Cloud Controls Matrix
Application Security Baseline Requirements
AIS-02: Are baseline requirements to secure different applications established, documented, and maintained?
Control implemented
Not applicable - A “N/A” answer indicates that the portion of the control in question is out of scope of the assessment. The “SSRM control ownership” column is to be left blank (e.g., greyed out), and optionally the CSP may explain why it is the case (“CSP Implementation Description”).
No - A “No” answer indicates that the portion of the control in question is in scope of the assessment but not implemented. The CSP has to assign implementation responsibility for the control to the relevant party under the column “SSRM control ownership”, and optionally elaborate on why it has not been implemented and what that party has to do to implement it.
Yes - A “Yes” answer indicates that the portion of the control in question is implemented. The CSP indicates the responsible and accountable parties (SSRM control ownership), and optionally elaborates on the implementation “how-to” per relevant party CSP and/or CSC.
Control ownership
CSP-owned - The CSP is entirely responsible and accountable for the CCM control implementation.
CSC-owned - The Cloud Service Customer (CSC) is entirely responsible and accountable for the CCM control implementation.
Third-party - The third-party CSP in the supply chain (e.g., an IaaS provider) is responsible for CCM control implementation, while the CSP is fully accountable.
Shared CSP and CSC - Both the CSP and CSC share CCM control implementation responsibility and accountability.
Shared CSP and third party - Any CCM control implementation responsibility is shared between CSP and the third party, but the CSP remains fully accountable.
Description
Establish, document and maintain baseline requirements for securing different applications.