Level 2 Submissions: Attestation
All STAR submissions, including CAIQ forms, Certifications, Attestations and others, are submitted through our STAR Submission form here. The form fields will update to reflect the correct fields when the type of submission is selected.
The Attestation submission form should be completed by the representative of the Organization who is being audited and not by the Auditor.
As part of the process, the Auditor should provide the information that needs to be submitted on the form to the Organization contact representative.
Note: You must have completed a Level 1 Self-Assessment submission prior to submitting a STAR Attestation.
Name and Email: We require that you use your name and your company email for these fields in order to keep the submissions for your organization secure. The email needs to be legitimate. Please note that the domain of your personal account and the company you are submitting for have to match.
Note: Your STAR account will be created within Cloud Security Alliance’s STAR Platform. If you already have an account under the provided name and email, your preexisting account will be associated with your submission.
Type of Registry Entry: Select the type of submission you are making (Attestation).
Specification: Select the specification for your type of registry entry (CCM).
Number of Employees in the Scope of the Audit: The number of employees in the scope of the audit is required for invoicing purposes. Select the appropriate range for the auditing organization.
Document Upload: No primary or supporting documentation is required for Attestation submissions. SOC reports should not be uploaded to the STAR registry and will be removed from the submission prior to posting to the STAR Registry.
Level 2 Submissions: Certification
Please fill out each section to completion.
Note: You must have completed a Level 1 Self-Assessment submission prior to submitting a STAR Certification.
The Level 2 Certification should be completed by the Auditor who is reviewing the Organization that is being submitted to the STAR Registry.
Certification Body: This information pertains to you, the submitter and employee of the certification body.
Name, Phone, and Email: We require that you use your name and your company email for these fields in order to keep the submissions for organizations secure. The email needs to be legitimate in order to receive a confirmation email from CSA. You will need to respond to the confirmation email in order for the entry to be posted to the registry.
Title: This is your official title within your organization (e.g. Information Security Officer).
Organization: This information pertains to the organization on whose behalf you are submitting.
Please request an adequate organization name, website, and description from the company before submitting.
Organization Name: This is the name of the organization you are making the submission for.
Organization Contact Name and Email: You must provide a point of contact for the organization for whom you are making the submission. The contact is the person who will “own” the registry entry and be contacted for any future questions concerning the entry. Their email needs to be a valid company email in order to receive a confirmation email from CSA.
Organization Website: This should be the URL of the main website of the organization you are making the submission for.
Organization Description: Please request an adequate organization description from the company before submitting. The description should be a brief summary of the organization itself. For example: “The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”
Cloud Service: Please request an adequate cloud service name, website, and description from the company before submitting.
Cloud Service Name: This is the name of the cloud service provided by the organization you are submitting for. The name can be the same as the company, but if the organization has a specific name for the service, we recommend using this instead.
Cloud Service Website (optional): This should be the URL for a page specific to the cloud service of the organization you are making the submission for. If there is not a specific site or page for the cloud service, this field can be left empty.
Cloud Service Description: The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch: “Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”
Specification: The specification for the type of registry entry you are submitting (i.e. STAR Certification or CSTAR Certification).
Number of Employees in the Scope of the Audit: The number of employees in the scope of the audit is required for invoicing purposes. Select the appropriate range for the auditee organization.
Primary Document: The primary document for Level 2 submissions must be the CSA STAR (https://cloudsecurityalliance.org/artifacts/csa-star-certification/) or CSTAR Intake Form. It must be filled out to completion. Be sure to use MM/DD/YYYY date formatting.
Supporting Document(s): We recommend that you attach your company STAR or CSTAR Certificate as a supplement to the CSA Intake Form. However, the certificate is not required in order for the entry to be posted to the registry.
Certification Body and Organization Confirmation: Once you have made your submission, both you and the point of contact from the organization will receive a confirmation email. You must respond to this email to confirm that this entry may be posted to the registry.
CSA Confirmation: Once all of these steps have been completed, your submission will be sent to the CSA STAR team for review. The STAR team will ensure that you have submitted using valid company emails, that your submission has adequate descriptions of the organization and cloud service, and that your primary CSA STAR Certification Intake Form document complies with the outlined standards. If there are any issues with your submission, you will receive an email from a member of the STAR team with requested changes. Once the team has received your submission, your entry will typically be reviewed and posted within five business days, barring any errors with the submission.
Level 2 Submissions: CoC for GDPR
You can find the instructions for submitting CoC for GDPR Self-Assessments here: https://cloudsecurityalliance.zendesk.com/knowledge/articles/11884527615639/en-us?brand_id=360003554053