CSA STAR — Security, Trust, Assurance, and Risk Program

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting.
Framework text may require a separate license unless explicitly provided.

Overview

CSA STAR (Security, Trust, Assurance, and Risk) is a cloud security assurance program providing transparency and independent verification of cloud service provider security practices through self-assessment, third-party certification, and continuous monitoring.

Why it Matters

  • Demonstrate cloud security transparency

Provide customers and auditors with structured visibility into cloud security controls and practices.

  • Enable customer trust

Show prospective cloud customers that security practices have been independently assessed against the CSA CCM.

  • Support procurement decisions

Help organizations evaluate and compare cloud provider security postures through standardized assessment.

  • Reduce customer audit burden

Allow customers to rely on published STAR assessments, reducing the number of individual security assessment requests sent to the provider.

How it Works

CSA STAR has three levels: Level 1 (self-assessment via CAIQ), Level 2 (third-party certification based on ISO 27001 or SOC 2 with CSA CCM), and Level 3 (continuous monitoring). Cloud providers submit assessments to the publicly accessible STAR Registry.

Key Elements

  • Cloud Controls Matrix (CCM)

Provides the security control framework used for STAR assessments covering 17 cloud security domains.

  • Consensus Assessments Initiative Questionnaire (CAIQ)

Enables Level 1 self-assessment through a standardized cloud security questionnaire.

  • STAR Registry

Public registry where cloud providers publish their STAR assessments for customer review.

Framework Scope

CSA STAR applies to cloud service providers seeking to demonstrate security transparency and organizations evaluating cloud provider security for procurement decisions.

Framework Objectives

  • Provide transparent cloud security assurance through standardized assessment
  • Enable customer trust through independent verification of cloud security controls
  • Support cloud procurement decisions with comparable security information
  • Reduce duplicate security assessment requests through shared STAR registry

At a Glance

CSA STAR (CCM v4.0.1)

  • Classification
    Category: Cloud Security
    Domain: Cloud Security
    Framework Family: CSA STAR
  • Regulatory Context
    Type: Certification / Assurance Program
    Legal Instrument: Program
    Sector: Technology Sector
    Industry: Cloud & Technology Providers
  • Region / Publisher
    Region: Global
    Region Detail: United States
    Publisher: Cloud Security Alliance (CSA)
  • Versioning
    Version: Current CSA STAR Program
    Effective Date: 2013
    Issue Date: 2011
  • Adoption
    Adoption Model: Risk Management
    Implementation Complexity: High
  • Official Reference

License Information

License included / downloadable: Yes

CSA STAR program documentation and registry information are publicly available through the Cloud Security Alliance.

Official Resources

  • CSA STAR Self-Assessment
    Provides a structured format for cloud providers to document security controls implementation.
  • CSA STAR Certification
    Outlines the third-party certification process for evaluating cloud service providers.
  • CSA Cloud Controls Matrix (CCM)
    Defines a controls framework aligned with CSA STAR requirements and standards.
  • CSA STAR Program Overview
    Describes the structure and benefits of participating in the CSA STAR assurance program.
  • CSA STAR Attestation
    Guidance describing the attestation process and benefits for cloud service organizations.

SMARTSUITE

How SmartSuite Supports CSA STAR

Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.

CCM-to-STAR Mapping Structure

Map CCM controls to STAR requirements with clear ownership and evidence.

Provider Assurance Artifact Repository

Centralize policies, reports, and technical proof used for STAR submissions.

Customer Questionnaire Response Workflow

Standardize responses and attach reusable evidence to reduce repeat work.

Findings and Remediation Tracking

Manage gaps, corrective actions, and closure evidence to strengthen assurance.

Renewal Cadence and Continuous Improvement

Track renewals, recurring reviews, and program improvements over time.

Submission Readiness Reporting

Report submission readiness, open issues, and evidence coverage for stakeholders.

Related frameworks

  • ISO 27001:2022
    ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.
  • ISO 27017
    ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.
  • ISO 27018
    ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.
  • ISO 27701
    ISO/IEC 27701 extends ISO/IEC 27001 to help organizations manage privacy and protect personally identifiable information.
  • NIST CSF 2.0
    NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
  • NIST 800-53 Rev.5
    NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.
  • SOC 2
    SOC 2 assesses and reports on a service organization's controls for security, availability, processing integrity, confidentiality, and privacy.

ONBOARDING FAQS

Frequently Asked Questions For CSA STAR (Security, Trust, Assurance, and Risk)

What is CSA STAR used for?

CSA STAR is used to assess, validate, and demonstrate the security and compliance posture of cloud service providers. It provides a structured methodology for evaluating cloud controls and facilitating trust between providers, customers, and third-party assessors.

Is CSA STAR certification mandatory?

CSA STAR certification is not mandatory but is increasingly requested by customers and regulators as part of supplier due diligence and cloud risk management. Organizations may choose between self-assessment and independent third-party certification depending on their compliance needs and market demands.

What is the scope of CSA STAR and who should use it?

CSA STAR applies to cloud service providers and organizations seeking to evaluate or assure cloud security practices. It covers a broad range of security domains including data protection, privacy, governance, and operational resilience across all cloud deployment models.

What are the key components or artifacts of CSA STAR?

Key artifacts include the Cloud Controls Matrix (CCM), which lists required controls, the Consensus Assessments Initiative Questionnaire (CAIQ) for self-assessment, and entries within the CSA STAR Registry. These facilitate structured assessment and transparent reporting of cloud security practices.

How does CSA STAR implementation work in practice?

Organizations implement CSA STAR by mapping their cloud security controls to the CCM, completing the CAIQ for self-assessment, and pursuing third-party audits if seeking higher assurance levels. Continuous control monitoring, regular risk assessments, and evidence collection are integral to ongoing program maintenance.

How does CSA STAR relate to other frameworks like ISO 27001 or NIST?

CSA STAR is designed to align with industry standards such as ISO 27001 and NIST by mapping CCM controls to these frameworks. This approach allows organizations to leverage their existing compliance efforts and streamline cloud-specific reporting and assessments.

What are the ongoing compliance requirements for CSA STAR?

Ongoing compliance involves periodically reviewing control effectiveness, updating risk assessments, maintaining accurate CAIQ documentation, and addressing identified gaps. Third-party certifications typically require annual surveillance or recertification to ensure continual adherence to evolving standards.

How would SmartSuite support CSA STAR?

SmartSuite supports CSA STAR by providing control libraries mapped to CCM, risk register management, and automated evidence collection processes. The platform facilitates CAIQ completion, tracks audit artifacts, and enables remediation workflows, audit readiness, and real-time compliance reporting for regulatory and executive oversight.

NEXT STEP

Put CSA STAR into action with SmartSuite

Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.
