CSA STAR (Cloud Security Alliance Security, Trust, Assurance, and Risk)
The CSA STAR program provides a cloud-specific assurance framework with three assurance levels (self-assessment, third-party assessment, and continuous auditing), all built on the Cloud Controls Matrix (CCM).
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program is the most widely used cloud-specific assurance mechanism. It is structured around the CSA Cloud Controls Matrix (CCM), currently CCM v4.0. STAR offers three levels: Level 1 (Self-Assessment, free to submit), Level 2 (Third-Party Assessment: STAR Certification, an ISO/IEC 27001 audit extended with the CCM, or STAR Attestation, a SOC 2 examination extended with the CCM), and Level 3 (Continuous Auditing, based on continuous monitoring of CCM controls). CCM v4.0 organizes 197 control specifications across 17 domains, including Audit & Assurance, Application & Interface Security, Change Control & Configuration Management, Cryptography, Encryption & Key Management, Data Security & Privacy Lifecycle Management, Governance, Risk & Compliance, Identity & Access Management, Infrastructure & Virtualization Security, Logging & Monitoring, and Supply Chain Management, Transparency & Accountability.
CSA STAR Level 2 Certification is the option most commonly pursued by cloud service providers. It extends an ISO/IEC 27001 certification audit with an assessment of the CCM controls, performed by a certification body accredited for STAR, so that a single audit cycle covers both the ISO 27001 scope and the STAR certificate. The CCM controls call for cloud-specific technical evidence beyond what ISO 27001 asks for: the Application & Interface Security domain expects application security testing carried out and recorded against a defined methodology; the Infrastructure & Virtualization Security domain expects production and non-production environments to be separated, and network controls (security groups, virtual network configuration, segmentation between environments) to be documented and periodically reviewed; the Data Security & Privacy Lifecycle Management domain expects a data classification scheme backed by technical enforcement rather than policy alone. Auditors ask for the artefacts themselves (test reports, account or subscription layouts, security-group exports, classification labels), not a statement that a control exists. STAR certificates are published in the public CSA STAR Registry, which lets customers verify a provider's claimed status rather than rely on the provider's own marketing.
The Consensus Assessments Initiative Questionnaire (CAIQ), the self-assessment instrument corresponding to the CCM, is widely used by enterprise customers conducting vendor due diligence. Completing a CAIQ means answering every question (Yes, No, or Not Applicable) across all 197 CCM v4.0 controls, several of which carry more than one question, and giving a pointer to the supporting evidence for each answer. For buyers, mapping CAIQ responses to their own control requirements allows side-by-side comparison of CSP security postures without a bespoke RFP process; in practice the useful signal is less the count of "Yes" answers than the "No" and "Not Applicable" answers on controls the buyer considers mandatory, and "Yes" answers with no evidence behind them. CCM v4.0 includes explicit mappings to ISO 27001:2013, ISO 27017, ISO 27018, NIST SP 800-53 Rev 5, GDPR, PCI DSS, HIPAA, and CSA CCM v3.0.1, allowing organizations to use CCM assessments as evidence across multiple regulatory frameworks simultaneously. The mappings are not equivalences: a CCM control may cover a mapped requirement only partially, so a framework-specific gap analysis is still needed before reusing CCM evidence for another regime.
We support CSA STAR Level 2 Certification for cloud service providers by scoping the combined ISO 27001 + CCM audit, pre-populating CAIQ responses from our ISO 27001 control evidence repositories, and mapping CCM domains to existing control implementations to minimize duplicative effort. Our vendor due diligence process includes automated CAIQ analysis against client-specific control requirements.
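The following is an added example of the kind of automated CAIQ gap analysis described above; it is not code from the page's author, CSA, or the CAIQ itself. It assumes a CAIQ extract flattened to a CSV with one row per question (question id, parent control id, answer, evidence pointer) and a buyer requirement list keyed by control id. The control identifiers, answers, and evidence text below are constructed sample data, and the column layout is a simplification of the real CAIQ spreadsheet.

```python
"""CAIQ gap analysis: compare a vendor's CAIQ-style answers with a buyer's
control requirements and classify the gaps.

All identifiers and answers below are constructed sample data for this
illustration, not a real CAIQ submission.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample CAIQ extract. One row per question; a control may have
# several questions. Columns: question id, parent control id, answer, evidence.
VENDOR_CAIQ_CSV = """question_id,control_id,answer,evidence
IAM-01.1,IAM-01,Yes,Access Control Policy v3 (policy repo)
IAM-01.2,IAM-01,Yes,
IAM-02.1,IAM-02,No,
CEK-03.1,CEK-03,Yes,KMS key rotation runbook
DSP-04.1,DSP-04,NA,No customer data stored (see scope statement)
IVS-05.1,IVS-05,Yes,Separate prod/non-prod accounts (diagram A-7)
LOG-05.1,LOG-05,No,
"""

# Constructed buyer requirements: control id -> True if mandatory, False if
# nice-to-have. TVM-07 is deliberately absent from the vendor's answers.
BUYER_REQUIREMENTS = {
    "IAM-01": True,
    "IAM-02": True,
    "CEK-03": True,
    "DSP-04": True,
    "IVS-05": True,
    "LOG-05": False,
    "TVM-07": True,
}


@dataclass
class GapReport:
    failed: list = field(default_factory=list)        # mandatory control answered No
    unsupported: list = field(default_factory=list)   # Yes with no evidence pointer
    needs_review: list = field(default_factory=list)  # NA on a mandatory control
    missing: list = field(default_factory=list)       # mandatory control not answered
    advisory: list = field(default_factory=list)      # optional control answered No

    def acceptable(self):
        """A vendor passes the automated screen only if no mandatory control is
        answered No or left unanswered; everything else goes to a human reviewer."""
        return not self.failed and not self.missing


def parse_caiq(csv_text):
    """Group CAIQ rows by parent control id: {control_id: [row, ...]}."""
    by_control = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_control.setdefault(row["control_id"].strip(), []).append(row)
    return by_control


def analyze_caiq(csv_text, requirements):
    """Classify each required control's answers into the GapReport buckets."""
    answers = parse_caiq(csv_text)
    report = GapReport()
    for control, mandatory in requirements.items():
        if control not in answers:
            if mandatory:
                report.missing.append(control)
            continue
        for row in answers[control]:
            qid = row["question_id"].strip()
            ans = row["answer"].strip().lower()
            evidence = row["evidence"].strip()
            if ans == "no":
                (report.failed if mandatory else report.advisory).append(qid)
            elif ans == "yes" and not evidence:
                # A bare "Yes" is a claim, not evidence; flag it for follow-up.
                report.unsupported.append(qid)
            elif ans == "na" and mandatory:
                # NA on a mandatory control needs a justification a human can check.
                report.needs_review.append((qid, evidence or "no justification given"))
    return report


if __name__ == "__main__":
    rep = analyze_caiq(VENDOR_CAIQ_CSV, BUYER_REQUIREMENTS)
    print("acceptable:", rep.acceptable())
    for bucket in ("failed", "missing", "unsupported", "needs_review", "advisory"):
        print(f"{bucket}: {getattr(rep, bucket)}")
```

The buckets matter more than the pass/fail bit: a "No" on a mandatory control and an unanswered mandatory control are hard stops, while an unsupported "Yes" or an "NA" with a scope justification are follow-up questions for the vendor call, not automatic rejections.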
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.