ISO 27001 and CSA STAR are both frameworks designed to assess information security, though the latter relates specifically to cloud computing. Though they are designed to achieve similar goals, the two frameworks have some significant structural and procedural differences.
ISO 27001 is one of a series of standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission.
STAR is published by the Cloud Security Alliance, an industry body promoting security in cloud computing. It works with input from the cloud industry, governments and other relevant organisations.
Scope, Context and Purpose
ISO 27001 is part of a wider series of standards which all relate to information security in organisations. The three most important are:
- ISO 27000: an overview of the entire set of standards on the subject
- ISO 27001: a framework for establishing an information security management system (ISMS)
- ISO 27002: a list of specific security controls which might be relevant to include in the ISMS
STAR, which stands for the Security, Trust and Assurance Registry, is an industry-based assurance program. The Cloud Security Alliance promotes it as a way of checking an organisation’s security practices based on guidelines and goals that are specifically designed for, and relevant to, the cloud computing industry.
ISO 27001 has 13 sections in total. Several of these are administrative, such as one covering terms and definitions and another explaining how an ISMS fits the context of the organization. The remaining sections detail the key things the organization must do to make the ISMS compliant, namely:
- Have top management lead the way on the ISMS.
- Have adequate plans for identifying and addressing risks.
- Have adequate resources to support the ISMS.
- Document the steps taken under the ISMS.
- Monitor the performance of the ISMS.
- Identify and implement any necessary improvements.
ISO 27001 deals with the fundamentals of the ISMS, how the ISMS should be structured and the relevant security controls that should be considered by the organisation.
CSA STAR is based around two main documents. The Consensus Assessments Initiative Questionnaire (CAIQ) is a checklist of around 300 “yes or no” questions designed to cover all relevant aspects of a cloud computing provider’s security.
The Cloud Controls Matrix is a detailed set of security controls. These cover the following categories:
- Application & Interface Security
- Audit Assurance & Compliance
- Business Continuity Management & Operations Resilience
- Change Control & Configuration
- Data Security & Information Lifecycle Management
- Datacenter Access Management
- Encryption & Key Management
- Governance and Risk Management
- Human Resources
- Identity & Access Management
- Infrastructure & Virtualisation Security
- Interoperability & Portability
- Mobile Security
- Security Incident Management
- Supply Chain Management, Transparency and Accountability
- Threat & Vulnerability Management
Like most ISO standards, ISO 27001 assessment works through certification from an accredited registrar (the term for which may vary from country to country). Technically speaking it is the ISMS which is certified rather than the organisation. There’s no grading system: either the ISMS is certified or it is not.
Some countries have a recognised variant of ISO 27001 built into their own standards system. As long as the certification body is internationally recognised, an ISMS that achieves this national standard is treated as if it had been certified for ISO 27001.
CSA STAR has three levels of certification, each offering a greater degree of assurance than the one before. For levels one and two, organizations can choose different variants designed to interact with other regulations and standards.
Level one involves self-assessment, which requires the organization to either complete the Consensus Assessments Initiative Questionnaire or produce a report showing how it complies with the Cloud Controls Matrix. In both cases the document is made public so that third parties can examine the self-assessment.
The standard version of level one self-assessment is free of charge, while an optional variant that carries a fee can be used to show compliance with the relevant areas of the European Union’s General Data Protection Regulation.
Level two involves third-party examination of the organization’s security. This comes in three variants, each based on the Cloud Controls Matrix but designed to incorporate elements from another standard or framework:
- The “Attestation” variant incorporates elements of SOC 2 (Service Organization Control) from the American Institute of Certified Public Accountants.
- The “Certification” variant incorporates elements of ISO 27001.
- The “Assessment” variant incorporates elements of numerous Chinese national standards.
Level three involves continuous monitoring rather than a one-off assessment. At the time of writing level three was still being developed.
CSA STAR certification is designed to work as a customised variant of ISO 27001 for cloud computing providers. The idea is that the organization has an ISMS with the structure and general features covered by ISO 27001 and also the specific security controls covered by the CSA Cloud Controls Matrix.
An independent and accredited CSA certification body will audit the provider. In public terms, either the provider gets CSA STAR certified (and publicly listed as such) or it doesn’t.
However, the provider will also receive a more detailed report that includes a rating (No Rating, Bronze, Silver, Gold) for each of the categories in the Cloud Controls Matrix. This gives the provider insight into where it can make further improvements beyond simply achieving the certification.