The Inner Circle


How is CSA STAR Different From ISO 27001 and SOC 2?

  • 1.  How is CSA STAR Different From ISO 27001 and SOC 2?

    Posted Sep 03, 2021 11:45:00 AM
    CSA operates the Security, Trust, Assurance, & Risk (STAR) Registry. This is a three-tiered provider assurance program of self-assessment, third-party audit and continuous monitoring. Attestations and certifications from CSA STAR can be used to build on existing information security certification and audit programs. This allows organizations to assess their compliance with information security standards and cloud security standards at the same time. Learn how STAR is different from two popular compliance programs: ISO/IEC 27001 and SOC 2. Read here:

    #CloudSecurity #cloudcertification #cloudcompliance

    Orbert

  • 2.  RE: How is CSA STAR Different From ISO 27001 and SOC 2?

    Posted Sep 03, 2021 12:49:00 PM

    Comparing security standards used to certify cloud solutions a while back (for which CSA representatives were generous with their time and knowledge), we picked up various other aspects of CSA STAR (some found in other certifications) which we felt were really useful.

    The centralised registry of information, making it easy to check current status, allows organisations to manage their risk more quickly and easily than trying to validate what an ISO 27001 certification really means, and whether it is still current. I believe CSA STAR has watered this down slightly since my examination, but it is still relevant. The big players usually have this on a website, but even with AWS you need to create a new account to access it; these are all barriers to easy checking. The point being that ISO 27001 makes sure a management framework exists to assess the risk, and whilst auditors will likely note organisations with unusual risk appetites, it doesn't necessarily mean they won't get certified.

    Similarly for users of cloud services the specific cloud focus of CSA STAR means that the certification is addressing risk relevant to the users of those cloud services.

    Even if you are a cloud provider you likely utilise more cloud services than you provide (well unless you are AWS, Microsoft or Google), so anything that makes the client risk management steps easier and clearer is useful. We found that most organisations who expect suppliers to have certain certification didn't correctly validate the certification at procurement stage, or effectively check it was being maintained after procurement, so making this step easy should be kept in mind.

    Some of the "certified for use" certifications also had mechanisms to notify users of services of relevant changes to certification status or documentation.

    The blog post undersells CSA STAR, but the market for standards isn't developed enough for these nuances to have much impact on what certifications people seek or request/expect. We certainly didn't find any cloud certification approaches markedly in advance of CSA STAR, although some of the government certifications that permit storage of classified data in clouds had more controls, but they are ceasing to be general purpose standards usable by all organisations when they start requiring data sovereignty, or nationality restrictions on personnel.

    Simon Waters
    Insufficient Entropy