Cloud Security Alliance · Global

CSA CCM & STAR

The Cloud Controls Matrix and STAR programme for cloud security assurance.

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework specifically for cloud computing, and the STAR (Security, Trust, Assurance and Risk) programme provides a registry and certification/attestation for cloud providers’ security posture.

The Cloud Controls Matrix (CCM)

  • A comprehensive set of cloud-specific control objectives (197 in CCM v4, grouped into 17 domains) covering areas such as identity & access management, data security & privacy lifecycle management, application & interface security, infrastructure & virtualisation security, logging & monitoring, and supply-chain management.
  • Maps to ISO/IEC 27001, 27017 and 27018, SOC 2 (AICPA TSC), NIST SP 800-53, PCI DSS and other frameworks, so evidence gathered for one assessment can be reused for the others.
  • Includes a Shared Security Responsibility Model (SSRM) that states, per control, whether the cloud service provider, the customer, or both are responsible for implementing it.

CAIQ and STAR levels

Element        What it is
CAIQ           Consensus Assessments Initiative Questionnaire: a self-assessment questionnaire aligned one-to-one with the CCM controls
STAR Level 1   Self-assessment (a completed CAIQ) published in the public CSA STAR Registry
STAR Level 2   Third-party assurance: STAR Certification (ISO/IEC 27001 audit extended with the CCM) or STAR Attestation (SOC 2 examination extended with the CCM)

How to use it

  1. Complete the CAIQ against the CCM to baseline your cloud security posture.
  2. Publish to the STAR Registry (Level 1) for transparency to customers.
  3. For higher assurance, pursue STAR Level 2 (certification/attestation) atop ISO 27001 or SOC 2.
  4. Use the CCM mappings to satisfy overlapping frameworks.

How CyberSigma helps
We assess your cloud environment against the CSA CCM, complete the CAIQ, and integrate STAR with your ISO 27001 or SOC 2 work for third-party cloud assurance.

Frequently asked questions

Is CSA STAR a certification?
STAR Level 1 is a self-assessment; STAR Level 2 offers third-party certification (built on ISO 27001) or attestation (built on SOC 2).

Need help with CSA CCM / STAR?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.