Cloud Security Alliance (CSA) STAR attestation
CSA STAR attestation overview
The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers (CSPs) can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM), which covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service:
- Level 1: STAR Self-Assessment
- Level 2: STAR Attestation, STAR Certification, and C-STAR Assessment (which are based on audits by third parties)
- Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)
STAR Attestation involves a rigorous independent audit of a cloud provider's security posture, based on a SOC 2 Type 2 examination that uses the CCM as additional criteria. The independent auditor that evaluates a cloud provider's offerings for STAR Attestation must be a certified public accountant (CPA) and is required to hold the CSA Certificate of Cloud Security Knowledge (CCSK).
A SOC 2 Type 2 audit is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, such as security, availability, confidentiality, and processing integrity; for STAR Attestation, the criteria in the CCM are added to that scope. STAR Attestation provides an auditor's findings on the design suitability and operating effectiveness of SOC 2 controls in Microsoft cloud services. Because it is a Type 2 report, the findings cover operating effectiveness over a stated review period rather than at a single point in time, so check the period covered when relying on the report. The objective is to meet both the AICPA criteria mentioned above and the requirements set forth in the CCM.
Microsoft in-scope cloud services
Microsoft Azure and Microsoft Intune have been awarded CSA STAR Attestation. The following Microsoft cloud services are in scope:
- Azure and Azure Government
- Azure Germany
- Microsoft Cloud App Security
- Microsoft Graph
- Microsoft Managed Desktop
- Power Automate (formerly Microsoft Flow) cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI
Audits, reports, and certificates
Frequently asked questions
Which industry standards does the CSA CCM align with?
The CCM corresponds to industry-accepted security standards, regulations, and control frameworks such as ISO/IEC 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list, visit the CSA website.
Where can I see the CSA STAR Attestation for Microsoft cloud services?
You can download the CSA STAR Attestation for Azure, which also covers Intune, from the CSA Registry.
Which CSA STAR levels of assurance have Microsoft business cloud services attained?
- Level 1: CSA STAR Self-Assessment: Azure, Microsoft Dynamics 365, and Microsoft Office 365. The Self-Assessment is a complimentary offering in which cloud service providers document their security controls to help customers assess the security of the service.
- Level 2: CSA STAR Certification: Azure, Microsoft Cloud App Security, Intune, and Microsoft Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting the criteria specified in the CCM. It is awarded after a rigorous third-party assessment of the security controls and practices of a cloud service provider.
- Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated to provide guidelines for CPAs to use in conducting SOC 2 engagements, using criteria from the AICPA (Trust Services Principles and Criteria, AT Section 101) and the CSA CCM. STAR Attestation is based on these guidelines and is awarded after a rigorous independent assessment of the cloud provider.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for CSA STAR Attestation. Find the template on the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
Resources
- Azure standard response for request for information
- Azure Cloud Security Alliance CAIQ
- Office 365 Mapping of CSA Cloud Control Matrix
- Cloud Security Alliance
- CSA Security, Trust & Assurance Registry (STAR)
- SOC 1, 2, and 3 Reports
- Cloud Controls Matrix (CCM)
- Microsoft Common Controls Hub Compliance Framework
- Compliance on the Microsoft Trust Center