Cloud Security Alliance Open Certification Framework

Name of the programme: Open Certification Framework – STAR

Governing of the standard: Cloud Security Alliance

Accreditation Body/Bodies: Cloud Security Alliance, British Standard Institution (for STAR Certification), AICPA (for STAR Attestation)

Scope: Security and Privacy

The standard underlying the CSA OCF/STAR Programme Cloud Control Matrix (CCM).

CCM is composed of 133 controls, structured in 16 domains and covers the following areas:

  • Application & Interface Security
  • Audit Assurance & Compliance
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Data Security & Information Lifecycle Management
  • Datacenter Security
  • Encryption & Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity & Access Management
  • Infrastructure & Virtualization Security
  • Interoperability & Portability
  • Mobile Security
  • Security Incident Management, E-Discovery & Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management

The CCM is considered as meta framework since is mapped against the most relevant information security controls framework: ISO/IEC 27001:2013, NIST SP 800-53, FedRAMP, PCI DSS, Cobit v5.0, AICPA Trust Principles, ENISA Information Assurance Framework, German BSI Cloud Security Catalogue, Directive 95/46/EC, etc.

Cloud-relevance: Cloud specific

Type of certifiable organisation: SaaS, PaaS, IaaS

Type of trust models applicable:

  • Self-Assessment: CSA STAR Self Assessment
  • Third party independent audit: CSA STAR Certification and CSA STAR Attestation
  • Continuous monitoring based certification: CSA STAR Continuous (not operational yet)

Is the certification proprietary or open: Open

Programme, status (operational, in development): Operational


The following text is based on information received from Cloud Security Alliance:

  • The CSA Open Certification Framework can be described as an industry initiative to allow global, accredited, trusted certification of cloud providers.
  • The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s security guidance and control objectives:
  • Consensus Assessments Initiative Questionnaire (CAIQ).
  • Cloud Controls Matrix (CCM).

The program integrates with popular third-party assessment (ISO27001) and attestation statements (SOC2) developed within the public accounting community to avoid duplication of effort and cost.

The CSA Open Certification Framework is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects.

The CSA Open Certification Framework is structured in three tiers in order to address varying assurance requirements and maturity levels of providers and consumers. These range from the CSA STAR Self-assessment to high-assurance specifications that are continuously monitored.

The three levels of the OCF Programme are:

  • Level 1 – CSA STAR Self-Assessment
  • Level 2 – CSA STAR Certification/Level 2 – CSA STAR Attestation
  • Level 3 – CSA STAR Continuous


STAR Self-Assessment

CSA STAR Self Assessment is a self-assessment due diligence process based on CSA best practice Consensus Assessments Initiative Questionnaire (CAIQ)  and Cloud Controls Matrix (CCM).

The results of the self-assessment are voluntarily published by the CSP on the CSA STAR web site that is freely available and open to all cloud providers.

Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:

  • The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
  • The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.


STAR Certification

The CSA STAR Certification  is a third party independent assessment of the security of a cloud service provider.  A technology-neutral certification that leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Control Matrix.

The independent assessment is conducted by certification body (such as the British Standard Institution) accredited CSA. The assessment assigns a ‘Management Capability’ score to each of the CCM security domains. Each domain is scored on a specific maturity and will be measured against 5 management principles.

The internal report shows organizations how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity. These levels will be designated as either “No”, “Bronze”, “Silver” or “Gold” awards. Certified organization will be listed on the CSA STAR Registry as “STAR Certified”.

CSA STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose”, and helps organizations prioritize areas for improvement and lead them towards business excellence.

It also enables effective comparison across other organizations in the applicable sector and it is focused on the strategic & operational business benefits as well as effective partnership relationships.

CSA STAR Certification enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year.

The STAR certification scheme is designed to comply with:

  • ISO/IEC 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems.
  • ISO/IEC 27006:2011, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems.
  • ISO 19011, Guidelines for auditing management systems.


STAR Attestation

The STAR Attestation  is positioned as STAR Certification at Level 2 of the Open Certification Framework and is likewise STAR Certification a third party independent assessment of the security of a cloud service provider.

Star Attestation is based on type 2 SOC attestations supplemented by the criteria in the Cloud Controls Matrix (CCM). This assessment:

  • Builds on the key strengths of SOC 2 (AT 101).
  • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance.
  • Evaluation over a period of time rather than a point in time.
  • Recognition with an AICPA Logo.


STAR Continuous

CSA STAR Continuous  will be based on a continuous auditing/assessment of relevant security properties.
It will built on the following CSA best practices/standards:

  • Cloud Control Matrix (CCM).
  • Cloud Trust Protocol (CTP).
  • CloudAudit (A6).

CSA STAR Continuous is currently under development and the target date of delivery is 2015.