Game Time: CSA STAR Certification vs. Attestation

July 12, 2016

The CSA Security, Trust and Assurance Registry (STAR) program was designed by the Cloud Security Alliance as a method for providing assurance regarding the security of a cloud service provider (CSP).  The program consists of the STAR Certification and the STAR Attestation, both of which use the Cloud Controls Matrix (CCM) as the control framework; however, there are important differences between the two.  So which is a better fit for your organization?  The following information should help you decide.

STAR Certification

The STAR Certification is an independent, third party assessment of the security of a CSP that leverages the requirements of the ISO/IEC 27001:2013 (ISO 27001) management system standard in conjunction with the CCM.  In order to achieve the STAR Certification, a CSP must already have an active ISO 27001 certification or have the STAR Certification assessment performed in tandem with an ISO 27001 certification review.

Benefits of the STAR Certification Program

  • Complements ISO 27001 certification
  • Increased market confidence
  • Provides a base maturity level and process improvement opportunities

Challenges of the STAR Certification Program

  • ISO 27001 is a prerequisite
  • Focuses on management principles
  • No external deliverable highlighting the controls in place and their operating effectiveness
  • Scoring is subjective

STAR Attestation

The STAR Attestation is an independent, third party assessment of the security of a CSP that leverages the requirements of the SOC 2 framework (based on the AICPA Trust Services Principles (TSP)) in conjunction with the CCM.  Pursuing the STAR Attestation allows organizations to demonstrate the suitability of the design and the operating effectiveness of their controls over a period of time, rather than as of a point in time.  The deliverable is a detailed report that shows the controls in place to meet both the CCM and SOC 2 criteria, allowing the reader to clearly judge whether the level of security in place meets their expectations.

Benefits of the STAR Attestation Program

  • Review of both the design and operating effectiveness of controls
  • Covers a review period of at least six months
  • A stand-alone/detailed report is provided
  • No prerequisites

Challenges of the STAR Attestation Program

  • Full disclosure of testing exceptions/deviations is listed within the report
  • The report is backward-looking by design (i.e., it covers a review period in the past)

In summary, the path that a service organization takes will depend heavily on its circumstances (industry-specific requirements, current examinations, customer demand, etc.); however, the information above should provide a solid baseline for assessing the differences between the two.
