CSA STAR Levels

STAR Consists of 3 Levels of Assurance

STAR Levels

Open Certification Framework

LEVEL ONE: Self Assessment

At level one, organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls. The privacy assessment submissions are based on the GDPR Code of Conduct.

LEVEL TWO: Third-Party Audit

Organizations looking for a third-party audit can choose from one or more of the security and privacy audits and certifications. An organization's location, along with the regulations and standards it is subject to, will be the greatest factor in determining which ones are appropriate to pursue.

LEVEL THREE: Continuous Auditing

Automate the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.

ALL LEVELS: STAR Continuous

Each level of STAR also has a continuous auditing option that allows you to increase your transparency. STAR Continuous can be attained by building upon the CSP's current STAR level.

STAR Level 1: A CSP that uses a CAIQ to achieve Self-Assessment, a point-in-time assessment, can use a Continuous Self-Assessment to demonstrate effectiveness of controls over a period of time, to achieve STAR Continuous Level 1.

STAR Level 2: A CSP that holds a third-party audit can achieve STAR Level 2 Continuous by adding a Continuous Self-Assessment, which allows it to quickly inform customers of changes to its security program instead of waiting until the next audit period to communicate them, as in normal STAR Level 2.

STAR Level 3: A CSP achieves the greatest transparency through a continuous, automated process that ensures that security controls are monitored and validated at all times.

Self-assessment

CSA STAR Level 1

CSA STAR Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ), or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.

GDPR Code of Conduct Self-Assessment

The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:

The Code Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. After the publication of the relevant document on the Registry, a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.

Third Party Certification

CSA STAR Level 2

Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.

CSA STAR Attestation

CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous, independent third-party assessments of cloud providers. Attestation listings will expire after one year unless updated.

CSA STAR Certification

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.

CSA C-STAR Assessment

The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.

GDPR Code of Conduct Certification

The GDPR CoC Certification is a third-party certification assuring compliance of a CSP's services with GDPR, based on the CSA Code of Conduct for GDPR.

After the publication of the relevant document on the Registry, a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.

Full Cloud Assurance and Transparency

CSA STAR Level 3

If your organization operates in a high-risk environment, then we recommend pursuing STAR Level 3.

CSA STAR CONTINUOUS MONITORING - Coming Soon

CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, which customers and tool vendors can then retrieve and present in a variety of contexts.