- What Is the STAR Program and Why Does It Appear on the CCAK?
- Domain 9 Weight, Scope, and What the Exam Actually Tests
- The Three Levels of the STAR Registry: A Deep Dive
- STAR Attestation vs. STAR Certification: Key Distinctions
- How STAR Connects to CCM and CAIQ Across Domains
- Continuous Monitoring, STAR Continuous, and Domain 8 Overlap
- How Domain 9 Questions Are Framed on the Actual Exam
- Scheduling Domain 9 Within Your Broader CCAK Prep
- Frequently Asked Questions
- Domain 9 carries 5% of the CCAK exam weight, making it one of the smallest but most interconnected domains to master.
- The STAR Program has three distinct levels - Self-Assessment, Attestation/Certification, and Continuous Monitoring - each with specific assurance implications.
- STAR Attestation is paired with SOC 2, while STAR Certification is paired with ISO/IEC 27001; confusing these two is a common exam mistake.
- The Cloud Controls Matrix (CCM) and CAIQ are foundational instruments for STAR submissions, connecting Domain 9 directly to Domains 3 and 7.
What Is the STAR Program and Why Does It Appear on the CCAK?
The Security, Trust, Assurance, and Risk (STAR) Program is the Cloud Security Alliance's flagship cloud provider assurance framework. It gives cloud service providers (CSPs) a structured, publicly verifiable way to demonstrate security posture, and it gives cloud customers and auditors a consistent lens through which to evaluate that posture. For anyone sitting the Certificate of Cloud Auditing Knowledge exam, STAR is not background knowledge - it is a testable, operationally specific topic that requires genuine understanding of how the program's mechanisms function in practice.
The CCAK was developed jointly by CSA and ISACA specifically to create a credential for professionals who audit, assess, and govern cloud environments. The STAR Program is the CSA's primary assurance ecosystem, so its inclusion in Domain 9 is logical: a qualified cloud auditor must be able to navigate STAR registry entries, interpret assurance levels, understand the role of third-party attestors, and know how STAR submissions relate to the Cloud Controls Matrix. Candidates who treat Domain 9 as a throwaway five-percent domain often find that STAR concepts appear as answer choices or distractors in questions rooted in other domains too.
Domain 9 Weight, Scope, and What the Exam Actually Tests
At 5% of the total exam, Domain 9 sits alongside Domain 4 (A Threat Analysis Methodology for Cloud Using CCM, also 5%) as one of the two smallest domains. However, the CCAK exam's question style does not always isolate domain knowledge neatly. Scenario-based questions frequently require synthesizing concepts from multiple domains, and STAR is a common thread. Understanding the exact scope of what Domain 9 covers is therefore essential for accurate test preparation.
Domain 9 tests candidates on:
- The purpose, structure, and governance of the STAR Program within the CSA ecosystem
- The three STAR registry levels and their assurance implications
- The specific standards paired with STAR Attestation and STAR Certification
- The role of the CAIQ as a self-assessment instrument within STAR
- How STAR submissions support cloud customer due diligence and procurement decisions
- The concept of continuous monitoring through STAR Continuous (Level 3) and its relationship to automated assurance
- How STAR interacts with the CSA Code of Conduct for GDPR Compliance
For a thorough grounding in how Domain 9 fits within the full exam blueprint, reviewing the CCAK Exam Format 2026: Question Types and Time Limits will help you calibrate how much preparation time the domain realistically deserves relative to heavier hitters like Domain 2 (Cloud Compliance Program, 21%) and Domain 1 (Cloud Governance, 18%).
Domain 9: STAR Program - Core Competency Areas
Candidates must understand STAR not as a marketing badge but as a structured assurance hierarchy with distinct legal, contractual, and audit implications at each level.
- STAR Level 1: Self-Assessment via CAIQ or CCM mapping
- STAR Level 2: Third-party assessment via Attestation (SOC 2) or Certification (ISO/IEC 27001)
- STAR Level 3: Continuous monitoring via STAR Continuous (the newest and still-maturing tier of the program)
- CSA STAR registry as a public transparency mechanism
- STAR for GDPR as a specialized compliance overlay
The Three Levels of the STAR Registry: A Deep Dive
Level 1 - Self-Assessment
Level 1 is the entry point into the STAR Program. A cloud service provider completes either the Consensus Assessments Initiative Questionnaire (CAIQ) or maps its controls to the Cloud Controls Matrix and submits the documentation to the CSA STAR Registry, which is publicly accessible at no cost. This level is notable because it involves no independent verification - it is entirely self-reported. For auditors and cloud customers, this means Level 1 provides transparency but not assurance in the formal audit sense. The CCAK exam tests whether candidates understand this distinction: a Level 1 STAR submission is a starting point for due diligence, not a conclusion.
Level 2 - Third-Party Assessment
Level 2 splits into two distinct pathways depending on which existing audit framework a CSP wishes to combine with the STAR requirements:
- STAR Attestation: Combines CSA STAR requirements with a SOC 2 Type 1 or Type 2 engagement. A licensed CPA firm conducts the assessment. The output is a SOC 2 report enhanced with STAR-specific criteria drawn from the CCM.
- STAR Certification: Combines CSA STAR requirements with an ISO/IEC 27001 audit. An accredited certification body performs the assessment. The output is an ISO/IEC 27001 certificate augmented with a STAR-specific maturity model assessment against CCM controls.
The practical difference matters enormously for the exam. Attestation is a North American, CPA-driven model rooted in AICPA standards. Certification is an international model rooted in ISO accreditation. Questions that present a scenario involving a European CSP seeking recognized third-party assurance will typically point toward STAR Certification rather than STAR Attestation. Questions involving U.S. enterprise customers requiring SOC 2 audit deliverables will point toward STAR Attestation.
Level 3 - Continuous Monitoring
STAR Level 3, which CSA calls STAR Continuous, represents the most forward-looking tier of the program. Rather than a point-in-time audit or a periodic self-assessment, Level 3 aims to provide ongoing, automated transparency into a CSP's security posture. Do not confuse it with STARWatch, which is a separate CSA software tool for managing CCM and CAIQ content; STARWatch is not an assurance level. While Level 3 is still evolving, the CCAK curriculum expects candidates to understand its conceptual underpinnings: that cloud assurance should not be a once-a-year exercise but a continuous feed of verifiable security evidence. This connects directly to Domain 8 (Continuous Assurance and Compliance, 7%), and candidates should study these two domains in tandem.
STAR Attestation vs. STAR Certification: Key Distinctions
| Attribute | STAR Attestation | STAR Certification |
|---|---|---|
| Underlying Framework | SOC 2 (AICPA) | ISO/IEC 27001 |
| Assessor Type | Licensed CPA Firm | Accredited Certification Body |
| Output Document | SOC 2 report with STAR addendum | ISO/IEC 27001 certificate with STAR maturity rating |
| Geographic Prevalence | Primarily North America | International / widely recognized in Europe and Asia-Pacific |
| Maturity Model | Not inherent to SOC 2 | CCM-based maturity model included |
| Validity Period | Defined by the SOC 2 engagement scope (a Type 2 report covers a stated review period, commonly 6 to 12 months) | Typically a three-year certification cycle with annual surveillance audits |
How STAR Connects to CCM and CAIQ Across Domains
One of the most important structural insights for CCAK candidates is that Domain 9 does not stand alone. The STAR Program's operational backbone is the CCM and the CAIQ - both of which are the central subjects of Domain 3 (CCM and CAIQ: Goals, Objectives, and Structure, 12%) and Domain 7 (CCM: Auditing Controls, 8%). A CSP completing a Level 1 self-assessment uses the CAIQ to document how its services address each CCM control domain. A third-party auditor conducting a STAR Certification engagement tests CCM controls using the same auditing logic covered in Domain 7.
This interdependency means that studying Domain 9 in isolation is a strategic mistake. When you review CCM control domains in your Domain 3 preparation, mentally tag each one with the question: "How would this control domain appear in a STAR registry submission?" When you work through Domain 7's auditing methodology, ask: "What does this look like during a STAR Certification engagement?" This cross-domain thinking is precisely the kind of synthesis the CCAK exam rewards.
Practicing with realistic scenario questions is the most efficient way to build this cross-domain fluency. The CCAK practice test platform includes questions that deliberately span multiple domains, including scenarios where a STAR submission is the factual anchor and the question tests your understanding of CCM mapping or auditor responsibility.
Key Takeaway
Every STAR submission - whether Level 1 or Level 2 - is fundamentally a CCM-anchored document. Mastering the CCM control domains in Domain 3 and Domain 7 directly strengthens your Domain 9 performance, and vice versa.
Continuous Monitoring, STAR Continuous, and Domain 8 Overlap
Domain 8 covers Continuous Assurance and Compliance at 7% of the exam. Its overlap with Domain 9 is deliberate and conceptually important. STAR Continuous - the Level 3 tier of the STAR Program - is the CSA's answer to a fundamental limitation of traditional audit models: point-in-time assessments become stale the moment the engagement closes. In a cloud environment where configurations change continuously, a 12-month-old SOC 2 report or ISO/IEC 27001 certificate may not reflect current reality.
STAR Continuous envisions CSPs providing real-time or near-real-time security evidence that flows into the STAR Registry, giving cloud customers ongoing visibility rather than periodic snapshots. Candidates should understand:
- The conceptual shift from periodic to continuous assurance that STAR Level 3 represents
- How automated tools and APIs could feed continuous compliance data into STAR
- The relationship between continuous monitoring and cloud governance obligations covered in Domain 1
- Why continuous assurance does not eliminate the need for periodic formal audits but complements them
Understanding this conceptual architecture also helps with Domain 8 questions that ask about the role of automated compliance monitoring, cloud-native audit evidence collection, and the limitations of traditional audit cycles in dynamic cloud environments.
How Domain 9 Questions Are Framed on the Actual Exam
The CCAK uses scenario-based questions extensively. For Domain 9, expect questions structured around one of these recurring patterns:
- Provider selection scenarios: A cloud customer is evaluating two CSPs. One has a Level 1 STAR submission and the other has a STAR Certification. What is the assurance implication of each? Which provides independent verification?
- Auditor assignment scenarios: A CSP wants to pursue STAR Attestation. Who must conduct the assessment? What deliverable does the customer receive?
- Framework mapping scenarios: A CSP has completed an ISO/IEC 27001 audit and wants to include CSA STAR assurance. What additional steps are required and what is the resulting output?
- Continuous monitoring scenarios: An organization wants real-time visibility into its CSP's security posture rather than an annual report. Which STAR level aligns with this requirement?
- CAIQ and self-assessment scenarios: A CSP's procurement team is being asked to provide evidence of security controls. They complete a CAIQ. Which STAR level does this represent, and what are its limitations?
Notice that all five patterns require you to know specific facts - not generic cloud security concepts. The difference between a STAR Attestation conducted by a CPA and a STAR Certification conducted by an accredited body is not something you can reason through from first principles. It requires deliberate study of the STAR Program's actual structure.
For more insight into how these question types are distributed across the full exam, see the CCAK Exam Format 2026: Question Types and Time Limits guide, which covers question mechanics, timing, and the scenario-based format in detail.
Scheduling Domain 9 Within Your Broader CCAK Prep
Because Domain 9 carries only 5% of the exam weight, it should not anchor your study schedule - but it should be sequenced thoughtfully. The optimal approach is to study Domain 9 after you have solid grounding in Domain 3 (CCM and CAIQ) and Domain 8 (Continuous Assurance), since both provide essential context for understanding why STAR is structured the way it is.
Foundation: Domains 1 and 2
- Cloud Governance (18%) - largest single context for why assurance frameworks like STAR exist
- Cloud Compliance Program (21%) - highest-weight domain; establishes regulatory and compliance framing
Core Frameworks: Domains 3 and 7
- CCM and CAIQ structure - essential prerequisite for understanding STAR submissions
- CCM Auditing Controls - directly applicable to STAR Certification engagement methodology
Auditing and Continuous Assurance: Domains 6, 8, and 9
- Cloud Auditing (15%) - covers audit planning, evidence, and reporting in cloud contexts
- Continuous Assurance (7%) - conceptual partner to STAR Level 3
- STAR Program (5%) - study last; everything else provides its context
Integration and Practice Testing
- Remaining domains: Domains 4 and 5
- Full-length practice exams on the CCAK practice test platform to identify cross-domain gaps
- Targeted review of any STAR-related questions answered incorrectly
This sequencing reflects a spaced-repetition principle applied specifically to CCAK content: encounter STAR concepts lightly in Domain 3 study, reinforce them during Domain 8, and consolidate them in a dedicated Domain 9 review session. By the time you sit the exam, STAR terminology should feel familiar from multiple angles rather than as isolated memorization.
The CCAK Domain 9: STAR Program Complete Study Guide 2026 is a useful bookmark for returning to key STAR distinctions during your integration week, particularly the Attestation vs. Certification comparison and the Level 1 limitations.
Frequently Asked Questions
What is the difference between STAR Attestation and STAR Certification?
STAR Attestation combines STAR requirements with a SOC 2 engagement conducted by a licensed CPA firm, primarily used in North American contexts. STAR Certification combines STAR requirements with an ISO/IEC 27001 audit conducted by an accredited certification body, recognized internationally. Confusing these two is one of the most common Domain 9 mistakes on the exam. Remember: Attestation ties to AICPA/SOC 2; Certification ties to ISO/IEC 27001.
Does a STAR Level 1 submission provide independent assurance?
No. A STAR Level 1 submission - whether via the CAIQ or a CCM mapping - is entirely self-reported and involves no independent third-party verification. It provides transparency about a CSP's claimed security posture but does not constitute formal audit assurance. The CCAK exam tests this distinction frequently in due diligence and procurement scenarios.
How much study time does Domain 9 deserve?
While 5% is a small slice, Domain 9 content surfaces as answer choices and distractors in questions anchored in other domains. Two or three focused study sessions - after completing Domain 3 and Domain 8 - are typically sufficient. Prioritize understanding the three STAR levels and the Attestation vs. Certification distinction rather than attempting comprehensive memorization of STAR Program history.
What is STAR Level 3 (STAR Continuous)?
STAR Level 3, known as STAR Continuous, represents a shift from periodic, point-in-time assurance to continuous monitoring of a CSP's security posture. While Levels 1 and 2 produce static documents (a CAIQ submission or an audit report), Level 3 envisions real-time or near-real-time security evidence flowing into the STAR Registry. It is still evolving but is tested conceptually on the CCAK in relation to Domain 8's continuous assurance themes.
How should I practice Domain 9 questions?
The most effective preparation involves scenario-based questions that mirror the CCAK's multi-domain format. The CCAK practice test platform includes Domain 9-aligned questions as well as cross-domain scenarios where STAR concepts appear alongside CCM auditing and continuous compliance topics. Reviewing incorrect answers with explanations is particularly valuable for solidifying the Attestation vs. Certification distinction and the STAR registry level hierarchy.