Enterprise procurement teams increasingly expect cloud service providers to demonstrate their security posture through independent, verifiable evidence. A SOC 2 report or an ISO 27001 certificate tells part of the story. CSA STAR tells the cloud-specific part. The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) programme is the most widely adopted framework for assessing cloud-specific security controls, and the STAR Registry is where buyers go to verify claims before shortlisting a provider. This guide explains what CSA STAR is, how the three levels work, what the audit process involves, and how to determine which level your organisation needs.
What Is CSA STAR?
CSA STAR is a cloud security assurance programme developed by the Cloud Security Alliance (CSA). It provides a structured framework for cloud service providers to document, assess, and validate their security controls against a standardised set of criteria.
The programme is built on two foundational tools: the Cloud Controls Matrix (CCM), which defines the control objectives, and the Consensus Assessments Initiative Questionnaire (CAIQ), which translates those controls into a standardised question-and-answer format. Together, these tools create a common language for cloud security assessment that both providers and customers can use.
CSA STAR differs from general-purpose security frameworks because it was designed exclusively for cloud computing environments. While ISO 27001 provides a broad information security management system and SOC 2 evaluates trust services criteria, CSA STAR adds a cloud-specific layer that addresses the unique risks of multi-tenant architectures, shared responsibility models, and virtualised infrastructure.
The programme operates through the STAR Registry, a publicly accessible directory where organisations publish their assessment results. This transparency is the point: buyers can verify a provider’s security posture before engaging in a sales cycle.
The Cloud Controls Matrix
The Cloud Controls Matrix (CCM) is the technical backbone of the entire CSA STAR programme. It is a cybersecurity controls framework specifically designed for cloud computing environments.
The current version, CCM v4, contains 197 control objectives organised across 17 security domains. These domains cover everything from application and interface security to supply chain management, encryption and key management, and identity and access management.
The 17 domains were designed to align with and complement existing frameworks. Organisations that already maintain controls for ISO 27001 certification will find significant overlap, which reduces the incremental effort of adding CSA STAR. The CCM explicitly maps to ISO 27001, NIST SP 800-53, COBIT, PCI DSS, and several other frameworks, making it a useful cross-reference tool even outside the STAR programme.
Each control objective in the CCM specifies applicability to three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). It also clarifies whether the control responsibility falls on the cloud service provider, the cloud service customer, or both. This shared-responsibility mapping is what makes the CCM cloud-specific rather than simply another generic controls list.
The Three Levels of CSA STAR
CSA STAR operates on three levels. Each level represents a higher degree of assurance, from self-reported documentation to continuous, real-time validation.
Level 1: Self-Assessment
Level 1 is a self-assessment. The organisation completes the Consensus Assessments Initiative Questionnaire (CAIQ), which contains questions mapped to each CCM control objective, and submits the completed questionnaire to the CSA for publication on the STAR Registry.
This is the entry point for most organisations. There is no external auditor involved and no certification issued. The value is transparency: by publishing the completed CAIQ, the organisation gives prospective customers a structured view of its cloud security posture that can be compared directly against other providers on the Registry.
Level 1 is free. There is no fee for submitting the self-assessment or for maintaining the listing. Organisations must update their submission annually to remain current.
CSA also offers a Valid-AI-ted option, introduced in 2025, which uses AI-powered validation to check the completeness and consistency of CAIQ responses. The Valid-AI-ted submission carries a fee but provides a higher confidence signal than a standard self-assessment.
Level 2: Third-Party Audit
Level 2 introduces independent, third-party evaluation. This is where CSA STAR becomes a certification or attestation programme rather than a self-reported exercise.
Level 2 comes in three variants, each built on top of an existing audit standard:
- CSA STAR Certification is based on ISO/IEC 27001. An accredited certification body assesses the organisation’s information security management system against ISO 27001 requirements and the CCM criteria simultaneously. The resulting certificate is valid for three years, with annual surveillance audits.
- CSA STAR Attestation is based on a SOC 2 engagement. A licensed CPA firm evaluates the organisation’s controls using the AICPA Trust Services Criteria alongside the CCM. The attestation report is valid for one year.
- C-STAR is a variant based on the Chinese national standard GB/T 22080-2008, designed for the Greater China market. It follows a similar structure to the Certification path but uses the local standard as its foundation.
The most common paths for organisations selling into European and North American enterprise markets are Certification (for those already ISO 27001 certified) and Attestation (for those already SOC 2 attested). Organisations that already hold both ISO 27001 and SOC 2 can choose either path, though the Certification route is more common internationally.
Level 3: Continuous Monitoring
Level 3 represents the highest level of assurance in the STAR programme. It requires organisations to implement continuous monitoring of their security controls, providing near real-time evidence of compliance rather than a periodic snapshot.
Level 3 is designed for large cloud service providers operating in high-risk environments where point-in-time audits are insufficient. The continuous monitoring requirement means that controls are validated on an ongoing basis, and the STAR Registry listing reflects the current state of the provider’s security posture.
This level is less commonly pursued. Most organisations find that Level 2 satisfies the assurance requirements of their customer base.
CSA STAR Certification vs CSA STAR Attestation
The choice between Certification and Attestation at Level 2 depends on which audit standard the organisation already holds.
If the organisation is ISO 27001 certified, the Certification path is the natural extension. The audit is conducted by an ISO certification body that is also accredited for CSA STAR. The auditor evaluates the management system against ISO 27001 and the CCM simultaneously, producing a single combined certificate. The certificate is valid for three years.
If the organisation holds a SOC 2 report, the Attestation path builds on that foundation. A CPA firm conducts the SOC 2 engagement and adds the CCM criteria as an additional evaluation layer. The result is a SOC 2 report with CSA STAR attestation. This report is valid for one year.
Both paths produce a Level 2 listing on the STAR Registry. The difference is the underlying standard, the audit body type, and the validity period. Neither is inherently better; the choice is determined by what the organisation already has in place.
| | CSA STAR Certification | CSA STAR Attestation |
|---|---|---|
| Base standard | ISO/IEC 27001 | SOC 2 (AICPA Trust Services Criteria) |
| Audit body | Accredited ISO certification body | Licensed CPA firm |
| Validity | 3 years (annual surveillance) | 1 year |
| Best for | Organisations with existing ISO 27001; European and international markets | Organisations with existing SOC 2; North American markets |
For organisations that hold neither base certification, the decision should start with which standard better serves their market. ISO 27001 is the more common starting point for organisations selling into European enterprise markets, while SOC 2 is the standard request in North American procurement.
The STAR Registry
The STAR Registry is the public database where all CSA STAR assessments are published. It is freely searchable and available to anyone.
Each listing shows the organisation name, the level of assessment (Level 1 or Level 2), the assessment type (self-assessment, certification, or attestation), the date of the assessment, and the status. For Level 1, the completed CAIQ is available for download. For Level 2, the listing confirms the certification or attestation but does not publish the full audit report.
Enterprise buyers use the Registry as part of their cloud provider evaluation process. A listing provides immediate, verifiable evidence that the provider has undergone a structured cloud security risk assessment against recognised criteria, which simplifies the procurement due diligence cycle.
Who Needs CSA STAR?
CSA STAR is most relevant for organisations that provide cloud-based services to enterprise customers. The programme is particularly valuable in three situations.
Cloud service providers selling to regulated industries. Financial institutions, healthcare organisations, and government agencies increasingly require cloud providers to demonstrate compliance with cloud-specific security frameworks. CSA STAR satisfies this requirement directly. A Level 2 Certification or Attestation provides the independent verification these buyers need.
SaaS platforms entering enterprise sales cycles. Enterprise procurement teams routinely ask for evidence of security controls during vendor evaluation. A STAR Registry listing provides a standardised, independently verified answer to cloud security questions in security questionnaires and compliance reviews.
Multi-cloud and infrastructure providers. Organisations that operate cloud infrastructure for other businesses, whether as IaaS, PaaS, or managed services, need to demonstrate that their infrastructure meets the security expectations of their customers. CSA STAR provides a framework that is purpose-built for this.
Organisations that do not operate cloud services, or that provide only on-premises solutions, will generally find that ISO 27001 or SOC 2 alone is sufficient.
How to Get CSA STAR Certified
The path to CSA STAR depends on the target level.
For Level 1, the process is straightforward. Download the CAIQ from the CSA website, complete the questionnaire by documenting your controls against each CCM control objective, and submit the completed questionnaire to the CSA for publication on the STAR Registry. The entire process can be completed in two to four weeks if the organisation has its security controls well documented.
For Level 2, the process is more involved and follows the audit cycle of the underlying standard:
- Confirm the base certification. Ensure the organisation holds a current ISO 27001 certificate (for the Certification path) or a current SOC 2 report (for the Attestation path). If neither is in place, achieving the base certification is the first step.
- Select an accredited auditor. Choose a certification body or CPA firm that is accredited for CSA STAR assessments. The CSA maintains a list of recognised assessment bodies.
- Scope the assessment. Define which cloud services and supporting infrastructure are within the scope of the CSA STAR assessment. This should align with the scope of the base ISO 27001 or SOC 2 engagement.
- Map controls to the CCM. Document how the organisation’s existing controls satisfy each relevant CCM control objective. Organisations with strong ISO 27001 control frameworks for cloud environments will find that many CCM objectives are already covered.
- Undergo the audit. The auditor evaluates the organisation’s controls against both the base standard and the CCM criteria. For the Certification path, this typically occurs during the ISO 27001 certification or surveillance audit. For the Attestation path, it occurs during the SOC 2 engagement.
- Publish the results. Once certified or attested, the organisation’s listing appears on the STAR Registry.
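The "Scope the assessment" and "Map controls to the CCM" steps above amount to a coverage gap analysis: for each CCM objective, decide whether it applies to the in-scope service model, whose responsibility it is under the shared-responsibility split, and whether existing ISO 27001 evidence already satisfies it. The script below is an added illustration of that analysis and is not CSA's, Copla's or any auditor's tooling. The control IDs are shaped like CCM v4's `DOMAIN-NN` identifiers, but the titles, the service-model applicability, the responsibility flags and the ISO 27001 Annex A mappings are constructed sample data, not the official CCM mapping; the organisation's implemented-control set is likewise constructed.

```python
"""Hypothetical CCM coverage gap analysis.

Added example; the objective records below are constructed sample data,
not the official Cloud Controls Matrix or its ISO 27001 cross-mapping.
"""
from dataclasses import dataclass, field

ALL_MODELS = frozenset({"IaaS", "PaaS", "SaaS"})


@dataclass(frozen=True)
class CcmObjective:
    control_id: str            # CCM-style id (constructed rows)
    title: str
    applies_to: frozenset      # service models the objective applies to
    responsibility: str        # "provider", "customer" or "shared"
    iso_controls: frozenset    # constructed ISO 27001 Annex A mapping


# Constructed sample objectives (titles and mappings are illustrative only).
SAMPLE_CCM = (
    CcmObjective("IAM-01", "Identity and access management policy",
                 ALL_MODELS, "shared", frozenset({"A.5.15", "A.5.16"})),
    CcmObjective("CEK-03", "Encryption of data at rest",
                 ALL_MODELS, "provider", frozenset({"A.8.24"})),
    CcmObjective("IVS-04", "Hypervisor hardening",
                 frozenset({"IaaS", "PaaS"}), "provider", frozenset({"A.8.9"})),
    CcmObjective("STA-05", "Supply chain agreement review",
                 ALL_MODELS, "provider", frozenset({"A.5.19", "A.5.21"})),
    CcmObjective("DSP-07", "Customer data classification",
                 ALL_MODELS, "customer", frozenset({"A.5.12"})),
    # No ISO equivalent: a cloud-specific objective that needs fresh evidence.
    CcmObjective("AIS-02", "Application security baseline",
                 frozenset({"PaaS", "SaaS"}), "provider", frozenset()),
)


@dataclass
class GapReport:
    covered: list = field(default_factory=list)           # ISO evidence reusable
    gaps: list = field(default_factory=list)              # (id, missing ISO controls)
    not_applicable: list = field(default_factory=list)    # outside the service model
    customer_responsibility: list = field(default_factory=list)


def analyse_gaps(objectives, service_model, implemented_iso):
    """Classify each objective for a provider offering `service_model`.

    `implemented_iso` is the set of ISO 27001 Annex A controls the
    organisation already has audited evidence for. "shared" objectives
    are treated as the provider's to evidence, since the provider is
    the party seeking the STAR listing.
    """
    implemented_iso = frozenset(implemented_iso)
    report = GapReport()
    for obj in objectives:
        if service_model not in obj.applies_to:
            report.not_applicable.append(obj.control_id)
        elif obj.responsibility == "customer":
            report.customer_responsibility.append(obj.control_id)
        elif obj.iso_controls and obj.iso_controls <= implemented_iso:
            report.covered.append(obj.control_id)
        else:
            # An empty missing list means the objective has no ISO mapping
            # at all: it is cloud-specific and needs new evidence.
            missing = sorted(obj.iso_controls - implemented_iso)
            report.gaps.append((obj.control_id, missing))
    return report


def incremental_effort(report):
    """Share of in-scope provider objectives that still need new evidence."""
    in_scope = len(report.covered) + len(report.gaps)
    return len(report.gaps) / in_scope if in_scope else 0.0


if __name__ == "__main__":
    # Constructed scenario: a SaaS provider with a partial ISO 27001 control set.
    have = {"A.5.15", "A.5.16", "A.8.24", "A.5.19"}
    rpt = analyse_gaps(SAMPLE_CCM, "SaaS", have)
    print("covered:", rpt.covered)
    print("gaps:", rpt.gaps)
    print("not applicable:", rpt.not_applicable)
    print("customer responsibility:", rpt.customer_responsibility)
    print(f"incremental effort: {incremental_effort(rpt):.0%} of in-scope objectives")
```

The output distinguishes objectives that ISO 27001 evidence already satisfies from those that are partially mapped (a named Annex A control is missing) and from cloud-specific objectives with no ISO equivalent, which is where the real incremental work of a STAR assessment sits. Objectives flagged as customer responsibility still belong in the CAIQ, but the provider's answer describes the shared-responsibility boundary rather than its own evidence.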
The total timeline for Level 2 depends heavily on whether the base certification is already in place. For organisations that already hold ISO 27001 or SOC 2, the incremental effort for CSA STAR is typically three to six months. For organisations starting from scratch, plan for twelve to eighteen months to achieve the base certification and the STAR assessment together.
Frequently Asked Questions
What is the difference between CSA STAR Level 1 and Level 2?
Level 1 is a self-assessment where the organisation completes and publishes the Consensus Assessments Initiative Questionnaire (CAIQ) on the STAR Registry. There is no external audit and no certification issued. Level 2 is a third-party audit conducted by an accredited certification body or CPA firm. It results in a formal Certification (ISO 27001-based) or Attestation (SOC 2-based) that is published on the Registry. Level 2 provides significantly stronger assurance because the controls are independently verified.
Does CSA STAR replace ISO 27001 or SOC 2?
No. CSA STAR Level 2 is built on top of ISO 27001 or SOC 2. The Certification path requires a current ISO 27001 certificate, and the Attestation path requires a SOC 2 engagement. CSA STAR adds a cloud-specific evaluation layer using the Cloud Controls Matrix. It complements rather than replaces the base framework.
How much does CSA STAR cost?
Level 1 is free. Level 2 costs depend on the scope of the assessment, the audit body selected, and whether the base certification is already in place. For organisations that already hold ISO 27001, the incremental cost of adding CSA STAR Certification to a surveillance or recertification audit typically ranges from several thousand to tens of thousands of euros, depending on organisational complexity.
How long is a CSA STAR certification valid?
CSA STAR Certification (ISO 27001-based) is valid for three years, with annual surveillance audits. CSA STAR Attestation (SOC 2-based) is valid for one year. Level 1 self-assessments must be updated annually to remain current on the Registry.
How Copla Supports Cloud Security Compliance Programmes
Achieving CSA STAR alongside ISO 27001 or SOC 2 means managing multiple control frameworks with significant overlap. Copla’s platform maps controls across standards, so documentation and evidence collected for ISO 27001 automatically satisfies corresponding CCM control objectives. The onboarding process begins with scoping the relevant frameworks, populating control registers, and generating the policy and procedure documentation through Copla’s structured intake process. Copla’s consultants then support control implementation and coordinate with audit firms for the certification engagement. For organisations pursuing CSA STAR as an extension of an existing ISO 27001 programme, the cross-mapping capability reduces the incremental effort to the cloud-specific controls that do not already have coverage.
Schedule a call with Copla to walk through how this would look for your team.