CSA STAR Level 2 Certification: A Complete Guide
Alexander Sverdlov
Security Analyst

💫 Key Takeaways
- CSA STAR Level 2 requires a foundation of ISO 27001 or SOC 2 — you cannot skip straight to Level 2
- The Cloud Controls Matrix (CCM) v4 contains 197 control objectives across 17 domains — but not all will apply to your scope
- The CAIQ (Consensus Assessments Initiative Questionnaire) v4 maps directly to the CCM and is the primary evidence framework
- If you already have ISO 27001, expect 2–4 months of incremental preparation for the STAR assessment
- The most common pitfall is treating CCM controls as a checkbox exercise instead of demonstrating operational maturity
- Combined audits (ISO 27001 + CSA STAR) are the most cost-effective path and reduce total audit time by 30–40%
- Preparation costs range from €10,000–€40,000 for organizations that already hold ISO 27001 (more when building the ISMS from scratch); audit fees from €15,000–€60,000 depending on scope
I have guided over a dozen organizations through CSA STAR Level 2 certification. Some sailed through in under three months. Others struggled for nearly a year. The difference was never about the size of the company or the budget — it was about preparation. The companies that understood what the assessment actually evaluates, and planned accordingly, moved quickly. The companies that treated it as “just another audit” ran into surprises that cost them time and money.
This guide is everything I wish someone had written before my first CSA STAR engagement. It covers the framework, the process, the gotchas, and the practical details that make the difference between a smooth certification and a painful one. No marketing fluff, no theoretical overviews — just what you actually need to know.
If you want to understand why CSA STAR Level 2 matters before diving into the how, read our companion article: What is CSA STAR Level 2 and Why Does It Matter for Your Business?
The Framework
The Cloud Controls Matrix (CCM) v4: What You Need to Know
The Cloud Controls Matrix is the backbone of everything CSA STAR. It is a cybersecurity controls framework specifically designed for cloud computing. Version 4 (the current version as of 2026) contains 197 control objectives organized into 17 domains. Understanding these domains is essential because they define the scope of your assessment.
| Domain ID | Domain Name | Key Focus Areas |
|---|---|---|
| A&A | Audit & Assurance | Internal audit, compliance monitoring, independent assessments |
| AIS | Application & Interface Security | Secure SDLC, API security, application hardening |
| BCR | Business Continuity & Operational Resilience | DR planning, resilience testing, service continuity |
| CCC | Change Control & Configuration Management | Change management, baseline configurations, version control |
| CEK | Cryptography, Encryption & Key Management | Encryption standards, key lifecycle, certificate management |
| DSP | Data Security & Privacy Lifecycle Management | Data classification, retention, privacy controls, cross-border transfers |
| DCS | Datacenter Security | Physical security, environmental controls, authorized access |
| GRC | Governance, Risk & Compliance | Policies, risk management, regulatory compliance |
| HRS | Human Resources | Security training, background checks, role-based access |
| IAM | Identity & Access Management | Authentication, authorization, privileged access, federation |
| IPY | Interoperability & Portability | Data portability, vendor lock-in mitigation, API standards |
| IVS | Infrastructure & Virtualization Security | Network security, hypervisor hardening, segmentation |
| LOG | Logging & Monitoring | Security event logging, monitoring, SIEM, alerting |
| SEF | Security Incident Management, E-Discovery & Cloud Forensics | Incident response, forensics, breach notification |
| STA | Supply Chain Management, Transparency & Accountability | Third-party risk, vendor assessments, service agreements |
| TVM | Threat & Vulnerability Management | Vulnerability scanning, penetration testing, threat intelligence |
| UEM | Universal Endpoint Management | Endpoint security, device management, mobile security |
One of the most important things to understand about the CCM is that it was designed to map to existing frameworks. Each CCM control objective includes cross-references to ISO 27001 Annex A controls, NIST SP 800-53 controls, SOC 2 Trust Services Criteria, PCI DSS requirements, and GDPR articles. This means that if you already have ISO 27001 or SOC 2, a significant portion of the CCM is already covered by your existing control environment.
💡 Practical Tip
Before you start preparing, download the CCM v4 spreadsheet from the CSA website and run a mapping exercise against your existing ISO 27001 Statement of Applicability or SOC 2 control matrix. In our experience, companies with a mature ISO 27001 ISMS typically find that 60–75% of CCM controls are already addressed. The gap is usually concentrated in cloud-specific areas: multi-tenancy isolation, encryption key management for cloud workloads, container security, and data portability.
The Assessment Tool
The CAIQ v4: Your Evidence Roadmap
The Consensus Assessments Initiative Questionnaire (CAIQ) is the operational companion to the CCM. While the CCM defines what controls you need, the CAIQ asks how you implement them. Each CAIQ question maps directly to a CCM control objective.
For Level 1, you complete the CAIQ yourself and submit it. For Level 2, the CAIQ responses become the basis for the auditor's assessment. The auditor will review your CAIQ responses, request supporting evidence for each answer, and test whether your stated controls actually work as described.
Here is what makes the CAIQ different from a typical security questionnaire:
- It demands specificity. “Yes, we do encryption” is not sufficient. The CAIQ asks which encryption algorithms, at what key lengths, how keys are managed, where they are stored, and how they are rotated.
- It covers shared responsibility. For each control, you must indicate whether it is your responsibility, your cloud provider's responsibility, or shared. This forces you to think carefully about your shared responsibility model — a common gap area in assessments.
- It feeds maturity scoring. The CAIQ itself records whether a control exists and who owns it, but a Level 2 certification assessment goes further and evaluates how mature the control is. A control that exists as a documented policy but is not consistently implemented or monitored will score lower than one that is fully automated and continuously verified.
⚠️ Common Mistake
Many companies complete the CAIQ at the last minute, treating it as a form to fill out rather than a tool to prepare with. This is backwards. Complete your CAIQ early in the preparation process — ideally 3–4 months before the audit. The act of answering the questions will reveal gaps in your controls, missing documentation, and areas where your stated practices do not match reality. It is far better to discover these gaps during preparation than during the audit itself.
Choose Your Path
Certification Track vs. Attestation Track
CSA STAR Level 2 offers two distinct paths, each building on a different foundation. Your choice depends on what you already have and who your primary customers are.
| Aspect | STAR Certification (ISO 27001-based) | STAR Attestation (SOC 2-based) |
|---|---|---|
| Foundation | ISO 27001:2022 ISMS certification | SOC 2 Type II attestation |
| Assessed By | CSA-approved certification body (e.g., BSI, TUV, Bureau Veritas) | Licensed CPA firm with CSA STAR attestation scope |
| Output | CSA STAR Certificate with maturity model rating | SOC 2 + CCM attestation report |
| Validity | Up to 3 years with annual surveillance audits | 12 months (must be renewed annually) |
| Best For | European market, EU public sector, DORA/NIS2 alignment | North American market, US financial services, tech buyers |
| Maturity Model | Yes: controls are scored on a 1–15 maturity scale across management capability areas, and the score determines the Bronze, Silver or Gold award | No separate maturity score; CCM controls are tested as additional subject matter in the SOC 2 report |
For European companies selling primarily in the EU market, the certification track (ISO 27001-based) is almost always the right choice. ISO 27001 is the lingua franca of European information security, and adding CSA STAR Level 2 Certification on top of it creates the strongest possible cloud security posture for EU procurement.
If your company already has SOC 2 Type II and your primary market is North America (or a mix of EU and US), the attestation track may be more efficient. You can also pursue both tracks if your customer base spans both markets, though most companies choose one and reference it globally.
The Process
Step-by-Step: How to Achieve CSA STAR Level 2
Here is the practical roadmap, based on the certification track (ISO 27001-based). The attestation track follows a similar structure but with SOC 2-specific audit procedures.
Phase 1: Foundation Check (Week 1–2)
Before anything else, confirm your foundation is solid:
- Is your ISO 27001 certificate current and in good standing?
- When is your next surveillance or recertification audit? (Ideal timing: combine ISO 27001 and STAR audits)
- Does your ISO 27001 scope cover the cloud services you want to certify under STAR?
- Is your Statement of Applicability (SoA) up to date?
If you do not yet have ISO 27001, that is your first priority. A virtual CISO can help you build and implement the ISMS in parallel with CSA STAR preparation, but expect a longer timeline of 9–14 months total.
Phase 2: CCM Gap Analysis (Week 2–6)
This is the most important preparation phase. Systematically compare your existing controls against each applicable CCM domain:
- Download CCM v4 and map each control objective to your existing ISO 27001 controls
- Identify gaps — controls required by the CCM that are not addressed by your current ISMS
- Assess maturity — for controls that do exist, evaluate whether they are documented, implemented, monitored, and optimized
- Define the shared responsibility model — for each control, clarify whether it is your responsibility, your cloud provider's (AWS, Azure, GCP), or shared
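The mapping exercise from the Practical Tip above, the gap and maturity steps of this phase, and the per-control responsibility split can be done in one pass over the CCM spreadsheet. The script below is an added example (not CSA tooling and not the author's): it joins a handful of CCM rows to an ISO 27001:2022 SoA through their Annex A cross-references and the SSRM owner column, classifies each row as covered, inherited from the provider, or a gap, and reports the weakest maturity behind each covered objective. The CCM rows, their cross-references, the SoA entries and the provider-evidence table are constructed for the demo and are not the official CCM v4 mapping; replace them with the real rows exported from the spreadsheet.

```python
"""CCM-to-SoA gap analysis (added example, not CSA tooling).

Joins CCM v4 control rows to an ISO 27001:2022 Statement of Applicability via the
Annex A cross-references and the SSRM owner column, then reports which controls are
covered, inherited from the provider, or gaps, plus the weakest maturity behind each.
All rows below are constructed for the demo; use the CCM v4 spreadsheet in practice.
"""
from collections import defaultdict

# Coarse maturity ladder used during gap analysis (documented < implemented <
# monitored < optimized). This is the Phase 2 ladder, not the STAR scoring scale.
MATURITY_LEVELS = ["none", "documented", "implemented", "monitored", "optimized"]

# Constructed SoA extract: Annex A control -> applicability and observed maturity.
SOA = {
    "A.8.24": {"applicable": True, "maturity": "implemented"},  # Use of cryptography
    "A.8.15": {"applicable": True, "maturity": "monitored"},    # Logging
    "A.8.16": {"applicable": True, "maturity": "documented"},   # Monitoring activities
    "A.8.22": {"applicable": True, "maturity": "implemented"},  # Segregation of networks
    "A.7.4":  {"applicable": False, "maturity": "none"},        # Physical security monitoring, excluded
}

# Constructed CCM rows: the Annex A cross-references and SSRM owners are assumptions
# for the demo, not the official CCM v4 mapping.
CCM = [
    {"id": "CEK-01", "domain": "CEK", "iso_refs": ["A.8.24"], "owner": "CSC"},
    {"id": "CEK-02", "domain": "CEK", "iso_refs": ["A.8.24"], "owner": "shared"},
    {"id": "LOG-01", "domain": "LOG", "iso_refs": ["A.8.15"], "owner": "CSC"},
    {"id": "LOG-02", "domain": "LOG", "iso_refs": ["A.8.15", "A.8.16"], "owner": "CSC"},
    {"id": "IVS-01", "domain": "IVS", "iso_refs": ["A.8.22"], "owner": "shared"},
    {"id": "IPY-01", "domain": "IPY", "iso_refs": [], "owner": "CSC"},
    {"id": "DCS-01", "domain": "DCS", "iso_refs": ["A.7.4"], "owner": "CSP"},
]

# Constructed: provider-owned controls for which we hold the provider's attestation.
PROVIDER_EVIDENCE = {"DCS-01": "provider SOC 2 Type II report, physical access section"}


def maturity_rank(level):
    return MATURITY_LEVELS.index(level)


def assess_control(control, soa, provider_evidence):
    """Classify one CCM row as covered / inherited / gap and record why."""
    cid, owner, refs = control["id"], control["owner"], control["iso_refs"]
    result = {
        "id": cid, "domain": control["domain"], "owner": owner, "maturity": None,
        # The SSRM requires evidence of the provider's side for CSP-owned and shared controls.
        "needs_provider_evidence": owner in ("CSP", "shared") and cid not in provider_evidence,
    }
    if owner == "CSP":
        # Nothing to implement ourselves, but "not applicable" is wrong: we must show
        # how we verify that the provider does it.
        if cid in provider_evidence:
            result.update(status="inherited", reason=provider_evidence[cid])
        else:
            result.update(status="gap", reason="provider-owned control without referenced provider evidence")
        return result
    if not refs:
        result.update(status="gap", reason="cloud-specific control with no Annex A cross-reference")
        return result
    missing = [r for r in refs if not soa.get(r, {}).get("applicable", False)]
    if missing:
        result.update(status="gap", reason="Annex A " + ", ".join(missing) + " excluded or absent from SoA")
        return result
    # A CCM objective backed by several Annex A controls is only as mature as the weakest one.
    weakest = min((soa[r]["maturity"] for r in refs), key=maturity_rank)
    result.update(status="covered", maturity=weakest, reason="addressed via " + ", ".join(refs))
    return result


def gap_analysis(ccm, soa, provider_evidence):
    """Assess every row and compute per-domain and overall coverage."""
    rows = [assess_control(c, soa, provider_evidence) for c in ccm]
    per_domain = defaultdict(lambda: {"total": 0, "addressed": 0})
    for r in rows:
        per_domain[r["domain"]]["total"] += 1
        if r["status"] in ("covered", "inherited"):
            per_domain[r["domain"]]["addressed"] += 1
    coverage = {d: v["addressed"] / v["total"] for d, v in per_domain.items()}
    overall = sum(v["addressed"] for v in per_domain.values()) / len(rows)
    return {"rows": rows, "domain_coverage": coverage, "overall_coverage": overall}


if __name__ == "__main__":
    report = gap_analysis(CCM, SOA, PROVIDER_EVIDENCE)
    for r in report["rows"]:
        flag = " (provider evidence needed)" if r["needs_provider_evidence"] else ""
        print(f'{r["id"]:7} {r["status"]:9} {str(r["maturity"]):12} {r["reason"]}{flag}')
    for d, c in sorted(report["domain_coverage"].items()):
        print(f"{d}: {c:.0%} addressed")
    print(f"overall: {report['overall_coverage']:.0%} addressed")
```

Two design points matter more than the arithmetic. First, a CCM objective that cross-references several Annex A controls inherits the maturity of the weakest of them, which is why LOG-02 above lands at "documented" even though logging itself is monitored. Second, a provider-owned control is never "not applicable": it is either inherited, with the provider's attestation referenced, or it is a gap, and shared controls are flagged for provider evidence even when your own side is covered.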
💡 Where We Typically Find Gaps
Based on our consulting experience, the CCM domains where ISO 27001-certified companies most commonly have gaps are:
- CEK (Cryptography) — key management lifecycle is rarely documented to CCM's expected level of detail
- IVS (Infrastructure & Virtualization) — container security and network segmentation in cloud environments
- IPY (Interoperability & Portability) — data portability and vendor lock-in mitigation are often overlooked
- LOG (Logging & Monitoring) — while logging exists, cloud-specific monitoring (CloudTrail, Azure Monitor) may not meet CCM requirements
- DSP (Data Security & Privacy) — data classification and cross-border transfer controls need cloud-specific documentation
Phase 3: Remediation and Control Implementation (Week 6–14)
Based on the gap analysis, implement or strengthen the controls needed to close the identified gaps. This typically involves:
- Policy and procedure updates: Extend existing security policies to cover cloud-specific controls. Your encryption policy may need a dedicated section on cloud key management. Your change management procedure may need to address infrastructure-as-code deployments.
- Technical controls: Enable and configure cloud-native security tools (AWS Config, Microsoft Defender for Cloud (formerly Azure Security Center), GCP Security Command Center). Implement encryption at rest and in transit where gaps exist. Configure network segmentation and micro-segmentation.
- Process improvements: Formalize the shared responsibility model documentation. Implement cloud-specific incident response procedures. Create data portability runbooks.
- Evidence collection: Start collecting evidence of control operation from day one. The auditor will want to see that controls have been operating for a reasonable period, not just implemented the week before the audit.
Phase 4: CAIQ Completion and Internal Review (Week 12–16)
Complete the CAIQ v4 questionnaire with detailed, evidence-backed responses. For each question:
- Describe what you do, how you do it, and where it is documented
- Specify the tools and technologies involved
- Identify the responsible person or team
- Reference the evidence available (logs, reports, screenshots, configurations)
Conduct an internal review by someone who was not involved in completing the CAIQ. Fresh eyes will catch inconsistencies, vague responses, and areas where the stated control does not match what is actually implemented.
Phase 5: Select Your Audit Body (Week 8–12, in parallel with remediation)
Start this process early — good audit firms book out months in advance. Key considerations:
- The certification body must be on the CSA-approved list
- If possible, use the same certification body as your ISO 27001 auditor for a combined audit
- Ask about the auditor's experience with your cloud provider (AWS, Azure, GCP) and your service model (SaaS, PaaS, IaaS)
- Request a pre-assessment or readiness review if your audit body offers one — this identifies issues before the formal audit
Phase 6: The Audit (Week 16–20)
The Level 2 assessment typically involves:
- Document review: The auditor reviews your CAIQ, policies, procedures, and supporting documentation
- Interviews: Key personnel are interviewed about their roles and how controls operate in practice
- Evidence testing: The auditor verifies that controls operate as described by examining logs, configurations, reports, and other artifacts
- Maturity assessment: Each control domain is rated on a maturity scale
- Findings report: Non-conformities and observations are documented. Minor non-conformities can usually be resolved within a defined corrective action period
Phase 7: Certification and Registration (Week 20–22)
Once all findings are resolved, the certification body issues your CSA STAR Level 2 certificate. The certificate and your maturity scores are published on the CSA STAR Registry — a public, searchable database that procurement teams and regulators use to verify cloud security certifications.
Budget Planning
Realistic Timeline and Costs
Let me be direct about what this costs, because vague answers here waste everyone's time.
| Scenario | Timeline | Preparation Cost | Audit Fees |
|---|---|---|---|
| Mature ISO 27001 + experienced team | 2–3 months | €10,000–€20,000 | €15,000–€30,000 |
| ISO 27001 certified + some gaps | 3–5 months | €20,000–€35,000 | €20,000–€45,000 |
| Starting from scratch (no ISO 27001) | 9–14 months | €30,000–€60,000+ | €25,000–€60,000 |
| Combined ISO 27001 recert + STAR (most cost-effective) | 3–4 months incremental | €10,000–€25,000 | €20,000–€35,000 (combined) |
These figures are based on a mid-sized SaaS or cloud service provider (50–500 employees) with 1–3 cloud services in scope. Larger organizations with complex multi-cloud environments will be at the higher end or above these ranges.
💡 ROI Perspective
If CSA STAR Level 2 helps you close even one enterprise deal that was previously blocked by procurement requirements, the certification has paid for itself. In our experience, the first deal closed after certification typically exceeds the total cost of the certification program by a factor of 5–10x.
Lessons Learned
Common Pitfalls and How to Avoid Them
Over the years, I have seen the same mistakes repeated across CSA STAR engagements. Here are the most common ones and how to avoid them:
Pitfall 1: Treating CCM as a checkbox exercise
STAR Certification scores CCM controls against a maturity model. Assessors do not just check whether a control exists; they evaluate how well it operates. A company that answers “yes” to every CAIQ question but cannot demonstrate operational evidence will score poorly. Solution: For each control, prepare evidence of consistent operation over time. Not just a policy document, but logs, reports, and records showing the control working in practice.
Pitfall 2: Ignoring the shared responsibility model
Many companies assume that because AWS or Azure handles physical security, they can mark datacenter controls as “not applicable.” But the CCM requires you to document the shared responsibility model and explain how you verify that your cloud provider fulfills their side. Solution: Reference your cloud provider's compliance documentation (AWS SOC 2 report, Azure compliance offerings), document how you monitor their status, and map each CCM control to the responsible party with clear justification.
Pitfall 3: Underestimating cloud-specific controls
Companies with strong ISO 27001 programs sometimes assume the CCM gap will be trivial. It is not. Cloud-specific controls around container security, serverless function governance, API security, encryption key management in multi-tenant environments, and data portability are often genuinely new territory. Solution: Conduct the gap analysis early and honestly. Budget adequate time for implementing and testing cloud-specific controls that your existing ISMS does not cover.
Pitfall 4: Not aligning scope properly
Your CSA STAR scope must align with your ISO 27001 scope. If your ISO 27001 certificate covers only your corporate IT environment but not your cloud service delivery platform, you will need to extend the ISO scope first. Solution: Verify scope alignment at the very beginning of the project. If scope changes are needed, factor in the additional time and cost for the ISO 27001 scope amendment.
Pitfall 5: Starting evidence collection too late
Auditors want to see that controls have been operating consistently, not just implemented days before the assessment. A control that has been in place for three months with documented evidence is far more credible than one implemented three weeks ago. Solution: Begin evidence collection as soon as controls are implemented. Set up automated evidence gathering wherever possible — scheduled vulnerability scan reports, automated access review exports, CloudTrail log summaries.
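The "CloudTrail log summaries" mentioned here, and the evidence collection that Phase 3 says should start on day one, are easy to automate because CloudTrail already delivers structured JSON. The script below is an added example (not the author's tooling and not an AWS product): it turns a CloudTrail delivery file into the periodic evidence an assessor asks for under the IAM and LOG domains, specifically root account activity, successful console logins without MFA, and API calls that change the logging configuration itself, and stamps the summary with a hash of the source file so it can be tied back to the archived log. The records are constructed inline; the field names follow the CloudTrail record format, and the account ID is the placeholder used in AWS documentation.

```python
"""CloudTrail evidence summary (added example, not the author's or AWS tooling).

Turns raw CloudTrail records into the periodic evidence an assessor asks for under
IAM and LOG: root account activity, successful console logins without MFA, and
changes to the logging configuration itself. The records below are constructed;
in practice the input is the JSON file CloudTrail delivers to S3.
"""
import hashlib
import json
from collections import Counter

# CloudTrail API calls that weaken or remove the audit trail; each one is a finding.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample delivery file (123456789012 is the AWS documentation placeholder account).
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2026-03-02T08:12:01Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-03-02T09:40:22Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2026-03-02T09:41:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-03-03T17:03:44Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-03-04T11:15:09Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    {"eventTime": "2026-03-05T02:58:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/ops"},
     "requestParameters": {"name": "org-trail"}},
]})


def classify(record):
    """Return the evidence categories a single CloudTrail record falls under."""
    hits = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        hits.append("root_activity")
    if record.get("eventName") == "ConsoleLogin":
        succeeded = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        # Only successful logins count as evidence; a failed attempt never granted access.
        if succeeded and mfa != "Yes":
            hits.append("console_login_without_mfa")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and record.get("eventName") in LOGGING_TAMPER_EVENTS:
        hits.append("logging_configuration_change")
    return hits


def summarize(raw_json):
    """Build an evidence summary with an integrity hash of the source file."""
    records = json.loads(raw_json)["Records"]
    times = sorted(r["eventTime"] for r in records)
    counts = Counter()
    findings = []
    for r in records:
        for category in classify(r):
            counts[category] += 1
            findings.append({"time": r["eventTime"], "category": category,
                             "actor": r.get("userIdentity", {}).get("arn", "unknown"),
                             "event": r["eventName"]})
    return {
        # Hash of the raw input so the assessor can tie the summary back to the archived file.
        "source_sha256": hashlib.sha256(raw_json.encode()).hexdigest(),
        "events": len(records),
        "period": (times[0], times[-1]),
        "counts": dict(counts),
        "findings": sorted(findings, key=lambda f: f["time"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
```

Run this on a schedule against each delivered log file and keep the output alongside the archived input; the hash is what lets an assessor confirm that the summary you present was produced from the log you retained. The failed login by bob without MFA is deliberately not a finding, since the category is meant to evidence access that was actually granted, while the StopLogging call is a finding regardless of who made it.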
Integration Strategy
Integrating CSA STAR with Your Existing Compliance Program
If you already have ISO 27001 and/or SOC 2, you are not starting from zero — you are extending an existing program. Here is how to make that extension as efficient as possible.
ISO 27001 + CSA STAR Level 2 (Most Common European Path)
The CCM v4 maps directly to ISO 27001:2022 Annex A controls. Your existing Statement of Applicability (SoA) is the starting point for identifying which CCM controls are already addressed. Here is the practical approach:
- Extend your SoA to include CCM-specific controls that are not already covered by Annex A
- Update your risk assessment to include cloud-specific threats and scenarios referenced in the CCM
- Add CCM-specific procedures to your existing process documentation (rather than creating entirely new documents)
- Reuse evidence from your ISO 27001 internal audits and management reviews
- Schedule combined audits with your certification body to minimize disruption and cost
SOC 2 + CSA STAR Level 2 (Attestation Track)
If your foundation is SOC 2 Type II, the integration works differently. The CCM criteria are incorporated as additional subject matter in your SOC 2 examination. Your CPA firm evaluates the CCM controls alongside the Trust Services Criteria. This requires a CPA firm that has experience with CSA STAR attestations — not all do.
EU Cloud Code of Conduct Alignment
The EU Cloud Code of Conduct (EU Cloud CoC) is a GDPR code of conduct approved under Article 40, specifically for cloud service providers. If you are pursuing the EU Cloud CoC alongside CSA STAR, there is significant overlap in the data protection, security governance, and transparency requirements. We recommend mapping both frameworks simultaneously to identify shared controls and avoid duplicate documentation.
The Optimal Compliance Stack for European Cloud Providers
Based on our experience advising European SaaS and cloud companies, the most effective compliance stack for the current regulatory environment is: ISO 27001 + CSA STAR Level 2 + SOC 2 Type II. This combination covers European procurement requirements (ISO 27001 + STAR), North American buyer expectations (SOC 2), and cloud-specific security assurance (CCM). Adding ISO 27017 (cloud security) and ISO 27018 (cloud privacy) as extensions provides additional regulatory alignment with minimal incremental effort since they build on the same ISMS.
Common Questions
Frequently Asked Questions
How many CCM controls will actually apply to my organization?
It depends on your service model. A SaaS provider will typically have 120–160 of the 197 control objectives in scope. IaaS providers tend to have broader applicability since they manage more infrastructure layers. Some domains like DCS (Datacenter Security) may be largely inherited from your cloud provider (AWS, Azure) and require documentation of the shared responsibility model rather than direct implementation. Your gap analysis will determine the exact count.
Can I fail a CSA STAR Level 2 assessment?
Yes. If the assessor identifies major non-conformities — critical controls that are missing, non-functional, or significantly below the expected maturity level — they may not issue the certification until those findings are resolved. Minor non-conformities can typically be addressed through a corrective action plan within a defined timeframe. The key to avoiding failure is thorough preparation: a proper gap analysis, honest self-assessment, and sufficient time for remediation before the audit.
Do I need to hire a consultant, or can we prepare internally?
It depends on your team's experience. If you have someone who has been through a CSA STAR assessment before, internal preparation is feasible. If this is your first time, engaging a consultant for at least the gap analysis phase will save you significant time and reduce the risk of surprises during the audit. A virtual CISO with CSA STAR experience can guide the entire process while building your internal team's capability for future recertifications.
What is the maturity model, and how is it scored?
The STAR certification uses the CSA maturity model, which evaluates your controls across capability levels ranging from ad hoc (no formal process) to optimized (continuously improved based on metrics). Each CCM domain receives a maturity score. These scores are published on the STAR Registry, so potential customers can see not just that you are certified but how mature your controls are. This transparency is both a strength and a risk — a low maturity score is public. This is why genuine preparation matters more than rushing to get the certificate.
How does CSA STAR Level 2 relate to the upcoming EUCS scheme?
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is being developed under the EU Cybersecurity Act. While the final scheme is not yet published, early drafts reference the CCM and align with CSA STAR's control framework. Organizations that achieve CSA STAR Level 2 today will be well-positioned to transition to EUCS when it is finalized, as much of the groundwork — policies, controls, evidence collection processes — will transfer directly.
Can I use automation tools to prepare for CSA STAR Level 2?
Yes, and you should. Compliance automation platforms like Vanta, Drata, Secureframe, and Sprinto support CCM mapping and can automate evidence collection for many controls. However, automation tools cover the “what” but not the “how” or “why.” The assessor will still interview your team, test controls manually, and evaluate maturity. Automation speeds up preparation and ongoing compliance but does not replace the need for well-designed processes and knowledgeable people.
What happens after certification? What are the ongoing obligations?
For the certification track, your CSA STAR Level 2 certificate is valid for up to three years, with annual surveillance audits (similar to ISO 27001). You must maintain your controls, continue collecting evidence, and address any findings from surveillance audits. For the attestation track, the SOC 2 + CCM report must be renewed annually. In both cases, the CSA STAR Registry listing must be kept current. If your certificate lapses, your listing is removed from the registry — which procurement teams will notice.
Published: March 2026 · Author: Alexander Sverdlov
This article is for informational purposes only and does not constitute legal or professional advice. Certification requirements and timelines can vary based on your specific environment and chosen audit body. For personalized guidance on CSA STAR Level 2 certification, please consult a qualified security professional.

Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.