CSA Security Trust Assurance and Risk (STAR)

Security on the Cloud Verified.


Cloud Service Providers

STAR enables solution providers to validate their cloud security and offer proof to current and future customers of the controls in place.


Cloud Customers

STAR lets cloud customers assess which organizations meet the level of assurance they require and gain insight into the controls in place to protect their data.


Auditors & Consultants

With STAR, auditors can grow their IT assurance business as a certified leader in cloud-specific security assurance.


About the STAR Program

The industry's most powerful program for security assurance in the cloud.

The Security Trust Assurance and Risk (STAR) Program encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR demonstrate best practices and validate the security posture of their cloud offerings.

The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.

Introducing STAR Continuous

STAR Continuous is the continuous compliance assessment program for cloud services. It promotes trust by ensuring that a cloud service’s necessary security and privacy requirements are continuously met.

Improving on traditional point-in-time certification, STAR Continuous increases both trust and transparency. A cloud security certification is granted to a cloud service on the trust that its security posture is maintained between audits. However, point-in-time audits often leave a considerable time gap between audits; by adopting continuous auditing with an increased audit frequency, the chance that the security posture deviates unnoticed is reduced. This empowers cloud service providers to make precise statements about the compliance status of the cloud services covered by the continuous audit process, achieving an “always up-to-date” compliance status.

A STAR Level 1 Self-Assessment has a validity of 12 months, after which the self-assessment documentation shall be re-submitted. All submissions of self-assessment documentation will be visible in the STAR Registry, and non-current documentation will be marked as “deprecated”.

Learn more about how to implement STAR Continuous within your organization or for your cloud service provider by downloading the Technical Guidance or Client Brochure.

STAR Foundation Tools


Cloud Controls Matrix

The only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations, the CCM is currently considered a de facto standard for cloud security assurance and compliance.


CAIQ

CAIQ is a set of Yes/No questions for cloud consumers and auditors to assess the security capabilities of a cloud service provider. Cloud providers fill this in to complete the STAR Level 1 Self-Assessment.



GDPR Code of Conduct

Contains all the requirements a Cloud Service Provider has to satisfy in order to comply with the EU GDPR. Created in collaboration with representatives from the EU national data protection authorities, this code assists organizations in adhering to the European General Data Protection Regulation.