Framework Conditions

With the fully transparent publication of every audit process and results, EuroCloud StarAudit delivers valuable, relevant and reliable information concerning the quality of a StarAudit certified cloud service.

A published StarAudit Certificate and assessment report provide a profound decision basis for cloud customers that seek mature cloud services and therefore require a full scope of written, transparent and confirmed audit documentation.

The publication of these documents is one of the main differences compared to all other available cloud quality seals and a unique value proposition. It has been a core quality of EuroCloud StarAudit since the very beginning.

A EuroCloud StarAudit must be performed by accredited StarAudit Auditors (AA) in the name of an accredited StarAudit Audit Organisation (AAO). Only AA and AAO listed at staraudit.org/valid/ are eligible to perform audits.

EUROCLOUD STARAUDIT - AUDIT DOCUMENTATION

The relevant and obligatory documents for a EuroCloud StarAudit Audit-Documentation are the full version of the Assessment Report (AR), and the Public Audit Report (PAR), the Confirmation if Compliance (CoC-AA) signed by each involved auditor, The Confirmation of Compliance (CoC-AAO) signed by a representative of the responsible Audit Organisation and the StarAudit Certification - CSP Approval Process (CSP-AP).

All documents (templates) can be downloaded in its most current version from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code: STAR-AA11-DOCS. All documents are delivered as digitally signed pdf documents only.

The relevant and obligatory documents for a EuroCloud StarAudit publication are the EuroCloud StarAudit Certificate, the full version of the Assessment Report (AR), and the Public Audit Report (PAR).

A EuroCloud StarAudit Certificate is granted only if all relevant audit documents are made available by the AAO in their final versions without errors, have been approved and signed by the AAO and CSP, have been approved by the EuroCloud StarAudit directorate and are ready for publication online at staraudit.org/all-certificates/

REVIEW PROCESS

Once the EuroCloud StarAudit directorate has received all certification-relevant documents from the AAO, the REVIEW PROCESS begins. The AAO must submit the full audit documentation (all documents and all references) at the same time (as a bundle) and already quality checked and signed. These documents are: all AA-CoC, AAO-CoC, PAR, AR and all reference documents. The EuroCloud StarAudit directorate will then review all submitted information within a period of two weeks. The StarAudit directorate will inform the AAO in case of any issues, questions or errors. This is done with the document Checklist StarAudit Certification Process. If there are errors in the audit documentation, the certification process begins anew with the submission of the updated audit documentation by the AAO.

CERTIFICATION PROCESS

Once the EuroCloud StarAudit directorate has fully reviewed and accepted the audit documentation, the CERTIFICATION PROCESS begins. A draft certificate will be issued and the AAO can start the approval process with the CSP by using the document StarAudit Certification - CSP Approval Process (CSP-AP).

APPROVAL PROCESS

Both the CSP and the AAO must sign the document StarAudit Certification - CSP Approval Process (CSP-AP) in order to approve the correct version, date and content of the StarAudit Assessment Report (AR) (in a final version) and the StarAudit Certificate (in a draft version). Signatures must be performed either as qualified digital signatures (government-confirmed) or manually. Scanned (image) signatures are not accepted.

PUBLICATION PROCESS

EuroCloud will issue and publish the StarAudit Certificate (final version) online at staraudit.org/all-certificates/ together with the Public Audit Report (PAR) and the full Assessment Report (AR). EuroCloud neither issues a StarAudit Self-Assessment Seal nor a EuroCloud StarAudit Certificate without full publication of all three approved and signed documents online.

VALIDATION DATES

The certificate is issued with a date (beginning of validity of certificate) no later than 1 week after the EuroCloud StarAudit directorate has received the signed document StarAudit Certification - CSP Approval Process (CSP-AP).

Should the period between the end of the activity of the auditors (which is documented in the CoC-AA) and the beginning of the CERTIFICATION PROCESS be longer than one month, the validity of the EuroCloud StarAudit Certificate for the first year will be reduced accordingly.

Example 1: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 March. Beginning of validity of the StarAudit Certificate: 15 March. End of validity of the StarAudit Certificate: 14 March of the following year.

Example 2: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 April. Beginning of validity of the StarAudit Certificate: 15 April. End of validity of the StarAudit Certificate: 14 March of the following year.

DOCUMENTATION

The certification process (between AAO and the EuroCloud StarAudit directorate) is documented using the document Checklist StarAudit Certification Process, which like all other documents can be downloaded in its most current version from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code: STAR-AA11-DOCS. All documents are delivered as digitally signed pdf documents only.

CHECKLIST STARAUDIT CERTIFICATION PROCESS

The full process of a StarAudit certificate is documented in the file [SA] Checklist_StarAudit-Certification-Process, which is available for download in the Secure Data Room.

SECURE DATA ROOM

AAO are required to report every commissioned certification to the StarAudit Directorate. A secure area along with access to the Brainloop Secure Data Room will then be configured for the AAO for the commissioned certification process.

ASSESSMENT REPORT

A complete StarAudit Assessment Report must be transmitted to achieve certification, and the Assessment Report must be generated using the latest version of the StarAudit Assessment Tool available online. Reports generated with older versions of the Assessment Tool must be recompiled using the most recent online version of the Assessment Tool. 

SCOPE OF CERTIFICATION

The requirements regarding the scope of a StarAudit audit process for certification of a cloud service are specified bindingly for all AAO by the StarAudit directorate and published under staraudit.org/home/audit-framework

COMPLETENESS

In order to achieve complete certification, all controls of the selected StarAudit Level (3-5 stars) must be processed using the StarAudit Assessment Tool. 

For controls that cannot be processed for justifiable reasons (value: "not applicable"), a plausible justification must be provided by the accredited auditor in the "Comments" field.

REFERENCES

For any controls where a reference to other documents is sensible, all reference documents must be listed in the "Comments" field. This applies in particular to documents through which the auditor was able to prove the correctness of the specified control results (documents provided by the cloud provider as proof or that were accessible to the auditor).

These documents must be uploaded to the Secure Data Room as PDF documents using a file name that corresponds to the respective control, e.g.: A01-S01-C01-Q01.pdf

This file name must also be specified in the "Comments" field, to allow easy correlation of the reference file to the respective control.

LEGAL AUDIT

Controls in Area 2 must be processed exclusively by auditors possessing explicit legal expertise. Such auditors may be practicing lawyers who possess a licence for the country for which legal compliance in the context of StarAudit is being certified and are accredited as AA-L.

CERTIFICATION FEE

The StarAudit directorate will bill the AAO for the certification fee according to the selected StarAudit Level. This fee must be paid in full to the bank account of EuroCloud StarAudit before the final certificate or refresh-certificate is issued and published on staraudit.org.

REFRESH CERTIFICATION

Since 2016, all StarAudit certificates are valid for 3 years instead of 2 years. A refresh certification (refresh) must be conducted annually to maintain the validity of the certificate. From 2017 on, this also applies to all older certificates.

AAO SELECTION

A refresh certification can be conducted by the original AAO or by a different AAO. There are no requirements by the StarAudit directorate in this regard; the decision is made entirely by the cloud provider as the customer of the respective AAO.

LIABILITY

After each successful refresh certification process, StarAudit will issue a new certificate. The new certificate will bear the name and logo of the AAO that conducted the refresh certification. 

In the course of the refresh certification, a new complete Assessment Report, as well as all certification documents must be submitted to the StarAudit directorate. The AAO conducting the refresh certification is responsible for the entire contents of the new Assessment Report. 

ACCESS TO DATA

If a refresh certification is conducted by a different AAO than the original certification, the new AAO will receive access to all reference documents stored in the StarAudit Secure Data Room. 

Due to the sensitive nature of these documents, the mandate by the cloud provider to the AAO must be proven to the StarAudit directorate through transmission of a confirmation signed by the cloud provider. 

If the cloud provider does not provide permission to disclose previous audit information to the new AAO that is conducting the refresh, all information relevant for the refresh Assessment Report will have to be compiled from scratch.

SPECIFICATIONS FOR REFRESH CERTIFICATION

StarAudit has defined the following framework requirements for refresh certifications:

1. The refresh certification must have an extent (in man-days) of at least 1/3 of the extent of the original certification. The verified controls must be documented by the AAO. See the requirements for audits on the website: https://staraudit.org/home/audit-framework
2. As the StarAudit criteria are under constant improvement, new or changed controls may have been published between the original audit and the refresh. Any new or changed controls must therefore be processed anew. The threshold date is the date of submission of the Assessment Report by the AAO, i.e. the current StarAudit catalogue at the time of submission is applicable.
3. Area 1: The AAO that conducts the refresh is obligated to check all information in Area 1.
4. Area 2: The AAO is required to check whether the contractual documents that were the basis of the checks in Area 2 are still the same; if not, the contractual documents must be re-audited.
5. Area 3-7: The AOO is required to check whether there were any changes on the side of the cloud provider that affect controls in Areas 3-7; if yes, these controls must be processed a new and the Assessment Report adapted accordingly. During the refresh audit, the auditor should review all changes having occurred since the last audit (new key suppliers changed, regulations changed, cloud service improvements, DC improvements, etc.).
6. The auditor should check whether and how any non-conformities found in the previous audit have been corrected.
7. Every requirement of the StarAudit criteria shall be checked at least once during the certification cycle, and all changes (or improvements, corrective actions etc.) from the previous audit must be verified.

VALIDITY OF REFRESH CERTIFICATE

Following the receipt of complete payment of the certification fee, the new certificate will be issued and published by the StarAudit directorate, and will be valid for 1 year.

In regard to the overall validity of a StarAudit Certificate, this means that: In order to receive a StarAudit Certificate, an initial full audit must be performed. If the full audit is completed successfully, the cloud service receives a certificate that is valid for three years provided that the annual refresh audits are completed successfully. If a refresh audit is not performed or not completed successfully, the StarAudit Certificate automatically becomes invalid.

Example:

FULL AUDIT

• 31 December 2009: Full StarAudit audit is completed successfully
• 1 January 2010: StarAudit Certificate is issued (date on certificate is relevant)
• Basic validity of Certificate is 3 years with annual refresh obligation

REFRESH 1

• 31 December 2010: Refresh audit must be completed successfully
• 1 January 2011: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.

REFRESH 2

• 31 December 2011: Refresh audit must be completed successfully
• 1 January 2012: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.
• 31 December 2012: StarAudit Certificate loses its validity.
• This is the latest possible date to successfully complete a new full audit.

During the refresh audit, all mandatory audit elements as well as any audit-relevant changes to the cloud service and any audit elements that were commented on in the internal audit report during the previous audit must be checked.

The refresh audit confirms that the current state of the audited organisation conforms to the StarAudit criteria, and its procedure and requirements are identical to those of a full audit. A complete (all controls) Assessment Report must be published after every refresh audit. All other requirements are the same as for a full audit.

A refresh audit certificate is valid for one year. A new full audit must be performed after three years. The annual refresh audits should simplify this task significantly.