CSA STAR: The Future of Cloud Trust and Assurance

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards. STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.

STAR consists of three levels of assurance, which currently cover four unique offerings all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA’s Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.

The STAR program includes a complimentary registry that documents the security controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions.

CSA STAR is based upon two key research components of the CSA GRC Stack:

Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.


The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM , the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.



OCF Structure

LEVEL ONE: CSA STAR Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed The Consensus Assessments Initiative Questionnaire (CAIQ), or to submit a report documenting compliance with Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.



CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.


LEVEL TWO: CSA STAR Certification

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix.



The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.


LEVEL THREE: CSA STAR Continuous Monitoring

Currently under development, CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.


Key Links & Resources

STAR Overview PDF

The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.

Release Date: April 20, 2015

For More Information

General Inquiries: [email protected]

CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors

CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors


If you have not been redirected after 3 seconds, please click here.

Add your Service to the CSA STAR Registry

CSA STAR is open to all Cloud Providers

Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.

The CSA STAR Information Center provides an FAQ, Support Forum and more.

Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:

Submitting Reports to CSA is Simple

Fill out the form below and attach any supporting security control documents. Please request the STAR Entry Template from CSA at [email protected]. When you are finished, click the “Submit my Entry” button. We will review your submission for accuracy and follow up via email to verify. If you have questions about your submission, please contact [email protected].

CSA STAR Registry Terms and Conditions

Your submission is subject to the CSA STAR Terms and Conditions. We encourage you to review these Terms and Conditions, which govern your use of the CSA STAR Registry.

STAR Registry Entry Submission

Notice: All of the fields in this form are required.

Contact Name

Contact Email

Billing Contact

Billing Address


Organization Name

Organization Public Email

Organization Website

Organization Description

Cloud Service

Cloud Service Name

Cloud Service Website

Cloud Service Description

Supporting Security Control Document(s)

STAR Registry Entry Type

For Level 2 Certification and C-STAR, it is mandatory to attach the STAR Entry Template. CSA recommends to also attach the STAR Certification or C-STAR Certificate. The Audit report should NOT be submitted.

For Level 2 Attestation ONLY, the STAR Entry Template is required. The Audit report should NOT be submitted.

Attach your File(s)

Types permitted: pdf, txt, xls, xlsx, doc, docx, zip, ods

Primary Document

Supporting Document (optional)

I have a pre-existing STAR Registry Entry and would like to attach this submission to my pre-existing entry.
By submitting this form, I agree to the STARWatch Terms and Conditions and the Cloud Security Alliance Website Terms and Conditions.

Read our STAR Terms and Conditions here and our CSA Terms and Conditions here.

If you have difficulty using this form, please contact: [email protected]

STAR Registry Entries

ALL | 0-9 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z