INTRODUCTION
With the fully transparent publication of every audit process and results, EuroCloud StarAudit delivers valuable, relevant and reliable information concerning the quality of a StarAudit certified cloud service.
A published StarAudit Certificate and assessment report provide a profound decision basis for cloud customers that seek mature cloud services and therefore require a full scope of written, transparent and confirmed audit documentation.
The publication of these documents is one of the main differences compared to all other available cloud quality seals and a unique value proposition. It has been a core quality of EuroCloud StarAudit since the very beginning.
EUROCLOUD STARAUDIT - AUDIT EXECUTION
A EuroCloud StarAudit must be performed by accredited StarAudit Auditors (AA) in the name of an accredited StarAudit Audit Organisation (AAO). Only AA and AAO listed at staraudit.org/valid/ are eligible to perform audits.
EUROCLOUD STARAUDIT - AUDIT DOCUMENTATION
The relevant and obligatory documents for the audit documentation of a EuroCloud StarAudit are: the full version of the Assessment Report (AR), the Public Audit Report (PAR), the Confirmation of Compliance (CoC-AA) signed by each involved auditor, the Confirmation of Compliance (CoC-AAO) signed by a representative of the responsible Audit Organisation, and the StarAudit Certification - CSP Approval Process (CSP-AP).
All document templates can be downloaded in their most current versions from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code STAR-AA11-DOCS. All documents are delivered as digitally signed PDF documents only.
EUROCLOUD STARAUDIT - AUDIT PUBLICATION
The relevant and obligatory documents for a EuroCloud StarAudit publication are the EuroCloud StarAudit Certificate, the full version of the Assessment Report (AR), and the Public Audit Report (PAR).
EUROCLOUD STARAUDIT - AUDIT CERTIFICATE
A EuroCloud StarAudit Certificate is granted only if all relevant audit documents are made available by the AAO in their final versions without errors, have been approved and signed by the AAO and CSP, have been approved by the EuroCloud StarAudit directorate and are ready for publication online at staraudit.org/all-certificates/.
REVIEW PROCESS
Once the EuroCloud StarAudit directorate has received all certification-relevant documents from the AAO, the REVIEW PROCESS begins. The AAO must submit the full audit documentation (all documents and all references) at the same time (as a bundle) and already quality checked and signed. These documents are: all AA-CoC, AAO-CoC, PAR, AR and all reference documents. The EuroCloud StarAudit directorate will then review all submitted information within a period of two weeks. The StarAudit directorate will inform the AAO in case of any issues, questions or errors. This is done with the document Checklist StarAudit Certification Process. If there are errors in the audit documentation, the certification process begins anew with the submission of the updated audit documentation by the AAO.
CERTIFICATION PROCESS
Once the EuroCloud StarAudit directorate has fully reviewed and accepted the audit documentation, the CERTIFICATION PROCESS begins. A draft certificate will be issued and the AAO can start the approval process with the CSP by using the document StarAudit Certification - CSP Approval Process (CSP-AP).
APPROVAL PROCESS
Both the CSP and the AAO must sign the document StarAudit Certification - CSP Approval Process (CSP-AP) in order to approve the correct version, date and content of the StarAudit Assessment Report (AR) (in a final version) and the StarAudit Certificate (in a draft version). Signatures must be performed either as qualified digital signatures (government-confirmed) or manually. Scanned (image) signatures are not accepted.
PUBLICATION PROCESS
EuroCloud will issue and publish the StarAudit Certificate (final version) online at staraudit.org/all-certificates/ together with the Public Audit Report (PAR) and the full Assessment Report (AR). EuroCloud neither issues a StarAudit Self-Assessment Seal nor a EuroCloud StarAudit Certificate without full publication of all three approved and signed documents online.
VALIDATION DATES
The certificate is issued with a date (beginning of validity of certificate) no later than 1 week after the EuroCloud StarAudit directorate has received the signed document StarAudit Certification - CSP Approval Process (CSP-AP).
Should the period between the end of the activity of the auditors (which is documented in the CoC-AA) and the beginning of the CERTIFICATION PROCESS be longer than one month, the validity of the EuroCloud StarAudit Certificate for the first year will be reduced accordingly.
Example 1: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 March. Beginning of validity of the StarAudit Certificate: 15 March. End of validity of the StarAudit Certificate: 14 March of the following year.
Example 2: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 April. Beginning of validity of the StarAudit Certificate: 15 April. End of validity of the StarAudit Certificate: 14 March of the following year.
DOCUMENTATION
The certification process (between AAO and the EuroCloud StarAudit directorate) is documented using the document Checklist StarAudit Certification Process, which, like all other documents, can be downloaded in its most current version from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code STAR-AA11-DOCS. All documents are delivered as digitally signed PDF documents only.
CHECKLIST STARAUDIT CERTIFICATION PROCESS
The full process of a StarAudit certificate is documented in the file [SA] Checklist_StarAudit-Certification-Process, which is available for download in the Secure Data Room.
SECURE DATA ROOM
AAO are required to report every commissioned certification to the StarAudit Directorate. A secure area along with access to the Brainloop Secure Data Room will then be configured for the AAO for the commissioned certification process.
ASSESSMENT REPORT
A complete StarAudit Assessment Report must be transmitted to achieve certification, and the Assessment Report must be generated using the latest version of the StarAudit Assessment Tool available online. Reports generated with older versions of the Assessment Tool must be recompiled using the most recent online version of the Assessment Tool.
SCOPE OF CERTIFICATION
The requirements regarding the scope of a StarAudit audit process for certification of a cloud service are specified bindingly for all AAO by the StarAudit directorate and published under staraudit.org/home/audit-framework.
COMPLETENESS
In order to achieve complete certification, all controls of the selected StarAudit Level (3-5 stars) must be processed using the StarAudit Assessment Tool.
For controls that cannot be processed for justifiable reasons (value: "not applicable"), a plausible justification must be provided by the accredited auditor in the "Comments" field.
REFERENCES
For any controls where a reference to other documents is sensible, all reference documents must be listed in the "Comments" field. This applies in particular to documents through which the auditor was able to prove the correctness of the specified control results (documents provided by the cloud provider as proof or that were accessible to the auditor).
These documents must be uploaded to the Secure Data Room as PDF documents using a file name that corresponds to the respective control, e.g.: A01-S01-C01-Q01.pdf
This file name must also be specified in the "Comments" field, to allow easy correlation of the reference file to the respective control.
LEGAL AUDIT
Controls in Area 2 must be processed exclusively by auditors possessing explicit legal expertise. Such auditors may be practicing lawyers who possess a licence for the country for which legal compliance in the context of StarAudit is being certified and are accredited as AA-L.
CERTIFICATION FEE
The StarAudit directorate will bill the AAO for the certification fee according to the selected StarAudit Level. This fee must be paid in full to the bank account of EuroCloud StarAudit before the final certificate or refresh-certificate is issued and published on staraudit.org.
REFRESH CERTIFICATION
Since 2016, all StarAudit certificates are valid for 3 years instead of 2 years. A refresh certification (refresh) must be conducted annually to maintain the validity of the certificate. From 2017 on, this also applies to all older certificates.
AAO SELECTION
A refresh certification can be conducted by the original AAO or by a different AAO. There are no requirements by the StarAudit directorate in this regard; the decision is made entirely by the cloud provider as the customer of the respective AAO.
LIABILITY
After each successful refresh certification process, StarAudit will issue a new certificate. The new certificate will bear the name and logo of the AAO that conducted the refresh certification.
In the course of the refresh certification, a new complete Assessment Report, as well as all certification documents must be submitted to the StarAudit directorate. The AAO conducting the refresh certification is responsible for the entire contents of the new Assessment Report.
ACCESS TO DATA
If a refresh certification is conducted by a different AAO than the original certification, the new AAO will receive access to all reference documents stored in the StarAudit Secure Data Room.
Due to the sensitive nature of these documents, the mandate by the cloud provider to the AAO must be proven to the StarAudit directorate through transmission of a confirmation signed by the cloud provider.
If the cloud provider does not provide permission to disclose previous audit information to the new AAO that is conducting the refresh, all information relevant for the refresh Assessment Report will have to be compiled from scratch.
SPECIFICATIONS FOR REFRESH CERTIFICATION
StarAudit has defined the following framework requirements for refresh certifications:
- The refresh certification must have an extent (in man-days) of at least 1/3 of the extent of the original certification. The verified controls must be documented by the AAO. See the requirements for audits on the website: https://staraudit.org/home/audit-framework
- As the StarAudit criteria are under constant improvement, new or changed controls may have been published between the original audit and the refresh. Any new or changed controls must therefore be processed anew. The threshold date is the date of submission of the Assessment Report by the AAO, i.e. the current StarAudit catalogue at the time of submission is applicable.
- Area 1: The AAO that conducts the refresh is obligated to check all information in Area 1.
- Area 2: The AAO is required to check whether the contractual documents that were the basis of the checks in Area 2 are still the same; if not, the contractual documents must be re-audited.
- Area 3-7: The AAO is required to check whether there were any changes on the side of the cloud provider that affect controls in Areas 3-7; if yes, these controls must be processed anew and the Assessment Report adapted accordingly. During the refresh audit, the auditor should review all changes that have occurred since the last audit (new or changed key suppliers, changed regulations, cloud service improvements, DC improvements, etc.).
- The auditor should check whether and how any non-conformities found in the previous audit have been corrected.
- Every requirement of the StarAudit criteria shall be checked at least once during the certification cycle, and all changes (or improvements, corrective actions etc.) from the previous audit must be verified.
VALIDITY OF REFRESH CERTIFICATE
Following the receipt of complete payment of the certification fee, the new certificate will be issued and published by the StarAudit directorate, and will be valid for 1 year.
In regard to the overall validity of a StarAudit Certificate, this means that: In order to receive a StarAudit Certificate, an initial full audit must be performed. If the full audit is completed successfully, the cloud service receives a certificate that is valid for three years provided that the annual refresh audits are completed successfully. If a refresh audit is not performed or not completed successfully, the StarAudit Certificate automatically becomes invalid.
Example:
FULL AUDIT
- 31 December 2009: Full StarAudit audit is completed successfully
- 1 January 2010: StarAudit Certificate is issued (date on certificate is relevant)
- Basic validity of Certificate is 3 years with annual refresh obligation
REFRESH 1
- 31 December 2010: Refresh audit must be completed successfully
- 1 January 2011: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.
REFRESH 2
- 31 December 2011: Refresh audit must be completed successfully
- 1 January 2012: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.
- 31 December 2012: StarAudit Certificate loses its validity.
- This is the latest possible date to successfully complete a new full audit.
During the refresh audit, all mandatory audit elements as well as any audit-relevant changes to the cloud service and any audit elements that were commented on in the internal audit report during the previous audit must be checked.
The refresh audit confirms that the current state of the audited organisation conforms to the StarAudit criteria, and its procedure and requirements are identical to those of a full audit. A complete (all controls) Assessment Report must be published after every refresh audit. All other requirements are the same as for a full audit.
A refresh audit certificate is valid for one year. A new full audit must be performed after three years. The annual refresh audits should simplify this task significantly.
1st Certification: effort per activity by StarAudit level (*** = 3 stars, **** = 4 stars, ***** = 5 stars)

| Phase | Activity | Multiplication factor | Responsibility | Effort (h) *** | Effort (h) **** | Effort (h) ***** |
|---|---|---|---|---|---|---|
| Organisation | Overall coordination | | AAO | 3 | 4 | 6 |
| | Coordination auditor | | AAO | 3 | 6 | 6 |
| | Customer workshop to organize audit process | | AAO | 4 | 4 | 4 |
| Audit | Profile (Area 1) | | AAO | 2 | 2 | 2 |
| | Contract & Compliance (Area 2) | per country and/or per contract version | AA Legal | 8 | 12 | 16 |
| | Security and Data Privacy (Area 3) | per service | AA Sec/DP | 8 | 12 | 16 |
| | Operation & Infrastructure (Area 4) | per datacentre (5 stars already preset with 2 DC) | AA DC | 8 | 12 | 32 |
| | Processes (Area 5) | per service | AA BPM | 8 | 12 | 16 |
| | Application (Area 6IPS) | per service | AA CS | 8 | 12 | 16 |
| | GDPR (Area 7) | per service | AA Legal | 8 | 8 | 8 |
| | On-site audit | | AA Sec/DP/DC | 8 | 12 | 16 |
| | Analysing + editing audit reports | | all AA & ECE | 8 | 12 | 18 |
| | Analysing + editing audit reports | | AAO | 4 | 4 | 4 |
| | Written final audit report | | AAO | 4 | 4 | 4 |
| | Issuing of certificate + publication on ECE web | | ECE | flat | flat | flat |
| | Total effort (h) | | | 84 | 116 | 164 |
| | Effort in man-days | | | 11 | 15 | 21 |

Colour legend of the original table: green = multiplication factors; orange = mandatory effort for StarAudit audits.
Further remarks
The effort calculation is an average remuneration based on real certifications. The range may be adjusted by the Audit Organization for each certification offer by a maximum of +/- 30 %.
The Audit Organization is responsible for performing a complete audit and covering all StarAudit controls. This means that the auditor has to be capable of identifying to what extent a client is well prepared and can deliver existing certificates that match StarAudit controls. It is possible that existing certificates and reports are not sufficient, that not all StarAudit controls are covered, or that the scope of another audit has been too narrow and can therefore not substitute a full StarAudit assessment.
An existing Self-Assessment performed by the audit client is a prerequisite for any audit. The client performs the Self-Assessment so that the auditors can check whether the controls are fulfilled correctly and can verify the client's statements against submitted documents and on-site checks. This is a substantial support for the auditor and facilitates the preparation of the client and the communication between the client and the auditors as well as among the members of the audit team.
Existing and valid StarAudit awards in the cloud stack, e.g. "DC ready", may reduce the effort (and calculation) within Area 4 by up to 100 %.
Other DC certificates (e.g. Uptime Tier 3 or higher, eco DC Star Audit, TÜVIT, TIA 942) may be listed as 80-100 % equivalent.
Such certificates may also be nominated to StarAudit. They will be checked and, if approval can be given, they will be listed as official equivalents.
Qualifications for AA and AAO
EuroCloud Europe approves certification bodies for the StarAudit product. StarAudit is a global standard allowing organizations to show excellence in cloud service management. Therefore StarAudit applies a quality framework for auditors according to international audit standards.
Qualifications for Accredited Auditors (AA)
- Recommended: Evidence of a degree, diploma, or certificate issued by university
- Evidence of at least 4 years of relevant workplace experience, in an Information Security, IT Service, Legal, DC infrastructure, Software Development related position, reviewed and verified.
- Evidence of satisfactory completion of a recognized StarAudit Course (Certificate number)
- Candidate has read through and is aware of the requirements stated in Framework Conditions for Conducting of StarAudit Certification Processes. Instructions for Accredited StarAudit Organisations (AAO)
- Candidate is approved as a StarAudit trainee
- Recommended: Personal attributes as defined in ISO 19011 evaluated and found acceptable.
- Candidate demonstrates management capabilities appropriate to the role of auditor.
- Recommended: At least 1 complete StarAudit audit (initial or renewal, not surveillance) and 10 days of StarAudit audit experience as Observer under guidance of an approved StarAudit Lead Auditor.
Accredited Auditing Organization (AAO) Prerequisites
Note: Parts related to impartiality and independence, outsourcing, and general requirements for the certification bodies have been copied from ISO/IEC 17021-1:2015 and ISO/IEC 17020:2012.
- The AAO shall be a legal entity or a defined part of a legal entity that can be held legally responsible for all its certification activities.
- The AAO shall be approved by EuroCloud Europe and audited at least once a year by EuroCloud Europe.
- Conformity assessment activities shall be undertaken impartially. The AAO shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
- The AAO shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the AAO shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk. The demonstration shall cover all potential threats that are identified, whether they arise from within the AAO or from the activities of other persons, bodies or organizations. When a relationship poses an unacceptable threat to impartiality (such as a wholly owned subsidiary of the AAO requesting certification from its parent), then certification shall not be provided.
- An AAO shall not certify another AAO.
- The AAO and any part of the same legal entity and any entity under the organizational control of the AAO shall not offer or provide management system consultancy. (This does not preclude the possibility of exchange of information, e.g. explanation of findings or clarification of requirements, between the AAO and its clients.)
- The carrying out of internal audits by the AAO and any part of the same legal entity to its certified clients is a significant threat to impartiality. Therefore, the AAO and any part of the same legal entity and any entity under the organizational control of the AAO shall not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that the AAO shall not certify a management system on which it provided internal audits for a minimum of two years following the completion of the internal audits.
- In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the AAO to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
- The AAO shall have documentation which describes the activities for which it is competent.
- Where the AAO forms a part of a legal entity performing other activities, the relationship between these other activities and audit activities shall be defined.
- The AAO shall have documentation describing the contractual conditions under which it provides the audit service (performs audit process).
- The AAO shall define and document the competence requirements for all personnel involved in audit activities, including requirements for education, training, technical knowledge, skills and experience.
- The AAO shall have a process to achieve and demonstrate effective auditing, including the use of auditors and audit team leaders possessing generic auditing skills and knowledge, as well as skills and knowledge appropriate for auditing in specific technical areas. The AAO shall use the methods and procedures for auditing which are defined in the requirements against which audit is to be performed (ISO 19011 standard and relevant StarAudit criteria).
- The AAO shall have a process in which it describes the conditions under which outsourcing (which is subcontracting to another organization to provide part of the certification activities on behalf of the AAO) may take place. The AAO shall have a legally enforceable agreement covering the arrangements, including confidentiality and conflicts of interests, with each body that provides outsourced services.
- The AAO shall ensure that the AAO that provides outsourced services, and the individuals that it uses, conform to requirements of the AAO and are not involved, either directly or through any other employer, with an organization to be audited, in such a way that impartiality could be compromised.
- The AAO shall inform the client, in advance, of the information it intends to place in the public domain. All other information, except for information that is made publicly accessible by the client, shall be considered confidential.
- Personnel, including any committee members, contractors, personnel of external organizations or individuals acting on the AAO’s behalf, shall keep confidential all information obtained or created during the performance of the AAO’s activities except as required by law.
- The AAO shall establish procedures for internal audits to verify that it fulfils the requirements listed above and that the management system is effectively implemented and maintained. The internal audits shall be conducted at least once a year. (ISO 19011 provides guidelines for conducting internal audits).
- The AAO's top management shall establish procedures to review its management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness, including the stated processes and objectives related to the fulfilment of the requirements listed above. These reviews shall be conducted at least once a year.