Cloud Security

Customer Responsibility Matrix (CRM)

A document published by a cloud service provider mapping each compliance framework control to one of four categories: fully inherited, partially inherited, not inherited, or not applicable. The CRM is the primary artifact auditors use to verify inherited control documentation.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.