Key Takeaways
  • ISO 27017 and CSA STAR are complementary rather than competing frameworks — they serve different purposes in cloud security assurance.
  • CSA STAR Level 2 actually builds on ISO 27001 certification, making ISO 27001 + ISO 27017 a natural stepping stone to STAR.
  • CSA CCM v4 provides explicit mapping to ISO 27001 and ISO 27017 controls, enabling efficient cross-framework implementation.
  • The CSA STAR Registry provides public visibility that ISO certification alone does not — it is a searchable directory buyers actively use.
  • For maximum cloud security credibility, pursue ISO 27001 + ISO 27017 as the foundation, then add CSA STAR Level 2 for public registry visibility.

Overview

When positioning your cloud security posture, two frameworks frequently appear alongside SOC 2: ISO 27017 (as part of ISO 27001) and CSA STAR with the Cloud Controls Matrix (CCM). While some organizations view these as alternatives, they are actually highly complementary frameworks that, when combined, provide the strongest cloud security positioning available.

This article explains what each framework provides, how they map to each other, and the optimal strategy for pursuing them based on your market and customer requirements.

What is CSA STAR?

CSA STAR (Security, Trust, Assurance and Risk) is a cloud security assurance program developed by the Cloud Security Alliance (CSA). It provides a framework for cloud service providers to demonstrate their security posture through a tiered certification program.

Key characteristics of CSA STAR:

  • Cloud-focused: Designed exclusively for cloud service providers and their security practices
  • Tiered approach: Three levels of assurance from self-assessment to continuous monitoring
  • Public registry: Certified providers are listed on the publicly searchable CSA STAR Registry
  • Built on existing frameworks: Levels 2 and 3 build on ISO 27001 or SOC 2 rather than replacing them
  • Industry-driven: Developed by the CSA, a leading cloud security industry organization with broad industry participation

What is the Cloud Controls Matrix (CCM)?

The Cloud Controls Matrix (CCM) is the control framework that underpins CSA STAR. Currently in version 4, the CCM provides a comprehensive set of cloud security controls organized into 17 domains:

CCM v4 Control Domains

  1. Audit & Assurance (A&A) — Independent audit, compliance, and assurance processes
  2. Application & Interface Security (AIS) — Secure development and API security
  3. Business Continuity Management (BCM) — Resilience and recovery planning
  4. Change Control & Configuration Management (CCC) — Change processes and configuration baselines
  5. Cryptography, Encryption & Key Management (CEK) — Cryptographic controls and key lifecycle
  6. Datacenter Security (DCS) — Physical security of data center facilities
  7. Data Security & Privacy Lifecycle Management (DSP) — Data classification, protection, and lifecycle
  8. Governance, Risk & Compliance (GRC) — Governance structures and risk management
  9. Human Resources (HRS) — Personnel security and awareness
  10. Identity & Access Management (IAM) — Access control and identity lifecycle
  11. Interoperability & Portability (IPY) — Data portability and service interoperability
  12. Infrastructure & Virtualization Security (IVS) — Virtual infrastructure and network security
  13. Logging & Monitoring (LOG) — Security event logging and monitoring
  14. Security Incident Management (SEF) — Incident response and forensics
  15. Supply Chain Management (STA) — Third-party and supply chain security
  16. Threat & Vulnerability Management (TVM) — Vulnerability management and threat intelligence
  17. Universal Endpoint Management (UEM) — Endpoint security management

The CCM is designed as a meta-framework — it maps to multiple standards and regulations including ISO 27001, ISO 27017, ISO 27018, SOC 2, NIST CSF, PCI DSS, and GDPR. This cross-mapping capability is one of its greatest strengths.

CSA STAR Certification Levels

Level   | Name                   | Assessment Type                                                                       | Prerequisite                                  | Output
--------|------------------------|---------------------------------------------------------------------------------------|-----------------------------------------------|--------------------------------------------------------
Level 1 | Self-Assessment        | CSP completes CAIQ (Consensus Assessments Initiative Questionnaire) or CCM self-assessment | None                                      | Published on STAR Registry
Level 2 | Third-Party Assessment | Independent audit against CCM controls combined with ISO 27001 or SOC 2               | ISO 27001 or SOC 2                            | CSA STAR Certification or Attestation + STAR Registry
Level 3 | Continuous Monitoring  | Continuous automated monitoring and assessment                                        | Level 2 + continuous monitoring capability    | STAR Continuous certification + STAR Registry

CSA STAR Level 2 + ISO 27001

The most common path to CSA STAR Level 2 is through ISO 27001. The certification body audits your ISMS against both ISO 27001 requirements and CCM controls in a single engagement. If you already include ISO 27017 controls in your SoA, you will have significant coverage of CCM requirements already in place.

Side-by-Side Comparison

Aspect                  | ISO 27017 (via ISO 27001)                     | CSA STAR (with CCM)
------------------------|-----------------------------------------------|---------------------------------------------------------------
Developer               | ISO/IEC (international standards body)        | Cloud Security Alliance (industry organization)
Type                    | International standard (code of practice)     | Industry certification program
Cloud Specificity       | High — 7 cloud controls + extended guidance   | Very high — entirely cloud-focused
Control Framework       | ISO 27002 + 7 CLD controls                    | CCM v4 (197 controls across 17 domains)
Assessment              | Third-party certification audit               | Self-assessment (L1), third-party audit (L2), continuous (L3)
Public Visibility       | Certificate can be published                  | Listed on searchable STAR Registry
Relationship            | Extension to ISO 27001                        | Built on ISO 27001 or SOC 2
Shared Responsibility   | Required (CLD.6.3.1)                          | Addressed through CCM control domains
Cross-Framework Mapping | Aligns with ISO 27002 directly                | Maps to ISO 27001, ISO 27017, SOC 2, NIST, PCI DSS, GDPR
Market Recognition      | Strong globally (ISO brand)                   | Strong in cloud procurement (CSA brand)
Cost (incremental)      | $5,000-15,000 (added to ISO 27001 audit)      | $5,000-20,000 (Level 2 added to ISO 27001 audit)

CCM to ISO 27017 Control Mapping

CSA CCM v4 includes explicit mapping to ISO 27001 and ISO 27017. Here are the key alignments between ISO 27017 CLD controls and CCM domains:

ISO 27017 CLD Control               | CCM v4 Domain(s) | Key CCM Controls
------------------------------------|------------------|------------------------------------
CLD.6.3.1 — Shared Responsibilities | GRC, STA         | GRC-02, GRC-03, STA-02
CLD.8.1.5 — Asset Removal           | DSP, IPY         | DSP-04, DSP-17, IPY-01, IPY-04
CLD.9.5.1 — Virtual Segregation     | IVS              | IVS-03, IVS-06, IVS-09
CLD.9.5.2 — VM Hardening            | IVS, CCC         | IVS-04, IVS-05, CCC-01, CCC-02
CLD.12.1.5 — Admin Security         | IAM              | IAM-02, IAM-04, IAM-07, IAM-14
CLD.12.4.5 — Monitoring             | LOG              | LOG-01, LOG-03, LOG-05, LOG-09
CLD.13.1.4 — Network Alignment      | IVS              | IVS-01, IVS-06, IVS-09

This mapping demonstrates significant overlap. Organizations that have implemented ISO 27017 controls will find that a substantial portion of CCM requirements are already addressed. The incremental effort to achieve CSA STAR Level 2 is therefore relatively modest.

How ISO 27017 and CSA STAR Complement Each Other

ISO 27017 Provides the Certification Foundation

ISO 27001 with ISO 27017 provides a globally recognized, accredited certification. This carries the weight of an ISO standard — universally understood and accepted in procurement, regulation, and governance. It provides:

  • Formal management system certification with 3-year validity
  • Accredited third-party audit by a certification body
  • Cloud-specific controls audited as part of the ISMS
  • Global recognition and regulatory acceptance

CSA STAR Adds Cloud-Specific Visibility

CSA STAR adds several dimensions that ISO certification alone does not provide:

  • Public registry: The CSA STAR Registry is a searchable directory where buyers actively look for cloud provider security information. Your listing appears alongside major cloud providers.
  • CAIQ transparency: The published CAIQ responses provide buyers with detailed answers to cloud security questions without requiring NDA-protected reports.
  • Cloud-specific brand: The CSA brand is synonymous with cloud security, adding cloud-focused credibility beyond what "ISO 27001" conveys.
  • Maturity scoring: CSA STAR provides a maturity model that allows organizations to demonstrate improvement over time.

Together: Complete Cloud Security Positioning

The combination of ISO 27001 + ISO 27017 + CSA STAR Level 2 provides:

  • Formal management system certification (ISO 27001)
  • Cloud-specific security controls (ISO 27017)
  • Public registry visibility (CSA STAR)
  • Detailed cloud security transparency (CAIQ/CCM)
  • Cross-framework coverage for diverse buyer requirements

Which to Pursue: Decision Framework

Scenario 1: You Already Have ISO 27001

Recommended path: Add ISO 27017 controls to your SoA at the next surveillance or recertification audit. Then pursue CSA STAR Level 2, which builds directly on your ISO 27001 certification.

Incremental effort: Low to moderate. ISO 27017 adds 2-4 months of preparation; CSA STAR Level 2 adds 1-2 months beyond that.

Scenario 2: You Have Neither

Recommended path: Start with ISO 27001 + ISO 27017 as an integrated implementation. Once certified, add CSA STAR Level 1 (self-assessment) immediately for public registry presence, then pursue Level 2 at the next audit cycle.

Total timeline: 6-12 months for ISO 27001 + ISO 27017, then 1-3 months to add STAR Level 2.

Scenario 3: You Primarily Serve US Markets

Recommended path: Prioritize SOC 2 for US buyer requirements, then add CSA STAR Level 2 (attestation track) which builds on SOC 2. Consider ISO 27001 + ISO 27017 when international expansion is planned.

Scenario 4: You Need Maximum Credibility Fast

Recommended path: Pursue ISO 27001 + ISO 27017 and register for CSA STAR Level 1 (self-assessment) immediately. The self-assessment provides public STAR Registry presence while the ISO certification is in progress. Upgrade to STAR Level 2 once ISO 27001 is achieved.

Market Positioning Strategy

For Cloud Service Providers

The optimal cloud security positioning stack for CSPs serving global markets:

  1. Foundation: ISO 27001 certification — management system credibility
  2. Cloud Layer: ISO 27017 controls in SoA — cloud-specific security assurance
  3. Visibility Layer: CSA STAR Level 2 — public registry and cloud brand association
  4. US Market Layer: SOC 2 Type II — North American buyer satisfaction

This four-layer approach covers every major buyer requirement globally. Each layer builds on the previous one, making the incremental effort for each subsequent certification relatively modest.

For Cloud Service Customers

CSCs can use these frameworks as evaluation criteria when assessing providers:

  • Minimum bar: ISO 27001 certification with cloud services in scope
  • Better: ISO 27001 + ISO 27017 controls referenced on the certificate
  • Best: ISO 27001 + ISO 27017 + CSA STAR Level 2 listing on the registry
  • US-focused: SOC 2 Type II with Security + Availability criteria

The STAR Registry is a particularly useful tool for cloud service customers. It provides a centralized, searchable directory where you can evaluate potential providers' cloud security posture before engaging in formal procurement. Use it early in vendor evaluation to shortlist providers.

Frequently Asked Questions

What is the difference between ISO 27017 and CSA STAR?

ISO 27017 provides cloud-specific security controls within the ISO 27001 framework. CSA STAR is a cloud security assurance program with multiple levels based on the Cloud Controls Matrix (CCM). ISO 27017 is a standard; CSA STAR is a certification program that builds on existing certifications like ISO 27001.

Can I map ISO 27017 controls to CSA CCM?

Yes. CSA CCM v4 includes explicit mapping to ISO 27001 and ISO 27017. Many controls overlap, and the CCM mapping can be used to demonstrate coverage across both frameworks. This is particularly useful when pursuing CSA STAR Level 2 based on ISO 27001.

Should I pursue ISO 27017 or CSA STAR?

They complement rather than replace each other. ISO 27001 with ISO 27017 provides the certification foundation. CSA STAR adds cloud-specific visibility through the public STAR Registry. CSA STAR Level 2 actually requires ISO 27001 or SOC 2, making ISO 27001 + ISO 27017 a natural stepping stone.

What is CSA STAR Level 2?

CSA STAR Level 2 is a third-party assessment that combines ISO 27001 certification or SOC 2 attestation with assessment against the CSA Cloud Controls Matrix (CCM). It results in a CSA STAR Certification or Attestation listed on the public CSA STAR Registry, providing buyers with verified cloud security assurance.

Is CSA STAR recognized internationally?

Yes. CSA STAR has global recognition, particularly in cloud-focused procurement. The STAR Registry is publicly accessible and used by buyers worldwide to evaluate cloud provider security. It is most recognized in North America and Europe but has growing adoption in APAC and the Middle East.