The STAR Certification Journey
The CSA STAR Program is a powerful tool for security assurance in the cloud. It encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings. The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores STAR, CSA best practices, research, and associated technologies and tools.
This blog is the first in a series where we’ll be editing key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Willibert Fabritius, Global Head of Information Security and Business Continuity for BSI Group, about the road to Level 2 STAR Certification. He answers common questions, such as: What does it look like to earn a STAR Certification? What are the steps? What should I know if my company is interested?
Listen to the full podcast here.
ISO 27001 Audit Process
John DiMaria: Today I have the pleasure of interviewing a gentleman with a long history in information security and business continuity, Willie Frabritius. He’s the Global Head of Information Security and Business Continuity for BSI Group, has a master's degree in computer science/computer technology, has been in the business for 25 years, and is a subject matter expert in the field of management system implementation and certification. He also has a long list of accolades in terms of his lead auditor status.
Today we want to cover the subject of STAR certification. CSA has the STAR Attestation, which is based on SOC 2, and the STAR Certification, which is based on ISO 27001. BSI has been in the auditing business for quite some time, and particularly in regards to STAR certification. Most of our audience understands that STAR Certification is a program that's based on the ISO 27001 standard but they're sometimes not familiar with the process of ISO 27001 auditing itself. Let's provide a high-level explanation of how a typical 27001 engagement is planned and carried out.
Willibert Fabritius: The very first thing is that an organization needs to familiarize themselves with the requirements of the standard. And that may sound trivial, but unfortunately we’ve seen organizations that don't really understand what these requirements are, and I personally have encountered organizations that literally were under the impression that they could buy a certification, like they can buy some kind of gadget on the internet. Organizations really need to understand that they have the obligation to implement the management system fulfilling the requirements of the standard.
After understanding the requirements, organizations need to engage with a certification body. We would offer an optional pre-assessment where our assessors come in and verify that the system is implemented, but without any implications on the certification process. If your organization chooses not to go for a pre-assessment, that's fine.
After that, a Stage 1 and Stage 2 audit are required. During the Stage 1 audit, the assessors verify that the key processes are defined and implemented. For example, that a risk assessment or a risk assessment methodology has been defined, and that suitable controls have been identified and documented in the Statement of Applicability. Then, it would be verified that these controls identified in the Statement of Applicability are justified for either exclusions or inclusions based upon Annex A of the standard.
During Stage 2, the auditors come in and verify that these processes have been implemented effectively by looking for objective evidence.
Once a certification is granted, the certificate will be valid for three years. Two surveillance audits in years one and two will be required. After three years, a recertification audit is required. A recertification audit is a mini Stage 1 and Stage 2 audit, where the auditors spend about two-thirds of the initial audit time assessing the management system.
Now, in terms of how an audit would be executed, let's look at HR security as an example. The standard says that the organization shall conduct background checks and shall continuously educate their employees with regard to information security. So, the auditors would say, "Show me an example of a successful background check and an example of a not-successful background check." That way we understand that the organization is indeed conducting background checks.
ISO 27001 and STAR Certification
JD: How is the Cloud Controls Matrix weaved into the 27001 assessment to then meet the level of a STAR Certification?
WF: There seems to be a belief in the marketplace that there are two different assessments. It's not two different assessments, it's one assessment where the auditors would first verify if there’s a process in place. That's a binary decision. Yes/no. Is the process effective? Yes/no. This is what we do during an ISO 27001 assessment. During a STAR assessment, the auditors would go a step further. The auditors would verify the level of maturity. This assessment is done in parallel with the 27001 assessment. That then helps the organization get an independent assessment of the maturity of the management system. So, it's an integrated audit, where at the same time the auditors would verify that the requirements of 27001 are implemented, as well as assessing the maturity level according to the CCM.
JD: How is the maturity model applied? And I guess more importantly, how is that an advantage to certified organizations?
WF: Intuitively, we know what is important and what is not important. We measure the things that are important to us, but organizations are on a regular basis challenged with that. The very first thing an organization really needs to do is make sure that they are measuring their processes. They also need to benchmark their processes by the activities of other organizations. So the maturity model really allows an organization to have an assessment of their processes, telling the organization what the maturity level of that particular process or domain is, so then going forward the organization can make the educated decision to further enhance those weak processes.
JD: Of course, BSI offers STAR certification. And of course, just like anything else, I'm sure you get clients that come in and say, "I have all these other certifications," and are trying to understand how STAR Certification fits into their processes. Why should they do it? What’s the value of adding a STAR Certification?
WF: STAR certification allows an organization to assess the maturity of the information security management system. Therefore, it allows us to set priorities for further improvements and demonstrates that an organization is willing to improve. By having their certification posted on the CSA website, it demonstrates to the organization's clients that the organization is looking for transparency and accountability. Trust is very, very crucial.
Scope Fit for Purpose
JD: We also need to discuss the scope, which is extremely important because with 27001 in particular, people try to skirt the scope of what they're certifying so that they can say they're certified. With STAR, it's a mandate that your scope is fit for purpose.
WF: Yes, I’ve seen all kinds of scope statements where one could argue that it's even misleading. So I always use the example: let's say you’re an engine manufacturer for vehicles, and part of the engine is obviously valves. The client I was auditing was ordering or getting these valves from a supplier, of course. And the supplier was certified “for the distribution of engine valves.” Well, honestly, distribution is the least important part. The question is about the manufacturing and design of those belts. If you're an engine manufacturer, are you really interested in the distribution of the valves or the manufacturing of the valves?
In the information security world, we’ve seen all kinds of things as well. There's somebody who says, "we’re responsible for the information security management system for operating the physical security at a data center." Well, physical security is definitely important, but is it the most important thing when it comes to a data center? It's really important that an organization is reviewing whether their own scope is fit for purpose.
STAR Certification Timeline
JD: What's the time commitment for STAR certification in terms of actually going through the process and getting certified?
WF: I can interpret that question from two angles. I can interpret it as: how long does it take between the decision to implement a system, getting it implemented, and getting it certified? That really depends upon the organization size and complexity, but for a medium to small organization, I would say something like a year is reasonable.
If the question is related to the audit duration itself, that depends upon the size and complexity of the organization, and is fundamentally ruled by ISO 27006, which tells us the duration depending upon the number of people in scope.
JD: Well, that's great stuff. Willy, thank you very much.
To carry on this conversation, contact Willibert at [email protected]
Click here for more information regarding STAR certification and the different levels of STAR.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.