Game Time: CSA STAR Certification vs. Attestation
The CSA Security, Trust and Assurance Registry (STAR) program was designed by the Cloud Security Alliance as a method for providing assurance regarding the security of a cloud service provider (CSP). The program consists of the STAR Certification and the STAR Attestation, both of which use the Cloud Controls Matrix (CCM) as the control framework; however, there are important differences between the two. So which is a better fit for your organization? Perhaps the following information will help you decide.
The STAR Certification is an independent, third-party assessment of the security of a CSP that leverages the requirements of the ISO/IEC 27001:2013 (ISO 27001) management system standard in conjunction with the CCM. In order to achieve the STAR Certification, a CSP must already hold an active ISO 27001 certification or have the STAR Certification assessment performed in tandem with an ISO 27001 certification review.
Benefits of the STAR Certification Program
- Complements ISO 27001 certification
- Increased market confidence
- Provides a base maturity level and process improvement opportunities
Challenges of the STAR Certification Program
- ISO 27001 is a prerequisite
- Focuses on management principles
- No external deliverable highlighting the controls in place and their operating effectiveness
- Scoring is subjective
The STAR Attestation is an independent, third-party assessment of the security of a CSP that leverages the requirements of the SOC 2 framework (based on the AICPA Trust Services Principles (TSP)) in conjunction with the CCM. Pursuing the STAR Attestation allows organizations to demonstrate the suitability of the design and the operating effectiveness of their controls over a period of time, rather than as of a single point in time. The deliverable is a detailed report that documents the controls in place to meet both the CCM and the SOC 2 criteria, allowing the reader to clearly see the level of security in place and judge whether it meets their expectations.
Benefits of the STAR Attestation Program
- Review of both the design and operating effectiveness of controls
- Covers a review period of at least six months
- A stand-alone/detailed report is provided
- No prerequisites
Challenges of the STAR Attestation Program
- Full disclosure of testing exceptions/deviations is listed within the report
- The report is backward-looking by design (i.e., it covers a review period in the past)
In summary, the path that a service organization takes will depend heavily on its circumstances (industry-specific requirements, current examinations, customer demand, etc.); however, the information provided above should offer a solid baseline for assessing the differences between the two.
About ROB TYLKA
Robert Tylka is a Manager at Schellman & Company, LLC. Rob has over 13 years of experience in compliance and technology audits and assessments, including Service Organization Controls (SOC) reporting projects, Sarbanes-Oxley 404 compliance reviews and ERP controls evaluations. Rob currently oversees the Chicago market and is dedicated to providing Service Organization Controls (SOC) reporting projects for clients. To date, Robert has provided services to clients in the financial services, governmental, human resources, information technology, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.