For instructions on how to submit a STAR Level 2 Certification on Attestation, please see this page.
Level 1 Submissions: Self-Assessments
STAR Submission Form
All STAR submissions, including CAIQ forms, Certifications, Attestations, and others are submitted through our STAR submission form here.
Please fill out each section to completion
Name and Email: We require that you use your name and your company email for these fields in order to keep the submissions for your organization secure. The email needs to be legitimate. Only use lower-case letters in your email. Please note that the domain of your personal account and the company you are submitting for have to match. For further information please see section: First STAR Registry Submission.
Type of Registry Entry: Select the type of submission you are making (i.e. Level 1: STAR Self-Assessment, STAR Continuous Self-Assessment, GDPR CoC Self-Assessment).
Specification: Select the specification for your type of registry entry. For example, is your self-assessment a CAIQ self-assessment? Or is it a CoC for GDPR self-assessment?
DOCUMENT UPLOAD SPECIFICATIONS:
CAIQ Questionnaire Self-Assessment:
CAIQ is the questionnaire associated with the Cloud Control Matrix. The CAIQ provides a set of questions to determine if the CCM controls have been implemented.
All self-assessments must be submitted in the original format that Cloud Security Alliance provides. CCM self-assessments will not be accepted. Do not add or remove any columns or rows. The primary document must be submitted with the .xlsx extension. If you would like to submit an assessment in a modified PDF format, you may do so as a supporting document in addition to the required XLSX primary document.
Note: The information reported self-assessment must be truthful and not misleading.
First STAR Registry Submission:
Email Validation: Once you have submitted the primary submission form, you will receive an email to confirm your email address. By confirming your email, you agree to the creation of a STAR user account with the name and email provided. Once confirmed, you will be redirected to an organization selection form. If you choose to reject this email, your entry will not be submitted, and the account will not be created.
Create/Select Organization: You will notice a drop-down menu from which you can select your organization. Since you have never submitted to our registry before, it is likely that your organization will not be listed on the drop-down. Select the option to create a new organization.
Please completely fill the organization form. The description should be a brief summary of your organization itself (max 300 characters). For example:
“The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”
Service Selection: Once you have created and/or selected your organization, you will be redirected to a cloud service selection form. Please completely fill the cloud service form. The name can be the same as your company, but if you have a specific name for the service, we recommend using this instead. The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch:
“Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”
Organization Confirmation: You must complete all of these steps in order to submit your entry. Since this is your first submission to our registry, you will be automatically added to your organization’s employment record, and your entry will continue through to CSA confirmation.
Please see the instructions for a Level 1 Submission: CAIQ Self-Assessment. The process is identical but should be repeated monthly rather than annually
CoC for GDPR Self-Assessments:
The primary document must be the CSA PLA Code of Practice Template Annex 1. The supporting document must be the CSA PLA Code of Conduct (CoC): Statement of Adherence Self-Assessment. More information about CoC for GDPR can be found here: https://gdpr.cloudsecurityalliance.org/.
To ensure completeness of critical sections of the CoC and to facilitate the approval process, please make sure you have read through Part 2 of the CoC and the Q&A document, and ensure that your answers meet the recommendations made within. It is important that you not only call out that you comply with that section of the CoC and reference a standard, certification, or procedure, but that you also provide objective evidence. In particular, when addressing the security requirements (Data Security Measures) it is important that sophistication levels are declared, and that the submitter explains – if only at a high level – the measures the organization has put in place to meet the sophistication level they have identified, covering the points listed in the corresponding tables within the ENISA Technical Guidelines.