Open Certification Framework
At Level 1, organizations can submit one or both of the security and privacy self-assessments. For the security self-assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls. Privacy self-assessment submissions are based on the GDPR Code of Conduct.
Organizations looking for a third-party audit can choose one or more of the security and privacy audits and certifications. An organization's location, along with the regulations and standards it is subject to, will be the biggest factor in determining which ones are appropriate to pursue.
Automation of cloud providers' security practice reporting: providers publish their current security practices, and customers and tool vendors can retrieve and present this information in a variety of contexts.
Each level of STAR also has a continuous auditing option that allows you to increase your transparency. STAR Continuous is attained by building on the CSP's current STAR level.
STAR Level 1: A CSP that uses a CAIQ to achieve Self-Assessment, a point-in-time assessment, can use a Continuous Self-Assessment to demonstrate effectiveness of controls over a period of time, to achieve STAR Continuous Level 1.
STAR Level 2: A CSP that holds a third-party audit can achieve STAR Level 2 Continuous by adding a Continuous Self-Assessment, which allows it to inform customers of changes to its security program promptly instead of waiting to communicate them until the next audit period, as in normal STAR Level 2.
STAR Level 3: A CSP is the most transparent through a continuous, automated process that ensures that security controls are monitored and validated at all times.
CSA STAR Level 1
CSA STAR Self-Assessment
CSA STAR Self-Assessment is a free offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and giving customers visibility into specific provider security practices.
STAR Self-Assessments are updated annually.
A CSP that uses a CAIQ to achieve Self-Assessment, a point-in-time assessment, can use a Continuous Self-Assessment to demonstrate effectiveness of controls over a period of time by updating the self-assessment every 30 days as opposed to the annual requirement, to achieve STAR Continuous Level 1.
GDPR Code of Conduct Self-Assessment
The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:
- Code of Conduct Statement of Adherence
- PLA Code of Practice (CoP) Template - Annex 1 self-assessment results
The Code Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. After publishing the relevant documents on the Registry, a company receives a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.
Third Party Certification
CSA STAR Level 2
Level 2 of STAR allows organizations to build on other industry certifications and standards and make them specific to the cloud.
CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Services Principles, AT 101) together with the CSA Cloud Controls Matrix. STAR Attestation provides a rigorous, independent third-party assessment of cloud providers. Attestation listings expire after one year unless updated.
CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.
A CSP that holds a third-party certification or attestation can achieve STAR Level 2 Continuous by adding a Continuous Self-Assessment, as in STAR Level 1. The assessor will also ensure that the scope of the assessment includes STAR Continuous and will assess the CSP's CAIQ submissions over the period since the previous surveillance or re-certification visit. For STAR Attestation, a Limited Assurance Report bridges the period between two attestation reports and provides a narrative in the audit report on the activities performed by the assessor confirming that the CSP met the STAR Continuous requirements.
CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.
GDPR Code of Conduct Certification
The GDPR CoC Certification is a third-party certification assuring compliance of a CSP's services with GDPR, based on the CSA Code of Conduct for GDPR.
After publishing the relevant documents on the Registry, a company receives a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.
Full Cloud Assurance and Transparency
CSA STAR Level 3
If your organization operates in a high-risk environment, we recommend pursuing STAR Level 3.
CSA STAR CONTINUOUS MONITORING - Coming Soon
A CSP is the most transparent through a continuous, automated process that ensures that security controls are monitored and validated at all times. Each control framework consists of multiple controls, which are designed to give assurance on the fulfillment of a requirement.
When preparing for continuous auditing, each of those controls is described via its characterizing objectives, namely a Service Level Objective (SLO), a quantitative target measured against a threshold, and a Service Qualitative Objective (SQO), a qualitative requirement that is either met or not.
Collection of data is driven by the metric that has been chosen to provide input about an attribute. Automated assessment is mostly driven by monitoring tools like log analytics, network statistics and monitoring, process statistics or resource utilization.
In the evaluation phase, the compliance status against the certification goal is determined by evaluating the controls. The result of the evaluation is published and affirmed by a third party according to the targeted level of assurance, and results in the issuing of a certificate.
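The collection and evaluation phases described above, as an added example that is not part of the original page and not CSA's own STAR Continuous tooling. Each control carries an SLO (a numeric metric aggregated over the window and compared with a threshold) and/or an SQO (a boolean check that must pass on every observation). The control identifiers, metric names, thresholds and the sample observations are all constructed for illustration; they are not CCM controls.

```python
"""Toy continuous-auditing evaluator for SLO/SQO control objectives.

Added example. Control IDs, metric names, thresholds and observations
below are constructed and do not correspond to real CCM controls.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class Observation:
    """One data point produced by a monitoring tool during the window."""
    control_id: str
    metric: str
    value: object  # float for SLO metrics, bool for SQO metrics


@dataclass
class SLO:
    """Quantitative objective: aggregate(values) must meet the threshold."""
    metric: str
    threshold: float
    aggregate: Callable[[Iterable[float]], float] = mean
    higher_is_better: bool = True


@dataclass
class SQO:
    """Qualitative objective: every observation of the metric must be True."""
    metric: str


@dataclass
class Control:
    control_id: str
    description: str
    objectives: list  # SLO and/or SQO instances


def evaluate_control(control: Control,
                     observations: List[Observation]) -> Tuple[str, dict]:
    """Evaluate each objective of one control over the collected observations.

    Returns (status, per_metric_results). status is 'COMPLIANT' when every
    objective is met, 'NON_COMPLIANT' when any objective fails, and 'NO_DATA'
    when an objective had no observations in the window and none failed.
    Missing evidence is deliberately not treated as compliance.
    """
    results = {}
    for obj in control.objectives:
        values = [o.value for o in observations
                  if o.control_id == control.control_id and o.metric == obj.metric]
        if not values:
            results[obj.metric] = (None, "no observations in window")
        elif isinstance(obj, SLO):
            agg = obj.aggregate(values)
            met = agg >= obj.threshold if obj.higher_is_better else agg <= obj.threshold
            results[obj.metric] = (met, f"{agg:.2f} vs threshold {obj.threshold}")
        else:  # SQO: every check in the window must have passed
            passed = sum(1 for v in values if bool(v))
            results[obj.metric] = (passed == len(values), f"{passed}/{len(values)} checks passed")
    outcomes = [met for met, _ in results.values()]
    if any(m is False for m in outcomes):
        return "NON_COMPLIANT", results
    if any(m is None for m in outcomes):
        return "NO_DATA", results
    return "COMPLIANT", results


def evaluate_all(controls: List[Control],
                 observations: List[Observation]) -> Dict[str, Tuple[str, dict]]:
    """Evaluate every control; result is keyed by control id."""
    return {c.control_id: evaluate_control(c, observations) for c in controls}


def overall_status(results: Dict[str, Tuple[str, dict]]) -> str:
    """Certification goal is met only if every control is COMPLIANT."""
    statuses = {status for status, _ in results.values()}
    if "NON_COMPLIANT" in statuses:
        return "NON_COMPLIANT"
    if "NO_DATA" in statuses:
        return "NO_DATA"
    return "COMPLIANT"


# Constructed control set (hypothetical identifiers, not CCM controls).
CONTROLS = [
    Control("CTRL-ENC-01", "Customer data encrypted at rest",
            [SQO("storage_encrypted")]),
    Control("CTRL-VULN-01", "Critical patches applied within 30 days",
            [SLO("critical_patch_days", 30, aggregate=max, higher_is_better=False)]),
    Control("CTRL-LOG-01", "Security log pipeline delivers >= 99% of events",
            [SLO("log_ingest_success_pct", 99.0)]),
    Control("CTRL-BCR-01", "Backup restore test executed",
            [SQO("restore_test_passed")]),
]

# Constructed observations, as a monitoring tool might emit over a window.
SAMPLE_OBSERVATIONS = [
    Observation("CTRL-ENC-01", "storage_encrypted", True),
    Observation("CTRL-ENC-01", "storage_encrypted", True),
    Observation("CTRL-ENC-01", "storage_encrypted", True),
    Observation("CTRL-VULN-01", "critical_patch_days", 12.0),
    Observation("CTRL-VULN-01", "critical_patch_days", 25.0),
    Observation("CTRL-VULN-01", "critical_patch_days", 41.0),  # breaches the SLO
    Observation("CTRL-LOG-01", "log_ingest_success_pct", 99.5),
    Observation("CTRL-LOG-01", "log_ingest_success_pct", 99.8),
    Observation("CTRL-LOG-01", "log_ingest_success_pct", 99.2),
    # CTRL-BCR-01 produced no evidence this window.
]

if __name__ == "__main__":
    report = evaluate_all(CONTROLS, SAMPLE_OBSERVATIONS)
    for control_id, (status, details) in report.items():
        print(f"{control_id}: {status} {details}")
    print("overall:", overall_status(report))
```

The point of the three-way status is the failure mode: a control whose monitoring feed goes silent (CTRL-BCR-01 here) is reported as NO_DATA and blocks the overall compliant result, rather than being counted as passing because nothing contradicted it.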