
CCM v4.1 Transition Timeline

Published 02/19/2026

Written by Eleftherios Skoutaris, AVP of GRC Solutions, CSA EMEA.

This blog was published on February 19, 2026 with the latest information regarding the release of CCM v4.1.

On January 28, CSA released version 4.1 of the Cloud Controls Matrix (CCM), succeeding CCM v4.0.13. This latest version strengthens the framework by incorporating requirements arising from emerging cloud technologies, introducing new and updated controls, and enhancing interoperability and alignment with other leading standards and regulatory frameworks.

CCM v4.1 reflects CSA’s continued commitment to ensuring that the framework remains current, comprehensive, and responsive to the evolving cloud risk landscape. For additional details on the updates and their impact, please refer to the official release blog.

Here we will discuss the transition timeline for when organizations using the CCM in other CSA programs will need to start using version 4.1. We will also answer questions around how the new version will affect:

  • Mappings with standards
  • Security Trust and Assurance Registry (STAR)
  • Consensus Assessment Initiative Questionnaire (CAIQ)
  • Certificate of Cloud Security Knowledge (CCSK)

 

What are the key changes between CCM v4.0.13 and CCM v4.1?

CCM v4.1 introduces 11 new control specifications across critical domains, including Datacenter Security (DCS), Logging and Monitoring (LOG), Security Incident Management (SEF), Supply Chain Management (STA), and Threat & Vulnerability Management (TVM). One control within the Identity and Access Management (IAM) domain was removed.

The update also includes further enhancements to existing control objectives, with both minor and major revisions to expand the CCM’s depth and precision, improve coverage, introduce new requirements, and strengthen alignment with the evolving risk landscape. Control language has been refined to improve clarity and consistency, making interpretation and auditing more straightforward.

In addition, supporting components have been updated. The Consensus Assessments Initiative Questionnaire (CAIQ) v4.1 now includes 283 questions aligned with the latest controls. Corresponding updates have also been made to the Implementation and Auditing Guidelines, CCM-Lite, and CAIQ-Lite.

 

When will the implementation and auditing guidelines be released?

The CCM Implementation Guidelines were originally released with CCM v4 and have been updated to align with CCM v4.1. As a core component of the framework, the Implementation Guidelines explain how to use the CCM and support users in understanding and effectively implementing its controls. Please note that implementation within specific technological environments (e.g., AWS, Azure, GCP) is beyond the scope of the Guidelines. For platform-specific discussions and peer collaboration, users are encouraged to participate in the dedicated SCC WG calls discussion. The updated Implementation Guidelines are available for download alongside the CCM v4.1 release.

The CCM Auditing Guidelines, also introduced with CCM v4, have likewise been updated to reflect the changes incorporated in CCM v4.1. These Guidelines provide direction on how to approach the auditing and assessment of CCM controls and support both auditors and auditees in evaluating proper control adoption. The updated Auditing Guidelines are available together with the CCM v4.1 standard.

 

When will CCM Lite be released? Will there be a CAIQ Lite assessment questionnaire with it?

CCM Lite has already been updated to version 4.1, in alignment with the CCM v4.1 release.

CCM Lite is a streamlined version of the CCM that includes the foundational controls every cloud service provider (CSP) should implement, regardless of delivery model, size, or operational complexity. These controls serve as the baseline for establishing a strong security posture.

Yes, CAIQ-Lite is also available. Derived from the full Consensus Assessments Initiative Questionnaire (CAIQ), it provides a simplified approach to vendor assessments, enabling more efficient and focused engagement between cloud providers and cybersecurity professionals.

 

When will the CCM v4.1 mappings to other leading standards be available for usage?

CSA and the SCC WG are currently collaborating with industry partners to update the mappings originally published with CCM v4.0.13 and align them with the changes introduced in CCM v4.1.

CSA will also continue expanding the mapping portfolio by incorporating additional mappings into CCM v4.1 over time.

 

STAR Program Transition Timeline

| Item | Release Date |
| --- | --- |
| CCMv4.1 & CAIQv4.1 are officially released | January 2026 |
| Start accepting both V4.1 and V4.0 submissions for both STAR levels 1 and 2 to CSA Registry. | March 2026 |
| Only STAR Level 1 submissions based on version 4.1 will be accepted. (All surveillance audits and recertifications must be carried out using CAIQ v4.1) | December 2027 |
| Only STAR Level 2 submissions based on version 4.1 will be accepted. (All CBs have transitioned and ready to deliver STAR level 2 based on CCMv4.1) | December 2027 |
| CCMv4.0.x and CAIQv4.0.x will be withdrawn. (Withdrawn means it is no longer relevant. No further work will be done to maintain or update a withdrawn standard. Withdrawn standards are therefore still available in the CSA archives for reference only.) | January 2028 |

 

 

When will it be possible to use version 4.1 of the CAIQ and CCM for STAR Submissions? When will previous versions no longer be accepted?

CCM v4.1 and CAIQ v4.1 are available for use, and the STAR Registry is ready to accept Level 1 and Level 2 submissions based on CCM v4.1.

Until December 2027, we'll accept both versions of the CAIQ and CCM. After December 2027, all new STAR submissions (i.e., those from services that are joining the STAR Registry) shall be done using V4.1. The companies/services that were in the registry prior to the v4.1 release have a two-year transition period to switch to the new version.

 

Will CCM v4.1 be used now for the STAR attestation or Certifications? Or is CCM v4.0 still accepted?

Yes, CCM v4.1 will be adopted as part of the STAR Level 2 program for both STAR Attestation and STAR Certification. While both versions are currently accepted, we strongly encourage organizations to adopt V4.1 as soon as possible.

 

Will CCM v4.1 impact the CCSK?

For the time being the CCSK curriculum and exam will remain as is, and CCM v4.1 won't affect it in any way.
