Security, Trust, Assurance and Risk (STAR)

The industry's most powerful program for security assurance in the cloud.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

Learn more about the different STAR assessments and certifications available below.


CSA Trusted Cloud Providers

Organizations listed as CSA Trusted Cloud Providers in the registry are CSA Corporate Members that have also fulfilled additional training and volunteer requirements with CSA. Fulfilling these requirements demonstrates a commitment to the professional development of their employees to achieve cloud security competency, and a commitment to the industry at large.

Levels of STAR

There are multiple levels of assurance for companies that submit to the STAR registry, and each level has a different set of requirements. The following information is also available for download as a PDF.

Level 1: Self-Assessment

At level one, organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls. Privacy assessment submissions are based on the GDPR Code of Conduct.

Who should pursue level one?

Organizations should pursue this level if they are...

  • Operating in a low-risk environment
  • Wanting to offer increased transparency around the security controls they have in place
  • Looking for a cost-effective way to improve trust and transparency

Variations of Level 1

Security Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. STAR Self-Assessments are updated annually.

GDPR Self-Assessment

The Code Self-Assessment covers the compliance with GDPR of the service(s) offered by a CSP. After the relevant document is published on the Registry, the company receives a Compliance Mark valid for 1 year. The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:

The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.

Level 2: Third-Party Audit

Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.

Organizations looking for a third-party audit can choose one or more of the security and privacy audits and certifications. An organization’s location, along with the regulations and standards it is subject to, will be the greatest factor in determining which ones are appropriate to pursue.

Which organizations should pursue level 2?

Organizations should pursue this level if they are...

  • Operating in a medium- to high-risk environment
  • Already holding or adhering to one of the following: ISO 27001, SOC 2, GB/T 22080-2008, or GDPR
  • Looking for a cost-effective way to increase assurance for cloud security and privacy

There are associated fees for STAR Level 2. CSA Corporate Members receive a price reduction on STAR Level 2 certifications and attestations.

Variations of Level 2

STAR Attestation: For SOC 2

The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. The STAR Attestation provides for rigorous, independent third-party assessments of cloud providers. Attestation listings expire after one year unless updated.


STAR Certification: For ISO/IEC 27001:2013

The CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certificates follow the normal ISO/IEC 27001 protocol and expire after three years unless updated.


C-STAR: For the Greater China Market

The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certificates expire after three years unless updated.


Industry Support

STAR Podcast

Listen to case studies and interviews with organizations that have submitted to the STAR registry or used it to improve vendor procurement within their organization. In this series we interview vendors and solution providers as well as customers looking for secure solutions. You can learn firsthand what it takes to earn a STAR certification or attestation, what the process entails, and how it provides value to future customers.

STAR-Enabled Solutions

STAR-Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services sold to the public. Examples of STAR-Enabled products and services are software-based products (such as third-party risk assessment solutions) and services such as consultancy assessment methodologies, audits, and evaluation approaches. Please contact us to learn more about becoming a STAR-Enabled Solution.
