Cloud Security Alliance (CSA) STAR Certification

CSA STAR Certification overview

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust, Assurance, and Risk (STAR) registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

STAR provides two levels of assurance:

  • Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.
  • Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.

Note

CSA has released CCM v4, a major update to the CCM that has 197 control objectives structured in 17 domains. CCM and CAIQ have been combined in version 4. Azure CSA STAR Attestation will be updated based on CCM v4 during the next Azure audit cycle. CSA has also provided a CCM v4 transition timeline for cloud service providers and other organizations to start using version 4.

CSA STAR Certification involves a rigorous independent third-party assessment of a cloud provider’s security posture. It is based on achieving ISO 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM). CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

During the assessment, an accredited CSA certification auditor assigns a Management Capability score to each of the CCM security domains. Each domain is scored on a specific maturity and measured against five management principles. The internal report shows organizations how mature their processes are and what areas they need to consider improving to reach an optimum maturity level.

Applicability

  • Azure
  • Azure Government

Services in scope

The scope of the CSA STAR Certification is aligned to the scope of the ISO/IEC 27001 information security management system (ISMS) supporting Azure, Dynamics 365, Microsoft 365, and Power Platform online services.

Audit reports and certificates

Frequently asked questions

Which industry standards does the CSA CCM align with?
The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.

Where can I see the CSA STAR certificate for Azure and other Microsoft online services?
You can download the CSA STAR certificate for Azure directly from the CSA STAR registry. For detailed insight into services in scope, see the ISO/IEC 27001 certificate.

Resources