CSA STAR Certifications: What are They?
Published 11/03/2023
The CSA Security, Trust, Assurance, and Risk (STAR) program is the largest cloud assurance program in the world that constitutes an ecosystem of the best practices, standards, technology, and auditing partners. Any organization operating or providing cloud services can benefit from completing the certifications under the STAR program. These certifications are based on the Cloud Controls Matrix (CCM), the STAR program’s framework of essential cloud security controls. In this blog, learn more about the various STAR certifications and what’s required to complete them.
What are the certifications under the STAR program?
Under the STAR program, CSA offers various certifications to assess and validate the security practices of cloud service providers. These certifications are designed to enhance transparency and build trust between cloud service providers and their customers. They are divided into two basic levels:
- Level 1: self-assessment (self-attestation)
- Level 2: third-party certification or attestation
What is STAR Level 1?
STAR Level 1 is a complimentary offering. At Level 1, organizations evaluate and document the security controls that apply to their organization using the Consensus Assessment Initiative Questionnaire (CAIQ), a framework that helps organizations assess the security capabilities of cloud service providers with a standardized set of questions. Completed CAIQs are submitted to the STAR Registry. This information then becomes publicly available, providing customer visibility into specific provider security practices.
Organizations should pursue Level 1 if they are:
- Operating in a low-risk environment
- Wanting to offer increased transparency around the security controls they have in place
- Looking for a cost-effective way to improve trust and transparency
What is STAR Level 2?
STAR Level 2 consists of two different third-party independent assessments: STAR Certification and STAR Attestation. The Code of Practice for Implementing STAR Level 2 guide explains the practical steps to earn a STAR Certification or Attestation. There are associated fees for STAR Level 2.
The STAR Certification is a technology-neutral certification that leverages the requirements of the ISO/IEC 27001 management system standard together with CCM. STAR Certification certificates follow normal ISO/IEC 27001 protocol.
The STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA and CCM. For international engagements outside the US, ISAE 3000 is the equivalent and acceptable.
Organizations should pursue Level 2 if they are:
- Operating in a medium- to high-risk environment
- Already holding or adhering to ISO 27001 or SOC 2 (or ISAE 3000)
- Looking for a cost-effective way to increase assurance for cloud security and privacy
What are the scopes of the certificates?
Both STAR Level 1 and Level 2 focus on cloud services. A typical scope should include the following:
- List of processes and services included
- List of departments or other organizational units included
- List of physical locations included
- Exclusions
What are the prerequisites for obtaining a certificate?
For STAR Level 1, there are no prerequisites. For Level 2, the prerequisite is to have STAR Level 1. Additionally, organizations seeking STAR Level 2 typically need a certain level of security controls already in place.
What types of organizations receive STAR certificates?
CSA STAR is intended for various types of cloud services, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) providers, as well as managed security service providers and other cloud-related services.
Who issues the certificates?
STAR assessments are typically conducted by CSA-accredited third-party assessors trained to evaluate an organization's security controls against CCM. The requirements and guidelines for STAR Auditors can be found on the CSA website:
- Flowchart for Becoming a CSA STAR Accredited Assessment Firm
- Auditors Guidance Document STAR Certification: Auditing the Cloud Controls Matrix
- Guidelines for CPAs Providing CSA STAR Attestation v3
- Requirements for Bodies Providing STAR Certification
What are the certificate validity periods?
STAR Self-Assessments (Level 1) are valid for one year. STAR Certifications (Level 2) are valid for three years. During the validity period, surveillance audits are conducted once a year, with a recertification performed in the third year. STAR Attestation (Level 2) is valid for one year, at which time a complete re-evaluation is performed.
Learn more about the STAR program and STAR certifications here.