AuditXYZ


Cloud Security Alliance Security, Trust, Assurance, and Risk Registry

CSA STAR is the global cloud security assurance programme with three certification levels. This guide covers self-assessment, certification, attestation, and how STAR differentiates cloud providers.

Issuing Body: Cloud Security Alliance (CSA)
First Published: 2011-09-01
Latest Version: 2024 (continuous updates)
Typical Cost: $5,000–$100,000
Typical Timeline: 1–6 months
Audit Required: No
Audit Frequency: Level 1: Self-assessment, updated annually. Level 2: Third-party audit, follows ISO 27001 or SOC 2 cycle. Level 3: Continuous monitoring.
Geography: Global

CSA STAR: Cloud Security Trust and Assurance Guide

The CSA Security, Trust, Assurance, and Risk (STAR) Registry is the world's most comprehensive cloud security assurance programme. It provides a three-tiered framework for cloud service providers to demonstrate their security posture, building on the Cloud Controls Matrix (CCM) with progressive levels of assurance from self-assessment through continuous monitoring. The STAR Registry is publicly accessible, enabling cloud consumers to evaluate provider security before procurement.

What CSA STAR Covers

CSA STAR operates at three levels. Level 1 (Self-Assessment) requires providers to complete the Consensus Assessments Initiative Questionnaire (CAIQ) documenting their compliance with CCM controls. The completed CAIQ is published on the STAR Registry for public review.

Level 2 provides two paths. STAR Certification combines ISO 27001 certification with additional CCM criteria assessed by a CSA-authorized auditor. STAR Attestation combines SOC 2 attestation with additional CCM criteria. Both provide independent, third-party validation of cloud security controls.

Level 3 (Continuous Monitoring) builds on Level 2 by adding automated, continuous assessment of cloud security controls — providing near-real-time assurance rather than point-in-time certification.

Who Should Pursue CSA STAR

Cloud service providers seeking to differentiate their security posture in a crowded market. CSP customers increasingly check the STAR Registry during vendor evaluation. STAR is particularly valuable for providers competing for enterprise and government contracts where cloud security assurance is a procurement requirement. Over 1,500 cloud providers are listed on the STAR Registry.

Implementation Approach

Start with Level 1 by completing the CAIQ against your cloud security controls. Publish your self-assessment on the STAR Registry. For Level 2, pursue ISO 27001 certification or SOC 2 attestation, then engage a CSA-authorized auditor to assess the additional CCM criteria. Maintain your STAR listing with annual updates and respond to any customer inquiries through the Registry.

Cost Considerations

Level 1 self-assessment is free (STAR Registry listing fee is minimal). Level 2 costs $30,000 to $100,000 on top of the underlying ISO 27001 or SOC 2 engagement, covering the additional CCM assessment by a CSA-authorized auditor. Level 3 continuous monitoring costs are still being established as the market develops. The STAR Registry listing provides significant marketing value as a public, searchable demonstration of cloud security maturity.
