INTRODUCTION
With the fully transparent publication of every audit process and its results, EuroCloud StarAudit delivers valuable, relevant and reliable information concerning the quality of a StarAudit certified cloud service.
A published StarAudit Certificate and assessment report provide a sound basis for decisions by cloud customers that seek mature cloud services and therefore require a full set of written, transparent and confirmed audit documentation.
The publication of these documents is one of the main differences compared to all other available cloud quality seals and a unique value proposition. It has been a core quality of EuroCloud StarAudit since the very beginning.
EUROCLOUD STARAUDIT - AUDIT EXECUTION
A EuroCloud StarAudit must be performed by accredited StarAudit Auditors (AA) in the name of an accredited StarAudit Audit Organisation (AAO). Only AA and AAO listed at staraudit.org/valid/ are eligible to perform audits.
EUROCLOUD STARAUDIT - AUDIT DOCUMENTATION
The relevant and obligatory documents for a EuroCloud StarAudit Audit-Documentation are: the full version of the Assessment Report (AR), the Public Audit Report (PAR), the Confirmation of Compliance (CoC-AA) signed by each involved auditor, the Confirmation of Compliance (CoC-AAO) signed by a representative of the responsible Audit Organisation, and the StarAudit Certification - CSP Approval Process (CSP-AP).
All documents (templates) can be downloaded in their most current versions from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code: STAR-AA11-DOCS. All documents are delivered as digitally signed PDF documents only.
EUROCLOUD STARAUDIT - AUDIT PUBLICATION
The relevant and obligatory documents for a EuroCloud StarAudit publication are the EuroCloud StarAudit Certificate, the full version of the Assessment Report (AR), and the Public Audit Report (PAR).
EUROCLOUD STARAUDIT - AUDIT CERTIFICATE
A EuroCloud StarAudit Certificate is granted only if all relevant audit documents are made available by the AAO in their final versions without errors, have been approved and signed by the AAO and CSP, have been approved by the EuroCloud StarAudit directorate and are ready for publication online at staraudit.org/all-certificates/.
REVIEW PROCESS
Once the EuroCloud StarAudit directorate has received all certification-relevant documents from the AAO, the REVIEW PROCESS begins. The AAO must submit the full audit documentation (all documents and all references) at the same time (as a bundle) and already quality checked and signed. These documents are: all AA-CoC, AAO-CoC, PAR, AR and all reference documents. The EuroCloud StarAudit directorate will then review all submitted information within a period of two weeks. The StarAudit directorate will inform the AAO in case of any issues, questions or errors. This is done with the document Checklist StarAudit Certification Process. If there are errors in the audit documentation, the certification process begins anew with the submission of the updated audit documentation by the AAO.
CERTIFICATION PROCESS
Once the EuroCloud StarAudit directorate has fully reviewed and accepted the audit documentation, the CERTIFICATION PROCESS begins. A draft certificate will be issued and the AAO can start the approval process with the CSP by using the document StarAudit Certification - CSP Approval Process (CSP-AP).
APPROVAL PROCESS
Both the CSP and the AAO must sign the document StarAudit Certification - CSP Approval Process (CSP-AP) in order to approve the correct version, date and content of the StarAudit Assessment Report (AR) (in a final version) and the StarAudit Certificate (in a draft version). Signatures must be performed either as qualified digital signatures (government-confirmed) or manually. Scanned (image) signatures are not accepted.
PUBLICATION PROCESS
EuroCloud will issue and publish the StarAudit Certificate (final version) online at staraudit.org/all-certificates/ together with the Public Audit Report (PAR) and the full Assessment Report (AR). EuroCloud issues neither a StarAudit Self-Assessment Seal nor a EuroCloud StarAudit Certificate without full publication of all three approved and signed documents online.
VALIDATION DATES
The certificate is issued with a date (beginning of validity of certificate) no later than 1 week after the EuroCloud StarAudit directorate has received the signed document StarAudit Certification - CSP Approval Process (CSP-AP).
Should the period between the end of the activity of the auditors (which is documented in the CoC-AA) and the beginning of the CERTIFICATION PROCESS be longer than one month, the validity of the EuroCloud StarAudit Certificate for the first year will be reduced accordingly.
Example 1: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 March. Beginning of validity of the StarAudit Certificate: 15 March. End of validity of the StarAudit Certificate: 14 March of the following year.
Example 2: Activity of the auditors: 15 January - 15 February. Finalization of audit documentation by AAO, Review Process, Certification Process: 15 February - 1 April. Beginning of validity of the StarAudit Certificate: 15 April. End of validity of the StarAudit Certificate: 14 March of the following year.
DOCUMENTATION
The certification process (between AAO and the EuroCloud StarAudit directorate) is documented using the document Checklist StarAudit Certification Process, which, like all other documents, can be downloaded in its most current version from the StarAudit download interface staraudit.org/home/downloadinterface/ using the download code: STAR-AA11-DOCS. All documents are delivered as digitally signed PDF documents only.
CHECKLIST STARAUDIT CERTIFICATION PROCESS
The full process of a StarAudit certificate is documented in the file [SA] Checklist_StarAudit-Certification-Process, which is available for download in the Secure Data Room.
SECURE DATA ROOM
AAO are required to report every commissioned certification to the StarAudit Directorate. A secure area along with access to the Brainloop Secure Data Room will then be configured for the AAO for the commissioned certification process.
ASSESSMENT REPORT
A complete StarAudit Assessment Report must be transmitted to achieve certification, and the Assessment Report must be generated using the latest version of the StarAudit Assessment Tool available online. Reports generated with older versions of the Assessment Tool must be recompiled using the most recent online version of the Assessment Tool.
SCOPE OF CERTIFICATION
The requirements regarding the scope of a StarAudit audit process for certification of a cloud service are specified bindingly for all AAO by the StarAudit directorate and published under staraudit.org/home/audit-framework.
COMPLETENESS
In order to achieve complete certification, all controls of the selected StarAudit Level (3-5 stars) must be processed using the StarAudit Assessment Tool.
For controls that cannot be processed for justifiable reasons (value: "not applicable"), a plausible justification must be provided by the accredited auditor in the "Comments" field.
REFERENCES
For any controls where a reference to other documents is sensible, all reference documents must be listed in the "Comments" field. This applies in particular to documents through which the auditor was able to prove the correctness of the specified control results (documents provided by the cloud provider as proof or that were accessible to the auditor).
These documents must be uploaded to the Secure Data Room as PDF documents using a file name that corresponds to the respective control, e.g.: A01-S01-C01-Q01.pdf
This file name must also be specified in the "Comments" field, to allow easy correlation of the reference file to the respective control.
LEGAL AUDIT
Controls in Area 2 must be processed exclusively by auditors possessing explicit legal expertise. Such auditors may be practicing lawyers who possess a licence for the country for which legal compliance in the context of StarAudit is being certified and are accredited as AA-L.
CERTIFICATION FEE
The StarAudit directorate will bill the AAO for the certification fee according to the selected StarAudit Level. This fee must be paid in full to the bank account of EuroCloud StarAudit before the final certificate or refresh-certificate is issued and published on staraudit.org.
REFRESH CERTIFICATION
Since 2016, all StarAudit certificates are valid for 3 years instead of 2 years. A refresh certification (refresh) must be conducted annually to maintain the validity of the certificate. From 2017 on, this also applies to all older certificates.
AAO SELECTION
A refresh certification can be conducted by the original AAO or by a different AAO. There are no requirements by the StarAudit directorate in this regard; the decision is made entirely by the cloud provider as the customer of the respective AAO.
LIABILITY
After each successful refresh certification process, StarAudit will issue a new certificate. The new certificate will bear the name and logo of the AAO that conducted the refresh certification.
In the course of the refresh certification, a new complete Assessment Report, as well as all certification documents must be submitted to the StarAudit directorate. The AAO conducting the refresh certification is responsible for the entire contents of the new Assessment Report.
ACCESS TO DATA
If a refresh certification is conducted by a different AAO than the original certification, the new AAO will receive access to all reference documents stored in the StarAudit Secure Data Room.
Due to the sensitive nature of these documents, the mandate by the cloud provider to the AAO must be proven to the StarAudit directorate through transmission of a confirmation signed by the cloud provider.
If the cloud provider does not provide permission to disclose previous audit information to the new AAO that is conducting the refresh, all information relevant for the refresh Assessment Report will have to be compiled from scratch.
SPECIFICATIONS FOR REFRESH CERTIFICATION
StarAudit has defined the following framework requirements for refresh certifications:
- The refresh certification must have an extent (in man-days) of at least 1/3 of the extent of the original certification. The verified controls must be documented by the AAO. See the requirements for audits on the website: https://staraudit.org/home/audit-framework
- As the StarAudit criteria are under constant improvement, new or changed controls may have been published between the original audit and the refresh. Any new or changed controls must therefore be processed anew. The threshold date is the date of submission of the Assessment Report by the AAO, i.e. the current StarAudit catalogue at the time of submission is applicable.
- Area 1: The AAO that conducts the refresh is obligated to check all information in Area 1.
- Area 2: The AAO is required to check whether the contractual documents that were the basis of the checks in Area 2 are still the same; if not, the contractual documents must be re-audited.
- Area 3-7: The AAO is required to check whether there were any changes on the side of the cloud provider that affect controls in Areas 3-7; if yes, these controls must be processed anew and the Assessment Report adapted accordingly. During the refresh audit, the auditor should review all changes that have occurred since the last audit (new or changed key suppliers, changed regulations, cloud service improvements, DC improvements, etc.).
- The auditor should check whether and how any non-conformities found in the previous audit have been corrected.
- Every requirement of the StarAudit criteria shall be checked at least once during the certification cycle, and all changes (or improvements, corrective actions etc.) from the previous audit must be verified.
VALIDITY OF REFRESH CERTIFICATE
Following the receipt of complete payment of the certification fee, the new certificate will be issued and published by the StarAudit directorate, and will be valid for 1 year.
In regard to the overall validity of a StarAudit Certificate, this means that: In order to receive a StarAudit Certificate, an initial full audit must be performed. If the full audit is completed successfully, the cloud service receives a certificate that is valid for three years provided that the annual refresh audits are completed successfully. If a refresh audit is not performed or not completed successfully, the StarAudit Certificate automatically becomes invalid.
Example:
FULL AUDIT
- 31 December 2009: Full StarAudit audit is completed successfully
- 1 January 2010: StarAudit Certificate is issued (date on certificate is relevant)
- Basic validity of Certificate is 3 years with annual refresh obligation
REFRESH 1
- 31 December 2010: Refresh audit must be completed successfully
- 1 January 2011: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.
REFRESH 2
- 31 December 2011: Refresh audit must be completed successfully
- 1 January 2012: StarAudit Certificate is reissued. Refresh certificate is valid for 1 year.
- 31 December 2012: StarAudit Certificate loses its validity.
- This is the latest possible date to successfully complete a new full audit.
During the refresh audit, all mandatory audit elements as well as any audit-relevant changes to the cloud service and any audit elements that were commented on in the internal audit report during the previous audit must be checked.
The refresh audit confirms that the current state of the audited organisation conforms to the StarAudit criteria, and its procedure and requirements are identical to those of a full audit. A complete (all controls) Assessment Report must be published after every refresh audit. All other requirements are the same as for a full audit.
A refresh audit certificate is valid for one year. A new full audit must be performed after three years. The annual refresh audits should simplify this task significantly.
1st Certification (effort per StarAudit Level):

| Phase | Activity | Scope | Responsibility | Effort (h) *** | Effort (h) **** | Effort (h) ***** |
|---|---|---|---|---|---|---|
| Organisation | Overall Coordination | | AAO | 3 | 4 | 6 |
| Organisation | Coordination Auditor | | AAO | 3 | 6 | 6 |
| Organisation | Customer Workshop to organize audit process | | AAO | 4 | 4 | 4 |
| Audit | Profile (Area 1) | | AAO | 2 | 2 | 2 |
| Audit | Contract & Compliance (Area 2) | per country and/or per contract version | AA Legal | 8 | 12 | 16 |
| Audit | Security and Data Privacy (Area 3) | per Service | AA Sec/DP | 8 | 12 | 16 |
| Audit | Operation & Infrastructure (Area 4) | per Datacentre (5 Stars already pre-set with 2 DC) | AA DC | 8 | 12 | 32 |
| Audit | Processes (Area 5) | per Service | AA BPM | 8 | 12 | 16 |
| Audit | Application (Area 6IPS) | per Service | AA CS | 8 | 12 | 16 |
| Audit | On Site Audit | | AA SEC/DP/DC | 8 | 12 | 16 |
| Audit | Analysing + editing Audit reports | | all AA & ECE | 8 | 12 | 18 |
| Audit | | | AAO | 4 | 4 | 4 |
| Audit | Written final Audit report | | AAO | 4 | 4 | 4 |
| Certification | Issuing of Certificate + Publication on ECE Web | | ECE | flat | flat | flat |
| | Total effort (h) | | | 76 | 108 | 156 |
| | Effort in Mandays | | | 10 | 14 | 20 |

Legend (colour coding of the original table): green: multiplication factors; orange: mandatory effort for StarAudit audits.
Further remarks
The effort calculation is an average remuneration based on real certifications. The range may be adjusted by the Audit Organisation for each certification offer by a maximum of +/- 30 %.
The Audit Organisation is responsible for performing a complete audit and covering all StarAudit controls. This means that the auditor must be capable of identifying to what extent a client is well prepared and can deliver existing certificates that match StarAudit controls. It is possible that existing certificates and reports are not sufficient, that not all StarAudit controls are covered, or that the scope of another audit has been too narrow and can therefore not substitute a full StarAudit assessment.
An existing Self-Assessment performed by the audit client is a prerequisite for any audit. The client performs a Self-Assessment so that the auditors can check whether the controls are fulfilled correctly and verify the statements against submissions and on-site checks. This is a substantial support for the auditor and facilitates the preparation of the client and the communication between the client and the auditors as well as among the members of the audit team.
Existing and valid StarAudit awards in the cloud stack, e.g. "DC ready", may reduce the effort (and calculation) within Area 4 by up to 100%.
Other DC certificates (e.g. Uptime Tier 3 or higher, eco DC Star Audit, TÜVIT, TIA 942) may be listed as equivalent at 80-100%.
Such certificates may also be nominated to StarAudit. They will be checked and, if approval can be given, they will be listed as official equivalents.