Why Your Cloud Services Need the CSA STAR Registry Listing

Originally published by CAS Assurance.

What is the CSA STAR Registry?

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry maintained by CSA and it documents the security, privacy and compliance postures of the cloud services offered by the Cloud Service Providers (CSPs) listed in the Registry. Maintaining the Registry as an independent body, CSA provides a reasonable level of public trust in the reliability of information provided in the registry by Cloud Service Providers.

What purposes does the STAR Registry serve?

The Registry serves important purposes in the industry, both for CSPs and their customers (current and prospective).

• The Registry provides transparent and easily accessible information on CSPs' security commitments and security assurance capabilities for the services they offer.
• It provides transparent, clarifying, and easily accessible information on the shared security responsibilities between CSPs and cloud service customers concerning the cloud services being offered.
• The Registry provides a central platform maintained by an independent body (CSA) for CSPs to demonstrate the security capabilities of their cloud services, and for current and prospective cloud service customers to review those documented security capabilities and responsibilities.
• Listing at Level 2 of the Registry provides access to information on third party independent attestation or certification of CSP’s security capabilities based on the globally acclaimed cloud focused CCM framework plus either the AICPA TSC for SOC 2 or the ISO/IEC 27001 management system standard.

How is listing in the STAR Registry achieved?

There are two levels of listing in the Registry – Level 1 and Level 2.

Level 1. Achieving Level 1 listing is through a self-assessment process that requires the CSP to complete and submit the CSA Consensus Assessments Initiative Questionnaire (CAIQ). Completing the CAIQ documents the level to which a CSP security capabilities comply with the control specifications of the CSA Cloud Controls Matrix (CCM) Framework. The current version of the CAIQ that is acceptable for listing is Version 4. The questions require Yes/No answers.

Level 1 listing can also be achieved by a CSP to demonstrate their cloud services compliance with the GDPR requirements. The privacy self-assessment questionnaire is based on the CSA Code of Conduct for GDPR Compliance. A Level 1 listing for both security and privacy is valid for a 12 month period.

Level 2. Achieving Level 2listing requires a third party independent attestation or certification of the CSP’s security controls compliance with the CCM security control specifications plus either:

• the requirements of the AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (SOC 2 attestation), or
• the requirements of ISO/IEC 27001:2013 management system standard (ISO27001 Certification).

There is also a Level 2 listing specifically for the Greater China market, referred to as C-STAR. This also requires a third party independent assessment of the CSP’s security controls compliance with the requirements of the GB/T 22080-2008 management system standard and the CCM, plus additional related controls from GB/T 22239-2008 and GB/Z 28828-2012.

Level 2 Attestation and Certification are performed only by approved STAR auditors. A STAR Attestation based on SOC 2 type 2 report is valid for 12 months, while an attestation based on SOC 2 type 1 report is valid for only six months. A STAR Certification (i.e., ISO27001 + CCM) is valid for a three year period, but requires surveillance visits within the three year cycle.

What are the benefits of listing in the STAR Registry?

There are obvious benefits of being listed in the Registry, both for you as CSP and for your cloud service customers. Here are a few of those benefits:

• Listing in the Registry can serve as a big market differentiator, allowing a CSP to showcase their security capabilities and compliance posture to provide reasonable level of assurance and comfort to current and potential customers in a transparent manner.
• It affords potential customers performing their due diligence on your cloud services an easy access to needed information related to your security and compliance capabilities.
• It streamlines the process of providing security and compliance capabilities information to multiple prospective customers without having to complete multiple customers questionnaires.
• It demonstrates to current and prospective customers your adherence to and value for best practices related to security and privacy.