Cloud Security Alliance (CSA) STAR Certification
CSA STAR Certification overview
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It's dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust, Assurance, and Risk (STAR) registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.
For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.
STAR provides two levels of assurance:
- Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.
- Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.
CSA has released CCM v4, a major update to the CCM that has 197 control objectives structured in 17 domains. CCM and CAIQ have been combined in version 4. CSA has also provided a CCM v4 transition timeline for cloud service providers and other organizations to start using version 4.
CSA STAR Certification involves a rigorous independent third-party assessment of a cloud provider’s security posture. It's based on achieving ISO 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM). CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
During the assessment, an accredited CSA certification auditor assigns a Management Capability score to each of the CCM security domains. Each domain is scored on a specific maturity and measured against five management principles. The internal report shows organizations how mature their processes are and what areas they need to consider improving to reach an optimum maturity level.
- Azure Government
Services in scope
The scope of the CSA STAR Certification is aligned to the scope of the ISO/IEC 27001 information security management system (ISMS) supporting Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.
Audit reports and certificates
- To download the Azure CSA STAR certificate, see the CSA STAR registry for Microsoft.
Frequently asked questions
Which industry standards does the CSA CCM align with? The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.
Where can I see the CSA STAR certificate for Azure and other Microsoft online services? You can download the CSA STAR certificate for Azure directly from the CSA STAR registry. For detailed insight into services in scope, see the ISO/IEC 27001 certificate.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Cloud Security Alliance (CSA)
- CSA Cloud Controls Matrix (CCM)
- CSA Consensus Assessments Initiative Questionnaire (CAIQ)
- CSA Security, Trust, Assurance, and Risk (STAR) registry
- Azure, Dynamics 365, and Office 365 CAIQ reports