Cloud Security Maturity Model Version 2.0

Developed with Securosis and administered in partnership with the Cloud Security Alliance

What is the Cloud Security Maturity Model

The Cloud Security Maturity Model (CSMM) was co-developed by IANS and Securosis and is administered in partnership with the Cloud Security Alliance. It is designed to help organizations understand what their cloud security journey looks like and, more importantly, to consciously determine how mature they want to be for each category and gain recommendations to increase maturity. Version 2.0 greatly expands the CSMM with updated categories, key performance indicators, and sample technical controls to improve an organization’s ability to measure and plan maturity.

Mike Rothman
Rich Mogull, IANS Faculty & Securosis CEO

CSMM Benefits

Security for cloud deployments differs from protecting traditional systems. With increased scrutiny on cloud security from large customers, boards of directors, and internal and external compliance assessors, all organizations need to consider the inherent security of their cloud stack and how they manage and control access to it using a cloud-native security framework.

Completing the CSMM diagnostic generates an individualized report based on your answers to provide a quick qualitative assessment of your current maturity level. It assesses the state of your organization’s cloud security program against 12 categories over the three domains of the model. Organizations use the model as a starting point and a means to determine the required investment in each category.

Foundational Domain

Represents the core, critical infrastructures.

Structural Domain

Represents what would traditionally be considered security.

Procedural Domain

Represents many of the fundamental process and procedural changes required.

Take the Diagnostic

Complete the survey to quickly determine your maturity within different areas of the model, pinpoint areas of focus, identify areas for improvement, and gain insight to build a plan to increase cloud maturity within your environment.

You will get maturity assessments across:

Your Entire Program

You will get a score for your maturity across all three domains.

Each Domain

You will get a score for each respective domain: Foundational, Structural and Procedural.

Each Category

You will get a maturity score for each category within the model.

Assets to Expedite Your Journey

Download the following key assets to accelerate your cloud security maturity journey:

Contact IANS Consulting

Need support in using the CSMM to increase your cloud security? Get in touch with the IANS Consulting team to discuss how we can help you prioritize your deployments (e.g., production vs. development), build a roadmap for implementing required controls, and support you along that implementation journey. IANS Consulting services are managed and scoped by the IANS team and delivered by IANS Faculty, so your internal teams stay focused on their day-to-day.


Be Intentional About Decisions and Priorities

The Cloud Security Maturity Model is not focused on telling organizations what they must do. Instead, it facilitates business-oriented discussions about cloud security requirements, priorities and strategies, highlighting key decisions stakeholders must consider in their journey toward increased automation via cloud service providers. This knowledge helps organizations assess their existing cloud security programs against their internal business requirements and those of industry peers, determine which maturity level is appropriate to the business, and make conscious and informed purchase and configuration decisions.

Mike Rothman, IANS Faculty & Securosis President
About IANS

For the security practitioner caught between rapidly evolving threats and demanding executives, IANS Research is a clear-headed resource for decision making and articulating risk. We provide experience-based security insights for Chief Information Security Officers and their teams. The core of our value comes from the IANS Faculty, a network of seasoned practitioners. We support client decisions and executive communications with Ask-an-Expert inquiries, our peer community, deployment-focused reports, tools and templates, and consulting. For more information, visit

About Securosis

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization. Following our guiding principle of totally transparent research, we provide nearly all our content for free. You can find out more about who we are, what we cover, and the services we offer at

About Cloud Security Alliance

Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For more information, visit

