
CSA STAR: Cloud Security Assurance Explained

25 May 2026 · 7 min read · Cyber Horizon Team

How does a cloud customer know their provider is secure? The Cloud Security Alliance’s STAR programme (Security, Trust, Assurance and Risk) is one of the most widely used answers — a way for cloud providers to demonstrate their security against a cloud-specific control framework.

Built on the Cloud Controls Matrix

STAR is anchored to the Cloud Controls Matrix (CCM) — a control framework written specifically for cloud, covering domains from identity and encryption to supply chain and incident response. It maps to other standards (ISO 27001, SOC 2, NIST), so a CCM assessment does double duty.

The STAR levels

Level                        What it involves
Level 1 — Self-Assessment    Publish a completed CAIQ / CCM self-assessment to the public STAR Registry (free).
Level 2 — Third-Party        Independent certification (STAR Certification on top of ISO 27001) or attestation (STAR Attestation on top of SOC 2).
Continuous                   Ongoing, automated monitoring of control status rather than a point-in-time assessment.

The CAIQ

The Consensus Assessment Initiative Questionnaire (CAIQ) is the practical centrepiece — a standardised set of yes/no questions mapped to the CCM. Customers send it to providers during due diligence; publishing a completed CAIQ on the STAR Registry pre-empts a lot of bespoke questionnaire work.

How to use it

  • Complete a CCM/CAIQ self-assessment and publish it to the STAR Registry (Level 1).
  • Where ISO 27001 or SOC 2 is in flight, add STAR Certification/Attestation (Level 2) on top.
  • Reuse your existing ISO/SOC 2 evidence — CCM maps across them.
  • Keep the CAIQ current so it answers customer security questionnaires for you.

The bottom line

CSA STAR turns cloud security from a trust-us claim into a published, comparable assessment. Start with the free self-assessment, build toward third-party STAR on top of your ISO 27001 or SOC 2, and let the CAIQ shoulder your security-questionnaire load.

Run CSA STAR on your existing evidence

Cyber Horizon supports the CCM/CSA STAR and maps it to ISO 27001 and SOC 2 — so your cloud assurance reuses the evidence you already have, and Questionnaire AI handles the CAIQ.
