Build trust with CSA STAR in 2024

Demonstrate Best-in-Class Cloud Security with CSA STAR Level Two Accreditation.


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.

CSA STAR Level Two Accreditation

Is this the year you

grow with CSA STAR?

CSA STAR Level Two demonstrates a high standard of cloud security.

Level two CSA STAR is an independent third-party assessment that combines the cloud security framework with criteria specified in the cloud controls matrix (CCM). 

AssuranceLab is a Certified CSA STAR audit firm ready to help you earn trust with CSA STAR audits globally. We provide audit pre-assessments through to certification that can be combined with other global standards to remove the usual duplication of multi-standard audits.

Ready to get started with CSA STAR?



Four Steps to CSA STAR

left arrow right arrow
CSA STAR Readiness Assessment

CSA STAR Readiness Assessment

Integrating with many compliance platforms, we provide a tailored view of your controls and any gaps to help you prepare for your audit.

Remediation Support

Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your culture and the CSA STAR control objectives. Our flexible and responsive team helps you work through it at your own pace.

CSA STAR Type 1 Audit

CSA STAR Type 1 Report

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback help you stay on track and achieve real operational benefits for your company. Type 1 reports earn your initial CSA STAR Level Two accreditation.

CSA STAR Type 2 Audit

CSA STAR Type 2 Report

We conduct the Type 2 audits at your pace within a defined timeline to suit your preference and increase confidence in your compliance.

Ready to get started on your compliance journey?


Clear reasons to act


International credibility

A globally recognised accreditation to build
trust at scale


Customer comfort and trust

A detailed report addressing crucial
customer due diligence questions


Minimal business disruption

Agile and flexible audits that help minimise the disruption while meeting client deadlines


Rigorous standard

A challenging and comprehensive standard that earns
a high level of trust


Multi-standard compliance

Combine CSA STAR with several other global
standards to do more with less


Levels of Accreditation

CSA STAR has three levels of accreditation to
recognise partial progress


Your questions answered

What is CSA STAR?

The Cloud Security Alliance (CSA) is a nonprofit organisation. It's dedicated to defining best practices to help ensure a more secure cloud computing environment. Security, Trust, Assurance and Risk (STAR) was launched as a publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ contains more than 250 questions based on the cloud controls matric (CCM) that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM. The CCM covers 17 domains and 197 control objectives related to best practice cloud security.

What are the three levels of accreditation?

Level One accreditation is based on completing questionnaires to provide information that may or may not have been independently verified into the online CSA register for third-party review. 

Level Two is a certification or attestation report that has been independently audited and submitted to the CSA. 

Level Three is a level of continuous assurance for the higher standard of cloud security and third-party assurance.

Do I need to do Level One before Level Two?

Yes, but you can do both together. Level One is a completed questionnaire that’s submitted to the CSA registry covering the same details as what’s audited for Level Two accreditation covering the cloud controls matrix. 

Do I need to comply with all 197 control objectives of the CCM?

Yes. You either need to show how your cloud security practices meet each of the 197 objectives or substantiate why they are not applicable. The number of objectives sounds daunting but there is a lot of overlap in the controls that cover each. We see clients have an average of 220 controls to satisfy the 197 objectives. 

What are Type 1 and Type 2 reports?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the CSA STAR regulatory clauses.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period between 3-12 months to show your systems and processes have been operated consistently to satisfy the CSA STAR regulatory clauses.

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually.

Does CSA STAR replace the need for SOC 2 or ISO 27001?

No. CSA STAR is designed to be complementary. Level Two accreditation offers pathways through SOC 2 or ISO 27001 so that you can leverage all your compliance efforts on those more common standards. CSA STAR can be built on top of either SOC 2 or ISO 270001 following a certification or attestation report approach so that it is compatible with those two global leading standards and the associated audit firm and/or certification body credentials that accredit those standards. 

Can we reduce the audit work by using a compliance platform?

Yes. Many of the controls required or expected for CSA STAR are supported with automation by security compliance platforms. AssuranceLab has built the CSA STAR cloud controls matrix and associated controls for different compliance platforms that can be imported and continuously monitored for our clients pursuing CSA STAR accreditation. Our audit platform Pillar can be used as a stand-alone platform, or integrated with a large number of automation platforms. 


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.



A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

Get started your way

We’re ready when you are