STAR Certification

About CSA STAR Certification

The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By achieving the STAR Certification, cloud providers of every size will be able to give prospective customers a greater understanding of their levels of security controls.

The STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix.

The independent assessment by an accredited CSA certification body assigns a ‘Management Capability’ score to each of the CCM security domains. Each domain is scored at a specific maturity level, measured against five management principles.

The internal report will show organizations how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity. These levels will be designated as either “No”, “Bronze”, “Silver” or “Gold” awards. Certified organizations will be listed on the CSA STAR Registry as “STAR Certified”.

STAR Certification evaluates the efficiency of an organization’s ISMS, ensures that its scope, processes and objectives are “Fit for Purpose”, and helps organizations prioritize areas for improvement, leading them toward business excellence.

It also enables effective comparison with other organizations in the applicable sector, and it is focused on strategic and operational business benefits as well as effective partnership relationships.

CSA STAR Certification enables the auditor to assess a company’s performance on long-term sustainability and risk, and to confirm that the company is SLA driven, allowing senior management to quantify and measure improvement year on year.

To be consistent with international standards, the STAR certification scheme is designed to comply with:

  • ISO/IEC 17021:2015, Conformity assessment – Requirements for bodies providing audit and certification of management systems
  • ISO/IEC 27006:2015, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
  • ISO 19011, Guidelines for auditing management systems

CSA STAR Certification assessments are based on CCM v3.0.1 and ISO/IEC 27001:2013.

Why Certify?

Whether you use cloud services, provide cloud services, audit/certify cloud services, or secure cloud services, you have a vested interest in knowing more about cloud security from an objective, third-party source. You need the right tools to ensure that you are playing your part in securing the cloud ecosystem while supporting industry standards.

For users of cloud services, CSA STAR helps:

  • Get a clear view of cloud provider security practices
  • Speed acquisition and improve procurement by accelerating the due diligence process
  • Understand which providers complement existing infrastructure
  • Maximize long-term investments with vendor transparency
  • Gain from lessons learned by a community of cloud users

For cloud service providers, CSA STAR helps:

  • Find tools that help build, establish and maintain a robust security program
  • Assess their own security with a complementary level one certification
  • Educate potential clients on good practices
  • Accelerate your sales cycle
  • Demonstrate increased cloud computing maturity via additional certification
  • Solidify your position as a trusted provider of cloud services to clients

For IT auditors and certification bodies, CSA STAR helps:

  • Gain access to guidance to build on existing reporting/standards (SOC2, ISO/IEC 27001) with a cloud specific overlay
  • Grow their IT assurance business as a certified leader in cloud-specific security assurance
  • Demonstrate expertise by remaining current on best practices, regulations and standards
  • Stay apprised of varying maturity levels across the cloud provider and consumer landscape

For security solution providers and consultants, CSA STAR helps:

  • Expand business by helping customers successfully navigate secure cloud adoption
  • Extend offerings to include data and best practices that support trusted cloud environments
  • Become a trusted advisor to your clients for security across the enterprise
  • Collaborate with clients as they explore new business models to grow their business

Strategic Benefits:

  • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
  • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.
  • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization's performance, enabling senior management to identify the action areas needed.
  • A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.
Operational Benefits:

  • Scalable to organizations of all sizes. Provides information that allows organizations to know where they are now and measure any improvements, benchmark their sites internally and potentially benchmark their supply chain externally to stimulate healthy competition.
  • A visual representation of the status of a business that instantly highlights where the strengths and weaknesses lie, allowing clients to maximize resources, improve operational efficiencies and reduce costs
  • Independent reassurance to prove to senior management where the risks, threats and opportunities lie within a business
  • Detailed information about the scheme can be found:

    The official launch of the STAR Certification program is the 25th of September 2013.

    Submit a Question

    Have questions you would like to see answered? Please direct them to [email protected].

    Certificate pricing: rules and explanations

    A certificate fee will apply. The price is based on the 'number of employees' in the scope of certification. The fee is payable by you through your Certification Body to CSA for the issuance of a Certificate and to cover administration of the program and databases. Please contact your Certifying Body to ascertain the exact fee for your organization.

    Become an Auditor

    Requirements on a Certification Body

    A certification body conducting CSA STAR Certification assessments shall be accredited to ISO 27006 by an IAF member accreditation body for delivery of ISO 27001 assessments.

    • A certification body shall comply with all the requirements of ISO 27006 as well as the document “Requirements for Bodies Providing STAR Certification” in order to qualify as a CSA STAR Certification Body.
    • The document “Auditing the Cloud Controls Matrix” adds greater clarity for areas specific to auditing the CCM but does not relieve a Certification Body of its obligation to comply with ISO 27006 when conducting an assessment.

    Competency Requirements

    Certified Auditors

    Certified Auditors Contact Info
    British Standards Institution

    BSI Global HQ
    389 Chiswick High Road London W4 4AL United Kingdom [email protected] +44 20 8996 9000

    BSI Americas
    12110 Sunset Hills Road, Suite 200 Reston, VA 20190-5902 [email protected] Telephone: 1.800.862.4977

    International offices
    BSI has 58 offices serving over 80,000 clients in 150 countries. To find the office closest to you visit:

    Coalfire ISO

    Coalfire ISO HQ
    12735 Morris Road, Suite 250 Alpharetta, GA 30004
    (P) 303.554.6333

    Coalfire ISO has locations across the United States and in the United Kingdom. Coalfire ISO is one of a handful of fully-qualified certification bodies in North America accredited by the ANSI-ASQ National Accreditation Board (ANAB). Coalfire ISO is committed to being a value-added, competent, and cost-effective provider of assessment services to national and international standards with the highest integrity and in a timely manner. For more information, please visit


    ControlCase

    ControlCase is a global provider of technology-driven compliance and security solutions. ControlCase is committed to partnering with clients to develop strategic information security and compliance programs that are simplified, cost effective and comprehensive in both on-premise and cloud environments. ControlCase provides the best experts, customer experience and technology for regulations including PCI DSS, GDPR, SOC1, SOC2, SOC3, HIPAA/HITRUST™, ISO 27001/2, SSAE16, PIPEDA, FERC/NERC, Sarbanes Oxley (SOX), GLBA, CoBIT, BITS FISAP and EI3PA.

    USA +1.703.483.6383
    Canada +1.416.900.1272
    Europe, Middle East and Africa +44.2035145389
    India +91.7506610917
    Asia Pacific +66-21056164
    Email: [email protected]


    DNV GL

    Driven by our purpose of safeguarding life, property and the environment, DNV GL enables organizations to advance the safety and sustainability of their business. DNV GL is a leading provider of classification, certification, verification and training services. With our origins stretching back to 1864, our reach today is global. Operating in more than 100 countries, our 14,000 professionals are dedicated to helping our customers make the world safer, smarter and greener.

    As a world-leading certification body, DNV GL helps businesses assure the performance of their organizations, products, people, facilities and supply chains through certification, verification, assessment, and training services. We also deliver deep insight and pragmatic support to major companies enabling them to build effective sustainability strategies. Partnering with our customers, we build sustainable business performance and create stakeholder trust.

    Veritasveien 1, 1363 Høvik, Norway
    Telephone: +47 67 57 99 00

    To find the office closest to you visit or contact us at [email protected].

    EY CertifyPoint

    EY CertifyPoint HQ
    Antonio Vivaldistraat 150 1083 HP Amsterdam The Netherlands [email protected]

    International offices
    Founded in 2002, EY CertifyPoint is an accredited independent and impartial certification institute with experienced auditors all over the world certifying some of the top international organizations. Being related to the global EY organization, EY CertifyPoint is able to provide you with a local contact person in nearly every country world-wide. For more information, please visit


    Nixu Corporation

    Nixu Corporation is a cybersecurity company. We work to improve our clients’ cybersecurity in the solution areas of Corporate IT, Digital Business and Industrial Internet. Our clients trust Nixu in projects where developing, implementing or assessing information security is a must. We ensure the confidentiality of our clients' data, business continuity and ease of access to digital services through planning and mitigation of cybersecurity risks.

    Phone number: +358 9 478 1011
    E-mail: [email protected]

    Twitter: @nixutigerteam


    NSF International

    NSF International is an independent, global organization that protects human health by facilitating the development of public health and safety standards, and providing certification and testing services.

    Our cybersecurity audit services can help you leverage best practices to reduce organizational risk, improve business performance, successfully address customer expectations and meet or exceed corporate and organizational objectives.


    PricewaterhouseCoopers Certification BV

    PricewaterhouseCoopers Certification BV (hereafter: PwCC), part of the worldwide PwC network, is a legal entity accredited for verification and certification services globally. PwCC is focused on building digital trust by providing certification services for (Cloud) information security management (ISO27000 series and CSA STAR), business continuity (ISO22301), quality management (ISO9001) and information technology service management (ISO20000).

    PwCC is committed to delivering our certification engagements to the highest quality standards. As such, PwCC is accredited to issue ISO27001, ISO9001 and ISO22301 certificates by the Dutch accreditation body ‘Raad voor Accreditatie’. Our certification engagements are conducted according to the ISO17021-1 standard for certification of management systems, a standardised approach used by all accredited certification bodies. The current overview of standards PwCC is accredited for can be found on the website of the ‘Raad voor Accreditatie’.

    Organizations in a business-to-business environment are increasingly subject to requirements from customers, regulators and other stakeholders to demonstrate that information security, quality control and business continuity are up to standard from both a management system and a controls perspective. PwCC is one of the few organisations capable of leveraging the synergies resulting from overlaps between attestation frameworks (e.g. SOC1, SOC2, IRAP, HIPAA, GLBA, BSI C5, FDA, GXP, TISAX), management systems and different territories.


    QSCert, spol. s r.o.
    E. P. Voljanského 1, 960 01 Zvolen
    Tel: 045 - 54 00 717
    Tel/Fax: 045 - 54 00 718
    Phone number: 0905 - 977 200
    E-mail: [email protected]

    QSCert® is an international Certification Body based in Prague (Czech Republic). Its core business is the certification of management systems according to several international standards. QSCert® has established a network of branch offices all over the world. QSCert® is accredited by the Czech Accreditation Institute. QSCert® differs from other certification bodies mainly by its pragmatic approach to an audit, without emphasis on bureaucracy. The quality management system that QSCert® requires from its clients is also established within QSCert® itself. A QSCert® audit gives added value to the client not only by examining compliance with the standard requirements but also by suggesting opportunities for improvement of the management system. QSCert auditors are people who worked as quality managers or consultants in the past, so they are able to understand certification audits from the auditee's point of view. This enables them to conduct audits in a correct and pragmatic way.

    Schellman & Company, LLC

    Schellman & Company, LLC HQ
    4010 W Boy Scout Boulevard, Suite 600
    Tampa, FL 33607
    Telephone: 1.866.254.0000
    Outside of the United States, please dial: +1.973.854.4684

    We are setting the pace and blazing new trails. We are the only company in the world capable of providing our clients the rare opportunity to achieve multiple compliance objectives through a single independent assessor — using experienced teams dedicated to delivering the highest quality.

    For more information visit

    Société Générale de Surveillance (SGS)

    SGS HQ
    1 Place des Alpes P.O. Box 2152 Geneva, 1211 Switzerland

    SGS Taiwan (East Asia HQ)
    4F, No.125, Wu Kung Road, New Taipei Industrial District, New Taipei City, 24886 Taiwan (R.O.C.)

    International offices
    SGS has 1,400 offices providing certification services to over 120,000 clients in 150 countries. To find the office closest to you visit:

    TÜV Austria

    Certification Competence Center
    TÜV AUSTRIA Deutschland GmbH (TAD)
    Falkenweg 1, D-70794 Filderstadt
    Tel: +49 (0)711 7223360140
    Fax: +49 (0)711 7223360149
    E-Mail: [email protected]

    TÜV AUSTRIA Deutschland GmbH (TAD) is the official certification office of the TÜV AUSTRIA Group for the certification of management systems for IT security such as ISO 27001 or CSA STAR. The TÜV AUSTRIA Group is an international group of companies with branches in more than 40 countries and 1,400 employees worldwide. Services range from testing elevators and pressure equipment, plant safety, training and further education, medical devices, electrical engineering, environmental protection, IT security, loss adjustment, certifications, calibrations, technical due diligence, legal compliance checks and product testing through to the testing of stage and photovoltaic systems as well as wind turbines.

    Key Links & Resources

    Requirements for Bodies Providing STAR Certification

    This document outlines how to conduct STAR certification assessments against the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

    Release Date: 02/22/2019

    CSA STAR Certification Intake Form

    The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

    Release Date: 06/07/2018

    STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

    There are a number of control areas on the CCM, each of which will be awarded a management capability score on a scale of 1-15. This second release includes alignment with CCM v1.4 and v3.X.

    Release Date: 05/16/2014

    Publicizing Your STAR Certification

    The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

    Release Date: 09/03/2013

    OCF Vision Statement

    The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

    Release Date: 08/17/2012

    Marketing Collateral