Criteria and Scoring
CSA STAR uses a “technology-neutral” approach leveraging the ISO/IEC 27001 control criteria and adding Cloud-specific controls from best practices and leading standards and regulations. All these controls are mapped in the Cloud Control Matrix or CCM.
The requirement controls are classified into 16 Control Areas in the CCM:
- Audit Assurance and Compliance
- Application & Interface Security
- Business Continuity Management
- Change Control Management
- Data Center Security
- Data Security & Information Lifecycle
- Encryption and Key Management
- Governance and Risk Management
- Human Resources
- Identity and Access Management
- Interoperability & Portability
- Infrastructure and Virtualization Security
- Mobile Security
- Security Incident Management
- Supply Chain, Transparency & Accountability
- Threat and Vulnerability Management
CCM is currently the most widely used standard for Cloud security assurance and compliance, and it provides organizations with the required structure, detail, and clarity regarding information security for their Cloud service.
CSPs can choose either a Certification or an Attestation. The differences are as follows:
- CSA STAR Certificates are issued for a period of 3 years, and a current ISO/IEC 27001 Certification is required when a CSA STAR Certification is issued.
- The certification process follows the same protocol as ISO/IEC 27001 and is therefore a ‘point in time’ audit.
- The STAR Attestation is an independent, third-party assessment of the security of a CSP that leverages the requirements of the SOC 2 framework (based on the AICPA Trust Services Principles (TSP)) in conjunction with the CCM. Pursuing the STAR Attestation allows organizations to demonstrate the suitability of the design and the operating effectiveness of their controls over a period of time, rather than at a point in time.
How Does Elevate Assist CSPs?
We already help many CSPs prepare for ISO 27001 and SOC 2 readiness, and we know how to integrate CSA STAR into that work to:
- Perform the Gap Analysis
- Provide recommendations and assist with implementation to improve the score
- Perform remediation activities (from policy development to technical configuration advisory)
- Be Your ‘Go To’ security trusted advisor to improve your contract environment