Security Standards Selection

Image Credit: CSA

The Cloud Security Alliance (CSA) divides the Security, Trust & Assurance Registry (STAR) program into three levels:

  1. CSA STAR Level 1: Self-assessment
  2. CSA STAR Level 2: Third-Party Certification
    • CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix.
    • The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider.
  3. CSA STAR Level 3: Full Cloud Assurance and Transparency

The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.

Source: Google

System and Organization Controls (SOC)

According to the AICPA, “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.” (AICPA)

SOC 3 refers to “system and organization controls (SOC) for service organizations: trust services criteria for general use report.” SOC 3 reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed. (AICPA: SOC3)

Service Organization Control (SOC)
Service Organization Control (SOC)

ISO/IEC 27001:2013

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.” (ISO)


Self-assessment and NIST CSF

Self-declaration based on self-assessment seems silly. However, it is a legitimate means and does provide some extent or low degree of assurance. Moreover, and it is a common practice. NIST Cybersecurity Framework (CSF) is a voluntary framework, initiated by Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. There is no certification program to assess the compliance of NIST CSF so far, so it’s reasonable to use self-assessment and self-declaration.

Assurance, Attestation, and Audit (Image Credit: CheggStudy)

What is Assurance?

For security engineering, “assurance” is defined as the degree of confidence that the security needs of a system are satisfied. … Confidence is realized by reviewing the assurance evidence gained through assessment processes and activities during development, deployment and operation and through experience gained in using the IT system. Any activities that can reduce uncertainty by producing evidence attesting to the correctness, effectiveness and quality of the IT system’s attributes are useful in determining security assurance.

Source: Haris Hamidovic

Assurance Services

The International Federation of Accountants (IFAC) definition of an assurance engagement:

An engagement in which a practitioner aims to obtain sufficient, appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information.

Assurance Methods

Assurance methods produce specific types of assurance depending on their technical and life-cycle focus. Some of the more widely known assurance methods for a given focus include:

ISO/IEC 21827—Assurance focus on quality and development process
Developer’s pedigree—Assurance focus on branding; recognition that a company produces quality deliverables (based on historical relationship or data)
Warranty—Assurance focus on insurance, supported by a manufacturer’s promise to correct a flaw in a deliverable
Supplier’s declaration—Assurance focus on self-declaration
Professional certification and licensing—Assurance focus on personnel expertise and knowledge
ISO/IEC 14598-1 Information technology—Software product evaluation—Part 1: General overview—Assurance focus on direct assessment of deliverable
ISO/IEC 27001—Assurance focus on security management

Source: Haris Hamidovic



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Leave a Reply