CSA STAR Accreditation

Level 1: CSA STAR Level 1 is a self-assessed entry point into the STAR registry that involves completing the Consensus Assessments Initiative Questionnaire (CAIQ)—a standardized set of 250+ questions built on the Cloud Controls Matrix (CCM). By sharing your responses publicly, you demonstrate transparency around your cloud security practices and controls.

Level 2: Level Two offers third-party assurance through either:
• CSA STAR Attestation (based on AICPA SOC 2)
• CSA STAR Certification (based on ISO/IEC 27001)

These assessments validate your implementation of the 197 CCM control objectives across 17 security domains, providing clients and partners with confidence in your operational excellence.

Level 3: Continuous Monitoring (Planned) This advanced level, under development, will provide ongoing, real-time assurance for CSPs with mature, continuously monitored security environments.

• Boost Customer Confidence: Independent verification signals maturity and commitment to best practices.
• Streamline Procurement: Many enterprise buyers and regulators favor or require STAR-accredited providers.
• Leverage Existing Frameworks: If you already follow SOC 2 or ISO/IEC 27001, CSA STAR builds on those efforts without adding duplicate work .
• Gain a Competitive Edge: Demonstrating compliance with CSA’s globally recognized framework sets your company apart.

Yes, but both can be completed together. Level One is a foundational self-assessment; Level Two builds on the same cloud control requirements and adds third-party validation.

Yes. To achieve CSA STAR accreditation, you’ll need to show how your cloud security practices align with each of the 197 control objectives in the Cloud Controls Matrix, or explain any exclusions. While that number may sound daunting, many objectives overlap. In practice, most organizations meet these requirements with roughly 220 well-structured internal controls.

Type 1 reports assess your security posture at a point in time, verifying that the right systems and processes are in place.

Type 2 reports validate that those controls have been operating effectively over a defined period (typically 3–12 months).

Most organizations start with a Type 1 report, then move to recurring Type 2 assessments for ongoing assurance.

No. CSA STAR is meant to enhance, not replace, existing certifications. It’s often layered on top of SOC 2 or ISO/IEC 27001, adding an extra level of transparency and assurance for cloud security. Think of CSA STAR as a way to showcase your commitment to industry-leading practices with added visibility in the Cloud Security Alliance’s registry.

Controls Matrix (CCM) into your environment to enable real-time monitoring and streamline your audit.

Whether you’re using a leading automation tool or our proprietary platform, Pillar, we make it easy to align your controls, streamline documentation, and reduce manual workload. Pillar can operate as a stand-alone solution or connect with your existing compliance stack, giving you flexibility and control at every step.