Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What is CSA STAR Certification and Why it is Important for ISO/IEC 27001 Certified Organizations?

Home
Industry Insights
What is CSA STAR Certification and Why it is Important for ISO/IEC 27001 Certified Organizations?

Blog Article Published: 07/27/2022

This blog was originally published by MSECB here.

What is CSA STAR Certification?

Building security and data protection into the DNA of an organization’s management system and operations is very important considering the intensive use of cloud computing by all organizations nowadays.

CSA STAR (Security, Trust, Assurance, and Risk) Certification presents a strong proof of a cloud service provider’s security practices. By obtaining the CSA STAR Certification, Cloud Service Providers (CSPs) show to their clients that they are using best practices to protect data in cloud applications.

The CSA STAR program has two levels of certification/attestation:

Level 1: Self-Assessment
  • Security Self-Assessment: The CSA STAR Self-Assessment is free of charge and lists the security measures offered by various cloud computing offerings. Thus, it helps users evaluate the security of cloud providers they now use or are considering using.
  • GDPR Self-Assessment: The CSP’s services that follow the CSA GDPR Code of Conduct attest to their compliance to GDPR of the service(s) offered by a CSP. An organization will be issued a Compliance Mark that is effective 1 year after the publication of the pertinent document on the Registry.
Level 2: Third-Party Audit
  • STAR Attestation – For SOC 2: As a collaboration between CSA and the AICPA, the CSA STAR Attestation offers guidelines for CPAs to conduct SOC engagements through the applied criteria from the AICPA (Trust Service Principle, AT 101) and the Cloud Controls Matrix of CSA. The STAR Attestation offers thorough, unbiased third-party evaluations of cloud service providers. If it is not updated, the STAR Attestation will expire after a year.
  • STAR Certification – For ISO/IEC 27001: The security of a cloud service provider is rigorously evaluated by an impartial third party through the CSA STAR Certification. This technology-neutral certification makes use of the CSA Cloud Controls Matrix and the requirements of the ISO/IEC 27001:2013 management system standard. If not updated, this certification, just like ISO/IEC 27001, will expire after three years.

As the market and the need for cloud security is growing, Level 2 is the most dominant of the STAR levels. It combines the controls and best practices of one of the most widely used information security standards, ISO/IEC 27001, and CSA Cloud Controls Matrix, which is the exclusive Cybersecurity Control Framework that covers all aspects of cloud technology.

Who is it for?

The CSA STAR Certification is for every organization that provides cloud computing services, such as:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a service (SaaS)

CSA STAR Certification is important for these organizations and for their customers, as it helps prevent several security issues. The Cloud Security Alliance in their recent research declared that the number one security issue is insufficient identity, credentials, access, and key management, and it is followed by another 10 security issues. After identifying the top 11 threats, the committee analyzed in detail each of the threats and provided more information on who owns the security responsibility, where it might be found within the cloud stack, and the type of cloud service (SaaS, PaaS, IaaS, or SPI) model.

See Top 11 Threats

Benefits of CSA STAR Certification for Cloud Service Providers and Customers

  • Decreases the security risks for all parties involved, CSPs, customers, and data owners.
  • CSA STAR Certification allows CSPs and their customers to be more closely linked and more transparent to their security practices and protection of data.
  • Being CSA STAR-certified serves as a great advertising tool that can bring in new business and as a great differentiator between cloud vendors.
  • You get to be listed in the STAR Registry, which enables potential customers to find you as a CSP easily.
  • It eases the process of signing new partnership deals.
  • Reduces the data breach risk for CSPs and their customers.

ISO/IEC 27001:2013 + CSA STAR Certification

Having an ISO/IEC 27001 Certification together with a CSA STAR Certification is a great combination for CSPs to be in conformity with the best security practices there are.

It involves the requirements of the ISO/IEC 27001 standard and the CSA Cloud Controls Matrix (CCM) which consists of 197 control objectives that are constructed in 17 domains. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Incorporating the CSA’s CCM into an ISO/IEC 27001 certified organization’s information security management system (ISMS) boosts the organization’s ISMS as ISO/IEC 27001 presents the minimum-security requirements for CSPs. Thus, CSA STAR Certification is considered an added value. Furthermore, by being in conformity with the two, CSPs show that their security is built on a rigid assessment and exceeds expectations of data protection.

How do the combined audits work?

The assessment cycle of the CSA STAR Certification follows the same assessment cycle as ISO/IEC 27001.

If an organization adds the CSA STAR Certification to an already active ISO/IEC 27001, the total applicable control set is going to be audited on the initial visit. Whereas, for organizations that obtain both the ISO/IEC 27001 and CSA STAR Certification in parallel, the audit will include a 2-part initial assessment while including the requirements of both.

After the initial certification, surveillance audits will follow. During a 3-year period, these audits will go through all the requirements of ISO/IEC 27001 and the CSA STAR Certification.

What you need to get CSA STAR Level 2 certified?

In order for you to be eligible for CSA STAR Level 2 Certification, you must have or obtain an ISO/IEC 27001 certificate from an accredited certification body. The validity of a CSA STAR certificate is the same as that of the ISO/IEC 27001 certificate.

As per the CSA STAR Certification Program, the steps an organization needs to follow for Level 2 Certification are:

Step 1: The organization will need to complete a Level 1 Self-Assessment submission prior to applying for CSA STAR Certification. For this, the organization will need to download and fill out the Consensus Assessment Initiative Questionnaire (CAIQ). The CAIQ is the questionnaire associated with the Cloud Controls Matrix (CCM). The CAIQ provides a set of questions to determine if the CCM controls have been implemented.

Step 2: The organization must submit the completed CAIQ to the STAR Registry.

Step 3: The organization will need to prepare for the assessment against the Cloud Controls Matrix (CCM). Download the Cloud Controls Matrix (CCM) and be sure to read it and understand the content and requirements. You will have to comply with the controls to earn your certification.

Step 4: Choose a CSA Approved Assessment Firm to conduct your audit. They will provide you with details regarding pricing, audit days required and process. After the successful conclusion the certification body you select will submit your certification to the STAR Registry for you.

Step 5: Once your STAR Certifying Body makes your submission, both your certification body and the point of contact from your organization will receive a confirmation email.

Step 6: Promote your certification to potential customers by displaying the STAR Level 2 logo on your website. Oftentimes companies will create a page to display their badges and certifications and promote their certification with a hyperlink that goes directly to their submission.

GDPRSecurity as a ServiceSTAR

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024

CSA STAR Level 2: All About STAR Attestations and Certifications

Published: 03/23/2024

Cybersecurity Regulations and the Impact on Consumers

Published: 03/13/2024

Adhere to the EU Cloud CoC through the CSA

Published: 03/05/2024