Shared Assessments overview
The Shared Assessments Program (formerly known as BITS Shared Assessments) is used by many commercial, retail, and investment banks around the world as a proxy for managing their third-party vendor risk assessment process. Microsoft Azure aligns with the Program's Standard Information Gathering (SIG) questionnaire and the Agreed Upon Procedures (AUP) by way of Azure's CSA STAR Self-Assessment.
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) registry is a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.
For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.
CSPs can submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the CCM. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.
STAR provides two levels of assurance:
- Level 1: Self-Assessment using the CAIQ
- Level 2: Independent third-party certifications such as CSA STAR Certification and CSA STAR Attestation
For the CSA STAR Self-Assessment, Microsoft publishes CAIQ-based assessments for Azure, Dynamics 365, and Office 365.
The CCM maps to the Shared Assessments SIG v6.0 and AUP v5.0. Azure also maintains independent third-party certifications at the CSA STAR Level 2, including CSA STAR Certification and CSA STAR Attestation as documented in the STAR registry.
- To download Azure, Dynamics 365, and Office 365 CSA STAR Self-Assessments, see the CSA STAR registry for Microsoft.
Frequently asked questions
Which industry standards does the CSA CCM align with? The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.
Why is the CSA STAR self-assessment important? It enables CSPs to document compliance with CSA published best practices in a transparent manner. Self-assessment reports are publicly available, thereby helping you gain visibility into the security practices of CSPs and compare various CSPs using the same baseline.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Shared Assessments
- Shared Assessments Standard Information Gathering (SIG) questionnaire
- Shared Assessments Agreed Upon Procedures (AUP)
- Cloud Security Alliance (CSA)
- CSA Cloud Controls Matrix (CCM)
- CSA Consensus Assessments Initiative Questionnaire (CAIQ)
- CSA Security, Trust, Assurance, and Risk (STAR) registry
- Azure, Dynamics 365, and Office 365 CAIQ reports