CSA STAR Certification – Supporting Cloud Trust
Originally published by MSECB.
Written by Mark Lundin, MSECB.
Value of CSA STAR Certification for CSPs
Cloud Security Alliance (CSA) STAR Certification is a strong tool to help cloud service providers evaluate and improve their cybersecurity controls while certifying against a well-respected industry framework that was designed specifically for cloud computing, the Cloud Controls Matrix (CCM). CSA STAR Certification has gained solid adoption among cloud service providers of various sizes globally, and it is also very complementary to SOC 2, ISO/IEC 27001, and other security frameworks and standards used by cloud service providers.
For cloud service providers that are building their trust programs, the CCM is a good reference framework, and CSA STAR Certification can be helpful to address areas of enterprise customer and prospect focus. Highly mature cloud service providers with robust common control frameworks and security programs may also be well-positioned to add CSA STAR Certification to their trust programs, building upon completed self-assessments.
Importance of the CCM
Proactively developed when cloud computing was first gaining momentum, CCM has been maintained and refined over time by the CSA.
The current CCM version 4.05 is a solid set of cybersecurity requirements that are tailored to cloud computing and a significant enhancement over the prior version. Many organizations participate in the CSA, perform CCM self-assessments, use its guidance internally, and support their vendor security management programs with CSA’s Consensus Assessment Initiative Questionnaire (CAIQ), which is based on CCM. CCM has also been methodically mapped to a variety of other security frameworks, highlighting the commonalities and differences.
CSA STAR Certification Requirements
CSA STAR Certification requires and builds upon ISO/IEC 27001 certification. ISO/IEC 27001 establishes the core information security management system (ISMS) requirements and the supporting set of Annex A control objectives and controls. CSA STAR leverages the ISMS and adds a detailed set of 197 control specifications that are tailored to focus on cybersecurity topics that are highly relevant to cloud environments. Comparing the CCM controls with the corresponding ISO/IEC 27001:2013 Annex A controls, 35% are equivalent, 45% are more detailed, and 12% are unique, based on CSA’s analysis. As organizations adopt ISO/IEC 27001:2022, they will find a similar alignment between CCM and the Annex A controls.
The CCM requirements are organized into the 17 control domains listed below, and the current version incorporates important details, particularly for the topics marked with an asterisk.
- Audit and Assurance
- Application and Interface Security
- Business Continuity Management and Operational Resilience
- Change Control and Configuration Management
- Cryptography, Encryption and Key Management*
- Datacenter Security
- Data Security and Privacy Lifecycle Management*
- Governance, Risk and Compliance
- Human Resources
- Identity and Access Management
- Interoperability and Portability
- Infrastructure and Virtualization Security*
- Logging and Monitoring
- Security Incident Management, E-Discovery, and Cloud Forensics*
- Supply Chain Management, Transparency, and Accountability*
- Threat and Vulnerability Management*
- Universal Endpoint Management
CSA STAR Certification Audit Process
The CSA STAR certification audit process is comparable to the traditional ISO certification process, with some specific considerations. Like ISO/IEC 27701, ISO/IEC 27017, and ISO/IEC 27018, CSA STAR certification requires that ISO/IEC 27001 certification already be in place or be completed in parallel. The cloud service provider’s statement of applicability, security processes, and the auditor’s testing should consider both the ISO/IEC 27001 Annex A and CCM controls, noting that there are some common requirements. The audit process also provides maturity scoring by control domain, for internal purposes, to help identify areas for continuous improvement. The lead auditor must hold CSA’s Certificate of Cloud Security Knowledge (CCSK). At the conclusion of a successful certification audit, the CSA STAR certificate is issued in coordination with CSA, and the cloud service provider may be listed in CSA’s STAR Registry.