How is CSA STAR Different From ISO 27001 and SOC 2?
The STAR Registry lists cloud solution providers and security providers that have earned a cloud compliance certification from CSA or submitted a cloud security self-assessment questionnaire. While STAR Level 1 is a basic Yes/No or N/A question set to self-declare your compliance with the Cloud Control Matrix (CCM), STAR Level 2 or third-party assessment builds off of the requirements in ISO/IEC 27001 and SOC 2 by assessing an organization against the CCM additional cloud-specific criteria.
Organizations and their associated services are all listed in the registry. For each service, the registry indicates whether they completed a self-assessment or a third-party audit or attestation. This allows cloud consumers to easily assess the cloud security posture of multiple service providers based on the same criteria provided by CSA.
STAR vs. SOC 2 and ISO/IEC 27001
Attestation and certifications from CSA STAR can be used to build off of existing information security certification and audit programs. This reduces complexity and allows organizations to assess their compliance to information security standards and cloud security standards at the same time. Below we explain how STAR is different from two popular compliance programs - ISO/IEC 27001 and SOC 2.
How is STAR different from SOC 2?
The CSA STAR Attestation is actually a combination of SOC 2 plus additional cloud security criteria from the CSA CCM. It provides guidelines for CPAs to conduct the SOC 2 engagements using criteria from both the AICPA (Trust Service Principles, AT 101) and additional cloud-specific criteria from the CSA Cloud Controls Matrix.
How is STAR different from ISO/IEC 27001?
Similarly, the CSA STAR Certification leverages the regular requirements of the ISO/IEC 27001:2013 management system standard together with the cloud-specific requirements from the CSA Cloud Controls Matrix. In addition, the STAR Certification path includes a maturity model assessment that measures the maturity of the organization against CSA’s proprietary maturity model criteria pointing out the strengths and weaknesses of the processes using the CCM domains as the measurables. This is an internal report for the client only and facilitates the continual improvement process.
If you are interested in learning more or have additional questions, you can reach out to us at [email protected].