The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.
Learn more about the different STAR assessments and certifications available below.
CSA Trusted Cloud Providers
Organizations listed as CSA Trusted Cloud Providers in the registry are CSA Corporate Members that have also fulfilled additional training and volunteer requirements with CSA. Fulfilling these requirements demonstrates a commitment to the professional development of their employees to achieve cloud security competency, and a commitment to the industry at large.
Levels of STAR
There are multiple levels of assurance for companies that submit to the STAR registry. Each level has a different set of requirements. You can also download the following information as a PDF here.
Level 1: Self-Assessment
At level one, organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls. The privacy assessment submissions are based on the GDPR Code of Conduct.
Who should pursue level one?
Organizations should pursue this level if they are...
- Operating in a low-risk environment
- Wanting to offer increased transparency around the security controls they have in place
- Looking for a cost-effective way to improve trust and transparency
Variations of Level 1
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. STAR Self-Assessments are updated annually.
The CAIQ v4 has two versions:
- CCM + CAIQ v4: The CAIQ v4 bundled with CCM here is intended to be used as a reference only. You cannot use the spreadsheet that contains both the CAIQ and CCM to submit to the registry.
- STAR Level 1: Security Questionnaire (CAIQ v4): Use this version of CAIQ v4 to fill out and submit to the STAR registry.
*Starting in July 2022 CSA will no longer be accepting CAIQ v3.1. You can learn more about the transition timeline from CAIQ v3.1 to v4 in this blog.
The Code Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. After publication of the relevant document on the Registry, a company will receive a Compliance Mark valid for 1 year. The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:
- Code of Conduct Statement of Adherence
- PLA Code of Practice (CoP) Template - Annex 1 self-assessment results
The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.
Level 2: Third-Party Audit
Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.
Organizations looking for a third-party audit can choose from one or more of the security and privacy audits and certifications. An organization’s location, along with the regulations and standards it is subject to, will be the greatest factor in determining which ones are appropriate to pursue.
Which organizations should pursue level 2?
Organizations should pursue this level if they are...
- Operating in a medium- to high-risk environment
- Already holding or adhering to the following: ISO27001, SOC 2, GB/T 22080-2008, or GDPR
- Looking for a cost-effective way to increase assurance for cloud security and privacy
There are associated fees for STAR Level 2. CSA Corporate Members receive a price reduction on STAR Level 2 certifications and attestations.
Once you are ready to earn STAR Level 2, read the Code of Practice for Implementing STAR Level 2. This guide explains both the practical steps and the overall strategy you will need to implement to earn a STAR Certification or Attestation.
Variations of Level 2
STAR Attestation: For SOC 2
The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. The STAR Attestation provides for rigorous third party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.
STAR Certification: For ISO/IEC 27001:2013
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.
C-STAR: For the Greater China Market
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.
Coalfire and Coalfire Certification, the accredited certification body arm of Coalfire, began offering STAR™ attestation and certification services as part of its product catalog in response to increasing customer requests. As part of feedback reviews, Coalfire determined that many of our clients were seeking guidance pertaining to assurance programs that would address compliance in the cloud. While other baseline security standards can be vague when addressing shared responsibilities between the cloud provider and cloud user, the Cloud Controls Matrix (CCM) understands that relationship and enforces design requirements for both parties before rating the degree of conformity for any given objective.
Vice President, Coalfire
The STAR program is the absolute benchmark on cloud provider security -- covering a full range of aspects together in a leveled scale, allowing cloud providers to differentiate on their cloud security in a transparent manner. Ultimately, transparency at the cloud provider communicates the risks faced by the cloud user to the cloud user, which in turn enables the cloud user to prioritize resources in fulfilling their own requirements and responsibilities. The STAR program effectively facilitates a better relationship between cloud providers and cloud users: this is a unique aspect that cannot be replicated by other cloud security schemes.
Founder and CEO, Ribose Inc.
CSA STAR Certification is an assurance framework, enabling cloud service providers to embed cloud-specific security controls. The maturity model brings a continual focus on addressing the changing risk of this technology, which aligns with BSI's commitment to helping clients make excellence a habit. Our work with the CSA helps us drive the cloud security agenda and ensure STAR Certification remains aligned with the fast-moving industry developments.
Global Product Champion, Information Security, Business Continuity, BSI Group
Listen to case studies and interviews with organizations that have submitted to the STAR registry or used it to improve vendor procurement within their organization. In this series we interview both vendors and solution providers as well as customers looking for secure solutions. You can learn first hand what it takes to earn a STAR certification or attestation, what the process entails, and how it provides value to future customers.
STAR-Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services that are sold to the public. Examples of STAR-Enabled products and services are software-based products (such as third-party risk assessment solutions) or services such as consultancy assessment methodologies, audits, and evaluation approaches. Please contact us to learn more about becoming a STAR-Enabled Solution.