Your firm already holds an ISO/IEC 27001 certificate and is considering adding the certificate offered by the Cloud Security Alliance's Security, Trust and Assurance Registry (CSA STAR) for ISO/IEC 27001, because it feels that opportunities to gain new clients are being lost without the CSA STAR certificate, and because it would provide an additional layer of comfort for current clients. Your company's cloud security services make the benefit of obtaining the CSA STAR certificate easy to see. The STAR Level 2 Certification is considered a scope extension to ISO/IEC 27001. Before jumping in with both feet, you need to understand the different considerations and components of the process.
Assuming that you are already familiar with ISO/IEC 27001, this article is going to focus on the CSA STAR certificate and achievement of the Level 2 Certificate.
STAR Level 1 Self-Assessment
You (the organization seeking certification) cannot jump directly into the Level 2 Certificate. The path offered by CSA STAR requires a Level 1 Self-Assessment to be completed first. The Level 1 Self-Assessment requires the organization to complete and submit the Consensus Assessments Initiative Questionnaire (CAIQ) based on the Cloud Controls Matrix (CCM) found on the CSA website. The CAIQ documents how your company’s controls align with the CCM. Once completed, the CAIQ is uploaded to the CSA website and is valid for one year. The CAIQ must be completed or updated again for surveillance years 2 and 3.
In all, there are over 280 questions to complete across a variety of categories, such as Audit & Assurance, Application & Interface Security, etc. In addition, ownership of each control is designated in accordance with the Shared Security Responsibility Model (SSRM) defined in the CAIQ. Completion of the CAIQ provides your firm with a good indicator of compliance with the CCM and, thus, the level of readiness for having the Level 2 Certification engagement performed.

Actions to Consider When Planning for the STAR Level 2 Certificate
Before contracting to have the STAR Level 2 Certificate audit performed by a firm accredited by the CSA, you need to go through several readiness and planning steps first.
- Define the scope: Identify which cloud services, organizational units, infrastructure, and physical locations are included. This should be similar to the ISO/IEC 27001 scope.
- If an ISO/IEC 27001 certificate has already been achieved, identify what the CCM adds to that existing scope.
- Determine improvements or updates needed to be made to your company’s Information Security Management System (ISMS).
- Incorporate the CCM controls into your company’s Statement of Applicability (SoA).
- Review the risk assessment created for ISO/IEC 27001 and integrate cloud-specific risks into it, so that you have one overall risk assessment.
As mentioned above, a firm accredited by the CSA must be engaged to perform the STAR Level 2 Certificate audit. This firm can be different from the firm performing the ISO engagement; however, in our professional experience, your best bet is to choose a firm that can perform both the ISO/IEC 27001 and STAR Level 2 Certificate. This will allow for a more seamless, integrated audit, including the sharing of resources and evidence.
Combining CSA STAR Level 2 & ISO 27001: The Audit Process
The Level 2 Certificate audit process is performed in much the same manner as an ISO/IEC 27001 audit. Performing both pieces at the same time offers the best use of your company’s and the auditor’s resources. As with the ISO/IEC 27001 process, the following stages occur:
- Year 1
  - Stage 1 – Documentation Review
  - Stage 2 – Effectiveness Testing and Maturity Model Scoring
- Surveillance year 2
- Surveillance year 3
A full recertification audit is required at the end of the three years, as with ISO/IEC 27001.
Maturity model scoring is unique to the Level 2 Certificate. The auditor assigns a score from 1 to 15 for each control domain based on the CCM. Note that this score is not printed on the public-facing certificate.
Upon completion of a successful audit, the registrar issues an ISO/IEC 27001 certificate that includes a reference to the CSA STAR Certification. The auditor will then submit the results to the CSA, and your company’s status on the CSA STAR registry is updated to include the Level 2 Certificate status.

Maturity Model Scoring: The Key Differentiator
Maturity Model scoring is the big difference between the two engagements. The purpose of the Maturity Model is to assess how effectively the control areas are managed. With the CSA STAR Certification, the organization seeking the certification must demonstrate that the appropriate controls are in place and are operating effectively before management capability is assessed. As part of the audit, each category in the CCM is assigned a management capability score. Scoring is on a scale of 1-15, as defined in the following table provided by the CSA:
| Score | Descriptor |
| --- | --- |
| 1-3 | No formal approach |
| 4-6 | Reactive approach |
| 7-9 | Proactive approach |
| 10-12 | Improvement-based approach |
| 13-15 | Optimizing approach |
The applicable controls in the CCM are each given a management capability score in alignment with the above table. Any control area with a major nonconformity can receive a maximum score of six. The 17 control area scores are averaged to produce the overall maturity level for the organization seeking certification. Note that the overall management capability score is not noted on the CSA STAR certificate.
The maturity model award categories provided by the CSA are as follows:
| Award | Maturity Level |
| --- | --- |
| No award | An organization with an average score of less than 3 |
| Bronze award | An organization with an average score between 3 and 6 |
| Silver award | An organization with an average score between 6 and 9 |
| Gold award | An organization with an average score greater than 9 |
The awarded maturity level can be used as a guide for making improvements, as necessary, within the control environment of the organization seeking certification.
Completing a Successful CSA STAR Certification Audit
We have briefly discussed the steps needed to perform a CSA STAR Certification audit. As the organization seeking certification, your key step is proper planning and preparing the organization to meet the control areas defined in the CCM. As mentioned, there are over 280 questions in the CCM that must be addressed, some of which overlap with the control areas identified in ISO/IEC 27001.
Linford & Company is a CPA firm that is accredited to perform both ISO/IEC 27001 and CSA STAR Certification audits. We can assist you in navigating both audits and work to provide a consolidated audit approach that encompasses both audits, allowing for time and cost savings. Please reach out to Linford & Company for additional information.

Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1, SOC 2, HIPAA, ISO, and CMMC audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.