CSA STAR

International

6 domains

35 controls

CSA Security Trust Assurance and Risk (STAR) program: L1 Self-Assessment, L2 Certification/Attestation, L3 Continuous.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

CAIQ Question

12 controls

Controls in the CAIQ Question domain of CSA STAR — 12 controls
Code	Title	Description
CAIQ-AIS-01	Application & Interface Security (AIS) Domain	The AIS domain in CAIQ v4 covers secure application design, application security testing, customer access to vulnerabili...
CAIQ-BCR-01	Business Continuity & Resilience (BCR) Domain	The BCR domain in CAIQ v4 covers business impact analysis, RTO/RPO targets, disaster recovery testing, and customer noti...
CAIQ-CCC-01	Change Control & Configuration Management (CCC) Domain	The CCC domain covers change management approvals, configuration baselines, infrastructure as code, and customer notific...
CAIQ-DSP-01	Data Security & Privacy Lifecycle (DSP) Domain	The DSP domain covers data classification, encryption at rest and in transit, key management, data retention, secure del...
CAIQ-GRC-01	Governance, Risk & Compliance (GRC) Domain	The GRC domain covers policy framework, risk assessment cadence, internal audit, third-party governance, and exception m...
CAIQ-IAM-01	Identity & Access Management (IAM) Domain	The IAM domain in CAIQ v4 addresses identity lifecycle, MFA, privileged access, role-based authorisation, and federated...
CAIQ-IVS-01	Infrastructure & Virtualization Security (IVS) Domain	The IVS domain covers hypervisor hardening, network segmentation, tenant isolation, and traffic inspection. Responses mu...
CAIQ-NA-1	Not Applicable Justifications	CAIQ answers marked Not Applicable must include a written justification explaining why the control does not apply to the...
CAIQ-SEF-01	Security Incident Management, eDiscovery & Forensics (SEF) Domain	The SEF domain in CAIQ v4 covers incident response procedures, customer notification timelines, forensic readiness, and...
CAIQ-STA-01	Supply Chain Management, Transparency & Accountability (STA) Domain	The STA domain covers third-party risk management, sub-processor inventory, shared responsibility model communication, a...
CAIQ-STRUCT-1	CAIQ v4 Structure and Domain Coverage	CAIQ v4 contains approximately 261 yes/no questions organised across the 17 CCM v4 control domains. Each question maps d...
CAIQ-TVM-01	Threat & Vulnerability Management (TVM) Domain	The TVM domain covers vulnerability scanning frequency, penetration testing, threat intelligence integration, and patch...

L1 Self-Assessment

3 controls

Controls in the L1 Self-Assessment domain of CSA STAR — 3 controls
Code	Title	Description
STAR-L1-1	Level 1 Self-Assessment Submission	STAR Level 1 is a free self-assessment where the provider completes the CAIQ v4 or submits a CCM-aligned self-assessment...
STAR-L1-2	Level 1 Refresh Cadence	Level 1 self-assessments must be refreshed at least annually to remain valid on the STAR Registry. Providers are expecte...
STAR-L1-3	Level 1 Signed Attestation Letter	The Level 1 submission requires a signed attestation from a senior executive accepting accountability for the accuracy o...

L2 Attestation

3 controls

Controls in the L2 Attestation domain of CSA STAR — 3 controls
Code	Title	Description
STAR-L2-ATT-1	Level 2 STAR Attestation (SOC 2 Type II + CCM)	STAR Attestation is a third-party engagement based on a SOC 2 Type II report extended to cover the CCM control domains....
STAR-L2-ATT-2	Level 2 Attestation Period of Coverage	STAR Attestation reports must cover a continuous period of at least six months for the initial engagement and twelve mon...
STAR-L2-ATT-3	Level 2 CPA Firm Qualifications	STAR Attestation engagements must be performed by a licensed CPA firm with cloud security competence and adherence to AI...

L2 Certification

3 controls

Controls in the L2 Certification domain of CSA STAR — 3 controls
Code	Title	Description
STAR-L2-CERT-1	Level 2 STAR Certification (ISO 27001 + CCM)	STAR Certification is a third-party audit that combines an ISO 27001 certification with a CCM maturity assessment. The a...
STAR-L2-CERT-2	Level 2 Certification Auditor Qualifications	STAR Certification audits must be conducted by a certification body accredited under ISO 17021 and authorised by CSA. Le...
STAR-L2-CERT-3	Level 2 CCM Maturity Scoring	STAR Certification rates each CCM control domain on a maturity scale (No, Bronze, Silver, Gold) reflecting how well the...

L3 Continuous

3 controls

Controls in the L3 Continuous domain of CSA STAR — 3 controls
Code	Title	Description
STAR-L3-CONT-1	Level 3 STAR Continuous Monitoring	STAR Continuous (Level 3) requires near real-time, automated submission of security control attributes to the STAR Regis...
STAR-L3-CONT-2	Level 3 Continuous Evidence Sources	Level 3 submissions draw from continuous control monitoring systems including configuration management databases, SIEM,...
STAR-L3-CONT-3	Level 3 Third-Party Validation of Continuous Data	STAR Continuous still requires periodic third-party assurance to validate that the continuously published telemetry accu...

Program

11 controls

Controls in the Program domain of CSA STAR — 11 controls
Code	Title	Description
STAR-CCAK-1	Certificate of Cloud Auditing Knowledge (CCAK) Alignment	CCAK is the CSA and ISACA joint credential for cloud auditing. Providers preparing for STAR audits benefit from internal...
STAR-CUST-1	Customer Due Diligence Use	Customers use STAR Registry entries to short-list providers, populate vendor risk assessments, and reduce custom questio...
STAR-EVID-1	CCM Control Evidence Cross-Reference	STAR submissions benefit from an evidence cross-reference linking each CCM control identifier to the underlying policies...
STAR-LEVEL-COMP-1	Level Selection and Customer Expectations	Selecting the appropriate STAR level depends on customer expectations, regulatory drivers, and competitive positioning....
STAR-MAINT-1	Listing Maintenance and Withdrawal	Listings may be withdrawn or marked expired if the underlying certification expires, the provider fails to refresh the s...
STAR-PROG-1	STAR Program Foundation on CCM and CAIQ	The Security Trust Assurance and Risk (STAR) program is built on the Cloud Controls Matrix (CCM) and the Consensus Asses...
STAR-REG-1	STAR Registry Public Listing	The STAR Registry is a free, publicly accessible directory of cloud provider security postures. Listings include the ass...
STAR-SCOPE-1	Scope Statement Requirements	All STAR submissions require a scope statement identifying the cloud services covered (service name, deployment model, g...
STAR-SCOPE-2	Sub-Service and Carve-Out Treatment	Sub-services such as underlying IaaS providers, payment processors, and managed security services must be disclosed and...
STAR-SUB-1	Submission Package Contents	A complete STAR submission package contains the completed CAIQ workbook, signed cover letter, scope statement, supportin...
STAR-SUB-2	CSA Review and Listing Timeline	CSA reviews STAR submissions for completeness before publishing on the registry. Review timelines vary by level: Level 1...

Frequently Asked Questions

What is CSA STAR?

CSA STAR is a compliance framework from International with 6 domains and 35 controls. CSA Security Trust Assurance and Risk (STAR) program: L1 Self-Assessment, L2 Certification/Attestation, L3 Continuous. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does CSA STAR have?

CSA STAR has 35 controls organised across 6 domains. The largest domains are CAIQ Question (12 controls), Program (11 controls), L1 Self-Assessment (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does CSA STAR map to?

CSA STAR does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with CSA STAR compliance?

Start your CSA STAR compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CSA STAR requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 35 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required