This area of the site is under heavy construction.  You can learn about CSA efforts from the website source, and you should also join the LinkedIn CSA community.

To get started, we suggest reading the following resources:

Download GRC Stack:

Also recommending this slideshare  Governing in the Cloud

Please visit the CSA Site for more details:

Cloud Security Alliance Unveils Governance, Risk Management and Compliance (GRC) Stack

CSA GRC Stack Training

Outsourcing critical business functions into the Cloud can result in challenges of maintaining assurance and control over legal and regulatory obligations for data management and protection. The Cloud Security Alliance is offering a training session to show you how to leverage the CSA GRC (Governance, Risk Management & Compliance) Stack, a toolkit designed for peeling back and revealing those layers of accountability and responsibility between Cloud Service Providers and their Tenants, applying measurable risk-based decision making for both assessing and attesting to governance, risk and compliance best practices. Download the: original (Feb. 2011) CSA GRC Stack Training Documents or the updated (March 2011) CSA GRC Stack Training Documents

CSA GRC Stack Integration & Implementation

The four initiatives have been developed through a collaborative effort and contain out-of-the-box integration. CloudAudit includes the Cloud Controls Matrix as an included namespace, while the Consensus Assessments Initiative Questionnaire was specifically designed to identify the presence or lack of CCM controls and other key practices identified in the CSA guidance. Some of the uses of the GRC stack include the following:

Cloud Providers – Assess your own systems with CAIQ to measure alignment with CCM. Implement CloudAudit to automate CCM assertions, enabling third parties to independently analyze your GRC capabilities against their needs. This generates significant cost savings in audit response, reduces customer sales cycles and leads to increased trust of provider’s solutions.

Enterprise Organizations – Use CCM to align your information security program with emerging cloud security requirements. Use CAIQ and CCM together to assess your cloud providers against industry supported criteria. Use CloudAudit to instrument your own private cloud to simplify IT audits.

Solution Providers – Integrate the CSA GRC stack into your own products and services, including management consoles, reporting systems, and system agents to provide “out-of-the-box” compatibility and relevance to the leading cloud security guidance.

Consultants and Independent Auditors – Integrate the CSA GRC stack into your own processes and tool sets to provide cloud assurance services aligned with customer and provider requirements.

GRC Stack Provides Toolkit for Key Stakeholders to Implement and Assess Security of Cloud Environments.

The Cloud Security Alliance (CSA) has announced the availability of the CSA Governance, Risk Management and Compliance (GRC) Stack, a suite of enabling tools for GRC in the cloud, now available for free download at

Achieving GRC goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute-as-a-service presents new challenges across the spectrum of GRC requirements. The CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards, and critical compliance requirements.

“When cloud computing is treated as a governance initiative, with broad stakeholder engagement and well-planned risk management activities, it can bring tremendous value to an enterprise,” said Emil D'Angelo, CISA, CISM, international president of ISACA, a founding member of the Cloud Security Alliance and a co-developer of the GRC stack.

"Gaining visibility into service provider environments and governing them according to overall enterprise GRC strategy have emerged as major concerns for organizations when considering the use of public cloud services," said Eric Baize, Senior Director of Cloud Security Strategy at RSA, The Security Division of EMC. "The Cloud Security Alliance has acted in a timely manner to enable a concrete cloud GRC stack that will foster transparency and confidence in the public cloud. RSA will build these standards into its own RSA Archer eGRC platform, the foundation for the RSA Solution for Cloud Security and Compliance which will allow organizations to assess cloud service providers using the same tool that is used widely to manage risk and compliance across the enterprise.”

The Cloud Security Alliance GRC Stack is an integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire:

CloudAudit: aims to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

Cloud Controls Matrix (CCM): provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.

Consensus Assessments Initiative Questionnaire (CAIQ): The CSA Consensus Assessments Initiative (CAI) performs research, creates tools and creates industry partnerships to enable cloud computing assessments. The CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. The questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

“Cloud computing brings tremendous benefits to business, but these models also raise questions around compliance and shared responsibility for data protection,” said Scott Charney, Corporate Vice President for Microsoft’s Trustworthy Computing Group. “With the Cloud Security Alliance’s guidance, providers and enterprises can use a common language to ensure the right security issues are being considered and addressed for each type of cloud environment.”

The three initiatives have been developed through a collaborative effort and contain out-of-the-box integration. CloudAudit includes the Cloud Controls Matrix as an included namespace, while the Consensus Assessments Initiative Questionnaire was specifically designed to identify the presence or lack of CCM controls and other key practices identified in the CSA guidance.

“The Cloud Security Alliance GRC Stack is a major step allowing Cloud Computing vendors to document to their subscribers the level of Security and Compliance they maintain,” said Philippe Courtot, chairman and CEO of Qualys. “As Cloud Computing is rapidly changing the way we do business, such a framework is essential to ensuring that our data is secure and that Cloud Computing vendors adhere to privacy and regulatory requirements.”

Use cases for cloud providers, enterprises, solution providers and independent auditors/consultants interested in using the GRC stack can be found at: