CSA STAR (Security, Trust, Assurance, and Risk)

International

vCCM v4.0 (2021)

6 domains

24 controls

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) programme provides a comprehensive framework for cloud security assurance. Based on the CSA Cloud Controls Matrix (CCM), STAR offers three levels of assurance: self-assessment (Level 1), third-party audit (Level 2 - SOC 2 or ISO 27001 based), and continuous monitoring (Level 3). The CCM provides 197 control objectives across 17 domains mapped to major standards and regulations.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

CSA STAR: Assurance Quality and Lifecycle

4 controls

Controls in the CSA STAR: Assurance Quality and Lifecycle domain of CSA STAR (Security, Trust, Assurance, and Risk) — 4 controls
Code	Title	Description
STAR-INTERNAL-01	Internal audit coverage of STAR scope	The provider performs internal audit or self-assessment of the CCM controls in the STAR scope between external assessmen...
STAR-NONCONF-01	Nonconformity and corrective action management	Nonconformities identified during assessment or surveillance are recorded, root-caused, and remediated through correctiv...
STAR-RETIRE-01	Status withdrawal and suspension	Where the provider no longer meets the requirements, or on request, its STAR status is suspended or withdrawn and the re...
STAR-RISK-01	Risk treatment alignment with CCM	The provider's risk treatment decisions for the assessed service are aligned with the CCM control objectives, with resid...

CSA STAR: Level 1 Self-Assessment (CAIQ)

4 controls

Controls in the CSA STAR: Level 1 Self-Assessment (CAIQ) domain of CSA STAR (Security, Trust, Assurance, and Risk) — 4 controls
Code	Title	Description
STAR-CAIQ-01	CAIQ response accuracy and completeness	Each CAIQ response must accurately and completely reflect the provider's implementation of the corresponding CCM control...
STAR-CCM-01	CCM control mapping completeness	The assessment covers the full set of applicable CCM control domains, with any not-applicable controls justified, so the...
STAR-L1-01	Level 1 CAIQ self-assessment submission	At Level 1 the provider completes the Consensus Assessments Initiative Questionnaire (CAIQ) self-assessment against the...
STAR-L1-02	Self-assessment refresh cadence	The provider refreshes and resubmits its Level 1 self-assessment on a regular basis so that the published assurance refl...

CSA STAR: Level 2 Third-Party Assurance

6 controls

Controls in the CSA STAR: Level 2 Third-Party Assurance domain of CSA STAR (Security, Trust, Assurance, and Risk) — 6 controls
Code	Title	Description
STAR-L2-01	STAR Certification (ISO/IEC 27001 + CCM)	STAR Certification is a third-party independent assessment that integrates the requirements of ISO/IEC 27001 with the CC...
STAR-L2-02	STAR Attestation (SOC 2 + CCM)	STAR Attestation, developed in collaboration with the AICPA, is a third-party attestation that combines a SOC 2 examinat...
STAR-L2-03	C-STAR assessment (Greater China market)	C-STAR is a third-party independent assessment of a cloud service provider for the Greater China market, harmonising the...
STAR-L2-04	Accredited assessor / auditor selection	Level 2 assessments must be performed by assessors that are appropriately accredited or qualified (certification body, l...
STAR-L2-05	Maturity model scoring	STAR Certification includes a maturity capability assessment that scores the management of CCM control areas beyond a pa...
STAR-L2-06	Surveillance and recertification cycle	STAR Certification and Attestation are maintained through periodic surveillance and recertification activities, consiste...

CSA STAR: Level 3 Continuous

2 controls

Controls in the CSA STAR: Level 3 Continuous domain of CSA STAR (Security, Trust, Assurance, and Risk) — 2 controls
Code	Title	Description
STAR-L3-01	Continuous auditing capability	STAR Continuous provides ongoing, automated validation of security controls between point-in-time assessments, enabling...
STAR-L3-02	Continuous evidence publication	Continuous assurance evidence (such as STARWatch / STAR Continuous outputs) is maintained and made available to support...

CSA STAR: Program, Scope and Shared Responsibility

4 controls

Controls in the CSA STAR: Program, Scope and Shared Responsibility domain of CSA STAR (Security, Trust, Assurance, and Risk) — 4 controls
Code	Title	Description
STAR-PROG-01	STAR Program eligibility and assurance-level selection	The cloud service provider determines its eligibility for the STAR program and selects the appropriate assurance level (...
STAR-SCOPE-01	Service scope definition for the assessment	The provider defines the boundary of the cloud service(s) covered by the STAR self-assessment or certification, includin...
STAR-SHARED-01	Shared responsibility disclosure	The provider documents and discloses the shared security responsibility model for the service, identifying which CCM con...
STAR-SUPPLY-01	Subservice and supply chain disclosure	The provider identifies subservice organisations and supply chain dependencies relevant to the assessed service, and ref...

CSA STAR: Registry and Customer Transparency

4 controls

Controls in the CSA STAR: Registry and Customer Transparency domain of CSA STAR (Security, Trust, Assurance, and Risk) — 4 controls
Code	Title	Description
STAR-COMM-01	Customer communication of assurance status	The provider communicates its STAR assurance status and the associated reports/certificates to customers and prospects i...
STAR-INCIDENT-01	Incident notification to registry users	Where the program or customer commitments require, the provider notifies affected customers/registry users of security i...
STAR-REG-01	STAR Registry listing	The provider's assurance status (Level 1 self-assessment, Level 2 certification/attestation, or continuous) is published...
STAR-REG-02	Registry update process	The provider keeps its STAR Registry entry current, updating it on reassessment, recertification, scope change, or withd...

Your Compliance Coverage

If you comply with CSA STAR (Security, Trust, Assurance, and Risk), you already cover:

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

46%

11 controls mapped

Compare →

ISO/IEC 42001:2023

2 controls mapped

Compare →

ISO 22301:2019

2 controls mapped

Compare →

+ 11 more: ISO 9001:2015 (8%), ISO 31000:2018 (4%)

See all 14 mapped frameworks ↓

Maps to 14 other frameworks

24 total controls

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

11 source controls mapped|4 target controls covered

46%

ISO/IEC 42001:2023

2 source controls mapped|2 target controls covered

ISO 22301:2019

2 source controls mapped|2 target controls covered

ISO 9001:2015

2 source controls mapped|2 target controls covered

ISO 31000:2018