Status: Active | Type: International Standard | Last Updated: Jul 2024

CSA STAR

Cloud Security Alliance Security, Trust, Assurance and Risk Program

Publishing Organization: Cloud Security Alliance (CSA)

Standard Introduction

CSA STAR (Security, Trust, Assurance and Risk) is a cloud security assurance program developed by the Cloud Security Alliance. It provides a comprehensive framework for evaluating the security posture of cloud service providers through three levels of assurance: self-assessment, third-party certification, and continuous monitoring. The program is built on the Cloud Controls Matrix (CCM), which defines 197 cloud-specific security control objectives.

CSA STAR has become a widely recognized benchmark for cloud security, with thousands of providers listed in the public STAR Registry. Level 2 certification combines the CCM assessment with either ISO/IEC 27001 certification or SOC 2 attestation, providing a comprehensive evaluation of both general and cloud-specific security controls. The program helps enterprise customers compare cloud providers during procurement and vendor risk management processes.


Three Assurance Levels

Offers Level 1 (self-assessment), Level 2 (third-party certification/attestation), and Level 3 (continuous monitoring) to match different risk appetites and maturity levels.


Cloud Controls Matrix

Built on the CCM framework with 197 cloud-specific control objectives mapped to ISO 27001, NIST, PCI DSS, and other standards for unified cloud governance.


Registry Transparency

All certified providers are listed in the public STAR Registry, enabling customers to compare cloud provider security postures before procurement.

CCM Control Domains

  • Audit assurance & compliance
  • Application & interface security
  • Business continuity management & operational resilience
  • Change control & configuration management
  • Data security & privacy lifecycle management
  • Encryption & key management
  • Identity & access management
  • Infrastructure & virtualization security

Who Needs to Comply?


Cloud service providers (IaaS, PaaS, SaaS) seeking to demonstrate security posture to enterprise customers, and organizations evaluating cloud providers during vendor due diligence.

Key Requirements

1. Cloud Controls Matrix Compliance

Implement controls across all applicable CCM domains covering 197 control objectives aligned with cloud-specific risks and mapped to ISO 27001 Annex A controls.

2. CAIQ Self-Assessment

Complete the Consensus Assessment Initiative Questionnaire (CAIQ) documenting how your organization addresses each CCM control objective for Level 1 registration.

3. Third-Party Audit (Level 2)

Engage an accredited auditor to perform an independent assessment combining CSA CCM with ISO 27001 certification or SOC 2 attestation for Level 2 STAR certification.

4. Continuous Monitoring (Level 3)

Implement continuous security monitoring and automated compliance verification to maintain real-time assurance of control effectiveness.

Penalties & Enforcement


No direct legal penalties — CSA STAR is a voluntary certification. However, lack of STAR certification can result in exclusion from enterprise procurement processes, especially in regulated industries like finance and healthcare.


Implementation Timeline

  • Nov 2008: Cloud Security Alliance concept founded at ISSA CISO Forum
  • 2009: CSA incorporated; published first Security Guidance for Cloud Computing
  • 2011: STAR program launched to improve cloud trust and assurance
  • 2013: CSA STAR Certification (Level 2) launched with third-party audits
  • 2021: Cloud Controls Matrix v4 released with 197 control objectives
  • Nov 2025: STAR for AI Level 2 introduced combining AI-CAIQ with ISO 42001
