Q&A on CSA STAR Program

August 16, 2016 Ryan Mackie

Can an organization do a certification and an attestation?

Yes. The certification has the prerequisite that you have gone through the ISO 27001 certification, but the attestation does not have any prerequisites. The attestation and certification are two separate examinations, but you can do both at the same time for efficiency.

What’s the audit time for the certification and attestation?
There needs to be a distinction between external audit time and internal audit preparation. As for external audit time, it depends on the scope of each project. Some of the key factors that can determine the length of time needed for examination include:

  • What services are included in your examination
  • The locations that should be examined
  • The technological complexity of the scope

On average, it takes about six weeks for a STAR attestation. For the STAR certification, guidance from the CSA says the audit time should take 50 percent of whatever audit time is being applied for the ISO 27001 initial certification audit. For example, if your ISO 27001 scope includes ten audit days, the STAR Certification would require five audit days.  

Regarding the internal audit preparation time, the STAR certification typically requires less preparation than the STAR attestation. The STAR certification, requiring ISO 27001 certification as a prerequisite, relies heavily on the information security management system (ISMS) to support the demonstration of the organization’s maturity in relation to the Cloud Controls Matrix (CCM). As for the STAR attestation, given that the CSA requires a Type 2 examination (testing the controls over a review period to determine operating effectiveness), it is very important that the organization prepare as much as possible to ensure that the control set, which is the focus of the STAR attestation, is defined, designed, and ready for the related testing of operating effectiveness in meeting the criteria in the CCM and SOC 2. This may require an internal or external readiness assessment.

Does my organization need to keep the ISO 27001 certification after obtaining the CSA STAR certification?
Yes. You wouldn’t want to have either certification lapse. Having an ISO 27001 certification not only is a prerequisite to obtaining the CSA STAR certification, but it is also a requirement for maintaining it.

Maintenance of the ISO 27001 certification would be applied to the CSA STAR certification; by maintaining one, you’re maintaining both so the amount of effort you’d use to maintain both isn’t doubled.

Why are there more certifications than attestations for CSA STAR?
The CSA STAR certification program was introduced before the CSA STAR attestation program. The CSA is a global alliance, which means its members can have a global reach, making it easier for global cloud service providers that already had the ISO 27001 certification to get certified for CSA STAR.

We expect there to be an increase in STAR attestation as more people learn about the program.

Are a cloud service provider's customers usually willing to accept CSA STAR certification rather than perform their own assessment?
It would depend on the customer. Since the STAR certification has been in the market, the adoption rate has been high.

Cloud service provider customers that have a better understanding of the CCM and STAR certification may be more inclined to adopt or accept that certificate without having the service provider complete a questionnaire or undergo a third-party audit.

The deliverable of the STAR certification effort is a certification which demonstrates that the cloud service provider has met the requirements of the STAR certification program. However, the certificate does not contain the details of what was performed during the certification. An organization with bronze-level maturity would get the same certificate to give to customers that an organization with gold-level maturity would, without any distinction on the certificate.

The STAR attestation deliverable, though, includes the results of the control testing and control activities. If a customer’s concern is what controls are in operation, an attestation deliverable would answer those questions because it provides the data and details they want.

How intensive is the CSA STAR training for a third-party assessor firm?
For the STAR certification, the training includes two days to cover the program and methodology of the STAR certification process. Auditors enrolling into the STAR certification training must also have completed the ISO 27001 lead auditor training, so you won’t find STAR certification auditors that don’t have a good understanding of ISO 27001.

For STAR attestation, auditors are required to obtain a Certificate of Cloud Security Knowledge (CCSK). This CSA certificate includes an overview of the legal and regulatory landscape related to the cloud and cloud service providers as well as the administrative, technical, and process oriented cloud controls. Only auditors that have a CCSK can perform STAR attestation examinations.

About the Author

Ryan Mackie

Ryan Mackie is a Principal and ISO Certification Services Practice Director at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 18 years of experience. Ryan also is an active member of the CSA and site on the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

More Content by Ryan Mackie
Previous Video
The CSA STAR Program
The CSA STAR Program

Next Article
Game Time: CSA STAR Certification vs. Attestation
Game Time: CSA STAR Certification vs. Attestation

The CSA Security, Trust and Assurance Registry (STAR) program was designed by the Cloud Security Alliance a...