STAR Registry: Security on the Cloud Verified

Introducing CAIQ-Lite (Beta Version)

We are excited to announce the creation and launch of the Consensus Assessments Initiative Questionnaire (CAIQ) Lite. CAIQ-Lite can be accessed by CSA members for free on CSA as well as from our industry partner Whistic.

Based upon months of analyzing feedback, conducting research and testing, and applying proper weighting and selection, CSA and Whistic are collaboratively releasing CAIQ-Lite.

In order to accommodate the shift to cloud procurement models, CSA and Whistic identified the need for a streamlined assessment questionnaire to better arm cybersecurity professionals to efficiently engage their cloud vendors. CAIQ-Lite was developed to match the rapid pace inherent within the cybersecurity environment, placing increased importance on vendor security questionnaire adoption.

The whitepaper providing further detail on CAIQ-Lite is available for download here.


Below is a brief CAIQ-Lite overview:

  • 73 Questions
  • 16 Control Domains remain (CCM 3.0.1)
  • Leveraged panel of hundreds of IT security professionals
  • CSA Member testing & feedback
  • Whistic Customer testing & feedback
  • Utilization of proprietary scoring algorithm
  • Free CSA Member Access

Additionally, if you already have a CAIQ on STAR, a CAIQ-Lite will automatically be created on the Whistic Platform.

STAR for Cloud Service Providers

The Security, Trust, Assurance and Risk (STAR) registry is a cost-effective solution that decreases complexity while increasing trust and transparency. Demonstrate your adherence to security and privacy best practices to current and future customers by submitting to the registry.

Benefits for Cloud Service Providers

  • Accelerate sales cycle
  • Solidify position as a trusted provider of cloud services
  • Better build, establish and maintain a robust security program
  • Expand business by helping customers navigate secure cloud adoption
  • Be listed in a global database that is becoming the marketplace cloud users turn to when choosing providers

Enhance Industry Standards

Demonstrate increased cloud computing maturity via additional certification. If your organization is already compliant with one of the following you can use STAR to add on to previous compliance initiatives to make them specific to the cloud:

  • ISO27001
  • SOC 2
  • GB/T 22080-2008

Which Level of STAR is Right for Your Organization?

Figure: CSA STAR Open Certification Framework Diagram

The level you should pursue depends on the level of responsibility you have in the shared responsibility model and the levels of assurance and transparency you need to provide.

Level 1

  • Operating in a low-risk environment
  • Want to offer increased transparency into the security controls in place
  • Looking for a cost-effective way to improve trust and transparency

Level 2

  • Operating in a medium-high risk environment
  • Already hold the following: ISO27001, SOC 2, or GB/T 22080-2008
  • Looking for a cost-effective way to increase assurance for cloud security and privacy

Level 3

  • Operating in a high-risk environment
  • Want to offer a high level of transparency
  • Your organization is a full-service CSP

Your requirements may change depending on your risk level, along with associated regulations, contracts and mandates. If you need additional help, please feel free to contact us.

How to Get Started

  1. Download the Cloud Control Matrix (CCM) and read it; understand the content and requirements.
  2. Discover information on our website, including the CSA Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ) and Open Certification Framework.
  3. Utilize the self-assessment (CAIQ) tool to analyze where you are relative to the STAR requirements.
  4. Contact us to discuss next steps, how to best improve your business, and how to obtain the benefits of CSA and the STAR Registry.
  5. Submit to the STAR Registry.

STAR for Cloud Customers

Improve the security and privacy program within your organization. STAR lets you gain insight into the controls in place to protect your data. Assess both your internal level of assurance and the level of assurance offered by your cloud providers. Whether you have already moved to the cloud or are considering migrating in the near future, STAR can help you manage your security and privacy programs more effectively.

With STAR you can leverage:

  • The STAR registry as a trusted source of information on the security and privacy posture of CSPs. It enforces accountability and lets you build a coherent GRC program.
  • The STAR compliance program which lets you select the level of transparency and assurance you require from CSPs.
  • The STAR Foundation tools (CCM, CAIQ, GDPR CoC) to support your own GRC approach and ensure language alignment between you and your CSP.

STAR offers different levels of transparency & assurance. After you've selected the appropriate level for your organization you can check your cloud service provider's status in the STAR registry.

CSA STAR Levels and Scheme Requirements

Learn more about the requirements for the 3 levels of trust, transparency & privacy by downloading the guide to the CSA STAR Level and Scheme Requirements.

How to Get Started with STAR

Determine Level of Trust & Transparency Required

  • Low-Risk Organizations: Level 1 is a good place to start. If you decide later that you require greater assurance from your provider, you can ask them to complete Level 2.
  • Medium-Risk Organizations: Level 2 is good for organizations with a moderate amount of risk. You can request a self-assessment along with a third-party certification to provide your management with both transparency and assurance.
  • High-Risk Organizations: Level 3 is designed for organizations operating in high-risk environments (for example finance, healthcare and government). Continuous auditing offers the highest level of both transparency and assurance to keep your organization safe in the cloud.


Browse Registered Cloud Providers in the CSA STAR Registry

The CSA STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.


Resources & STAR Foundation Tools

STAR Foundation Tools

STAR is based upon the following CSA frameworks and tools. Click the links below to download these tools and start using them to improve your security and privacy program:

Free Vendor Risk Management Tool

The CSA-OneTrust VRM tool lets you automate the entire vendor management lifecycle, including onboarding and offboarding vendors, triaging vendors, populating vendor information and monitoring the vendor risk lifecycle, all while maintaining records for accountability and compliance purposes. It comes pre-populated with the STAR foundation tools.

Submit Complaint

Click the link below to submit a complaint for cloud service providers with inaccurate information listed on the STAR Registry.

STAR for Auditors & Consultants

With STAR you can grow your business as a leader in cloud-specific security and privacy assurance services. As a CSA STAR Auditor, you can build on existing auditing standards (SOC 2, ISO/IEC 27001, GDPR) with a cloud-specific overlay. As a CSA Global Consultant, you can help users and providers implement effective governance and compliance programs for the cloud.


STAR Benefits for Auditors

  • Build on existing certification and attestation standards (SOC 2, ISO/IEC 27001) with a cloud-specific overlay based on CSA best practices.
  • Remain current on cloud best practices, regulations and standards.
  • Build the future of compliance based on the continuous auditing approach.

STAR Benefits for Consultants

  • Expand business by helping customers successfully navigate secure and privacy compliant cloud adoption.
  • Extend offerings to include best practices that support trusted cloud environments.
  • Collaborate with clients as they explore new business models to grow their business.
  • Become a global consultant

Offer cloud providers a higher level of assurance through an independent third-party assessment.

STAR Certification

A technology-neutral certification leveraging the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix.

STAR Attestation

Based on type 1 or type 2 SOC attestations supplemented by the criteria in the Cloud Controls Matrix (CCM).

C-STAR Assessment

A third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards.

GDPR Code of Conduct Certification

The GDPR CoC Certification is a third-party certification assuring compliance of a CSP’s services to GDPR.


Leveraging STAR for Privacy & Security

Guide your customers in adopting the STAR Program for both privacy and security. STAR offers a complete program that covers both operational security (CCM/CAIQ) and privacy legal compliance (GDPR CoC).

  • Help your customer implement a governance, risk & compliance program based on CSA security and privacy best practices based on the CCM, CAIQ, and GDPR CoC.
  • Use the STAR registry to help your customers improve their vendor management/procurement process.
  • Offer your customers access to the free CSA-OneTrust Vendor Risk Management tool.


Become a Security Assessment Firm

Are you interested in partnering with CSA to offer third-party certifications or attestations? Read the following documents to get started:

Then contact us to learn more about becoming a STAR approved auditor or certification body.

Become a GDPR Assessment Firm

Ensure your organization understands the principles of CSA GDPR CoC and the roles individuals in your organization will need to play. Then contact us to discuss the next steps in becoming a CSA GDPR assessment firm.


Validating Authenticity of STAR Registry Files

File attachments in the CSA STAR Registry are compressed and digitally signed with gpg (GnuPG) 2.2.3. The key below can be used to verify each file's authenticity; compare the fingerprint of the imported key with the one listed here before trusting any signature.

Signature Details

Username: "CloudSecurityAlliance STARWatch"
Fingerprint: 0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6

-----BEGIN PGP PUBLIC KEY BLOCK-----


-----END PGP PUBLIC KEY BLOCK-----
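As an added example (not CSA's own tooling), the following POSIX shell script shows how a downloader would act on the signing details above: it imports the published key block, confirms that the imported key carries the fingerprint printed on this page, and accepts a registry file only when gpg reports a VALIDSIG status line from that pinned key, since gpg's exit status alone is also zero for a good signature from an unrelated key. The key file name star-pubkey.asc and the <file>.sig naming of the detached signature are assumptions, and the status lines embedded in the script are constructed test data, not output captured from the registry.

```shell
#!/bin/sh
# Added example, not CSA's own tooling: check a STAR Registry download against
# the key fingerprint published on the page instead of trusting gpg's exit
# status alone. A good signature from the wrong key also exits 0, so the
# decision is made on the VALIDSIG status line and the pinned fingerprint.

# Fingerprint exactly as printed on the page.
EXPECTED_FPR="0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6"

# Strip spaces and upper-case hex so the page's grouped form and gpg's compact
# form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed only if the gpg status output names the expected key in a VALIDSIG
# line. Field 3 is the fingerprint of the signing (sub)key and the last field
# is the primary key fingerprint; the published one may be either.
status_has_validsig() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Import the armored key block from the page (saved as star-pubkey.asc, an
# assumed file name) and confirm that the imported key really carries the
# published fingerprint (--with-colons "fpr" records hold it in field 10).
import_and_pin_key() {
    want=$(normalize_fpr "$EXPECTED_FPR")
    gpg --batch --import "$1" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint "$want" 2>/dev/null |
        awk -F: -v want="$want" '$1 == "fpr" && $10 == want { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Verify one download. Assumes a detached signature beside the file as
# <file>.sig; pass the real signature path as the second argument if the
# registry names it differently.
verify_registry_file() {
    file="$1"
    sig="${2:-$file.sig}"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    status_has_validsig "$status" "$EXPECTED_FPR"
}

# Constructed status output in the --status-fd format, used to exercise the
# parser offline; these lines were not captured from the registry.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D9C7ECF07A8241C6 CloudSecurityAlliance STARWatch
[GNUPG:] VALIDSIG 0795549594D10ACF2F9B3EC1D9C7ECF07A8241C6 2020-01-01 1577836800 0 4 0 1 8 00 0795549594D10ACF2F9B3EC1D9C7ECF07A8241C6
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG D9C7ECF07A8241C6 CloudSecurityAlliance STARWatch'
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 placeholder signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-01-01 1577836800 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Usage: sh verify-star.sh --verify <downloaded-file> [signature-file]
if [ "${1:-}" = "--verify" ] && [ -n "${2:-}" ]; then
    import_and_pin_key "${STAR_KEYFILE:-star-pubkey.asc}" || { echo "pinned fingerprint mismatch"; exit 2; }
    if verify_registry_file "$2" "${3:-}"; then
        echo "OK: $2 carries a valid signature from the pinned STAR key"
    else
        echo "FAIL: $2 is unsigned, tampered, or signed by another key"
        exit 1
    fi
fi
```

The fingerprint check after import matters because a key block fetched over the network could be swapped for another key with the same user ID; the 40-hex-digit fingerprint printed on the page is the value to pin, not the name "CloudSecurityAlliance STARWatch".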

The industry's most powerful program for security assurance in the cloud.

The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR demonstrate their adherence to best practices and validate the security posture of their cloud offerings.

The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.

STAR Continuous

STAR Continuous is the continuous compliance assessment program for cloud services. It promotes trust by ensuring that a cloud service’s necessary security and privacy requirements are continuously met.

Improving on the traditional point-in-time certification, STAR Continuous increases both trust and transparency. A cloud security certification is granted to a cloud service on the trust that its security posture is maintained between audits. However, point-in-time audits often leave a considerable gap between one audit and the next; by adopting continuous auditing with an increased audit frequency, the chance that the security posture drifts between audits decreases. This empowers cloud service providers to make precise statements on the compliance status of the cloud services covered by the continuous audit process, achieving an "always up-to-date" compliance status.

A STAR Level 1 Self-Assessment has a validity of 12 months, after which the self-assessment documentation shall be re-submitted. All submissions of self-assessment documentation will be visible in the STAR Registry, and non-current documentation will be marked as “deprecated”.

Learn more about how to implement STAR Continuous within your organization or for your cloud service provider by downloading the Technical Guidance or Client Brochure.

Open Certification Framework

The STAR Program is founded on the Open Certification Framework displayed below. The framework provides a flexible, incremental and multi-layered cloud provider certification according to CSA’s industry leading security guidance and control objectives.

Figure: CSA STAR Open Certification Framework Diagram

Self-assessment - CSA STAR Level 1

CSA STAR Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ), or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.

GDPR Code of Conduct Self-Assessment

The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:

The Code Self-Assessment covers the compliance to GDPR of the service(s) offered by a CSP. After the publication of the relevant document on the Registry, a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.

Third Party Certification - CSA STAR Level 2

Level 2 of STAR allows organizations to build on other industry certifications and standards to make them specific to the cloud.

CSA STAR Attestation

CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third-party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.

CSA STAR Certification

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.

CSA C-STAR Assessment

The CSA C-STAR Assessment is a robust third-party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.

GDPR Code of Conduct Certification

The GDPR CoC Certification is a third-party certification assuring compliance of a CSP's services to GDPR, based on the CSA Code of Conduct for GDPR.

After the publication of the relevant document on the Registry a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.

Full Cloud Assurance and Transparency - CSA STAR Level 3

If your organization operates in a high-risk environment, then we recommend pursuing STAR Level 3.

CSA STAR Continuous Monitoring

CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Each level of STAR has a continuous monitoring option to offer increased transparency on a regular basis. It provides the opportunity to frequently (monthly) update a self-assessment and supports a third party based certification (e.g. STAR Certification) with additional, regularly updated information on the CSP security posture. Providers publish their security practices according to CSA specifications, which customers and tool vendors can then retrieve and present in a variety of contexts.

Increasing the reliability of results, transparency and ease of use of the CSP's assurance reports is a competitive advantage in today's environment. However, in the near future this will be a barrier to entry for those who have not made the investment. If you are a cloud service provider that will hold sensitive corporate data, must be compliant with GDPR, or provides business-critical applications, having a comprehensive story around how the data and systems are protected, and having that story validated by an independent audit, will reduce the apprehension customers have about moving their business to you.

Learn more about how STAR can help your organization by downloading the Client Brochure. For more details on the specifications for implementing STAR Continuous download the STAR Technical Guidance.


Add your Service to the CSA STAR Registry

CSA STAR is open to all Cloud Providers

Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security and privacy practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.

Companies can be listed on the STAR Registry by submitting their STAR Self-Assessment or Code of Conduct for GDPR Compliance Self-Assessment (Level 1) and/or their third-party certification (Level 2).

For more information about the CSA STAR Program please see:

For more information about the Code of Conduct for GDPR Compliance please see:

Ready to Submit?

For Cloud Service Providers

  • Proceed below to submit your CSA STAR Level 1 submission.
  • CSA STAR Level 2 Attestation requires completion of the STAR Attestation Template.

