CSA STAR: The Future of Cloud Trust and Assurance
CSA STAR is the industry's most powerful program for security assurance in the cloud. STAR is built on three principles: transparency, rigorous auditing, and harmonization of standards. STAR certification provides multiple benefits, including an indication that a provider follows recognized best practices and validation of the security posture of its cloud offerings.
STAR consists of three levels of assurance, which currently cover four distinct offerings, all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA's Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations, and it gives organizations the structure, detail and clarity they need for information security tailored to cloud computing.
The STAR program includes a complimentary (free) registry that documents the security controls provided by popular cloud computing offerings. This publicly accessible registry lets users of cloud services assess their cloud providers, security providers, and advisory and assessment services firms, so that they can make better-informed procurement decisions.
CSA STAR is based upon two key research components of the CSA GRC Stack:
Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.
The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM, the CAIQ provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask a cloud provider in order to ascertain its compliance with the Cloud Controls Matrix and CSA best practices.
CSA STAR PROGRAM ASSESSMENT AND CERTIFICATIONS
LEVEL ONE: CSA STAR Self-Assessment
CSA STAR Self-Assessment is a complimentary (free) offering that documents the security controls provided by various cloud computing offerings, helping users assess the security of cloud providers they currently use or are considering. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting their compliance with the Cloud Controls Matrix (CCM). The submission then becomes publicly available, promoting industry transparency and giving customers visibility into a specific provider's security practices. Because a Level 1 submission is written by the provider itself and is not independently verified, customers should treat it as a starting point for their own due diligence rather than as validation; independent assessment begins at Level 2.
LEVEL TWO: CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA that provides guidelines for CPAs conducting SOC 2 engagements using the AICPA's criteria (the Trust Services Principles, under AT 101) together with the CSA Cloud Controls Matrix. STAR Attestation provides a rigorous, independent third-party assessment of cloud providers.
LEVEL TWO: CSA STAR Certification
The CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. This technology-neutral certification combines the requirements of the ISO/IEC 27001:2005 management system standard with the CSA Cloud Controls Matrix.
LEVEL TWO: CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR combines the requirements of the GB/T 22080-2008 management system standard with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.
LEVEL THREE: CSA STAR Continuous Monitoring
Currently under development, CSA STAR Continuous Monitoring will let cloud providers publish their current security practices in an automated way. Providers publish their practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.
Key Links & Resources
For More Information
General Inquiries: [email protected]
CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors
CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors
Add your Service to the CSA STAR Registry
CSA STAR is open to all Cloud Providers
Eligibility for listing on the STAR Registry requires an official, authorized submission of one or more documents asserting compliance with CSA-published best practices. The registry is intended to allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement decisions.
Companies can be listed on the STAR Registry by submitting their STAR Self-Assessment (Level 1) and/or their third-party-based certification (Level 2).
For more information about the CSA STAR Program please see:
The STAR Level 1 (Self-Assessment) is based on a report showing the adherence of a service and/or provider to one of the following CSA best practices:
In order to streamline the process of performing, and maintaining over time, their CSA STAR Self-Assessment, companies are recommended to use
The STAR Level 2 (third-party-based certification) instead offers companies the possibility to comply with CSA best practices according to three different
Submitting Reports to CSA is Simple
Fill out the form below and attach any supporting security control documents. For assistance with Level 2 requests, please contact us at
When you are finished, click the "Submit my Entry" button. We will review your submission for accuracy and follow up via email to verify. If you have questions about your submission, please contact
CSA STAR Registry Terms and Conditions
Your submission is subject to the CSA STAR Terms and Conditions. We encourage you to review these Terms and Conditions, which govern your use of the CSA STAR Registry.