Shared Assessments

Shared Assessments overview

The Shared Assessments Program (formerly known as BITS Shared Assessments) is used by many commercial, retail, and investment banks around the world as a proxy for managing their third-party vendor risk assessment process. Microsoft Azure aligns to the Program’s Standard Information Gathering (SIG) questionnaire and the Agreed Upon Procedures (AUP) by way of Azure’s CSA STAR Self-Assessment.

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) registry is a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

CSPs can submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the CCM. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

STAR provides two levels of assurance:

  • Level 1: Self-Assessment using the CAIQ
  • Level 2: Independent third-party certifications such as CSA STAR Certification and CSA STAR Attestation

For the CSA STAR Self-Assessment, Microsoft publishes CAIQ-based assessments for Azure, Dynamics 365, and Office 365.

The CCM maps to the Shared Assessments SIG v6.0 and AUP v5.0. Azure also maintains independent third-party certifications at the CSA STAR Level 2, including CSA STAR Certification and CSA STAR Attestation as documented in the STAR registry.

Note

CSA CCM v3.0.1 provides control mapping to SIG v6.0 and AUP 5.0. It is expected that the new CCM v4 will be updated to include this mapping as well.

Applicability

  • Azure

Attestation documents

Frequently asked questions

Which industry standards does the CSA CCM align with?
The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.

Why is the CSA STAR self-assessment important?
It enables CSPs to document compliance with CSA published best practices in a transparent manner. Self-assessment reports are publicly available, thereby helping you gain visibility into the security practices of CSPs, and compare various CSPs using the same baseline.

Resources