Cloud assurance, on the STAR registry

Run the CSA STAR program with CCM v4

The Cloud Controls Matrix v4 as a living control library and the CAIQ as a guided questionnaire — Level 1 self-assessment or Level 2 third-party assurance — mapped to ISO 27001 and SOC 2.

What is CSA STAR?

CSA STAR — Security, Trust, Assurance and Risk — is the Cloud Security Alliance's cloud assurance program. It gives cloud providers a recognized way to document and publish their security posture, and gives cloud customers a public registry to evaluate them. STAR is built on two artifacts: the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ).

CCM v4 and the CAIQ

The current CCM v4 organizes roughly 197 control objectives across 17 domains of cloud security — identity and access management, data security and privacy, application security, supply-chain management, and more — with the shared-responsibility model built in. The CAIQ is the questionnaire form of the CCM: a standardized set of yes/no questions that maps to each control, designed to replace the endless bespoke security questionnaires that cloud buyers send.

STAR Levels

  • Level 1 — Self-Assessment. Complete the CAIQ (or a CCM-based self-assessment) and publish it to the free, public CSA STAR registry.
  • Level 2 — Third-Party Assessment. An accredited assessor verifies your controls, often as a STAR Certification (paired with ISO 27001) or STAR Attestation (paired with SOC 2).

How episki helps

episki ships the CCM v4 catalog as living controls, generates consistent CAIQ v4 answers from your real evidence, and cross-maps every CCM control to ISO 27001, SOC 2, and NIST CSF. Reach STAR Level 1 from your existing program, or assemble the Level 2 package without rebuilding a thing.

CSA STAR outcomes with episki

Quantify the impact security and compliance bring to your business.
CCM v4
~197 control objectives across 17 cloud security domains.
CAIQ
The Consensus Assessment Initiative Questionnaire, answered from live controls.
STAR L1 / L2
Self-assessment or third-party certification on the public STAR registry.

Why teams choose episki for CSA STAR

Framework-specific automation, collaboration, and reporting in one workspace.
CCM v4 control library
The Cloud Controls Matrix implemented as living episki controls.
  • 17 domains of cloud security control objectives
  • Shared-responsibility model captured per control
  • Built-in mappings to ISO 27001, SOC 2, and more
CAIQ, answered from evidence
Complete the Consensus Assessment Initiative Questionnaire from real controls.
  • CAIQ v4 responses generated from your controls
  • Consistent answers across customer questionnaires
  • Publish to the CSA STAR registry
One effort, many programs
CCM is a meta-framework — its controls map almost everywhere.
  • Crosswalk to ISO 27001 / 27017 / 27018
  • Crosswalk to SOC 2 and NIST CSF
  • Reuse for PCI DSS and GDPR mapping

CSA STAR readiness inside episki

What a cloud provider needs to reach the STAR registry.

Plug episki into your stack and work directly from this checklist during the free trial.

  • CCM v4 control library scoped to your services
  • Shared-responsibility documentation per control
  • CAIQ v4 questionnaire completed from evidence
  • STAR Level 1 self-assessment package
  • STAR Level 2 third-party certification readiness
  • Crosswalks to ISO 27001 and SOC 2

CSA STAR accelerators

Cloud assurance accelerators

Get listed on the STAR registry and stop re-answering the same questionnaires.
CAIQ builder
Generate consistent CAIQ v4 answers from your live controls.
CCM crosswalk
Map CCM controls to ISO 27001, SOC 2, and NIST CSF automatically.
STAR submission pack
Assemble the Level 1 or Level 2 package for the STAR registry.

Reach the STAR registry from episki

Implement CCM v4 once, answer the CAIQ from evidence, and reuse it across ISO 27001 and SOC 2.