Cloud Security Alliance Updates Internet of Things (IoT) Controls Matrix with New Incident Management Domain and Enhanced Technical Clarity and Referencing

Expanded Matrix aimed at enterprise IoT systems that incorporate multiple types of connected devices, cloud services, and networking technologies

SEATTLE–(BUSINESS WIRE)–The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today announced the Internet of Things (IoT) Controls Matrix Version 3 and the accompanying Guide to the CSA IoT Controls Matrix Version 3. Created by the CSA IoT Working Group, Version 3 of the Matrix builds upon previous iterations, increasing the number of controls to 199 while adding a new incident management domain and improving technical clarity and referencing. Together with the guide, the Matrix will help users – especially those with enterprise IoT systems that incorporate multiple types of connected devices, cloud services, and networking technologies – identify appropriate security controls and allocate them to specific architectural components, including devices, networks, gateways, and cloud services.

“The IoT market continues to expand with newly introduced advances in connectivity and autonomy across industry sectors. But relying on IoT-generated data and features requires organizations that adopt these new technologies to plan for accessible, secure, and resilient deployments. Given the rapid evolution of connected technologies and the constant flow of new threats, it can be challenging without a roadmap on how to move forward,” said Aaron Guzman, IoT Working Group Co-chair and one of the paper’s lead authors.

Version 3 of the Matrix can be used across numerous IoT domains from systems processing only “low-value” data with limited impact potential to highly sensitive systems that support critical services. The companion guide explains how to use the Matrix to evaluate and implement an IoT system, and provides a column-by-column description and explanation. Additionally, it has been updated to include industry profiles, which represent starting points for securing industry-specific IoT devices, such as medical devices, vehicles, and autonomous systems.

“Creating a safe IoT environment requires security engineering that addresses unique risks and employs appropriate mitigation measures. The IoT Controls Matrix offers up a starting point for organizations looking to better understand and implement security controls within their IoT architecture,” said Michael Roza, Risk, Audit Control and Compliance Professional and one of CSA’s Research Fellows and a lead author of all three versions of the IoT Controls Matrix.

The IoT Controls Matrix (formerly called the IoT Security Controls Framework), first released in early 2019, introduced 155 base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies. Today, it continues to be used by system architects, developers, and security engineers along with auditors and penetration testers in evaluating their implementations’ security as they progress through the development lifecycle to ensure they meet industry-specified best practices.

The IoT Controls Matrix complements the CSA Cloud Controls Matrix, CSA Enterprise Architecture, and other best practices as part of a holistic approach to securing the cloud ecosystem. The Matrix and accompanying guide are free resources and are available for download now.

The CSA IoT Working Group develops frameworks, processes and best practices for securing connected systems. The Working Group addresses topics including data privacy, safety and security at the edge and in the cloud. Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Join page.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.


Kristina Rundquist

ZAG Communications for CSA