Cloud Security Alliance (CSA) STAR Self-Assessment
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud.
In 2010, the CSA published a suite of tools to assess cloud IT operations: the CSA Governance, Risk Management, and Compliance (GRC) Stack. It was designed to help cloud customers assess how cloud service providers (CSPs) follow industry best practices and standards, and comply with regulations.
In 2013, the CSA and the British Standards Institution launched the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry in which CSPs can publish their CSA-related assessments.
CSA STAR is based on two key components of the CSA GRC Stack:
- Cloud Controls Matrix (CCM): a controls framework covering fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a CSP.
- The Consensus Assessments Initiative Questionnaire (CAIQ): a set of more than 140 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.
STAR provides three levels of assurance; CSA STAR Self-Assessment is the introductory offering at Level 1, which is free and open to all CSPs. Going further up the assurance stack, Level 2 of the STAR program involves third-party assessment-based certifications, and Level 3 involves certifications based on continuous monitoring.
As part of the STAR Self-Assessment, CSPs can submit two different types of documents to indicate their compliance with CSA best practices: a completed CAIQ, or a report documenting compliance with CCM. For the CSA STAR Self-Assessment, Microsoft publishes both a CAIQ and a CCM-based report for Microsoft Azure, and CCM-based reports for Microsoft Dynamics 365 and Microsoft Office 365.
Microsoft in-scope cloud services
Covered services for Azure, Dynamics 365, and Office 365 are specified in the corresponding CSA STAR Self-Assessments.