Back to Blog
testimonial-strategy
csa-star-certification
cloud-security-alliance
cloud-controls-matrix
ccm
continuous-monitoring
multi-level-attestation

When a Customer Completes CSA STAR Certification — Testimonial Wall Strategy for Cloud Security Posture, Multi-Level Attestation, and Continuous-Monitoring Disclosure

ProofShow Team··9 min read

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program is the most widely adopted cloud-specific assurance framework in the global enterprise market, with more than two thousand listed organizations in the STAR Registry as of 2026. The program is structured as a three-level assurance scheme: Level 1 is a publicly published self-assessment against the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ); Level 2 is a third-party certification or attestation that combines the CCM with an underlying standard (most commonly ISO 27001 for STAR Certification, or SOC 2 Type II for STAR Attestation); and Level 3 is a continuous monitoring program that publishes near-real-time control performance metrics rather than point-in-time attestations. A customer that has completed any level of STAR has made specific claims about their cloud security posture, the scope of cloud services covered, and the underlying standard against which the controls were assessed.

From a customer-success and testimonial-wall perspective, a CSA STAR milestone differs structurally from the SOC 2 audit, ISO 27001 certification, FedRAMP authorization, and HITRUST CSF certification milestones in five ways. First, STAR is cloud-specific — the Cloud Controls Matrix is constructed for cloud service provider and cloud consumer contexts, and the assessment scope must be defined in terms of cloud services rather than corporate operations. Second, STAR is multi-level, and the testimonial wall must communicate the achieved level explicitly because Level 1, Level 2, and Level 3 represent materially different assurance commitments. Third, STAR Level 2 inherits the underlying standard's attestation type (point-in-time for ISO 27001, period-of-time for SOC 2), and the testimonial language must reflect the underlying standard's temporal model. Fourth, the STAR Registry is publicly searchable, which means testimonial claims are independently verifiable in a way that some other compliance milestones are not. Fifth, Level 3 continuous monitoring creates an ongoing publication obligation that interacts with testimonial-wall maintenance differently from periodic recertification.

This guide separates the CSA STAR journey into five phases, explains the testimonial-wall risks in each phase, and provides per-phase playbooks calibrated to the program's specific multi-level mechanics and Registry publication expectations.

The five phases of a CSA STAR journey

A typical CSA STAR Level 2 certification journey for a cloud service provider runs eight to twelve months from initial CCM scoping through Registry listing.

Phase 1: CCM and CAIQ scoping. The customer reviews the Cloud Controls Matrix domains and control objectives, maps each domain to existing controls, identifies coverage gaps, and completes the Consensus Assessment Initiative Questionnaire (CAIQ) for the cloud services in scope. The phase produces the CAIQ document and the gap-remediation plan. The customer also selects the target STAR level (Level 1 self-assessment, Level 2 certification or attestation, Level 3 continuous monitoring).

Phase 2: Underlying standard alignment. For Level 2, the customer aligns the CCM controls with the underlying standard (ISO 27001 Annex A controls for STAR Certification, SOC 2 Trust Service Criteria for STAR Attestation). The phase produces the integrated control catalog that the certification or attestation body will assess. For Level 1, the phase is reduced to internal review of the CAIQ for public publication.

Phase 3: Assessment execution. For Level 2, the certification or attestation body conducts the assessment (a Stage 1 and Stage 2 audit for STAR Certification, a Type II readiness review and audit for STAR Attestation). For Level 1, the phase is the internal validation of the self-assessment before submission. For Level 3, the phase is the design and instrumentation of the continuous monitoring program. The phase produces the assessment report or the self-assessment document.

Phase 4: STAR Registry submission and listing. The customer submits the assessment outputs to the CSA STAR Registry. CSA reviews the submission, lists the organization on the Registry with the assessed level, and assigns the listing a unique identifier. The phase produces the Registry listing.

Phase 5: Registry maintenance and renewal. Level 1 listings have a one-year validity and require annual renewal. Level 2 Certification listings have a three-year validity with annual surveillance audits. Level 2 Attestation listings have a one-year validity tied to the SOC 2 Type II report period. Level 3 listings require ongoing continuous monitoring publication. The phase has no end-date and produces a steady-state listing-and-renewal cycle.

Each phase has distinct testimonial-wall risks and opportunities. The largest risk across all phases is the conflation of "we are STAR-certified" with the specific level achieved — Level 1 self-assessment, Level 2 third-party certification, and Level 3 continuous monitoring represent very different assurance commitments, and the testimonial wall must communicate the achieved level precisely.

Per-phase playbook for the testimonial wall

Phase 1: CCM and CAIQ scoping

During the CCM scoping phase, the testimonial wall faces a premature-claim risk and a scope-precision risk.

First, do not publish any testimonial that references "CSA STAR" until the appropriate phase milestone is achieved. For Level 1, the milestone is the Registry listing of the self-assessment. For Level 2, the milestone is the issued certification or attestation. For Level 3, the milestone is the Registry listing with the continuous monitoring designation. The remediation is to defer all STAR-specific testimonial publication until the listing is live and verifiable in the Registry.

Second, prepare for scope precision. The Cloud Controls Matrix is scoped per cloud service offering. A customer that operates multiple cloud services may certify only a subset, and the testimonial wall must reflect the certified subset. The remediation is to draft testimonial copy that explicitly names the certified cloud services rather than implying organization-wide coverage.

Phase 2: Underlying standard alignment

During the underlying-standard alignment phase, the testimonial wall faces an underlying-standard-disclosure risk.

First, prepare to disclose the underlying standard for Level 2. STAR Certification is built on ISO 27001, and STAR Attestation is built on SOC 2. A testimonial that names "STAR Level 2" without disclosing the underlying standard creates ambiguity about the assurance type — point-in-time versus period-of-time, certification versus attestation. The remediation is to draft testimonial copy that names both the STAR level and the underlying standard (for example, "STAR Level 2 Certification based on ISO 27001").

Second, do not pre-announce. Even when CCM alignment is complete and the assessment is scheduled, the certification or attestation is not yet issued. Pre-announcement creates risk if a major nonconformity surfaces in the assessment and the listing is delayed. The remediation is to defer announcement until the Registry listing is live.

Phase 3: Assessment execution

During assessment execution, the testimonial wall faces an assessor-relationship risk and a finding-disclosure risk.

First, do not name the certification body, attestation firm, or individual assessor without consent. Certification and attestation organizations have specific marking and reference rules, and individual assessors typically have client-confidentiality policies. The remediation is to follow the issuing organization's published marking rules and to seek explicit consent before naming individuals.

Second, treat assessment findings as confidential. The assessment report may identify nonconformities, observations, or opportunities for improvement that were corrected before issuance. Even when certification is ultimately issued, the existence of in-process findings should not be referenced in marketing copy. The remediation is to draft testimonial copy that references the listing outcome, not the assessment-process details.

Phase 4: STAR Registry submission and listing

During Registry submission, the testimonial wall faces a Registry-link consistency risk.

First, link testimonial copy to the live Registry listing. The CSA STAR Registry is publicly searchable, and STAR-claiming testimonials should be accompanied by a verifiable Registry link or listing identifier. The remediation is to include the Registry listing reference in testimonial copy and to validate that the link resolves to the correct listing.

Second, match the testimonial copy to the listed scope. The Registry listing specifies the cloud services covered, the assessed level, and (for Level 2) the underlying standard. Testimonial copy that overstates scope beyond the listing creates a verifiable misalignment. The remediation is to draft testimonial copy that uses the Registry listing language as the source of truth for scope claims.

Phase 5: Registry maintenance and renewal

During Registry maintenance, the testimonial wall faces a temporal-validity risk and a Level-3 publication-currency risk.

First, date-stamp and refresh. Level 1 listings expire annually, Level 2 Certification listings cover a three-year cycle with surveillance, and Level 2 Attestation listings expire annually with the underlying SOC 2 report period. A testimonial published in year one but visible after expiration creates a stale-attestation risk. The remediation is to date-stamp STAR-claiming testimonials and to include a refresh process at each renewal cycle.

Second, for Level 3, maintain publication currency. Level 3 continuous monitoring requires ongoing publication of control performance metrics. A testimonial that claims Level 3 must be backed by current published metrics, not by metrics published at the initial listing date. The remediation is to align testimonial-wall maintenance with the Level 3 publication cadence.

What to publish and what to omit

Testimonials about a CSA STAR milestone should publish: the achieved STAR level (with explicit naming of Level 1, Level 2, or Level 3), the cloud services in scope, the underlying standard for Level 2, the Registry listing reference, the customer's investment in cloud security posture, and the value of the listing for cloud-buyer trust and procurement.

Testimonials should omit: claims that conflate Level 1 self-assessment with Level 2 third-party assurance, scope claims beyond the Registry listing, certification body or attestation firm names without consent, in-process assessment findings, claims about cloud services outside the listed scope, and Level 3 claims without current published continuous monitoring metrics.

The ProofShow approach to CSA STAR testimonials emphasizes level precision, scope alignment with the Registry listing, and underlying-standard disclosure for Level 2 — three claim categories that are independently verifiable through the public Registry and durable across the listing lifecycle. For broader context on compliance-milestone testimonials, see the SOC 2 audit playbook, the ISO 27001 certification playbook, and the ISO 42001 certification playbook.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free