標準簡介
CSA STAR(安全、信任、保證與風險)是由雲端安全聯盟開發的雲端安全保證計畫。它透過三個保證級別(自我評估、第三方認證和持續監控)為評估雲端服務供應商的安全狀況提供了全面框架。該計畫基於雲端控制矩陣(CCM)構建,定義了 197 個雲端運算特定的安全控制目標。
CSA STAR 已成為廣泛認可的雲端安全基準,數千家供應商在公開的 STAR 登錄冊中列出。二級認證將 CCM 評估與 ISO/IEC 27001 認證或 SOC 2 鑑證相結合,對通用和雲端特定安全控制進行全面評估。該計畫幫助企業客戶在採購和供應商風險管理過程中比較雲端服務供應商。
Three Assurance Levels
Offers Level 1 (self-assessment), Level 2 (third-party certification/attestation), and Level 3 (continuous monitoring) to match different risk appetites and maturity levels.
Cloud Controls Matrix
Built on the CCM framework with 197 cloud-specific control objectives mapped to ISO 27001, NIST, PCI DSS, and other standards for unified cloud governance.
Registry Transparency
All certified providers are listed in the public STAR Registry, enabling customers to compare cloud provider security postures before procurement.
list_alt CCM Control Domains
- Audit assurance & compliance
- Application & interface security
- Business continuity management & operational resilience
- Change control & configuration management
- Data security & privacy lifecycle management
- Encryption & key management
- Identity & access management
- Infrastructure & virtualization security
Who Needs to Comply?
Cloud service providers (IaaS, PaaS, SaaS) seeking to demonstrate security posture to enterprise customers, and organizations evaluating cloud providers during vendor due diligence.
Key Requirements
Cloud Controls Matrix Compliance
Implement controls across all applicable CCM domains covering 197 control objectives aligned with cloud-specific risks and mapped to ISO 27001 Annex A controls.
CAIQ Self-Assessment
Complete the Consensus Assessment Initiative Questionnaire (CAIQ) documenting how your organization addresses each CCM control objective for Level 1 registration.
Third-Party Audit (Level 2)
Engage an accredited auditor to perform an independent assessment combining CSA CCM with ISO 27001 certification or SOC 2 attestation for Level 2 STAR certification.
Continuous Monitoring (Level 3)
Implement continuous security monitoring and automated compliance verification to maintain real-time assurance of control effectiveness.
Penalties & Enforcement
No direct legal penalties — CSA STAR is a voluntary certification. However, lack of STAR certification can result in exclusion from enterprise procurement processes, especially in regulated industries like finance and healthcare.