In short, STAR Certification can be considered an evolution of ISO/IEC 27001. It follows the same auditing rules and approach, and it integrates the control objectives of ISO/IEC 27002 with the controls of the CSA Cloud Controls Matrix (CCM). Moreover, it adds a Maturity Model on top of the standard ISO audit.
Note: ISO/IEC 27001 is considered a prerequisite for achieving STAR Certification.
The STAR Certification audit has to be conducted by an ISO/IEC 27001 Certification Body, and the auditors need additional qualifications demonstrating their competence in cloud security. The list of qualified STAR Certification auditors can be found on our website.
Typically, STAR Certification and ISO/IEC 27001 audits are conducted at the same time. The auditee simply extends the ISO/IEC 27001 Statement of Applicability to include the CCM controls.
The combined audit typically takes about 150% of the ISO/IEC 27001 auditing time. For instance, if your ISO audit takes ten days, the combined ISO/IEC 27001 + STAR Certification audit should take about 15 days. At the end of the process, you receive both the ISO and the CSA certificates.