CSA STAR Certification

Secure cloud services 

Keeping IT networks and data secure is critical to business. The need for more cost-effective storage and software solutions, together with mobile access, has led to a rise in the adoption of cloud computing – and while cloud computing has opened up many new opportunities, it also presents a number of new security risks to company information. Through the implementation of CSA STAR Certification, in addition to a compliant ISO/IEC 27001 information security management system, organizations can ensure that they have a full understanding of the risks involved and the business impacts. This allows organizations to put controls in place to protect business-critical information.

What is STAR certification?

As with all management system standards, ISO/IEC 27001 has been written in such a way that it can be applied to any organization, large or small, across all industries. As such, it is felt that there are special requirements specific to cloud computing that are either not covered or need to be covered more precisely.

Developed by the Cloud Security Alliance (CSA), the Cloud Controls Matrix (CCM) bridges this gap by providing an additional set of controls for cloud service providers.

A joint agreement was signed by the CSA and BSI in August 2012 to develop a third-party certification scheme for cloud security called STAR certification. The scheme incorporates the requirements of ISO 27001 and a maturity rating. The rating indicates how well an organization is complying with the additional cloud-specific requirements, and it also drives optimization efforts by assessing the organization's capabilities and complexities.

This new scheme will assist in the adoption of cloud services by business by promoting greater transparency and allowing cloud service providers (CSPs) to provide their stakeholders with confidence that they have the necessary controls in place to secure the data they hold.

What are the benefits of CSA STAR Certification?

CSA STAR Certification brings big benefits to companies of all sizes. Confidence, reputation and new business can come with CSA STAR Certification as more customers ask for proof of these measures. Plus, it can help you as a cloud service provider:

  • Provide top management with visibility, so that they can evaluate the effectiveness of their management system in relation to expectations of the cloud security industry and ISO/IEC 27001
  • Implement an audit that is designed to reflect how your organization’s objectives are aimed at optimizing the cloud services
  • Demonstrate progress and performance levels via an independently validated award from an external certified body
  • Benchmark your performance against your peers

Additionally, for customers of cloud service providers, CSA STAR Certification will provide a greater understanding of the level of controls that are in place.

Who is STAR certification for?

The scheme is available to any organization offering cloud services that has, or is in the process of obtaining, ISO/IEC 27001 certification. The scope of the ISO/IEC 27001 certification must not be less than the scope of the STAR certification.

While there are no regulatory drivers for companies to seek certification, Cloud Service Providers (CSPs) are now seeking more robust certification arrangements. As their clients put a high level of trust in them, a CSP will need to demonstrate greater assurance that this trust is not misplaced. For IT suppliers, this is particularly important as their customers will often not be experts in IT security and therefore will look for independent third-party certification as an indication of the organization's competency to deliver cloud services.

STAR certification will provide reassurance, as it requires the organization to address the specific issues that are critical to cloud security, and the maturity model assesses how well managed the activities in the control areas are.