Client Portal
| Become a Client

Cloud Security Maturity Model

The Cloud Security Maturity Model (CSMM) is co-developed by IANS and Securosis and administered in partnership with the Cloud Security Alliance.

Rich Mogull, IANS Faculty & Securosis CEO

What is the Cloud Security Maturity Model?

The CSMM helps organizations understand what their cloud security journey looks like and, more importantly, to consciously determine how mature they want to be for each category.
Take the diagnostic now

Why complete the CSSM Diagnostic?

Completing the CSMM diagnostic generates an individualized report based on your answers to provide a quick qualitative assessment of your current maturity level. It assesses the state of your organization's cloud security program against 12 categories over the three domains of the model. Organizations use the model as a starting point and a means to determine the required investment in each category.

Foundational Domain

Represents the core, critical infrastructures.

Structural Domain

Represents what would traditionally be considered security.

Procedural Domain

Represents many of the fundamental process and procedural changes required.

Levels of cloud security maturity

CSMM-Levels

Assets to expedite your journey

Download the report
Download the following key assets to accelerate your cloud security maturity journey:

Intro to the CSSM 2.0

A 5-page overview of the updated Cloud Security Maturity model and how to use it.

Download Now

CSSM Poster

A pdf visual representation of the Cloud Security Maturity Model 2.0

Download Now

Cloud Security Maturity Model 2.0

A detailed excel spreadsheet with control objectives specified for each maturity level.

Download Now

Need support increasing your cloud security?

Assess your cloud maturity

Determine your maturity within the CSSM model, identify areas for improvement, gain insights to help you increase your organization's cloud maturity.

Start the diagnostic now

Frequently Asked Questions

Securosis & Cloud Security Alliance

Feb 6, 2025, 14:13 PM
Question : Can you tell me more about the partners on this project, Securosis and the Cloud Security Alliance?
Securosis logo

About Securosis

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization. Following our guiding principle of totally transparent research, we provide nearly all our content for free. You can find out more about who we are, what we cover, and the services we offer at https://securosis.com/services.

CSA logo

About Cloud Security Alliance

Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For more information, visit https://www.cloudsecurityalliance.org.

Be intentional about decisions and priorities

The Cloud Security Maturity Model is not focused on telling organizations what they must do. Instead, it facilitates business-oriented discussions about cloud security requirements, priorities and strategies, highlighting key decisions stakeholders must consider in their journey toward increased automation via cloud service providers. This knowledge helps organizations assess their existing cloud security programs against their internal business requirements and those of industry peers, determine which maturity level is appropriate to the business, and make conscious and informed purchase and configuration decisions.
Start the free diagnostic
Mike Rothman, IANS Faculty & Securosis President