The Ultimate Guide to Cloud Security Alliance’s Security, Trust, Assurance and Risk (CSA STAR)

What is CSA STAR?

With so much sensitive information now being stored in the cloud, keeping it safe weighs heavily on the minds of both cloud service providers (CSP) and cloud customers. Offered by the Cloud Security Alliance (CSA), the Security Trust Assurance and Risk (STAR) program is considered a gold standard in cloud security assurance.

CSA Security, Trust, Assurance and Risk is the most powerful security assurance program for the cloud. The program rests on rigorous auditing, transparency, and a combination of standards. Organizations that use CSA STAR show that they are dedicated to best practices and validate the secure posture of their cloud offerings. It also enables solution providers to offer proof to current and future customers of the controls they have in place.

This program is based on three foundational tools that bring instant credibility in security circles. The first, CSA’s Cloud Controls Matrix (CCM), is considered the de facto standard for cloud security and compliance and outlines cloud-specific security controls. The second, the Consensus Assessments Initiative Questionnaire (CAIQ), provides a list of 295 questions for cloud customers to ask their providers to gauge CCM compliance. The third, the CSA’s Code of Conduct for GDPR Compliance, is a robust guide created to assist organizations in GDPR adherence.

What Are the Benefits of CSA STAR Compliance?

Cloud service providers obtaining a CSA STAR certification can expect to better build, establish, and maintain robust security programs while solidifying their position as trusted cloud vendors. They can expect to see accelerated sales cycles and to grow their business helping new customers navigate secure cloud adoption. STAR-certified CSPs enjoy being part of a global database that’s viewed as a trusted marketplace by cloud customers.

Equally important is that the CSA STAR program can be leveraged as an organization’s integrated security system, demonstrating an advanced level of cloud governance and compliance. CSA STAR maps to multiple standards and regulations, blending multiple frameworks into an integrated security system that helps eliminate compliance gaps and avoid unmitigated risks. If your organization already holds other compliance certifications such as ISO 27001, SOC 2, or GB/T 22080-2008, you can add STAR certification to make any of these specific to cloud environments. Hyperproof’s crosswalks feature allows you to do this dramatically faster and with ease.

Overview of the CSA STAR framework

The Registry is a fundamental feature of the STAR program—CSPs can demonstrate security and privacy best practices by listing on the Registry, which provides an effective means of evaluation for consumers. 

The STAR program’s open certification framework contains three levels: self-assessment (Level 1), third-party audit (Level 2), and continuous auditing (Level 3). The level of certification will also be displayed on the registry.

Determining Which STAR Level is Right for Your Business

The level your organization pursues should depend on how much transparency and security assurance you desire.

Level 1

Self-Assessment is best for organizations operating in lower-risk environments.

Level 2

Third-party auditing is best for organizations operating in medium- to high-risk environments that already have ISO 27001, SOC 2 or GB/T 22080.

Level 3

Continuous Auditing is best for full-service CSP enterprises operating in high-risk environments that want to display the highest level of transparency and security assurance in cloud environments.

CSA STAR: Frequently Asked Questions

How much does CSA STAR certification cost?

The cost of CSA STAR certification varies depending on several factors, including the level of certification being sought, the size and complexity of the organization, the scope of the assessment, and the certifying body selected. Costs can range from a few thousand to tens of thousands of dollars.

For Level 1 (self-assessment), the cost is relatively low, as it primarily involves internal resources. 

However, Level 2 (third-party certification) and Level 3 (continuous monitoring) require engagement with a certifying body and possibly ongoing assessments, which can significantly increase the overall cost.

What are the CSA STAR levels?

There are three CSA STAR levels:

  • Level 1: Self-Assessment: A free, introductory level that’s best for organizations in lower-risk environments. This level is based on the CSA Cloud Controls Matrix (CCM).
  • Level 2: Third-Party Certification: A certification level best for organizations in medium- to high-risk environments. This level is also based on the CSA CCM, plus additional requirements, and involves an independent third-party assessment.
  • Level 3: Continuous Monitoring: A level that’s best for full-service CSP enterprises in high-risk environments. This level will provide real-time continuous auditing and eventually continuous certification. It’s currently under construction and was scheduled for release in late 2023.

Each level builds upon the previous one, offering increasing rigor and assurance to cloud service providers and their customers.

What is the difference between CSA STAR and SOC 2?

CSA STAR and SOC 2 are both frameworks designed to assess and assure cloud security, but they have distinct differences:

  • CSA STAR: Focuses on cloud-specific security, privacy, and compliance requirements. It incorporates the Cloud Controls Matrix (CCM) and is designed to address the unique challenges of cloud service providers.
  • SOC 2: A broader framework developed by the AICPA, SOC 2 applies to any service organization, not just cloud providers. It focuses on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

While both frameworks aim to ensure security and compliance, CSA STAR is more cloud-centric, while SOC 2 has a wider application.

What is the difference between CSA STAR and ISO 27001?

CSA STAR and ISO 27001 are both recognized standards for information security, but they serve different purposes:

  • ISO 27001: An international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
  • CSA STAR: Specifically tailored for cloud security, building on ISO 27001 by adding cloud-specific controls defined in the Cloud Controls Matrix (CCM). CSA STAR is often seen as an extension or enhancement of ISO 27001, providing a more focused approach to cloud environments.

Essentially, CSA STAR complements ISO 27001 by addressing the unique challenges of cloud computing.

What is CSA STAR Level 1?

CSA STAR Level 1 deals with STAR self-assessment. Organizations complete a self-assessment using the Consensus Assessments Initiative Questionnaire (CAIQ) or by documenting their adherence to the Cloud Controls Matrix (CCM). This level is designed to provide transparency and assurance to customers and stakeholders.

Is CSA STAR Level 1 free?

Yes, CSA STAR Level 1 is free. Organizations can complete the self-assessment and submit their results to the CSA STAR Registry without any cost. This makes it an accessible entry point for organizations looking to demonstrate their cloud security practices.

What is the difference between CSA STAR Level 1 and Level 2?

The key differences between CSA STAR Level 1 and Level 2 are:

  • Level 1: Self-assessment, where organizations assess their own security controls using the CAIQ or CCM and submit the results to the CSA STAR Registry.
  • Level 2: Involves third-party certification, where an independent auditor conducts an in-depth assessment of the organization’s security controls against the CSA STAR criteria. Level 2 offers a higher level of assurance due to the involvement of an external auditor.

Level 2 is more rigorous and provides greater credibility compared to the self-assessment of Level 1.

What are the benefits of CSA STAR?

The benefits of CSA STAR include:

  • Enhanced trust: Demonstrates a commitment to cloud security and compliance, building trust with customers and stakeholders.
  • Cloud-specific focus: Tailored controls and assessments specifically for cloud environments, addressing unique challenges and risks.
  • Market differentiation: CSA STAR certification can differentiate an organization in the competitive cloud market by showcasing your commitment to security.
  • Continuous improvement: Encourages ongoing monitoring and improvement of cloud security practices, particularly at Level 3.
  • Alignment with global standards: CSA STAR aligns with ISO 27001 and other frameworks, providing a comprehensive approach to cloud security.

What is the highest level of CSA STAR?

The highest level of CSA STAR is Level 3: Continuous Monitoring. This level involves ongoing monitoring of cloud security practices, with real-time reporting and continuous assessments. It provides the highest level of assurance and is designed for organizations that require the most stringent security and compliance measures.

Which frameworks does CSA STAR map to?

CSA STAR maps to the following frameworks:

Hyperproof for CSA STAR Compliance

Hyperproof’s compliance operations platform can provide an excellent starting point for organizations looking to obtain their CSA STAR certification, as it contains all CCM requirements in addition to all the requirements outlined in the CSA Code of Conduct for GDPR Compliance. Our platform makes it easy to scale up and harmonize multiple requirements across multiple information security standards, expediting the timeline to getting listed in the Registry and becoming CSA STAR certified for organizations of all sizes.


Hit the ground running

Hyperproof comes with a CSA STAR “starter compliance template” designed to help organizations accelerate their journey to compliance. The template comes with all CSA STAR requirements. Once you’ve implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g. tailor certain controls or collect additional pieces of evidence). For organizations who already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.

Streamline the evidence collection and management processes

Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.

Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g. submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g. Outlook, Slack, Gmail), complete the tasks in those tools, and have information routed back and reflected in Hyperproof in near real-time.

Know exactly where you stand with an audit

Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards to help you identify what controls are already in place vs. what’s missing in real-time, so you can put solutions in place to close those gaps well ahead of an auditor’s visit.

When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof—so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CSA STAR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.
