Skip to main content Skip to footer

iManage achieves CSA Level 2 STAR certification: What it means for our clients

Heidi Hanson

Content Marketing Editor Senior Specialist, iManage

Are you underestimating your risk exposure to cybercrime? Unless your organization has the resources to monitor and protect your on-premises data with the same level of vigilance as iManage, you might be.

iManage recently announced it has achieved Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Level 2 certification. What does this mean for iManage Cloud customers, prospective cloud customers, and on-premises customers debating a move to the iManage Cloud?

To find out, we talked with Mark Richman, who – as a Principal Product Manager at iManage – has intimate knowledge of what it takes to achieve certification from an organization like CSA.

First, Richman said that he wants to dispel the illusion that “If I can put my hands on the data, then I control it, and therefore I can secure it better.”

That couldn't be further from the truth, he told us. Because unless your organization has the knowledge, skills, and resources to monitor and protect your data with the same level of vigilance as a reputable cloud provider like iManage, you may be greatly underestimating your risk of exposure to cybercrime through a growing number of vulnerabilities.

According to the Cybersecurity and Infrastructure Security Agency (CISA), “Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”

Software isn’t the only vulnerability, either. Remote working and mobile devices and apps have introduced a significant amount of risk into the threat landscape for law firms and corporate legal operations, as well as for governments and other organizations. And the data indicate that law firms have reason to take that risk seriously. CISION PR Newswire reported:

"Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised,” said Jim Rosenthal, CEO, BlueVoyant.

Richman acknowledged that a customer or prospect might observe that anybody can draw a PowerPoint and make up these seemingly magical phrases like “Zero Trust” and “Zero Touch” and ask us how they can be sure that what iManage is saying is really true and that they can trust the security we say we maintain is maintained in fact?

“That's where these certifications come in,” says Richman. But who are the CSA, anyway? And why should they be trusted?

The CSA is a non-profit organization that exists, in part, to “promote the use of best practices for providing security assurance within cloud computing." More than 100,000 industry professionals are a part of the alliance, which provides news, insights, research, forums, education, and events to support their mission. A customer can have confidence that the certifications it awards are impartial and unbiased because:

  1. The organization is dedicated to making cloud computing more secure
  2. Providers are required to complete a rigorous assessment process for certification

To achieve CSA STAR Level 2 status iManage underwent an audit and extensive validation, and that provides a degree of assurance that the security that we, iManage, say that we maintain is actually being maintained, not only from a technical perspective, but also from a process and policy perspective.

STAR provides two levels of assurance. Level 1 CSA STAR Self-Assessment is the introductory offering, open to all CSPs. Richman said the CSA STAR Level 1 Self-Assessment and the Consensus Assessments Initiative questionnaire (CAIQ) is very long and broad and covers many aspects of security, looking at processes and policies as well as technical aspects. Level 2 goes further up the assurance stack, involving third-party assessment-based certification.

The iManage certificate, issued by Schellman and Company, is available for download from the CSA STAR registry. The iManage CSA STAR Level 1 Self-Assessment and the completed Consensus Assessments Initiative questionnaire (CAIQ) are also available on the registry.

 All of these things have to work together, hand in hand, to be able to achieve the high level of security that iManage maintains. And the more certifications we have, the better, for us and for our customers.

“It’s 9 out of 10 dentists that recommend CREST, not 2 out of 10, or 5 out of 10,” Richman quips.

In a nutshell, earning the CSA STAR Level 1 and Level 2 certification highlights our commitment to providing industry-leading, best-practices security for the iManage global cloud infrastructure. It provides trust and assurance that the things we say about our platform are not just marketing speak and hyperbole. Our security and privacy controls are audited and verified by industry experts and 3rd parties whose business it is to judge the accuracy of our claims.


The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud.

About the author

Heidi Hanson