Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Listen Now: 'Real-Talk on Opportunities for Security Teams to Fight AI with AI'

Do SOC 2 and ISO 27001 the Right Way with CSA STAR

Home
Industry Insights
Do SOC 2 and ISO 27001 the Right Way with CSA STAR

Blog Article Published: 06/21/2024

At the CSA Cloud Trust Summit 2024, CSA’s CEO Jim Reavis gave the presentation “Do SOC 2 and ISO 27001 the right way with CSA STAR.” In this condensed transcript of the presentation, Jim provides an overview of the SOC 2 and ISO 27001 frameworks and how they relate to the CSA STAR program. You can watch Jim’s full presentation here.


Two Cardinal Conformance Frameworks That Guide CSA STAR

I find that there's an awareness gap on what we’ve developed with CSA STAR. It leverages SOC 2 and ISO 27001, resulting in more efficient compliance and assurance. In this presentation, I want to provide an overview of cloud assessment, how it works with these different frameworks, what they mean, and then how it relates to what we're doing with STAR. Let’s start with understanding what SOC 2 and ISO 27001 are.


About SOC 2

Note that I'll be referring to AICPA SOC 2 Type 2 just as “SOC 2.”

SOC 2 was developed by AICPA to be used by service organizations of many types. Its forerunner, SAS 70, was developed in 1992 for auditing information security controls. In 2010, SSAE 16 was created and it replaced SAS 70 with SOC 2, which is when the internal controls for the Trust Services Criteria were articulated. The current version of this is SSAE 18. It's also important to know that SOC 2 reports are restricted use reports that cannot be released publicly.


About ISO/IEC 27001

This comes from British standard BS 7799 - a very long and esteemed heritage. ISO 27001 v1 was published in 2005, with a couple of revisions in 2013 and 2022. It was designed for traditional IT environments, focusing on very comprehensive information security management systems. It's the gold standard. It's applicable to any type of organization, not just IT companies or cloud service providers.


Critical Foundations for STAR

Very early on, when we were starting to create our own cloud-specific control frameworks, we looked at whether we needed to create our own conformance framework for auditing in the cloud.

And we came back and said absolutely not - the ISO tools and the AICPA SAS 70 were terrific. They were doing everything they needed to do. We didn't need to reinvent the wheel and create our own completely new audit framework and procedures. ISO and AICPA are good tools, but we think they have the wrong use in many cases.


The Key Elements Needed in a Cloud Security Assurance Program

Accounts for Complexity

It's very important to understand that modern SaaS applications are complex. You have an infrastructure provider, and you may have a lot of other services that are mashed up into a single cloud SaaS application. It can be a lot of players, a lot of vendors, and a lot of different technologies that make their way into it.


Clear Scope of Applicability

Then we go into the scope of an audit. We're thinking about the people, process, and technologies that interact and could impact the security of a system. We don't want to be too broad and we don't want to be too narrow. We want to be just right to make sure that we get the correct results. We don't want vulnerabilities and control weaknesses to go undetected because we just didn't feel they were in scope.


Transparency

Transparency is obviously really important as well. There's the phrase “don't do security by obscurity,” but it's extra important when you are a cloud customer. And maybe in previous generations, where it was all on-premise, you had it all in your purview. Now, the more transparency we have, the easier the evaluation and procurement phases are.


Shared Security Responsibility Model

It's really important that the service providers and the customers understand that shared responsibility. What's the provider responsible for? What am I responsible for? Where are there things that we're both responsible for?


Introducing the STAR Program

The CSA STAR program is something that's been around for a long time. We started it in 2011 and now we have over 2,500 registered provider entries. We have several countries that have adopted this, such as Italy, which requires STAR for cloud providers that provide services to government ministries. It's also required by a lot of enterprises before they'll do business. We see this referenced in many different industries, sectors, and countries around the world.

There are six pillars to the program. It's very comprehensive. I'm going to drill down a little bit on the Cloud Controls Matrix (CCM), our STAR Assessment Portfolio, and the STAR Registry.


The Cloud Controls Matrix

The CCM was first released in 2010. This is the industry standard for cloud control objectives. We have 197 controls and 17 domains. These are integrated with our CAIQ questionnaire, which has the questions that assessors use to determine the presence of controls that meet those 197 control objectives.


The STAR Assessment Portfolio

STAR Level 2 is our third-party assessment. It has different iterations: STAR Attestation is SOC 2 enhanced with CCM and cloud-specific guidelines, while STAR Certification is ISO 27001 enhanced with CCM and some other guidelines.

STAR Level 1 is our self-assessment, something that an organization can fill out themselves to describe their controls. For someone to qualify as a Level 2, not only do they have to do the third-party assessment, but they also have to have a companion self-assessment that is published on our STAR Registry. This is where the transparency aspect comes in. It becomes a very good companion for people to make sure that cloud providers are doing the right thing.

So again, STAR Certification is completely compliant with all of the ISO requirements you'd expect for a 27001 certification body. STAR Assessors have to have our Certificate of Cloud Security Knowledge (CCSK). We really make sure that they understand the cloud.

Similarly, with STAR Attestation we're combining the Trust Services Criteria with the CCM. The CPAs doing this have to have our CCSK.


Using the STAR Registry

To look at that Level 1 self-assessment, you can go here. You'll find all the leading cloud security companies, SaaS providers, and many more. You can drill down and understand their responses on a control-by-control basis. It's very rich information, but it gets even better than that. Because the Level 2 cloud providers are required to have that self-assessment, you can see what they believe their responsibilities are and what you're supposed to do.


Breaking Down STAR by Stakeholder

Enterprise Cloud Consumers

Instead of asking for a SOC 2 from your cloud service provider, ask for a STAR Attestation because then you essentially get both.

By the same token, instead of asking for an ISO 27001 certificate, ask for a CSA STAR Certification. Again, you're getting both.

Then use that companion STAR Level 1 self-assessment and the newly-released CCM Implementation Guidelines to really assure that the cloud service meets your exacting requirements and to understand the additional steps you must take to really lock it down.


Cloud Service Providers

Work with your auditor or your certification body to achieve STAR Level 2 instead of just a SOC 2 or an ISO 27001. It's not two full separate engagements. Your mileage may vary, but some say it was only 10 extra hours to make sure they covered CCM and the specific cloud requirements. Understand that it's a marginal and incremental cost that you would incur to provide this one engagement that meets both of these needs.


Auditors and Certification Bodies

Offer STAR Level 2 instead of just the more vanilla SOC 2 or ISO 27001. You'll be differentiated in the market and you'll be providing a more appropriate solution.


In Conclusion

To sum it up, ISO 27001 and SOC 2, they're terrific. We love them. We could not have done what we've done without them. However, you have this inappropriate scope of applicability. The shared security responsibility can be unclear. We lack transparency. STAR Level 2 is the answer to all of that.

CAIQCloud Controls MatrixComplianceStandardsSTAR

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Download the Guide to AI Governance & Risks
Register for the Zero Trust Summit 2024
Download: AI in Medical Research
Trending This Week
#1 How to Earn the Certificate in Cloud Security Knowledge (CCSK)
#2 The 6 Phases of Data Security
#3 CSA STAR Level 2: STAR Attestations and Certifications
#4 Fully Homomorphic Encryption vs. Confidential Computing
#5 Machine Learning for Threat Classification
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Implementing the Shared Security Responsibility Model in the Cloud

Published: 09/27/2024

What is the CSA STAR Program? An Intro for Beginners

Published: 09/24/2024

AI Regulation in the United States: CA’s ADMT vs American Data Privacy and Protection Act

Published: 09/24/2024

8 Ways to Reduce Data Storage Costs

Published: 09/24/2024