Cloud Security Maturity Model (CSMM) Diagnostic



IANS and Securosis have built the Cloud Security Maturity Model to help organizations understand what their cloud security journey looks like, and more importantly, to be able to consciously determine how mature they want to be for each category. IANS and Securosis are partnering with Cloud Security Alliance to integrate the CSMM into their cloud security research program as well as their certification and training initiatives.

What is the CSMM?

The CSMM is a set of guidelines, not all of which will work for every organization. Organizations should use the model as a starting point and a means to make decisions about how much investment in each category makes sense for their environment.

The CSMM diagnostic assesses the state of your cloud security program against 12 categories over three domains of the CSMM.

Mike Rothman, IANS Faculty & Securosis President

Is Your Cloud Security Optimized?

Security for cloud deployments is different from protecting traditional systems. With increased scrutiny on cloud security from large customers, Boards of Directors, and internal and external compliance assessors, all organizations need to consider the inherent security of their cloud stack and how they manage and control their access to it.

What will you get out of the diagnostic?

The CSMM diagnostic is designed to quickly determine your place on the maturity model. The point is to be able to pinpoint issues in your cloud security program and identify areas for improvement.

Take the Diagnostic Online
You will get maturity assessments across:

Your Entire Program

You will get a score for your maturity across all three domains.


Each Domain

You will get a score for each respective domain – Foundational, Structural, and Procedural.


Each Category

Finally, you will get a maturity score for each category within the model.


Discover your cloud security program’s maturity level...

Uncover your organization’s cloud maturity level with the IANS | Securosis Cloud Security Maturity Model (CSMM). Learn about the challenges that other organizations at your level face and our recommendations for your environment.

... and measure maturity over three security domains

To help you gain value from this report, we detail here the 3 domains and the role each plays in increasing the maturity of your cloud security program.


Foundational Domain

Represents the core, critical domains that ensure a secure baseline on which to build your cloud security environment. This is where you start laying the foundation for a strong cloud security program.


Structural Domain

Represents what would traditionally be considered security and becomes the building blocks of your cloud security program. This domain is about understanding the differences in how the technology of securing resources works and leveraging both automation and orchestration to enable all of the requisite controls to work in an agile, adaptive manner.


Procedural Domain

Represents many of the fundamental process and procedural changes required to protect your cloud environment(s) reliably and consistently. Each category highlights how the cloud is different from traditional datacenters and what you must do to embrace those differences.


Be Intentional About Decisions and Priorities

Our Cloud Security Maturity Model is not focused on telling organizations what they must do. Instead, it facilitates business-oriented discussions about cloud security requirements, priorities, and strategies, highlighting key decisions stakeholders must consider in their journey towards increased automation via Cloud Service Providers. This knowledge helps organizations assess their existing cloud security programs against their internal business requirements and those of industry peers, determine which of the maturity levels is appropriate to the business, and make conscious and informed purchase and configuration decisions.

Mike Rothman, IANS Faculty & Securosis President


About IANS

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk. We provide experience-based security insights for Chief Information Security Officers and their teams. The core of our value comes from the IANS Faculty, a network of seasoned practitioners. We support client decisions and executive communications with Ask-an-Expert inquiries, our peer community, deployment-focused reports, tools and templates, and consulting. For more information, visit


About Securosis

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization. Following our guiding principle of totally transparent research, we provide nearly all our content for free. You can find out more about who we are, what we cover, and the services we offer at


About Cloud Security Alliance

Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For more information, visit

