What is CSA STAR Certification and Why it is Important for ISO/IEC 27001 Certified Organizations?
This blog was originally published by MSECB here.
What is CSA STAR Certification?
Building security and data protection into the DNA of an organization’s management system and operations is very important considering the intensive use of cloud computing by all organizations nowadays.
CSA STAR (Security, Trust, Assurance, and Risk) Certification presents a strong proof of a cloud service provider’s security practices. By obtaining the CSA STAR Certification, Cloud Service Providers (CSPs) show to their clients that they are using best practices to protect data in cloud applications.
The CSA STAR program has two levels of certification/attestation:
Level 1: Self-Assessment
- Security Self-Assessment: The CSA STAR Self-Assessment is free of charge and lists the security measures offered by various cloud computing offerings. Thus, it helps users evaluate the security of cloud providers they now use or are considering using.
- GDPR Self-Assessment: The CSP’s services that follow the CSA GDPR Code of Conduct attest to their compliance to GDPR of the service(s) offered by a CSP. An organization will be issued a Compliance Mark that is effective 1 year after the publication of the pertinent document on the Registry.
Level 2: Third-Party Audit
- STAR Attestation – For SOC 2: As a collaboration between CSA and the AICPA, the CSA STAR Attestation offers guidelines for CPAs to conduct SOC engagements through the applied criteria from the AICPA (Trust Service Principle, AT 101) and the Cloud Controls Matrix of CSA. The STAR Attestation offers thorough, unbiased third-party evaluations of cloud service providers. If it is not updated, the STAR Attestation will expire after a year.
- STAR Certification – For ISO/IEC 27001: The security of a cloud service provider is rigorously evaluated by an impartial third party through the CSA STAR Certification. This technology-neutral certification makes use of the CSA Cloud Controls Matrix and the requirements of the ISO/IEC 27001:2013 management system standard. If not updated, this certification, just like ISO/IEC 27001, will expire after three years.
As the market and the need for cloud security is growing, Level 2 is the most dominant of the STAR levels. It combines the controls and best practices of one of the most widely used information security standards, ISO/IEC 27001, and CSA Cloud Controls Matrix, which is the exclusive Cybersecurity Control Framework that covers all aspects of cloud technology.
Who is it for?
The CSA STAR Certification is for every organization that provides cloud computing services, such as:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a service (SaaS)
CSA STAR Certification is important for these organizations and for their customers, as it helps prevent several security issues. The Cloud Security Alliance in their recent research declared that the number one security issue is insufficient identity, credentials, access, and key management, and it is followed by another 10 security issues. After identifying the top 11 threats, the committee analyzed in detail each of the threats and provided more information on who owns the security responsibility, where it might be found within the cloud stack, and the type of cloud service (SaaS, PaaS, IaaS, or SPI) model.
Benefits of CSA STAR Certification for Cloud Service Providers and Customers
- Decreases the security risks for all parties involved, CSPs, customers, and data owners.
- CSA STAR Certification allows CSPs and their customers to be more closely linked and more transparent to their security practices and protection of data.
- Being CSA STAR-certified serves as a great advertising tool that can bring in new business and as a great differentiator between cloud vendors.
- You get to be listed in the STAR Registry, which enables potential customers to find you as a CSP easily.
- It eases the process of signing new partnership deals.
- Reduces the data breach risk for CSPs and their customers.
ISO/IEC 27001:2013 + CSA STAR Certification
Having an ISO/IEC 27001 Certification together with a CSA STAR Certification is a great combination for CSPs to be in conformity with the best security practices there are.
It involves the requirements of the ISO/IEC 27001 standard and the CSA Cloud Controls Matrix (CCM) which consists of 197 control objectives that are constructed in 17 domains. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.
Incorporating the CSA’s CCM into an ISO/IEC 27001 certified organization’s information security management system (ISMS) boosts the organization’s ISMS as ISO/IEC 27001 presents the minimum-security requirements for CSPs. Thus, CSA STAR Certification is considered an added value. Furthermore, by being in conformity with the two, CSPs show that their security is built on a rigid assessment and exceeds expectations of data protection.
How do the combined audits work?
The assessment cycle of the CSA STAR Certification follows the same assessment cycle as ISO/IEC 27001.
If an organization adds the CSA STAR Certification to an already active ISO/IEC 27001, the total applicable control set is going to be audited on the initial visit. Whereas, for organizations that obtain both the ISO/IEC 27001 and CSA STAR Certification in parallel, the audit will include a 2-part initial assessment while including the requirements of both.
After the initial certification, surveillance audits will follow. During a 3-year period, these audits will go through all the requirements of ISO/IEC 27001 and the CSA STAR Certification.
What you need to get CSA STAR Level 2 certified?
In order for you to be eligible for CSA STAR Level 2 Certification, you must have or obtain an ISO/IEC 27001 certificate from an accredited certification body. The validity of a CSA STAR certificate is the same as that of the ISO/IEC 27001 certificate.
As per the CSA STAR Certification Program, the steps an organization needs to follow for Level 2 Certification are:
Step 1: The organization will need to complete a Level 1 Self-Assessment submission prior to applying for CSA STAR Certification. For this, the organization will need to download and fill out the Consensus Assessment Initiative Questionnaire (CAIQ). The CAIQ is the questionnaire associated with the Cloud Controls Matrix (CCM). The CAIQ provides a set of questions to determine if the CCM controls have been implemented.
Step 2: The organization must submit the completed CAIQ to the STAR Registry.
Step 3: The organization will need to prepare for the assessment against the Cloud Controls Matrix (CCM). Download the Cloud Controls Matrix (CCM) and be sure to read it and understand the content and requirements. You will have to comply with the controls to earn your certification.
Step 4: Choose a CSA Approved Assessment Firm to conduct your audit. They will provide you with details regarding pricing, audit days required and process. After the successful conclusion the certification body you select will submit your certification to the STAR Registry for you.
Step 5: Once your STAR Certifying Body makes your submission, both your certification body and the point of contact from your organization will receive a confirmation email.
Step 6: Promote your certification to potential customers by displaying the STAR Level 2 logo on your website. Oftentimes companies will create a page to display their badges and certifications and promote their certification with a hyperlink that goes directly to their submission.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.