Security, Trust, Assurance and Risk (STAR)
The industry's most powerful program for security assurance in the cloud.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and reduces the need to fill out multiple customer questionnaires.
Learn more about the different STAR assessments and certifications available below.
CSA Trusted Cloud Providers
Organizations listed as CSA Trusted Cloud Providers in the registry are CSA Corporate Members that have also fulfilled additional training and volunteer requirements with CSA. Fulfilling these requirements demonstrates a commitment to the professional development of their employees to achieve cloud security competency, and a commitment to the industry at large.
Levels of STAR
There are multiple levels of assurance for companies that submit to the STAR registry, and each level has its own set of requirements. This information is also available for download as a PDF.
Level 1: Self-Assessment
At level one, organizations submit the Consensus Assessments Initiative Questionnaire (CAIQ), which is based on the Cloud Controls Matrix (CCM), to evaluate and document their security controls.
Who should pursue level one?
Organizations should pursue this level if they are...
- Operating in a low-risk environment
- Wanting to offer increased transparency around the security controls they have in place
- Looking for a cost-effective way to improve trust and transparency
Variations of Level 1
Security Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. STAR Self-Assessments are updated annually.
The CAIQ v4 is distributed in two forms, with a streamlined Lite variant alongside them:
- CCM + CAIQ v4: The CAIQ v4 bundled with the CCM is intended to be used as a reference only. The spreadsheet that contains both the CAIQ and the CCM cannot be used to submit to the registry.
- STAR Level 1: Security Questionnaire (CAIQ v4): Use this version of the CAIQ v4 to fill out and submit to the STAR registry.
- CCM Lite + CAIQ Lite: Streamlined versions of the CCM + CAIQ v4 tailored to the needs of SMEs and startups. They cover the essential controls for improving cloud security posture under resource constraints and serve as an initial step towards a comprehensive Level 1 self-assessment.
Level 2: Third-Party Audit
Level 2 of STAR allows organizations to build on other industry certifications and standards and make them specific to the cloud.
Organizations seeking a third-party audit can choose one or more of the security and privacy audits and certifications listed below. An organization's location, along with the regulations and standards it is subject to, is the main factor in determining which ones are appropriate to pursue.
Which organizations should pursue level 2?
Organizations should pursue this level if they are...
- Operating in a medium- to high-risk environment
- Already holding, or adhering to, one or more of the following: ISO/IEC 27001, SOC 2, GB/T 22080-2008, or GDPR
- Looking for a cost-effective way to increase assurance for cloud security and privacy
There are associated fees for STAR Level 2. CSA Corporate Members receive a price reduction on STAR Level 2 certifications and attestations.
Once you are ready to pursue STAR Level 2, read the Code of Practice for Implementing STAR Level 2. This guide explains both the practical steps and the overall strategy you will need to follow to earn a STAR Certification or Attestation.
Variations of Level 2
STAR Attestation: For SOC 2
The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) together with the CSA Cloud Controls Matrix. The STAR Attestation provides a rigorous, independent third-party assessment of cloud providers. Attestation listings expire after one year unless updated.
STAR Certification: For ISO/IEC 27001
The CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix. Certificates follow the normal ISO/IEC 27001 certification cycle and expire after three years unless updated.
C-STAR: For the Greater China Market
The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certificates expire after three years unless updated.
Industry Support
STAR Podcast
Listen to case studies and interviews with organizations that have submitted to the STAR registry or used it to improve vendor procurement within their organization. In this series we interview vendors and solution providers as well as customers looking for secure solutions. You can learn firsthand what it takes to earn a STAR certification or attestation, what the process entails, and how it provides value to future customers.
STAR Enabled Solutions
STAR Enabled Solutions are organizations that have licensed the CCM or CAIQ for use in products and services sold to the public. Examples of STAR Enabled products and services are software-based products (such as third-party risk assessment solutions) and services (such as consultancy assessment methodologies, audits, and evaluation approaches). Please contact us to learn more about becoming a STAR Enabled Solution.