EuroCloud Europe (ECE) runs the StarAudit program, also known as the StarAudit Stream. StarAudit is a global standard that allows organizations to document the quality of their cloud service management, either by performing a StarAudit Self-Assessment or by undergoing a full audit process that results in a StarAudit certificate.
CHECKLIST STARAUDIT CERTIFICATION PROCESS
The full StarAudit certification process is documented in the file [SA] Checklist_StarAudit-Certification-Process, which is available for download in the Secure Data Room.
SECURE DATA ROOM
Accredited Audit Organisations (AAOs) are required to report every commissioned certification to the StarAudit Directorate. A secure area in the Brainloop Secure Data Room, with access for the AAO, will then be configured for the commissioned certification process.
AAO CERTIFICATION DOCUMENTS
The currently valid certification documents that the AAO must submit together with the Assessment Report are:
- StarAudit-AA-CoC Auditor Confirmation of Compliance
- StarAudit-AAO-CoC Audit Organisation Confirmation of Compliance
- StarAudit-AAO-PAR Public Audit Report
The certification documents can be downloaded at any time from the StarAudit download interface at https://staraudit.org/home/downloadinterface/ using the download code STAR-AAO1-DOCS.
Other documents stored in the Secure Data Room:
- Checklist for StarAudit Certification Process
- Framework Conditions for Conducting StarAudit Certification Processes: Instructions for Accredited StarAudit Organizations
- StarAudit Certification Approval Process
Always use the version of these documents that is current at the time the certification is completed.
Each certification document must be personally signed and stamped with the AAO's company stamp; scanned signatures are not valid. The signed certification documents must then be sent to the StarAudit Directorate by email, together with the Assessment Report, to firstname.lastname@example.org
A complete StarAudit Assessment Report must be submitted to achieve certification, and it must be generated with the latest version of the online StarAudit Assessment Tool. Reports generated with older versions of the tool must be recompiled using the most recent online version.
SCOPE OF CERTIFICATION
The requirements for the scope of a StarAudit audit process for certification of a cloud service are specified by the StarAudit Directorate, are binding for all AAOs, and are published at https://staraudit.org/home/audit-framework
To achieve complete certification, all controls of the selected StarAudit Level (3 to 5 stars) must be processed using the StarAudit Assessment Tool.
For controls that cannot be processed for justifiable reasons (value: "not applicable"), the accredited auditor must provide a plausible justification in the "Comments" field.
For any control where a reference to other documents is useful, all reference documents must be listed in the "Comments" field. This applies in particular to the documents through which the auditor verified the correctness of the specified control results (documents provided by the cloud provider as evidence, or otherwise accessible to the auditor).
These documents must be uploaded to the Secure Data Room as PDF files, using a file name that corresponds to the respective control, e.g. A01-S01-C01-Q01.pdf
This file name must also be given in the "Comments" field so that the reference file can easily be correlated with the respective control.
Controls in Area 2 must be processed exclusively by auditors with explicit legal expertise. Such auditors may be practising lawyers who hold a licence for the country for which legal compliance in the context of StarAudit is being certified and who are accredited as AA-L.
After submission and evaluation of all documents, the StarAudit Directorate issues a Draft Certificate, which the AAO must check for correctness.
The certificate will always include the name of the AAO as well as its logo.
The StarAudit Directorate bills the AAO for the certification fee according to the selected StarAudit Level. This fee must be paid in full to the bank account of EuroCloud StarAudit before the final certificate or refresh certificate is issued and published on staraudit.org.
Since 2016, all StarAudit certificates are valid for 3 years instead of 2 years. A refresh certification (refresh) must be conducted annually to maintain the validity of the certificate. From 2017 on, this also applies to all older certificates.
A refresh certification can be conducted by the original AAO or by a different AAO. The StarAudit Directorate imposes no requirements in this regard; the decision rests entirely with the cloud provider as the customer of the respective AAO.
After each successful refresh certification process, StarAudit will issue a new certificate. The new certificate will bear the name and logo of the AAO that conducted the refresh certification.
For the refresh certification, a new complete Assessment Report and all certification documents must be submitted to the StarAudit Directorate. The AAO conducting the refresh certification is responsible for the entire content of the new Assessment Report.
ACCESS TO DATA
If a refresh certification is conducted by a different AAO than the original certification, the new AAO receives access to all reference documents stored in the StarAudit Secure Data Room.
Because these documents are sensitive, the cloud provider's mandate to the new AAO must be proven to the StarAudit Directorate by transmitting a confirmation signed by the cloud provider.
If the cloud provider does not grant permission to disclose the previous audit information to the new AAO conducting the refresh, all information relevant to the refresh Assessment Report has to be compiled from scratch.
SPECIFICATIONS FOR REFRESH CERTIFICATION
StarAudit has defined the following framework requirements for refresh certifications:
- The refresh certification must have an extent (in man-days) of at least 1/3 of the extent of the original certification. See the requirements for audits on the website: staraudit.org/home/audit-framework
- As the StarAudit criteria are under constant improvement, new or changed controls may have been published between the original audit and the refresh. Any new or changed controls must therefore be processed anew. The cut-off date is the date on which the AAO submits the Assessment Report, i.e. the StarAudit catalogue current at the time of submission applies.
- Area 1: The AAO that conducts the refresh is obligated to check all information in Area 1.
- Area 2: The AAO is required to check whether the contractual documents on which the Area 2 checks were based are still the same; if not, the contractual documents must be re-audited.
- Areas 3-6: The AAO is required to check whether there were any changes on the cloud provider's side that affect controls in Areas 3-6; if so, these controls must be processed anew and the Assessment Report adapted accordingly. During the refresh audit, the auditor should review all changes that have occurred since the last audit (changes of key suppliers, changed regulations, cloud service improvements, data centre improvements, etc.).
- The auditor should check whether, and how, any non-conformities found in the previous audit have been corrected.
- Every requirement of the StarAudit criteria shall be checked at least once during the certification cycle, and all changes (improvements, corrective actions, etc.) since the previous audit must be verified.
VALIDITY OF REFRESH CERTIFICATE
Once the certification fee has been paid in full, the StarAudit Directorate issues and publishes the new certificate, which is valid for 1 year.
| 1st Certification | Multiplier | Responsibility | Effort (h): 3 stars | 4 stars | 5 stars |
|---|---|---|---|---|---|
| Customer workshop to organize the audit process | | AAO | 4 | 4 | 4 |
| Contract & Compliance (Area 2) | per country and/or per contract version | AA Legal | 8 | 12 | 16 |
| Security and Data Privacy (Area 3) | per service | AA Sec/DP | 8 | 12 | 16 |
| Operation & Infrastructure (Area 4) | per data centre (5 stars pre-set with 2 DCs) | AA DC | 8 | 12 | 32 |
| Processes (Area 5) | per service | AA BPM | 8 | 12 | 16 |
| Application (Area 6) | per service | AA CS | 8 | 12 | 16 |
| On-site audit | | AA Sec/DP/DC | 8 | 12 | 16 |
| Analysing and editing audit reports | | all AA & ECE | 8 | 12 | 18 |
| Written final audit report | | AAO | 4 | 4 | 4 |
| Issuing of certificate + publication on ECE web | | ECE | flat | flat | flat |
| Effort in man-days | | | 10 | 14 | 20 |
The "Multiplier" column (green in the original table) gives the multiplication factors; the effort columns (orange in the original table) give the mandatory effort for StarAudit audits.
The effort figures are averages, derived from real certifications, on which remuneration is based. The audit organisation may adjust them for an individual certification offer by at most ±30 %.
The audit organisation is responsible for performing a complete audit that covers all StarAudit controls. The auditor must therefore be able to determine how well a client is prepared and whether the client can present existing certificates that match StarAudit controls. Existing certificates and reports may be insufficient: they may not cover all StarAudit controls, or the scope of the other audit may have been too narrow, so that they cannot substitute for a full StarAudit assessment.
An existing Self-Assessment performed by the audit client is a prerequisite for any audit. The client performs the Self-Assessment so that the auditors can check whether the controls are fulfilled correctly and verify the client's statements against the submitted evidence and on-site checks. This substantially supports the auditor, facilitates the client's preparation, and eases communication between the client and the auditors as well as among the members of the audit team.
Existing and valid StarAudit awards in the cloud stack, e.g. "DC ready", may reduce the effort (and its calculation) within Area 4 by up to 100 %.
Other data centre certificates (e.g. Uptime Tier 3 or higher, eco DC Star Audit, TÜVIT, TIA 942) may be listed as 80-100 % equivalent.
Such certificates may also be nominated to StarAudit. They will be checked and, if approval can be given, listed as official equivalents.