Cloud Security Alliance (CSA) STAR certification
CSA STAR certification overview
The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM). (The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.)
- Level 1: STAR Self-Assessment
- Level 2: STAR Certification, STAR Attestation, and C-STAR Assessment
- Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)
Microsoft and CSA STAR certification
Microsoft Azure, Microsoft Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. This STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
During the assessment, an accredited CSA certification auditor assigns a Maturity Capability score to each of the 16 CCM control areas. The average score is then used to assign the overall level of maturity and the corresponding Bronze, Silver, or Gold award. Azure, Intune, Power BI, and Microsoft Cloud App Security were awarded Cloud Security Alliance (CSA) STAR Certification at the Gold level.
Learn how to accelerate your CSA STAR Certification deployment with our Azure Security and Compliance Blueprints.
Download the Microsoft Azure Responses to the CSA Consensus Assessments Initiative Questionnaire (CAIQ).
Microsoft in-scope cloud services
- Azure, Azure Government, and Azure Germany
- Microsoft Cloud App Security
- Microsoft Graph
- Microsoft Healthcare Bot
- Microsoft Managed Desktop
- Microsoft Defender Advanced Threat Protection
- OMS Service Map
- Power Automate (formerly Microsoft Flow) cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- PowerApps cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI: The cloud service portion of Power BI offered as a standalone service or as included in an Office 365 branded plan or suite
- Power BI Embedded
- Microsoft Stream
Audits, reports, and certificates
Frequently asked questions
Which industry standards does the CSA CCM align with?
The CCM corresponds to industry-accepted security standards, regulations, and control frameworks, such as ISO 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list, visit the CSA website.
Where can I view the CSA STAR Certification for Microsoft cloud services?
You can view the CSA STAR Certification for Azure, which also covers Dynamics 365, Intune, and Power BI, in the CSA Registry.
What maturity level did Microsoft cloud services achieve?
Azure, Microsoft Cloud App Security, Intune, and Power BI have achieved the highest possible Gold Award for the Maturity Capability assessment.
Which CSA STAR levels of assurance have Microsoft business cloud services attained?
- Level 1: CSA STAR Self-Assessment: Azure, Dynamics 365, and Office 365. The Self-Assessment is a complimentary offering from cloud service providers to document their security controls to help customers assess the security of the service.
- Level 2: CSA STAR Certification: Azure, Microsoft Cloud App Security, Intune, and Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It is awarded after a rigorous third-party assessment of the security controls and practices of a cloud service provider.
- Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated to provide guidelines for CPAs to use in conducting SOC 2 engagements, using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA CCM. STAR Attestation is based on these guidelines and is awarded after rigorous independent assessments of cloud providers.
Resources
- Azure standard response for request for information
- Azure Cloud Security Alliance CAIQ
- Office 365 Mapping of CSA Cloud Control Matrix
- Cloud Security Alliance
- CSA Security, Trust & Assurance Registry (STAR)
- About CSA STAR certification
- Cloud Controls Matrix (CCM)
- ISO/IEC 27001
- Microsoft Common Controls Hub Compliance Framework
- Compliance on the Microsoft Trust Center