BARR Advisory is excited to announce the addition of a new certification to our suite of services—Cloud Security Alliance’s (CSA) Security, Trust, Assurance, and Risk (STAR). As one of the industry’s most powerful programs for security assurance in the cloud, CSA STAR serves as a globally recognized public registry for cloud service providers (CSPs). BARR’s recent accreditation to certify in accordance with CSA STAR provides an efficient way for CSPs to demonstrate their commitment to security and privacy best practices.
Let’s take a closer look at how CSA STAR can benefit your organization.
Why CSA STAR for My Organization?
According to CSA, the STAR program encompasses “key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).” As an assurance framework, CSA STAR is a benchmark for CSPs, helping them keep their security controls aligned with evolving cloud security practice.
“For CSPs that have already completed assessments through other compliance frameworks, CSA STAR is a seamless addition that brings with it a unique opportunity to hone in on the security principles that are most relevant in cloud environments,” said BARR Advisory founder and president Brad Thies.
Organizations that certify to CSA STAR are invited to publish to the CSA STAR registry, a publicly accessible registry of more than 2,000 providers that documents the security and privacy controls of popular cloud computing offerings. Publishing to the registry lets an organization document its security and compliance posture in one public place, building trust with current and prospective customers. That visibility reduces the number of bespoke security questionnaires customers need to send, and the time a CSP spends answering them.
CSA STAR’s Proven Process
There are two levels of assurance for companies that submit to the CSA STAR registry, each with a different set of requirements. As an accredited certification body, BARR will perform rigorous, independent security assessments of CSPs seeking to achieve CSA STAR Level 2 certification.
Level 1—Self-Assessment: The self-assessment level is a good fit for organizations that operate in a low-risk environment and want to offer increased transparency around their established security controls. Organizations can submit a security self-assessment, a privacy self-assessment, or both.
- Security: During the security self-assessment, organizations complete the Consensus Assessments Initiative Questionnaire (CAIQ), which maps to the CCM, to evaluate and document their security controls.
- Privacy: The privacy self-assessment is based on the CSA Code of Conduct for GDPR Compliance.
Self-assessments must be refreshed annually. After publishing the required documents to the CSA STAR Registry, a CSP receives a Level 1 compliance mark that is valid for one year.
Level 2—Attestation and Certification: Level 2 of CSA STAR builds on other industry certifications and standards, extending them with the cloud-specific controls of the CCM. Level 2 assessments are performed by an independent third-party auditor and are intended for organizations that operate in a medium- to high-risk environment and already hold, or adhere to, one of the following: ISO/IEC 27001, SOC 2, GB/T 22080-2008, or GDPR.
Within Level 2, you can accomplish two types of achievements:
- Attestation: A CSA STAR Attestation is a SOC 2 examination extended with the CCM, so the auditor reports against both the AICPA Trust Services Criteria and the CSA cloud controls. A STAR Attestation is valid for one year, and the examination period must cover a minimum of six months.
- Certification: CSA STAR Certification is a third-party assessment of the security of a CSP that combines the requirements of ISO/IEC 27001 with the CCM. The certificate is valid for three years, and once certified, a CSP is listed as “STAR Certified” in the CSA STAR Registry.
Getting Started with CSA STAR
While taking the first step toward CSA STAR certification may seem like a challenge, know that BARR is here to simplify the process. We’ll work with you to address your cloud-specific concerns and determine which level will initially benefit your organization.
Here are a few steps for getting started:
- Determine the level of transparency and assurance your organization would like to pursue
- Download and read the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ) to understand the controls you will be assessed against
- Visit the CSA STAR website for detailed information on steps toward CSA STAR certification
- Meet with a BARR consultant to answer any questions related to your CSA STAR journey
“In 2023, we’re staying laser-focused on our mission of building a world of trust through cyber resilience,” Thies said. “Expanding our global network of industry partners to provide clients with a more robust ecosystem of security and compliance resources and growing our Attest Services practice with the addition of frameworks like CSA STAR are just some of the steps we’re taking to make security and transparency more accessible to organizations of all sizes.”
Interested in learning more about CSA STAR certification? Contact us to speak with a consultant.