing more straightforward both for certification bodies and for organizations undergoing CSA STAR certification in conjunction with ISO 27001.

Some of the major improvements in the new version include clearer structure, enhanced security controls, and updated mapping to modern cybersecurity frameworks.

What’s the Deadline?

Organizations will have two years to transition to CCM v4.1. The transition period ends in November 2027, according to the CSA.

In the meantime, the CSA has requested that certification bodies like BARR begin working on transition plans. Those plans should include a breakdown of:

  • Changes in CCM v4.1;
  • Specific actions organizations must take to implement those changes;
  • A timeframe for completing those actions;
  • Assigned personnel responsible for each actions; and,
  • A process to monitor progress and ensure completion.

Beginning in July 2027, all new CSA STAR assessments must use CCM v4.1.

The Bottom Line

The release of CCM v4.1 marks an important evolution in cloud security assurance. By updating and refining the control framework, the CSA continues to strengthen trust, consistency, and accountability across the cloud ecosystem.

Organizations and certification bodies should begin planning now to meet the transition requirements and ensure a seamless move to CCM v4.1 before the 2027 deadline.

Need help preparing for CCM v4.1 or your next CSA STAR assessment? Contact our expert team for a free consultation.

Let's Talk