Cloud Security Alliance (CSA) STAR certification

CSA STAR certification overview

The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM). (The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.)

  • Level 1: STAR Self-Assessment
  • Level 2: STAR Certification, STAR Attestation, and C-STAR Assessment
  • Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)

Microsoft and CSA STAR certification

Microsoft Azure, Microsoft Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. This STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

During the assessment, an accredited CSA certification auditor assigns a Maturity Capability score to each of the 16 CCM control areas. The average score is then used to assign the overall level of maturity and the corresponding Bronze, Silver, or Gold award. Azure, Intune, Power BI, and Microsoft Cloud App Security were awarded Cloud Security Alliance (CSA) STAR Certification at the Gold level.

Learn about the benefits of CSA STAR Certification on the Microsoft Cloud: Download the CSA STAR Certification backgrounder

Learn how to accelerate your CSA STAR Certification deployment with our Azure Security and Compliance Blueprints: Download the Microsoft Azure Responses to CSA Consensus Assessments Initiative Questionnaire

Microsoft in-scope cloud services

  • Azure, Azure Government, and Azure Germany
  • Cloud App Security
  • Genomics
  • Graph
  • Health Bot
  • Intune
  • Microsoft Managed Desktop
  • Microsoft Flow cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • OMS Service Map
  • PowerApps cloud service, either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI: the cloud service portion of Power BI, offered as a standalone service or as included in an Office 365 branded plan or suite
  • Stream

Frequently asked questions

Which industry standards does the CSA CCM align with?

The CCM corresponds to industry-accepted security standards, regulations, and control frameworks, such as ISO 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list, visit the CSA website.

Where can I view the CSA STAR Certification for Microsoft cloud services?

You can download the CSA STAR Certification for Azure, which also covers Intune and Power BI, from the CSA Registry.

What maturity level did Microsoft cloud services achieve?

Azure, Cloud App Security, Intune, and Power BI have achieved the highest possible Gold Award for the Maturity Capability assessment.

Which CSA STAR levels of assurance have Microsoft business cloud services attained?

  • Level 1: CSA STAR Self-Assessment: Azure, Dynamics 365, and Office 365. The Self-Assessment is a complimentary offering from cloud service providers to document their security controls to help customers assess the security of the service.
  • Level 2: CSA STAR Certification: Azure, Cloud App Security, Intune, and Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It is awarded after a rigorous third-party assessment of the security controls and practices of a cloud service provider.
  • Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated to provide guidelines for CPAs to use in conducting SOC 2 engagements, using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA CCM. STAR Attestation is based on these guidelines and is awarded after rigorous independent assessments of cloud providers.
