STAR Certification Arrow to Content

About CSA STAR Certification

The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By achieving the STAR Certification, cloud providers of every size will be able to give prospective customers a greater understanding of their levels of security controls.

The STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix.

The independent assessment by an accredited CSA certification body, such as British Standard Institution (BSI), will assign a ‘Management Capability’ score to each of the CCM security domains. Each domain will be scored on a specific maturity and will be measured against five management principles.

The internal report will show organizations how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity. These levels will be designated as either “No”, “Bronze”, “Silver” or “Gold” awards. Certified organizations will be listed on the CSA STAR Registry as “STAR Certified”.

STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose” and helps organizations prioritize areas for improvement and lead them towards business excellence.

It also enables effective comparison across other organizations in the applicable sector and it is focused on the strategic and operational business benefits as well as effective partnership relationships.

CSA STAR Certification enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year.

To be consistent with international standards, the STAR certification scheme is designed to comply with:

  • ISO/IEC 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems
  • ISO/IEC 27006:2011, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
  • ISO 19011, Guidelines for auditing management systems

IMPORTANT NOTE: currently CSA STAR Certification assessment are conducted based on CCM v1.4 and ISO/IEC 27001:2005.

Starting from March 2014, customers will be able to decide if they want to be assessed against CCM v1.4 or CCM v3.

The use of the "double standards" will be in place for 12 months, until February 2015. This measure is taken to facilitate the transition to CCM v3 for adopters of CCM v1.4.

Beginning in March 2015 all the customers will be audited against CCM v3.

Strategic Benefits:

  • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
  • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.
  • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization's performance to enabling senior management to the identify action areas needed.
  • A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.
  • Operational Benefits

  • Scalable to organizations of all sizes. Provides information that allows you to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition.
  • A visual representation of the status of a business and instantly highlights where the strengths, weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs
  • Independent reassurance to prove to senior management where the risks, threats and opportunities lie within a business
  • Detailed information about the schema can be found:

    The official launch of the STAR Certification program is the 25th of September 2013.

    Example Certificate

    Certificate pricing: rules and explanations

    1. The STAR Certification Certificate price is based on the ‘effective number of employees’ in the scope of registration.

      This is because:

      1. It is a fairly objective measure: every Certification Body will record the information on the number of employees as they use it for calculating ISO 27001 durations.
      2. The amount a Certification Body will charge a client closely links to it because it is the base number from which audit durations are calculated.  Therefore the Certification fee would be roughly proportionate to the audit fee.
      3. We believed that a flat rate wouldn’t be fair,  and it would have eventually penalized small and medium companies.
    1. The certificate fee covers the issuing of a certificate for a 3-year period.  If a certificate is being issued for less than a 3-year period the certification fee will be pro rata to the nearest whole month.

      This means that a client can join half way through a ISO 27001 certification cycle without any penalty and then we can align their 27k and STAR Certificates easily

    2. If a client wishes to increase the number of people in the scope of registration the difference between the fee that would be levied for the existing number of employees and the fee due for the new number of employees will be levied but prorate on the remaining duration of the certificate.
    3. No refund will be given if the number of people in the scope of registration is reduced.

    Certificate Pricing

    Effective Employees Fee (Euros)
    1 to 10 500
    11 to 25 1000
    26 to 75 1750
    76 to 250 3000
    251 to 700 5000
    701 to 1500 7000
    1500 + 10000
    1. CSA will apply price reduction based on the World Bank classification.
    2. CSA will apply a 20% price reduction for CSA Corporate Members.
    3. The World Bank scale and CSA Members discount cannot be cumulated.

    Explanation on the STAR Certificate fee

    The revenues from the certificates go to the Cloud Security Alliance that is the governing body of the Open Certification Framework and STAR Program.

    The Cloud Security Alliance is a not for profit organization that covers its cost though memberships, sponsorships and royalties generated by the third party commercial exploitation of CSA’s Intellectual Properties and brand.

    Through the STAR Certification Certificate fee, the Cloud Security Alliance will:

    1. cover the cost already sustained in the development of the OCF – STAR Certification,
    2. manage the STAR web site, which will be the portal where information related to STAR Certification will be displayed. The STAR web site will be also the public window for organization that will obtain the STAR Certificate,
    3. organize educational campaigns (conference, educational material, etc.) to support the penetration of STAR Certification in the market),
    4. support the improvement and update of Cloud Control Matrix,
    5. support the development of OCF Level 3  - STAR Continuous.

    Become an Auditor

    Requirements on a Certification Body

    A certification body conducting CCM assessments shall be accredited to ISO 27006 by an IAF member accreditation body for delivery of ISO 27001 assessments.

    • A certification body shall comply with all the requirements of ISO 27006 as well as this documents requirements when conduct a CCM assessment.
    • This document adds greater clarity for areas specific to auditing the CCM but does not relive a Certification Body in its obligation to comply with 27006 when conducting an assessment.
    • This document adds greater clarity for areas specific to auditing the CCM but does not relive a Certification Body in its obligation to comply with 27006 when conducting an assessment.

    Competency Requirements

    • All assessors must be able to present evidence of passing an accredited lead auditor course for ISO 27001 or be a qualified and experienced ISO 27001 assessor for an IAF member accredited ISO 27001 certification body. Ref c in ISO 27006.
    • All assessors must have completed a BSI/CSA CCM course. Ref c in ISO 27006. For more information on the CSA STAR Certification Training please see:
    • All assessors must have a minimum of 2 years of experience working in Information Security. Ref e in ISO 27006.
    • The requirement expressed in the previous clause (2 year of experience working in Info Sec) is not necessary if the assessor has gained the CSA’s Certificate in Cloud Security Knowledge (CCSK) or alternative course that gives a similar level of grounding in cloud computing or information security applications.

    Certified Auditors

    Certified Auditors Contact Info
    BrightLine CPAs & Associates, Inc.

    BrightLine HQ
    1300 N. West Shore Blvd
    Suite 240
    Tampa, FL 33607
    Telephone: 1-866-254-0000
    Outside the US: +1.973.854.4684
    [email protected]

    BrightLine performs attestation, audit and certification services both nationally and internationally. For more information visit

    The British Standards Institution (bsi)

    BSI Global HQ
    389 Chiswick High Road
    W4 4AL
    United Kingdom
    [email protected]
    +44 20 8996 9000

    BSI Americas
    12110 Sunset Hills Road, Suite 200
    Reston, VA 20190-5902
    [email protected]
    Telephone: 1.800.862.4977

    International offices
    BSI has 58 offices serving over 65,000 clients in 150 countries
    To find the office closest to you visit:

    Key Links & Resources

    Publicizing Your STAR Certification

    Publicizing Your STAR Certification

    The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

    Release Date: September 03, 2013

    Requirements for Bodies Providing STAR Certification

    Requirements for Bodies Providing STAR Certification

    This document outlines how to conduct a STAR certification assessments to the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

    Release Date: September 03, 2013

    STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

    STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

    There are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15. To decide what the score is each control area will be considered against 5 capability factors.

    Release Date: September 03, 2013

    OCF Vision Statement

    OCF Vision Statement

    The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

    Release Date: August 17, 2012

    Page Dividing Line