Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

CSA STAR Certifications: What are They?

Home
Industry Insights
CSA STAR Certifications: What are They?

Blog Article Published: 11/03/2023

The CSA Security, Trust, Assurance, and Risk (STAR) program is the largest cloud assurance program in the world that constitutes an ecosystem of the best practices, standards, technology, and auditing partners. Any organization operating or providing cloud services can benefit from completing the certifications under the STAR program. These certifications are based on the Cloud Controls Matrix (CCM), the STAR program’s framework of essential cloud security controls. In this blog, learn more about the various STAR certifications and what’s required to complete them.


What are the certifications under the STAR program?

Under the STAR program, CSA offers various certifications to assess and validate the security practices of cloud service providers. These certifications are designed to enhance transparency and build trust between cloud service providers and their customers. They are divided into two basic levels:

  • Level 1, self-attestation of self-assessment
  • Level 2, third-party certification


What is STAR Level 1?

STAR Level 1 is a complimentary offering. At Level 1, organizations evaluate and document the security controls that apply to their organization using the Consensus Assessment Initiative Questionnaire (CAIQ), a framework that helps organizations assess the security capabilities of cloud service providers with a standardized set of questions. Completed CAIQs are submitted to the STAR Registry. This information then becomes publicly available, providing customer visibility into specific provider security practices.

Organizations should pursue Level 1 if they are:

  • Operating in a low-risk environment
  • Wanting to offer increased transparency around the security controls they have in place
  • Looking for a cost-effective way to improve trust and transparency


What is STAR Level 2?

STAR Level 2 consists of two different third-party independent assessments: STAR Certification and STAR Attestation. The Code of Practice for Implementing STAR Level 2 guide explains the practical steps to earn a STAR Certification or Attestation. There are associated fees for STAR Level 2.

The STAR Certification is a technology-neutral certification that leverages the requirements of the ISO/IEC 27001 management system standard together with CCM. STAR Certification certificates follow normal ISO/IEC 27001 protocol.

The STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA and CCM. For international engagements outside the US, ISAE 3000 is the equivalent and acceptable.

Organizations should pursue Level 2 if they are:

  • Operating in a medium to high-risk environment
  • Already hold or adhere to ISO 27001 or SOC 2 (or ISAE 3000)
  • Looking for a cost-effective way to increase assurance for cloud security and privacy


What are the scopes of the certificates?

Both STAR Level 1 and Level 2 focus on cloud services. A typical scope should include the following:

  • List of processes and services included
  • List of departments or other organizational units included
  • List of physical locations included
  • Exclusions


What are the prerequisites for obtaining a certificate?

For STAR Level 1, there are no prerequisites. For Level 2, the prerequisite is to have STAR Level 1. Additionally, organizations seeking STAR Level 2 typically need a certain level of security controls already in place.


What types of organizations receive STAR certificates?

CSA STAR is intended for various types of cloud services, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) providers, as well as managed security service providers and other cloud-related services.


Who issues the certificates?

STAR assessments are typically conducted by CSA-accredited third-party assessors trained to evaluate an organization's security controls against CCM. The requirements and guidelines for STAR Auditors can be found on the CSA website:


What are the certificate validity periods?

STAR Self-Assessments (Level 1) are valid for one year. STAR Certifications (Level 2) are valid for three years. During the validity period, surveillance audits are conducted once a year, with a recertification performed in the third year. STAR Attestation (Level 2) is valid for one year, at which time a complete re-evaluation is performed.


Learn more about the STAR program and STAR certifications here.

CAIQCloud Controls MatrixComplianceSTAR

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Certificate of Cloud Auditing Knowledge (CCAK)
The industry's first global auditing credential.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How DSPM Can Help Solve Healthcare Cybersecurity Attacks

Published: 04/30/2024

Your Ultimate Guide to Security Frameworks

Published: 04/29/2024

The Future of Cloud Cybersecurity

Published: 04/29/2024

CPPA AI Rules Cast Wide Net for Automated Decisionmaking Regulation

Published: 04/26/2024