CSA STAR
cloud security assurance levels, registry, and evidence

CSA STAR explained for cloud security and GRC programmes

CSA STAR (Security, Trust, Assurance, and Risk) is the Cloud Security Alliance assurance programme cloud providers publish their security posture against and that enterprise buyers read against the provider longlist during procurement. STAR sits on top of the CSA Cloud Controls Matrix (CCM) and the paired Consensus Assessments Initiative Questionnaire (CAIQ). The CCM is the control catalogue. The CAIQ is the assessment companion. STAR is the publishing and certification regime where the assessment evidence lands publicly, in three levels (self-assessment, third-party certification or attestation, and continuous self-assessment), so customers, regulators, and procurement teams have a registered, dated, scoped record they can read against the provider rather than reconstructing the assurance per deal.

For cloud security teams, GRC and compliance teams, vendor risk functions, internal audit, CISOs, security architects, and enterprise buyers, STAR is the framework that turns the cloud-provider assurance from a bespoke security questionnaire response into a public, levelled, scoped, dated registry entry. For cloud providers, STAR is the buyer-facing artefact that pairs with the operating programme already running: ISO/IEC 27001 for STAR Certification, SOC 2 for STAR Attestation, the CCM layered on at Level 2, and the published cadence at Level 3.

The STAR programme: framework, questionnaire, registry

STAR does not sit in isolation. It is one part of a four-part CSA assurance programme buyers and regulators read together: the framework (CCM), the assessment questionnaire (CAIQ), the publishing and certification regime (STAR), and the public registry that holds the assurance evidence. The four together carry the procurement, audit, and continuous-assurance shape the enterprise cloud-buying motion expects.

The three STAR assurance levels in detail

STAR ships three levels that map onto progressively higher assurance commitments. Each level carries a different audience, a different underlying assurance, a different cost shape, and a different cadence. Programmes deciding which level to operate against pin the level to the buyer commitment the provider has made: Level 1 for entry-tier procurement, Level 2 for regulated and enterprise procurement, Level 3 for regulator-aligned and federal-adjacent relationships.

STAR Level 1 vs Level 2 vs Level 3

The level comparison reads cleanly across five dimensions. The matrix below names what each level is built for, what the underlying assurance looks like, what the cost shape is, what the refresh cadence is, and how a buyer reads the registry entry against the responsibility split. Programmes deciding which level to operate use these dimensions to pin the level commitment to the deal and procurement cycle the assurance has to carry.

How buyers read STAR posture

Enterprise procurement, vendor risk teams, audit committees, regulator-aligned buyers, and the customer-side cloud security programme each read the STAR posture differently. The patterns below are the ones that recur across enterprise buyer-side practice.

How providers operate the STAR posture

On the provider side, the STAR posture is part of the buyer-facing assurance the security and GRC functions operate against. The level commitment, the cadence, and the renewal cycle are programme decisions; the underlying record is the operating discipline already running.

Recurring failure modes the registry surfaces

STAR is forgiving on the underlying programme shape and on the specific tooling that backs the controls. It is unforgiving about a small number of patterns that make the registry entry cosmetic rather than substantive. The patterns below are the recurring ones that erode the buyer-side trust the registry was designed to carry.

Operating cadence: from scope to a Level 2 entry

A defensible STAR programme runs as a continuous cycle rather than an annual submission. The cadence below names the steps that take a provider from cloud services without a published assurance to a STAR Level 1 entry, a Level 2 certification or attestation, and a Level 3 cadence the regulator-aligned buyer reads against. The cycle compounds: the per-cycle evidence carries from cycle to cycle, the CCM mapping refines as the cloud estate evolves, and the buyer-facing assurance reads consistently across releases.

1. 1Scope the cloud services in scope of the STAR posture. The scope decision determines which CCM domains read against the provider responsibility and which read against the customer responsibility. Programmes that operate multiple cloud services typically maintain a STAR Registry entry per service or per service group, with the scope documented per entry.
2. 2Complete the CAIQ accurately, with evidence references. Each CAIQ answer ties back to evidence in the underlying programme: the ISMS record (ISO 27001), the trust services criteria control (SOC 2), the configuration baseline (BAI10 in COBIT vocabulary), the scan output (vulnerability management), the incident response record, the encryption key management evidence, the access control record. The CAIQ is the index; the evidence pack is the substance.
3. 3Publish the Level 1 entry in the STAR Registry. The registry submission goes through the CSA submission process; the published entry includes the CAIQ, the scope, and the validity period. The submission itself is a controlled document with a named owner.
4. 4Schedule the Level 2 path on the cadence buyer demand requires. ISO/IEC 27001 certification reads against a three-year cycle with annual surveillance audits. SOC 2 Type II reads against the examination period (typically annual). The CCM cross-walk is the layered scope addition on top of the underlying audit; programmes plan the CCM scope and the CCM evidence pack so the audit firm reads consistently across the regime and the CCM.
5. 5Operate the STAR Level 3 cadence if the buyer commitment requires it. The Level 3 cadence reads against the specific CCM control specifications the provider commits to monitor continuously. The cadence is published in the registry; the per-cycle evidence is submitted on the cadence. Programmes that adopt Level 3 typically pair it with the per-cycle internal operating record (configuration baseline checks, vulnerability scan output, access reviews, change records) so the cadence reads from the live programme rather than from a separate continuous-attestation workstream.
6. 6Refresh the registry entries on the validity period. Every STAR Registry entry has a validity period. The renewal cadence is part of the programme commitment; programmes that miss a renewal lose the registry entry and the buyer-side trust the entry carried. The renewal cycle is tied to the underlying regime cycle (ISO 27001, SOC 2) where Level 2 is in play.

The STAR evidence pack

The STAR evidence pack reads well when it is built as a side effect of the operating work rather than reconstructed at submission time. The minimum set below maps to the artefacts the audit firm, the buyer-side reviewer, and the regulator each pull when they examine the STAR posture against the underlying programme. The same artefacts feed parallel reads under ISO/IEC 27001, SOC 2, NIST SP 800-53, FedRAMP, PCI DSS, HIPAA, and the regulator-aligned cloud regimes when the underlying record is structured.

What an auditor or buyer reads against

A STAR Level 2 assessment, a customer security questionnaire response, a vendor risk review, a regulator examination, or an audit committee briefing each read the STAR record against a small set of lenses. The lenses below are the shape the conversation takes; programmes that produce the evidence pack with these lenses in mind shorten the assurance cycle and reduce the bespoke follow-up to a manageable residual.

How STAR relates to adjacent assurance regimes

STAR is the cloud-specific assurance overlay; the underlying regimes carry the certifiable management system or the assurance examination. The relationships below are the ones cloud security programmes most often read together. Programmes that try to operate STAR in isolation rebuild the same evidence multiple times; programmes that thread STAR through the underlying regimes carry one evidence pack across several buyer-side and regulator-side reads.

Where STAR sits next to other framework pages

STAR is one regime in a wider stack of cloud and management-system frameworks programmes read against. The pages below cover the adjacent regimes most cloud security programmes operate alongside STAR.

• The CSA Cloud Controls Matrix framework page covers the underlying control catalogue STAR sits on. CCM is the framework; STAR is the assurance overlay; the CAIQ is the assessment companion.
• The ISO/IEC 27001 framework page covers the certifiable ISMS standard. STAR Certification reads against ISO/IEC 27001 with the CCM layered on at the same audit.
• The SOC 2 framework page covers the AICPA Trust Services Criteria. STAR Attestation reads against SOC 2 with the CCM layered on at the same examination.
• The ISO/IEC 27017 framework page covers the cloud-specific extension to ISO 27002. CCM cross-walks to ISO/IEC 27017 explicitly; STAR Level 2 evidence often pairs the ISO 27001 certificate with the ISO 27017 extension.
• The ISO/IEC 27018 framework page covers the privacy-extension for personal data in public cloud. CCM domain DSP cross-walks to ISO 27018; STAR Level 2 evidence for providers processing personal data in public cloud reads ISO 27018 alongside the ISO 27001 certification.
• The FedRAMP framework page covers the US federal cloud authorisation programme. STAR and FedRAMP are adjacent; many providers publish both a FedRAMP authorisation (for federal customers) and a STAR Level 2 entry (for commercial enterprise customers) from the same underlying security programme.
• The NIST SP 800-53 framework page covers the federal-side control catalogue underlying FedRAMP. CCM cross-walks to NIST SP 800-53 Rev. 5 directly; the cross-walk reads against the federal-side cloud-control evidence the STAR Level 2 evidence pack covers.
• The NIST SP 800-161 framework page covers cybersecurity supply chain risk management. CCM domain STA (Supply Chain Management, Transparency, and Accountability) cross-walks to NIST SP 800-161; cloud providers running mature supply-chain programmes read the two together to evidence the cloud-side third-party obligations.
• The Cloud Security Posture Management explainer covers the operational tool category for cloud-control enforcement. CSPM evidence (configuration baselines, drift detection, public exposure register) feeds the CCM IVS, CCC, and IAM domain evidence the STAR Level 2 audit and the STAR Level 3 cadence both read against.
• The cloud security assessment guide covers the operational assessment cadence cloud security programmes run against the cloud estate. The assessment cadence feeds the CCM evidence pack the STAR posture publishes.

Where SecPortal fits in a STAR programme

SecPortal is the operating layer for the cloud-side security evidence the STAR posture reads against, not a STAR Registry submission engine, not a CAIQ auto-completion tool, and not a STAR Certification or STAR Attestation audit firm. The platform handles the workstreams that produce the underlying evidence the CAIQ references and the STAR Level 2 audit reads through: engagement structure for the per-cycle STAR posture work, finding intake from external scanning, authenticated DAST, code scanning, and pentest reads, severity scoring under CVSS 3.1, retest evidence paired to the original finding, exception register with named owner and expiry, document management for the CAIQ and the audit deliverables, and the activity log audit firms and buyer-side reviewers read against. The same workspace that hosts the engagement record hosts the scan-side evidence the CCM TVM, AIS, IVS, and LOG domains read against, so the line from artefact to CAIQ answer to the published STAR Registry entry stays traceable across cycles.

What SecPortal does not do

The STAR programme is a publishing and certification regime that depends on the provider operating the underlying programme well. SecPortal is the operating record, not the certifying body, not the registry, and not the customer-facing trust portal. The honest scope below reads against the STAR boundary so the platform commitment is unambiguous.

The day-to-day cloud security operating work is where the CCM evidence the STAR Level 1 CAIQ and the Level 2 audit both read against gets produced. The cloud security assessment workflow covers the per-cycle cloud security examination that produces the CCM-domain finding evidence. The control mapping crosswalks workflow keeps the CCM mapping readable under ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2, NIST SP 800-53, FedRAMP, PCI DSS, HIPAA, and the regulator-aligned cloud regimes from one underlying record. The vendor security questionnaire response workflow covers the buyer-side questionnaire load the published STAR posture deflects. The audit evidence retention workflow covers the retention and disposal discipline the CAIQ evidence pack and the Level 2 audit record both read against.

For cloud security teams carrying the per-cycle STAR posture work, the cloud security teams workspace bundles the platform with the engagement structure the buyer-side review reads against. For the GRC function that owns the cross-framework evidence pack and the STAR submission cycle, the GRC and compliance teams workspace covers the audit firm liaison and the cross-walk record. For CISOs and security leaders carrying the board-side third-party-risk cadence, the CISOs and security leaders workspace covers the audit committee read against the third-party assurance posture per critical vendor.

For deeper reading on the disciplines this assurance regime supports, the cloud security assessment guide covers the operational cloud security examination cadence the CCM evidence pack reads against. The third-party vendor risk assessment guide covers the buyer-side third-party risk discipline that reads the STAR Registry as the provider-side assurance signal. The cloud security posture management explainer covers the operational tool category whose evidence feeds the CCM IVS, CCC, IAM, and LOG domain reads the STAR Level 3 cadence depends on. The board-level security reporting guide covers the cadence and structure the audit committee read against third-party-risk posture per critical vendor follows.