Cloud Security Alliance Publishes Guidelines for CSA STAR Attestation

Full specification for CPAs conducting independent cloud provider assessments using the AICPA SOC 2SM engagements plus CSA Cloud Controls Matrix

Seattle, WA – July 29, 2014 – The Cloud Security Alliance (CSA) and American Institute of CPAs (AICPA), today announced the release of official guidelines for CPAs in conducting Service Organization Controls (SOC) 2 engagements with the CSA’s Cloud Controls Matrix (CCM). Officially known as CSA Security Trust & Assurance Registry (STAR) Attestation, this specification for rigorous third party assessments of cloud providers, as well as additional program information, is available at

The CSA Attestation is the latest offering of Level 2 of the CSA STAR Program, a comprehensive set of offerings for cloud provider trust and assurance. STAR includes Level 1 Self-Assessment, which focuses upon transparency of security practices, and Level 3 Continuous Monitoring, which will be available in 2015. STAR Attestation provides a framework for a CPA to express an opinion on several key factors related to service description, control suitability and control effectiveness within the cloud provider’s systems.

“The AICPA is pleased to collaborate with CSA on STAR Attestation, which brings together best practices for Security Organization Control reporting via CPA-performed SOC 2 engagements, in conjunction with best practices specific to cloud security as covered by the CSA Cloud Controls Matrix. Security is of paramount importance in cloud computing, and the complementary frameworks put forth by AICPA and the CSA provide a comprehensive foundation for practitioners to follow in performing engagements in this space,” said Amy Pawlicki, AICPA Director of Business Reporting, Assurance and Advisory Services.

“Consumers have long looked to the CPA community as important stewards of trust as it relates to IT service providers,” said Jim Reavis, CEO of CSA. “As a result of our collaboration with the AICPA, both consumers and providers can count upon their CPAs to conduct SOC 2 engagements with leading edge security best practices for the cloud. STAR Attestation is a critical milestone in our effort to provide comprehensive trust in cloud computing.”

“SOC 2 has become a necessity for cloud providers serving enterprise customers,” said Mark Lundin, KPMG LLP’s Global SOC 2/SOC 3 Leader. “The combination of SOC 2 reporting with the industry recognized Cloud Controls Matrix represents a powerful option that cloud providers can now use to demonstrate the effectiveness of their controls as well as build fundamental trust with their customers. In working with some of the world’s largest cloud providers, we recognize that thorough SOC 2 reports represent a best practice, effectively showcasing the provider’s strategy to meet its customers’ evolving security and compliance needs.”

The objective and mission of CSA STAR Attestation is to improve trust in the cloud and in the Information and Communication Technology (ICT) market by offering transparency and assurance. It is based upon applicable criteria in Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP section 100), supplemented by the criteria in the Cloud Controls Matrix (CCM), and builds on the key strengths of SOC 2SM engagements performed in accordance with AT 101, Attest Engagements (AICPA, Professional Standards).

The guidelines for CPAs participating in the CSA STAR Attestation Program address the following:

  • Requirements for engagement and performance
  • Competency requirements
  • Scope of attestation
  • Criteria establishment and selection

“Cloud has been around for quite some time, but really in recent years, we are seeing increasing rate of cloud adoption. With the pressing needs from cloud customers for assurance, more and more organizations are seeking for and adopting international standards and best practices on cloud security, and many of them have come to us for attestation on CSA STAR, to give their customers independent assurance,” said Vincent Chan, Advisory Services Leader for Ernst & Young Hong Kong.

“The market acceptance of SOC 2 has been steadily increasing since the concept was introduced in 2011,” stated Chris Schellman, President of BrightLine CPAs & Associates, Inc., which completes more than 500 SOC examinations annually. “We believe that the STAR Attestation stands to complement the growing popularity of SOC 2 by providing additional subject matter related to security and content specific to cloud computing.”

The CSA STAR Program is designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is recognized by customers, providers, industries and governments around the world. Further information about CSA guidelines regarding STAR Attestation is available at

About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at, and follow us on Twitter @cloudsa.

Kari Walker for the CSA
ZAG Communications
[email protected]