
100+ Free Certified CSA STAR Auditor Practice Questions

Pass your Certified CSA STAR Auditor (STAR Lead Auditor) exam on the first try — instant access, no signup required.


Key Facts: Certified CSA STAR Auditor Exam

The CSA STAR Auditor credential requires ISO/IEC 27001 lead/qualified auditor status as a prerequisite. The training course is approximately 6 hours self-paced, followed by a ~2-hour exam. It covers the CSA Cloud Controls Matrix (CCM) v4 with 17 control domains, the STAR Capability Maturity Model (1-15 scale), CAIQ, STAR Registry, and integrated CCM + ISO 27001 audit methodology. Passing earns the Certified CSA STAR Auditor title and 6 CPE credits.

Sample Certified CSA STAR Auditor Practice Questions

Try these sample questions to test your Certified CSA STAR Auditor exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What does the acronym STAR stand for in the CSA STAR program?
A. Security Trust Assurance and Risk
B. Standardized Testing and Audit Requirements
C. Security Technology and Risk
D. Standards Testing Assurance Registry
Explanation: STAR stands for Security, Trust, Assurance, and Risk. The CSA STAR program was jointly launched by CSA and BSI in 2013 as a publicly accessible registry for cloud service providers to publish their security assessments. The program is designed to promote transparency and allow customers to evaluate cloud provider security postures.

2. Which two organizations jointly developed the STAR Lead Auditor training and the Certified CSA STAR Auditor credential?
A. ISO and ISACA
B. CSA and BSI
C. NIST and Cloud Security Alliance
D. ENISA and ISO
Explanation: The Certified CSA STAR Auditor credential and its accompanying STAR Lead Auditor training were jointly developed by the Cloud Security Alliance (CSA) and the British Standards Institution (BSI). The collaboration leverages BSI's expertise in ISO/IEC 27001 certification and CSA's cloud security framework knowledge.

3. What is the mandatory prerequisite for candidates seeking the Certified CSA STAR Auditor credential?
A. CCSK or CCSP certification
B. ISO/IEC 27001 qualified or lead auditor status
C. Completion of the CAIQ self-assessment
D. Three years of cloud operations experience
Explanation: The Certified CSA STAR Auditor requires candidates to already hold ISO/IEC 27001 qualified or lead auditor status. This prerequisite ensures that STAR Auditors have a solid foundation in information security management system (ISMS) auditing before layering on CCM-specific cloud security assessment skills.

4. The STAR Lead Auditor training course is estimated to take approximately how long to complete?
A. 2 hours
B. 12 hours
C. 6 hours
D. 20 hours
Explanation: The STAR Lead Auditor self-paced online training course is estimated at approximately 6 hours of study, followed by a separate 2-hour exam. This efficient delivery format makes the credential accessible to already-qualified ISO 27001 auditors who want to add cloud audit specialization.

5. The CSA STAR program organizes assurance into multiple levels. Which level involves third-party independent audits?
A. Level 1 – Self-Assessment
B. Level 2 – Third-Party Audit
C. Level 3 – Continuous Monitoring
D. Level 4 – Attestation
Explanation: Level 2 of the STAR program involves rigorous independent third-party assessments conducted by accredited auditors. At Level 2, cloud providers can obtain STAR Certification (based on ISO/IEC 27001 plus CCM), STAR Attestation (based on SOC 2 plus CCM), or STAR C-STAR Assessment. Level 1 is self-assessment, and Level 3 involves continuous monitoring.

6. At STAR Level 1, cloud service providers demonstrate their security posture by completing which document?
A. STAR Certification report signed by an accredited auditor
B. ISO/IEC 27001 Statement of Applicability
C. Consensus Assessments Initiative Questionnaire (CAIQ)
D. SOC 2 Type II audit report
Explanation: At STAR Level 1, cloud service providers complete and publish the Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ contains over 250 yes/no questions aligned to CCM control areas, allowing customers and auditors to evaluate a provider's self-declared compliance with CSA best practices. Level 1 is free and open to all CSPs.

7. How many control domains does the Cloud Controls Matrix (CCM) version 4 contain?
A. 10
B. 13
C. 17
D. 25
Explanation: CCM version 4 is organized into 17 control domains covering all key aspects of cloud security, from Application and Interface Security (AIS) to Threat and Vulnerability Management (TVM). The full matrix contains approximately 197 individual control objectives distributed across these 17 domains.

8. Which CCM v4 domain abbreviation corresponds to Cryptography, Encryption, and Key Management?
A. CCC
B. CEK
C. IAM
D. DSP
Explanation: CEK stands for Cryptography, Encryption, and Key Management in CCM v4. This domain covers requirements for encryption algorithms, key lifecycle management, key storage, and cryptographic module validation. Auditors assess whether cloud providers implement appropriate cryptographic controls to protect data at rest and in transit.

9. In the STAR Capability Maturity Model, management capability scores are assigned on what scale?
A. 1 to 5
B. 0 to 100
C. 1 to 15
D. 1 to 10
Explanation: The STAR Capability Maturity Model uses a scoring scale of 1 to 15 for each CCM control domain. These scores are divided into five groups representing different management capability levels. The overall organizational maturity score is derived by averaging the scores across all assessed control domains.

10. When assigning a management capability score to a CCM control area, what principle governs the final score when multiple capability factors are evaluated?
A. The highest factor score is used as the final score
B. All factor scores are averaged to produce the final score
C. The lowest factor score across all evaluated factors becomes the final score
D. The median factor score is used as the final score
Explanation: The STAR maturity scoring model applies a 'weakest link' principle: when auditors evaluate five capability factors for a control area, the lowest score among those factors becomes the final score for that control domain. This conservative approach ensures that deficiencies in any single capability factor are fully reflected in the overall domain score.

About the Certified CSA STAR Auditor Exam

The Certified CSA STAR Auditor (STAR Lead Auditor) is a joint credential from the Cloud Security Alliance and BSI that qualifies professionals to conduct second-party and third-party audits of cloud service providers against the CSA STAR Certification standard. Built on ISO/IEC 27001, the STAR Certification program adds a Cloud Controls Matrix (CCM) v4 maturity assessment layer. Candidates must already hold ISO/IEC 27001 qualified or lead auditor status. The credential covers all 17 CCM control domains, the 1-15 capability maturity scoring model, audit methodology, evidence evaluation, and integration of CCM assessment into ISO 27001 audits.

Questions: 20 scored questions

Time Limit: ~2 hours (exam component)

Passing Score: Not publicly disclosed

Exam Fee: Included in BSI/CSA training bundle (Cloud Security Alliance (CSA) + BSI)

Certified CSA STAR Auditor Exam Content Outline

CSA STAR Program Fundamentals (20%)

STAR levels (Level 1 Self-Assessment/CAIQ, Level 2 Third-Party Audit, Level 3 Continuous Monitoring), STAR Registry, STAR Certification vs Attestation vs C-STAR, BSI/CSA joint development, accreditation under ISO/IEC 17021

Cloud Controls Matrix (CCM) v4 (30%)

17 domains: AIS (Application & Interface Security), BCR (Business Continuity), CCC (Change Control), CEK (Cryptography & Key Management), DCS (Datacenter Security), DSP (Data Security & Privacy), GRC (Governance Risk Compliance), HRS (Human Resources Security), IAM (Identity & Access Management), IPY (Interoperability & Portability), IVS (Infrastructure & Virtualization Security), LOG (Logging & Monitoring), SEF (Security Incident Management), STA (Supply Chain), TVM (Threat & Vulnerability Management), UEM (Universal Endpoint Management), A&A (Audit & Assurance); SSRM; CCM v4 changes; CAIQ

STAR Capability Maturity Model (20%)

1-15 scoring scale, five management capability factors, weakest-link scoring principle, major nonconformity cap at 6, overall organizational maturity derived from domain score average

Audit Process and Methodology (20%)

ISO 19011 audit principles, audit planning and scope definition, opening/closing meetings, evidence types and reliability, sampling, nonconformity classification (major vs minor), corrective action requests, opportunities for improvement, combined ISO 27001 + CCM audit integration

ISO/IEC 27001 Integration (10%)

ISO 27001 as STAR Certification foundation, Annex A to CCM v4 mappings, surveillance audits, three-year certification cycle with annual surveillance, ISO/IEC 17021 accreditation requirement for certification bodies

How to Pass the Certified CSA STAR Auditor Exam

What You Need to Know

  • Passing score: Not publicly disclosed
  • Exam length: 20 questions
  • Time limit: ~2 hours (exam component)
  • Exam fee: Included in BSI/CSA training bundle

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Certified CSA STAR Auditor Study Tips from Top Performers

1. Memorize the 17 CCM v4 domain abbreviations and their full names — exam scenarios will reference them by abbreviation
2. Understand the weakest-link scoring rule: when five capability factors are evaluated, the lowest factor score is the domain score
3. Know that major nonconformities cap the domain capability score at 6, not zero — the control exists but has critical gaps
4. Distinguish STAR Certification (ISO 27001 + CCM) from STAR Attestation (SOC 2 + CCM) — a common exam scenario topic
5. Understand CAIQ: it is the Level 1 self-assessment tool; in Level 2, auditors independently verify the claims CSPs made in the CAIQ
6. Know that the evidence reliability hierarchy runs: direct auditor observation > automated system outputs > third-party documents > CSP-provided documents > verbal assurances
7. Review the SSRM: it maps each CCM control to CSP responsibility, customer responsibility, or shared — critical for scoping audits across IaaS, PaaS, SaaS
8. Complete all 100 practice questions and re-review every wrong answer, focusing on which CCM domain applies and why

Frequently Asked Questions

What is the prerequisite for the Certified CSA STAR Auditor credential?

Candidates must hold ISO/IEC 27001 qualified or lead auditor status before pursuing the Certified CSA STAR Auditor credential. This prerequisite ensures candidates have a solid ISMS auditing foundation before adding the cloud-specific CCM and STAR assessment layer. The training and exam are jointly delivered by BSI and CSA through an approximately 6-hour self-paced online course followed by a 2-hour exam.

What is the CSA STAR program and how many levels does it have?

The CSA STAR (Security, Trust, Assurance, and Risk) program is a publicly accessible cloud security assurance framework launched jointly by CSA and BSI in 2013. It has three levels: Level 1 (Self-Assessment via CAIQ), Level 2 (Third-Party Audit: STAR Certification based on ISO 27001+CCM, or STAR Attestation based on SOC 2+CCM), and Level 3 (STAR Continuous: ongoing automated monitoring). The STAR Registry publishes all submissions publicly.

How many domains does the Cloud Controls Matrix (CCM) v4 have?

CCM v4 contains 17 control domains covering approximately 197 individual controls. The domains are: AIS (Application & Interface Security), BCR (Business Continuity), CCC (Change Control & Configuration), CEK (Cryptography, Encryption & Key Management), DCS (Datacenter Security), DSP (Data Security & Privacy), GRC (Governance, Risk & Compliance), HRS (Human Resources Security), IAM (Identity & Access Management), IPY (Interoperability & Portability), IVS (Infrastructure & Virtualization Security), LOG (Logging & Monitoring), SEF (Security Incident Management, E-Discovery & Forensics), STA (Supply Chain, Transparency & Accountability), TVM (Threat & Vulnerability Management), UEM (Universal Endpoint Management), and A&A (Audit & Assurance).

How does the STAR Capability Maturity Model scoring work?

The STAR maturity model scores each CCM control domain on a scale of 1 to 15, divided into five management capability groups. When evaluating a domain, auditors assess five capability factors and apply a weakest-link rule: the lowest factor score becomes the domain score. Control areas with major nonconformities are capped at a maximum score of 6. The overall organizational maturity score is the average of all domain scores.
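The scoring rules above (and the same rules as stated in sample question 10 and the content outline) are easy to get wrong in a spreadsheet, in particular the interaction between the weakest-link rule and the major-nonconformity cap. The following Python is an added worked example, not code from CSA, BSI or this page: it applies the three rules the page states (lowest of five factor scores, cap at 6 on a major nonconformity, average across domains) to constructed sample assessments. The five capability factors are not named on the page, so they are passed as a plain list of five scores, and the `DomainAssessment` structure and the sample data are assumptions for illustration.

```python
"""STAR Capability Maturity Model scoring, as described on the page.

Rules implemented (all from the page text):
  1. Each CCM domain is assessed on five capability factors, each scored 1-15.
  2. Weakest link: the domain score is the lowest of the five factor scores.
  3. A domain with a major nonconformity is capped at 6 (not reset to zero).
  4. The organizational maturity score is the average of the domain scores.

Everything else (the dataclass layout, the sample data) is an assumption
made for this example and is not part of the STAR program documentation.
"""
from dataclasses import dataclass

MIN_SCORE = 1          # bottom of the page's 1-15 scale
MAX_SCORE = 15         # top of the page's 1-15 scale
FACTOR_COUNT = 5       # five management capability factors per domain
MAJOR_NC_CAP = 6       # ceiling applied when a major nonconformity exists


@dataclass
class DomainAssessment:
    """One CCM v4 domain as assessed by the auditor (assumed structure)."""
    domain: str                  # CCM v4 abbreviation, e.g. "CEK"
    factor_scores: list[int]     # exactly five scores, each 1-15
    major_nonconformity: bool = False


def domain_score(assessment: DomainAssessment) -> int:
    """Return the final capability score for one domain."""
    scores = assessment.factor_scores
    if len(scores) != FACTOR_COUNT:
        raise ValueError(
            f"{assessment.domain}: expected {FACTOR_COUNT} factor scores, got {len(scores)}"
        )
    for s in scores:
        if not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"{assessment.domain}: factor score {s} is outside 1-15")
    score = min(scores)                       # weakest-link rule
    if assessment.major_nonconformity:
        score = min(score, MAJOR_NC_CAP)      # cap, never below the real minimum
    return score


def score_report(assessments: list[DomainAssessment]) -> dict[str, int]:
    """Map each domain abbreviation to its final score."""
    return {a.domain: domain_score(a) for a in assessments}


def organizational_score(assessments: list[DomainAssessment]) -> float:
    """Overall maturity: plain average of the assessed domain scores."""
    if not assessments:
        raise ValueError("at least one assessed domain is required")
    scores = [domain_score(a) for a in assessments]
    return sum(scores) / len(scores)


# Constructed sample input (not a real assessment). The comments give the
# score each rule produces so the cap's effect is visible.
SAMPLE = [
    DomainAssessment("CEK", [12, 9, 14, 11, 10]),                          # min 9  -> 9
    DomainAssessment("IAM", [13, 13, 12, 14, 13]),                         # min 12 -> 12
    DomainAssessment("LOG", [10, 8, 9, 11, 9], major_nonconformity=True),  # min 8, capped -> 6
    DomainAssessment("DSP", [5, 7, 6, 4, 8], major_nonconformity=True),    # min 4, cap is moot -> 4
]

if __name__ == "__main__":
    for domain, score in score_report(SAMPLE).items():
        print(f"{domain}: {score}")
    print(f"organizational maturity: {organizational_score(SAMPLE):.2f}")  # 7.75
```

The DSP entry shows the point study tip 3 makes: the cap only lowers a score that would otherwise exceed 6; a domain whose weakest factor is already below 6 keeps that lower score, and a major nonconformity never turns a score into zero. Over the four sample domains the organizational score is (9 + 12 + 6 + 4) / 4 = 7.75; a real STAR Certification run would average across all 17 assessed domains.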

How does STAR Certification relate to ISO/IEC 27001?

STAR Certification is built on top of ISO/IEC 27001. A cloud provider must first achieve ISO/IEC 27001 certification and then undergo an additional CCM v4 maturity assessment conducted by an accredited certification body. In practice, the two audits are typically integrated so evidence can be shared. The STAR certificate is issued alongside the ISO 27001 certificate and follows the same three-year cycle with annual surveillance audits.

What is the difference between STAR Certification and STAR Attestation?

Both are Level 2 (third-party) STAR program offerings. STAR Certification is based on ISO/IEC 27001 plus CCM maturity scoring and is issued by accredited certification bodies. STAR Attestation is based on SOC 2 Trust Services Criteria plus CCM and is delivered by licensed CPA firms. Organizations choose based on their compliance framework preferences and target customer markets.

How should I prepare for the CSA STAR Auditor exam?

Complete the BSI/CSA STAR Lead Auditor self-paced training course (approximately 6 hours). Supplement it by studying the CSA CCM v4 documentation including the SSRM, Implementation Guidelines, and CAIQ. Review the STAR certification guidance document on auditing the CCM. Study ISO 19011 audit principles and ISO/IEC 27001 Annex A to CCM v4 mappings. Practice with scenario-based questions covering all 17 CCM domains, maturity scoring rules, and audit methodology.