BSI C5: Your cloud service tested for transparency and IT security
Are you a provider of a cloud service who would like to have your current cloud infrastructure objectively assessed?
With an audit in accordance with the Cloud Computing Compliance Controls Catalog, C5 for short, from the German Federal Office for Information Security (BSI), you will receive a transparent assessment. Together with our partner FIDES, we carry out corresponding C5 audits and provide you with a meaningful and comprehensive audit report. This forms the basis for successful, final certification according to C5 by the BSI.
Objective evaluation of your cloud infrastructure
A C5 audit serves as objective proof that you have taken appropriate security measures in accordance with the C5 catalog.
Maximum transparency towards customers & business partners
With the BSI C5 audit & certification, you show that you follow recognized standards & make your data processing practices transparent.
Reduction of security risks
With the help of the BSI C5 criteria catalog, you can continuously improve your risk management and prevent data and security breaches.
What is the C5 criteria catalog?
The C5 (Cloud Computing Compliance Controls Catalogue) is a framework developed by the German Federal Office for Information Security (BSI) to ensure the security and compliance of cloud services. It provides a comprehensive collection of security controls that cloud providers should implement to ensure data protection and compliance with security standards.
The C5 catalog is particularly aimed at companies that use or offer cloud services and helps them to understand and implement security requirements. By applying C5, organizations can increase the transparency and security of their cloud services and strengthen the trust of their customers.
Cloud-specific regulations in the healthcare sector
With the new Section 393 “Cloud use in healthcare; authorization to issue ordinances” in the German Social Code (SGB) V, the Federal Ministry of Health is increasing the protection of sensitive, personal social and health data.
Health insurance funds and service providers as well as their respective contract data processors may only process such data using cloud-based applications if the following requirements are met:
- The provider of the cloud-based service has a BSI C5 Type 1 or Type 2 test report that covers the BSI C5 basic criteria.
- The organization using the cloud service has:
  - taken appropriate, state-of-the-art technical and organizational measures to secure cloud usage, and
  - implemented the end-user controls formulated by the cloud provider in the BSI C5 test report.
This also applies to organizations that have set up private clouds and use them themselves, including organizations that are not traditional IT or cloud providers. These include, for example, research institutions, pharmaceutical companies or other service providers that store and process personal health data in their private cloud.
A new regulation is currently being drafted, the “C5 Equivalence Regulation”, which is likely to extend the requirements.
Your benefits at a glance
Objective confirmation of security
With a C5 audit & certification, you can prove that you have implemented extensive security measures.
Identification of potential security gaps
With the help of the BSI C5 criteria catalog, you can uncover potential security gaps and risks at an early stage.
Compliance with regulatory requirements
In certain areas (e.g. healthcare), the C5 audit meets regulatory requirements.
Trust among customers
The transparent audit provides customers with a solid basis for choosing a cloud provider.
Improved competitiveness
Independent testing & certification according to C5 successfully sets you apart from the competition.
Increased IT security
The BSI C5 catalog helps you to systematically improve the IT security of your cloud service.
Our services for BSI C5 certification
BSI C5 Maturity Assessment
With our BSI C5 Maturity Assessment, you quickly gain clarity on the extent to which your existing security measures already meet the BSI C5 criteria. For example, we review existing guidelines, assign the measures described therein to the BSI C5 criteria, evaluate their coverage and identify potential gaps. Based on the results of the maturity assessment, cloud providers can close identified gaps and prepare themselves for the BSI C5 audit with our support.
BSI C5 Audit Type 1
In collaboration with our partners from the accountancy sector, who are recognized BSI C5 auditors, we are able to carry out the BSI C5 audit (type 1) required in accordance with Section 393 (4) sentence 1 “Cloud use in the healthcare sector; authorization to issue regulations” SGB V. The audit mainly comprises interviews with specialist personnel and the review of evidence such as guidelines. The aim of the audit is to assess the extent to which the cloud provider's security measures are appropriately designed and implemented to meet the BSI C5 basic criteria at a given point in time.
BSI C5 Audit Type 2
Section 393 (4) sentence 2 “Cloud use in the healthcare sector; authorization to issue regulations” SGB V provides for a BSI C5 audit type 2. In this case, too, we can carry out the required audit together with our partners from the accountancy sector as recognized BSI C5 auditors. The type 2 audit essentially comprises interviews with specialist personnel, the examination of evidence and, in addition, random sampling. The aim of the audit is to assess the extent to which the cloud provider's security measures were appropriately designed, implemented and effective over a defined period of time (usually between 6 and 12 months) in order to meet the BSI C5 basic criteria.
The C5 criteria catalog: A brief overview
The BSI C5 criteria catalog contains 121 criteria for the information security of cloud services. These are divided into 17 subject areas, each of which is assigned an objective to be achieved by its criteria. The areas follow the presentation of the control objectives in ISO/IEC 27001:2013 Annex A. The section and page numbers in the table refer to the BSI C5 catalog document:
| No. | Area (section and page in the C5 catalog) | Objective |
| --- | --- | --- |
| 1 | Organisation of Information Security (OIS), 5.1, page 35 | Plan, implement, maintain and continuously improve the information security framework within the organisation. |
| 2 | Security Policies and Instructions (SP), 5.2, page 39 | Provide policies and instructions regarding security requirements and to support business requirements. |
| 3 | Personnel (HR), 5.3, page 42 | Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation’s assets are protected in the event of changes in responsibilities or termination. |
| 4 | Asset Management (AM), 5.4, page 46 | Identify the organisation’s own assets and ensure an appropriate level of protection throughout their lifecycle. |
| 5 | Physical Security (PS), 5.5, page 51 | Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. |
| 6 | Operations (OPS), 5.6, page 58 | Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. |
| 7 | Identity and Access Management (IDM), 5.7, page 72 | Secure the authorisation and authentication of users of the Cloud Service Provider (typically privileged users) to prevent unauthorised access. |
| 8 | Cryptography and Key Management (CRY), 5.8, page 79 | Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. |
| 9 | Communication Security (COS), 5.9, page 82 | Ensure the protection of information in networks and the corresponding information processing systems. |
| 10 | Portability and Interoperability (PI), 5.10, page 86 | Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. |
| 11 | Procurement, Development and Modification of Information Systems (DEV), 5.11, page 89 | Ensure information security in the development cycle of information systems. |
| 12 | Control and Monitoring of Service Providers and Suppliers (SSO), 5.12, page 95 | Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access, and monitor the agreed services and security requirements. |
| 13 | Security Incident Management (SIM), 5.13, page 100 | Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. |
| 14 | Business Continuity Management (BCM), 5.14, page 103 | Plan, implement, maintain and test procedures and measures for business continuity and emergency management. |
| 15 | Compliance (COM), 5.15, page 106 | Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements. |
| 16 | Dealing with investigation requests from government agencies (INQ), 5.16, page 109 | Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. |
| 17 | Product Safety and Security (PSS), 5.17, page | Provide up-to-date information on the secure configuration and known vulnerabilities of the cloud service for cloud customers, appropriate mechanisms for troubleshooting and logging, as well as authentication and authorisation of users of cloud customers. |
Frequently Asked Questions (FAQ):
C5 certificates always refer to a completed reporting period that has already passed. In this sense, they can only lose their validity if it can be proven that false statements were made (negligently, grossly negligently or intentionally) for the reporting period. However, a C5 test certificate that is several years old is of little use for the risk management of current customers. For this reason, C5 audits are usually repeated annually.
The C5 is aimed at cloud customers, cloud providers and their auditors. The provider must implement the C5 criteria and the auditor must provide evidence of conformity.
As the term “cloud” is used in a variety of ways, the C5 can also be used for IT services that do not explicitly have “cloud” in their title but are related to cloud services. The basic security requirements for a cloud service are covered by the C5, although a cloud customer must still check whether the criteria are also sufficiently addressed for their own specific use case. This allows a cloud customer to focus more on their own individual information security requirements and their implementation or their own criteria that go beyond the basic level of the C5. The criteria are applicable across all sectors.
No, the C5 primarily focuses on information security and not data protection. If you use a C5-tested cloud service, it is therefore not automatically data protection compliant.
The C5 includes all the criteria of ISO/IEC 27001 in the basic criteria. This means that a cloud provider that has implemented ISO/IEC 27001 has already implemented measures for many of the criteria in the catalog. For the basic criteria, the C5 requires a management system that is based on ISO/IEC 27001.
The ISO/IEC 27017 standard “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” extends the ISO/IEC 27002 standard to include cloud-specific implementation instructions. It also includes some additional criteria in the appendix, which can also be found in C5. The code of practice is a good reference for implementing the C5 criteria.
ISO/IEC 27018 “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” deals with the protection of personal data in cloud computing. It is strongly based on European data protection, but is not normative in nature. As the C5 does not deal with data protection, ISO/IEC 27018 can be used as a very helpful supplement to data protection.
The C5 report must indicate which services of a cloud provider have been subject to a C5 audit. As this does not necessarily cover the entire infrastructure and all services of a cloud provider, the cloud customer must first ensure that the services it uses are also covered by the C5 test certificate.
No, there is currently no official C5 logo.
You have questions? We are pleased to help!