CSA STAR: What you need to know

The Cloud Security Alliance's STAR program covers modern cloud security practices that address a broad set of expectations and requirements from your enterprise customers.

The Cloud Security Alliance is an organisation best known for its Consensus Assessment Initiative Questionnaire (CAIQ). Anyone in the cloud software industry will know the pain involved in working through enterprise customer compliance requirements.

These compliance requirements can be referred to as due diligence, security questionnaires, or a range of profanities that also sums it up. Each enterprise sets its own compliance framework that applies to its assessment of third-party providers. That's driven by their own compliance obligations and their risk management team's judgement on the best way to manage them. Unfortunately, for the average software company that wants to license its software to those enterprises, that means a broad range of differing requirements, usually hundreds and sometimes over a thousand "questions".


The CAIQ was an initiative to standardise this, by providing a BIG template of all the things those enterprises may want to know and mapping it across various existing standards. Sadly, for the companies that spent many hours populating the CAIQ template thinking it would be the last of these ad-hoc questionnaires, many enterprises still enforce their own bespoke questionnaires.


Standards, attestations and certifications are generally the best way to reduce or remove these bespoke questionnaires, because they're subject to third-party audits and validation by qualified providers. Accordingly, CSA created its own CSA STAR program, which covers this broad range of cloud security practices and can therefore be used to bypass bespoke due diligence requirements once it's achieved.


How does CSA STAR work?


The CSA Cloud Controls Matrix (CCM) covers the broad set of security practices that demonstrate an effective security and compliance posture. CSA publishes a public registry that recognises organisations that achieve CSA STAR by meeting each of the requirements, and that registry entry can be used to alleviate the due diligence questions from enterprise customers. There are two levels:

  • CSA STAR Level 1: Achieved through self-assessment, documenting the controls that meet the CCM objectives, and submitting that documentation to the CSA for review and publishing to demonstrate CSA STAR compliance.
  • CSA STAR Level 2: Achieved through a certification or attestation by a qualified CSA practitioner. The CSA STAR audit reviews the controls that meet each of the CCM objectives and issues the certification or attestation, which CSA then publishes as Level Two status on the registry.

Enterprise customers would rarely accept Level One alone as satisfying their requirements. It's common to see Level Two either as a mandate imposed by enterprise customers, or as an optional path to satisfying their requirements. It's sometimes listed alongside other options like HITRUST, SOC 2 or ISO 27001, potentially with an additional questionnaire or audit process.


Which is best: Certification or Attestation?


CSA STAR conveniently offers either the certification or the attestation method for reaching Level Two status. CSA STAR Certification follows the approach of certifications like ISO 27001: each control is selected and assessed, non-conformities are raised as applicable, and a certification is issued if there is sufficient conformity to the CCM control objectives. CSA STAR Attestation follows the approach of assurance reports like SOC 2. That offers more flexibility in the way controls are defined, which can help when covering multiple standards together. Each control is mapped to the control objectives and an assurance report is prepared that describes how those objectives are met, with an auditor opinion and sign-off to verify that those controls are effective.

From a CSA recognition or outcome perspective, there's no difference between the two approaches. They are offered to allow broader compatibility with existing compliance programs and flexible pathways to achieving Level Two. Perhaps the more important difference is whether you deal with an assurance firm (CPA or CA firms) or a certification body (CB). There's a lot of overlap between the two, and some firms, such as AssuranceLab, sit in both camps.


Is CSA STAR Right for us?


We see CSA STAR as the next rising standard that will become widespread and beneficial for businesses to adopt. Like all optional standards, it had a slow start with a few early adopters, and has since shown signs of exponential growth. It's now a common topic of conversation. Three years ago, it was almost never spoken of by our clients.


Where CSA STAR excels is in specialising in cloud security, covering broader topics like API security, data portability, and virtualisation security, as well as comprehensive coverage of important modern security practices like managing endpoint devices and the human element of security. Standards like SOC 2 and ISO 27001 are already widespread but less comprehensive and rigorous. The rise in so-called compliance automation for these standards has to some degree undermined the real level of rigour they represent. Large enterprises use these standards as minimum baselines and look to higher standards like CSA STAR for their moderate to higher risk third-party providers.


How do I get started?


Get in touch if you want to discuss a CSA STAR Level Two plan for your business. Our latest readiness software includes CSA STAR alongside 11 other standards, so you can mix and match the standards you already meet or plan to meet in the future, without the usual duplication involved. Our recommended approach is the SOC 2+ CSA attestation method, which can also include GDPR coverage if that's applicable to your goals. If you already hold ISO 27001 certification, we can instead follow the CSA STAR Level Two certification approach and leverage that existing ISO 27001 certification.


About AssuranceLab


AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.
