Standardful
Active international standard. Last updated: July 2024

CSA STAR

Cloud Security Alliance Security, Trust, Assurance and Risk program

Publishing organization: Cloud Security Alliance (CSA)

Overview

CSA STAR (Security, Trust, Assurance and Risk) is a security assessment and certification program for cloud service providers operated by the Cloud Security Alliance (CSA). The program is built on the CSA Cloud Controls Matrix (CCM) and offers three assurance levels: STAR Level 1 (self-assessment: the provider publishes a completed CAIQ questionnaire or a CCM self-assessment), STAR Level 2 (independent third-party audit: STAR Certification combines the CCM with ISO/IEC 27001, and STAR Attestation combines it with SOC 2) and STAR Level 3 (continuous auditing/monitoring based on ongoing automated assessment). The CSA STAR Registry is a publicly accessible database in which anyone can look up a cloud service provider's published security posture.

CSA STAR Level 2 is the most widely adopted level; it requires the cloud service provider to satisfy the cloud-specific security controls of the CCM on top of an ISO/IEC 27001 certification or a SOC 2 audit. The CCM covers 17 control domains and 197 control objectives, including application and interface security, audit assurance and compliance, business continuity management, change control, data security and privacy, encryption and key management, governance and risk management, identity and access management, infrastructure and virtualization security, supply chain management, and threat and vulnerability management. CSA STAR is increasingly important for cloud providers offering SaaS, IaaS or PaaS services to enterprise and government customers; many procurement processes already list CSA STAR as a required element of vendor security assessment.


Three Assurance Levels

Offers Level 1 (self-assessment), Level 2 (third-party certification/attestation), and Level 3 (continuous monitoring) to match different risk appetites and maturity levels.


Cloud Controls Matrix

Built on the CCM framework with 197 cloud-specific control objectives mapped to ISO 27001, NIST, PCI DSS, and other standards for unified cloud governance.


Registry Transparency

All registered providers, from Level 1 self-assessments to Level 2 certifications and attestations, are listed in the public STAR Registry together with their assurance level, so customers can compare cloud provider security postures before procurement. Check the level and submission date of an entry: a Level 1 listing is an unaudited self-assessment, not an independent certification.

CCM Control Domains (a selection of the 17 domains)

  • Audit assurance & compliance
  • Application & interface security
  • Business continuity management & operational resilience
  • Change control & configuration management
  • Data security & privacy lifecycle management
  • Encryption & key management
  • Identity & access management
  • Infrastructure & virtualization security

Who Needs to Comply?


Cloud service providers (IaaS, PaaS, SaaS) seeking to demonstrate security posture to enterprise customers, and organizations evaluating cloud providers during vendor due diligence.

Key Requirements

1. Cloud Controls Matrix Compliance

Implement controls across all applicable CCM domains covering 197 control objectives aligned with cloud-specific risks and mapped to ISO 27001 Annex A controls.

2. CAIQ Self-Assessment

Complete the Consensus Assessment Initiative Questionnaire (CAIQ) documenting how your organization addresses each CCM control objective for Level 1 registration.

3. Third-Party Audit (Level 2)

Engage an accredited auditor to perform an independent assessment combining CSA CCM with ISO 27001 certification or SOC 2 attestation for Level 2 STAR certification.

4. Continuous Monitoring (Level 3)

Implement continuous security monitoring and automated compliance verification to maintain real-time assurance of control effectiveness.

Penalties & Enforcement


No direct legal penalties — CSA STAR is a voluntary certification. However, lack of STAR certification can result in exclusion from enterprise procurement processes, especially in regulated industries like finance and healthcare.


Timeline

November 2008: Cloud Security Alliance concept founded at ISSA CISO Forum
2009: CSA incorporated; published first Security Guidance for Cloud Computing
2011: STAR program launched to improve cloud trust and assurance
2013: CSA STAR Certification (Level 2) launched with third-party audits
2021: Cloud Controls Matrix v4 released with 197 control objectives
November 2025: STAR for AI Level 2 introduced combining AI-CAIQ with ISO 42001
