In this document, Microsoft provides a detailed overview of how Office 365 maps to the security, privacy, compliance, and risk management controls defined in version 3.0.1-11-24-2015 of the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The CSA is a not-for-profit, member-driven organization of leading industry practitioners focused on helping customers make the right decisions when moving to the cloud. The CCM provides a listing of security and privacy controls across 16 domains. On the following pages, Office 365 security practices are mapped to the control guidance provided by the CCM. The first two columns (CCM Control Domain and ID and CCM v3.0.1 Control Specification) consist of content directly from the CCM identifying relevant controls. The third column (Office 365 Response) consists of short explanations of how Office 365 controls satisfy the CSA recommendations.

