The CSA C-STAR Assessment is part of the Level 2 scheme of the OCF framework and is used mainly in the Greater China region. C-STAR is a rigorous, independent third-party assessment of a cloud service provider's security management. It draws mainly on the GB/T 22080-2008 management system standard and the requirements of the CSA Cloud Controls Matrix (CCM), plus 29 related controls selected from the Chinese national standards GB/T 22239-2008 (Information security technology: Baseline for classified protection of information systems) and GB/Z 28828-2012 (Information security technology: Guideline for personal information protection within information systems for public and commercial services).
The C-STAR Assessment is based on the controls of GB/T 22080-2008 and the Cloud Controls Matrix, together with selected requirements from GB/T 22239-2008 and GB/Z 28828-2012.
The assessment is carried out by an assessment body recognized by CSA (such as CEPREI Certification Body), which evaluates each CCM security domain (including the 29 requirements selected from GB/T 22239-2008 and GB/Z 28828-2012) against its findings and assigns a "Management Capability" maturity score. The scheme complies with:
- CNAS CC01:2011 IDT ISO/IEC 17021:2011, Requirements for bodies providing audit and certification of management systems
- CNAS CC17:2012 IDT ISO/IEC 27006:2011, Requirements for bodies providing audit and certification of information security management systems
- CNAS SC18:2012, Accreditation Scheme for ISMS Certification Bodies
- GB/T 19011:2013 IDT ISO 19011:2011, Guidelines for auditing management systems
About CSA C-STAR Assessment
The CSA C-STAR Assessment is part of the OCF Level 2 scheme and is used mainly in the Greater China region. C-STAR is a rigorous, independent third-party assessment of the security management of a cloud service provider. The technology-neutral assessment leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service, plus 29 related controls selected from China's national standards GB/T 22239-2008 (Information security technology: Baseline for classified protection of information systems) and GB/Z 28828-2012 (Information security technology: Guideline for personal information protection within information systems for public and commercial services).
Figure 1 C-STAR Assessment Framework
Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By passing the C-STAR Assessment, cloud providers, regardless of the size of their operation, will be able to give prospective customers a greater understanding of their security management status.
The C-STAR Assessment is based on GB/T 22080-2008 and the specified set of criteria outlined in the Cloud Controls Matrix, plus related requirements of GB/T 22239-2008 and GB/Z 28828-2012.
The independent assessment by a CSA-accredited certification body, such as CEPREI Certification Body (http://www.ceprei.org/), assigns a 'Management Capability' score to each of the CCM security domains (including the requirements selected from GB/T 22239-2008 and GB/Z 28828-2012). Each domain is scored at a specific maturity level, measured against the assessors' grid.
The assessment report shows organizations how mature their processes are and which areas they should consider improving to reach an optimum level of maturity. Certified organizations are listed on the CSA STAR Registry as "C-STAR Assessed".
The C-STAR Assessment enables effective comparison with other organizations in the same sector, and it focuses on strategic and operational business benefits as well as effective partner relationships.
The C-STAR Assessment enables the assessor to evaluate a company's performance in long-term sustainability and risk management, and to confirm that the company is SLA-driven, allowing senior management to quantify and measure improvement year on year.
To be consistent with China national requirements, the C-STAR Assessment scheme is designed to comply with:
- CNAS CC01:2011 IDT ISO/IEC 17021:2011, Requirements for bodies providing audit and certification of management systems
- CNAS CC17:2012 IDT ISO/IEC 27006:2011, Requirements for bodies providing audit and certification of information security management systems
- CNAS SC18:2012, Accreditation Scheme for ISMS Certification Bodies
- GB/T 19011:2013 IDT ISO 19011:2011, Guidelines for auditing management systems
Benefits of the C-STAR Assessment include:
- A 360º enhanced assessment that gives senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
- A flexible assessment that can be tailored through the Statement of Applicability, which ensures that the results and measurements of the assessment are relevant and useful in helping organizations manage their business.
- A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization's performance, enabling senior management to identify the action areas needed.
- A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.
- Scalability to organizations of all sizes, with information that lets them know where they stand now, measure improvements, benchmark their sites internally and potentially benchmark their supply chain externally to stimulate healthy competition.
- A visual representation of the status of a business that instantly highlights strengths and weaknesses, allowing clients to maximize resources, improve operational efficiency and reduce costs.
- Independent reassurance that shows senior management where the risks, threats and opportunities lie within a business.
CSA Corporate Members Providing C-STAR Assessment Service
The following CSA corporate members have qualified employees to carry out C-STAR assessment.
Certified Auditors: CEPREI Certification Body
Contact Info: CEPREI HQ, No. 110 Dongguan Zhuang Rd., Guangzhou, P.R. China. Telephone: +86-20-87236606. Email: [email protected]
As a leading management system certification body in China and the first Executive Member of CSA in Asia, CEPREI Certification Body provides information security related professional services such as ISO 20000 and ISO 27001 certification, risk assessment, IT governance, business continuity management, etc. The newly launched C-STAR assessment scheme is also provided to help our clients fully understand the cloud security issues they are facing and how to put the appropriate controls in place. CEPREI Certification Body, with its unique legal status, is a registrar authorized and accredited by national departments and/or accreditation bodies at home and abroad to conduct third-party certification. It grew out of the Inspection Division of the China Electronic Product Reliability and Environmental Research Institute (the Fifth Electronic Institute), established in 1956, which is the first national-level scientific research organization engaged in product quality and reliability research in China. As early as 1979, CEPREI Certification Body introduced the concept of certification into China. Since then CEPREI has issued more than ten thousand certificates of various types to its clients. It operates in all administrative regions of mainland China and in other countries and regions including the Hong Kong Special Administrative Region, Taiwan, the USA, Germany, the Netherlands, Denmark, Australia, Japan, Korea, Malaysia, Thailand and Singapore. The American National Standards Institute-Registrar Accreditation Board (ANAB), one of the most authoritative accreditation bodies in the world, has authorized CEPREI Certification Body to issue ISO 9000, ISO 14000 and ISO 27001 certificates bearing the ANAB logo since 2001. The certificate will help your products and services improve their reputation and enhance their competitiveness at home and abroad.
Assessment pricing: rules and explanations
- The C-STAR Assessment price is based on the ‘effective number of employees’ in the scope of registration.
- The assessment fee covers the issuing of a certificate for a 3-year period. If a certificate is issued for less than 3 years, the certification fee is prorated to the nearest whole month. This means that a client can join halfway through a GB/T 22080 certification cycle without any penalty, and it allows the client's GB/T 22080 and C-STAR Assessment cycles to be aligned more easily.
- If a client wishes to increase the number of people in the scope of registration, the difference between the fee for the existing number of employees and the fee for the new number of employees is charged, prorated over the remaining duration of the certificate.
- No refund will be given if the number of people in the scope of registration is reduced.
| Effective number of employees | Assessment fee |
|---|---|
| 1 to 10 | 4275 |
| 11 to 25 | 8550 |
| 26 to 75 | 14963 |
| 76 to 250 | 25650 |
| 251 to 700 | 42750 |
| 701 to 1500 | 59850 |
CSA will apply a 20% price reduction for CSA Corporate Members.
Explanation on the C-STAR Assessment fee
The revenues from the assessments go to the Cloud Security Alliance, which is the governing body of the Open Certification Framework and the Level 2 STAR Program.
The Cloud Security Alliance is a not-for-profit organization that covers its costs through memberships, sponsorships and royalties generated by third-party commercial exploitation of CSA's intellectual property and brand.
Through the C-STAR Assessment fee, the Cloud Security Alliance will:
- cover the costs already incurred in developing the OCF C-STAR Assessment,
- manage the STAR web site, which is the portal where information related to the C-STAR Assessment is displayed and the public window for organizations that obtain the C-STAR Assessment Certificate,
- organize educational campaigns (conferences, educational material, etc.) to support adoption of the C-STAR Assessment in the market,
- support the improvement and update of Cloud Controls Matrix,
- support the development of OCF Level 3 - STAR Continuous.
Please direct any questions to [email protected].