An Introduction to CSA STAR and ISO 27001
When making decisions about the kind of compliance your organization needs, the process can be akin to creating an ice cream sundae (albeit, less fun).
No doubt your customers and prospects want to see comprehensive assurance from you and that means selecting a framework that can deliver that. The ice cream within the sundae, if you will—a strong basis.
But once you’ve achieved and provided that, you don’t have to stop there. Perhaps there are other applicable standards that work well for your organization and those same customers might appreciate their resting a little bit easier after you’ve undergone another evaluation. Toppings always do make the sundae a little more special.
The relationship between ISO 27001 and CSA STAR Certification is much like the ice cream and the extras—separate, though they’re different, both have their merits. And served together, they’re definitely more powerful.
As providers of both ISO 27001 certification assessments and those for the CSA STAR program, we’ve gone through the process of each and both with clients. We understand the relationship between these two initiatives well, and now we want to help you do the same.
In Q&A format, what follows is a brief overview of these two compliance frameworks that will address the relationship and differences between them, as well as baseline particulars of the CSA STAR Certification program. After reading, you’ll know more about said STAR program, as well as how it can work with an achieved ISO 27001 certification.
What is ISO 27001?
Internationally recognized, ISO 27001 is a security framework made up of a combination of policies and processes any organization can choose to implement to protect their information in a holistic way—that combination is called an information security management system (ISMS).
The ISO 27001 requirements are primarily concerned with 3 facets of protected information:
- Confidentiality: In a similar vein, only those authorized can access information.
- Integrity: Changes to protected data can only be made by those authorized to do so.
- Availability: While remaining secure, data must be accessible to authorized personnel whenever necessary.
In getting assessed against these requirements and becoming ISO 27001 certified, your organization can prove to your customers and other stakeholders that you’re safeguarding their information well, among other benefits.
What is the CSA STAR Program?
CSA STAR stands for Cloud Security Alliance, Security Trust and Assurance Registry—this program is specifically geared toward validating the security of cloud service providers (CSPs).
Separate from ISO 27001, this program includes 3 different levels of assurance:
- Self-Assessment (Level 1): The simplest option, where a CSP can submit their Consensus Assessment Initiative Questionnaire (CAIQ) to the CSA, free of charge, to appear on the registry.
- Third-Party Audit (Level 2): For this kind of assurance, you can pursue either STAR Certification or STAR Attestation (which we’ll get into in a moment).
- Continuous Auditing (Level 3): Geared to high-risk environments and full-service CSPs, this will allow the highest transparency into your cloud security.
There are also 2 different directions you could take within Level 2 of this program—the STAR Certification and the STAR Attestation, both of which utilize the Cloud Controls Matrix (CCM) as part of their control framework.
What is the Relationship Between ISO 27001 and CSA STAR Certification?
If you’re a cloud service provider, you can return to our ice cream metaphor when you consider these two compliance initiatives in this way: ISO 27001 the ice cream base of your sundae, and CSA STAR is the toppings.
More technically, CSA STAR certification is designed to work as a complement to ISO 27001 for cloud computing providers:
- As your base, ISO 27001 certification indicates you’ve implemented an ISMS with the structure and general security controls.
- CSA STAR certification, then, is an acknowledgment that your organization also features the particular security controls as covered by the CSA Cloud Controls Matrix.
CSPs that acquire both these certifications indicate to customers and others that they meet a higher level of security. There’s certainly a value-add argument to be made to adding STAR certification to your ISO 27001, as you’d be sending the message that you go above and beyond to protect data from attacks. However, acquiring both would mean putting yourself through two separate, rigorous assessment processes.
What’s the Difference Between a STAR Certification and a STAR Attestation?
We wrote more extensively about the differences between these two and their benefits here, but here’s the gist. Both are third-party assessments, but:
- STAR Certification leverages ISO 27001 management system requirements in conjunction with the CCM, whereas
- The STAR Attestation instead uses requirements of the SOC 2 framework together with the CCM.
Also, we should mention that, should you choose to obtain STAR certification, this includes a maturity model assessment, which could assist in the continual improvement of your security.
Can You Do a STAR Certification and an Attestation?
Yes. Just know that the attestation and certification are two separate examinations, though you can do both at the same time for efficiency.
Before you can get started on both, just know that:
- STAR certification requires that you be ISO 27001 certified.
- However, the STAR attestation does not have any prerequisites.
- Both STAR Certification and Attestation require a STAR Level 1 submission prior to a Level 2 assessment.
How Long Does Going Through the CSA STAR Program Take?
We’ll break this down by Attestation vs. Certification, but first, we must establish a distinction between actual audit time and your internal audit preparation.
Let’s start with the former, which depends on your scope. Key factors that can affect the length of time needed to complete your STAR Program project include:
- Services included in the assessment
- Locations to be examined
- The technological complexity of the scope
On average, here’s how long your actual STAR audit should take:
- STAR attestation: 6 weeks
- STAR certification: Guidance from the CSA estimates it should take 50% of however long your ISO 27001 initial certification audit took.
- So, if your ISO 27001 assessment required ten audit days, your STAR certification would need five audit days.
Regarding how long it’ll take you to prepare, the STAR certification typically requires less preparation than the STAR attestation:
- That’s because STAR certification requires ISO 27001 certification as a prerequisite, which in itself will need plenty of ramp-up time. Because you’ll have done most of the work back at that point, your planning specific to your STAR certification assessment should take less time.
- As for the STAR attestation, the CSA allows for an initial Type 1 examination but then requires a Type 2 examination thereafter, which means testing your controls over an examination period to determine operating effectiveness. That makes it very important that you prepare as much as possible to ensure that everything is defined, designed, and ready to meet the criteria for SOC 2 and the CCM.
- You may need to conduct an internal or external readiness assessment to be absolutely prepared.
Do You Need to Keep Your ISO 27001 Certification after Obtaining CSA STAR Certification?
Yes, you wouldn’t want to have either certification lapse. Especially since having an ISO 27001 certification is not only a prerequisite to obtaining the CSA STAR certification, but it’s also a requirement for maintaining it.
The good news is that maintenance of your ISO 27001 certification would be applied to the CSA STAR certification; so, by maintaining one, you’re maintaining both in a single effort.
Will Your Customers Prefer Their Own Assessment to Your CSA STAR Certification?
From what we’ve seen, the adoption rate of STAR certification has been high since it hit the market, but it really depends on the customer.
Those that have a better understanding of the CCM and STAR certification may be more inclined to adopt or accept that certificate without having you complete a separate questionnaire or undergo another third-party audit.
However, we should mention why one would ask you for more than the STAR certification in the first place. It’s because the deliverable—while it is a certificate demonstrating you’ve met the requirements of the STAR certification program—does not contain the details of what was performed during the certification.
(You do get a summary report of your audit activities, as well as a maturity assessment, but it's internal and will also contain nonconformities and other information you may consider confidential.)
You can see how this could become precarious for your customers: an organization with bronze-level maturity would get the same certificate to hand out that an organization with gold-level maturity would without any distinction on the certificate.
On the other side of the program, though, the STAR attestation deliverable does include the results of the control testing and control activities. So, if a customer’s concerned about what controls are in operation, an attestation deliverable would provide the details they’d like.
Moving Forward with the CSA STAR Program
Now, you understand the groundwork for the CSA STAR program, as well as its relationship to ISO 27001 certification. Though STAR provides options—like toppings on an ice cream sundae—ISO 27001 is the more holistic compliance framework that STAR can complement.
Of course, we only covered the basics in this Q&A, so if you find you have more questions about CSA STAR, please feel free to reach out to our team. Whether you’re ready to undergo certification or an attestation or not, we’d be happy to help you address any concerns you may have about your next steps.
About RYAN MACKIE
Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.