Cloud Security Alliance (CSA) STAR Self-Assessment

CSA STAR Self-Assessment overview

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It's dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust, Assurance, and Risk (STAR) registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

CSPs can submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the CCM. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

STAR provides two levels of assurance:

  • Level 1: Self-Assessment using the CAIQ
  • Level 2: Independent third-party certifications such as CSA STAR Certification and CSA STAR Attestation

For the CSA STAR Self-Assessment, Microsoft publishes CAIQ-based assessments for Azure, Dynamics 365, and Office 365.


CSA has released CCM v4, a major update to the CCM that has 197 control objectives structured in 17 domains. CCM and CAIQ have been combined in version 4. The Azure CSA STAR Self-Assessment has been updated to use the new CAIQ v4. CSA has also provided a CCM v4 transition timeline for cloud service providers and other organizations to start using version 4.

Audit reports and certificates

Frequently asked questions

Which industry standards does the CSA CCM align with?
The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.

Why is the CSA STAR Self-Assessment important?
It enables CSPs to document compliance with CSA-published best practices in a transparent manner. Self-assessment reports are publicly available, which helps cloud customers gain visibility into the security practices of CSPs and compare various CSPs using the same baseline.