BSI C5 audit

Your path to certified cloud security and greater market confidence

We accompany you from status check to audit opinion—clear, efficient, and audit-oriented.

Selected Clients

Noxtua Big Picture Medical Dr. Flex Idana Cliniserve Nubedian Berlinux Solutions Teutonet Prep4Surg Fortinet NFON

Security That Convinces Customers

Cloud Security

Insecure cloud services drive customers away

BSI C5

We get you BSI C5 ready & secure

Success

More trust. More contracts. More success!

Your path to the BSI C5 exam in 4 steps

BSI C5

Master the BSI C5 audit in 4 steps!

  • Analysis & status check
  • Building tailored controls
  • Review of the control system
  • Issuance of the attestation

1. Analysis & Status Check

We analyse the current state of your information security level with regard to your cloud service and identify gaps in relation to the BSI C5 requirements.

🕒 Duration: 1–2 days

2. Building Tailored Controls

Based on the analysis, you develop an internal control system tailored to your cloud service – we support you throughout the entire build-up as part of our audit-related advisory services.

🕒 Duration: 4–6 weeks

3. Review of the Control System

Our independent auditors assess the suitability and implementation (Type 1) and, where applicable, the effectiveness (Type 2) of your implemented controls and their compliance with the BSI C5 criteria catalogue.

🕒 Duration: 4–6 weeks

4. Issuance of the Attestation

After a successful BSI C5 audit, we issue the attestation regarding your internal control system in accordance with BSI C5 (incl. audit report) – as proof of a verified security level for your cloud service.

🕒 Duration: 2 weeks

Benefits of a BSI C5 Audit

Build trust, minimise risks and secure competitive advantages with a BSI C5 audit

Building Trust with Customers and Partners

A C5 attestation signals that your cloud services meet the highest security standards – strengthening the confidence of customers and business partners.

Meeting Regulatory Requirements

The BSI C5 audit helps fulfil statutory and industry-specific requirements regarding information security – an important step towards compliance, particularly when processing social or health data.

Transparency and Traceability

The BSI C5 criteria catalogue establishes uniform requirements – giving your customers clear, traceable statements on the security of your cloud services.

Competitive Advantage Through BSI C5 Audit

A successful BSI C5 attestation can serve as a differentiating factor in the market – especially compared to providers without a BSI C5 attestation.

Preparation for International Standards

The BSI C5 criteria catalogue is compatible with other standards such as ISO 27001 or SOC 2 – making the BSI C5 audit an ideal starting point for globally oriented compliance strategies.

What Our Customers Say

Dr. Leif-Nissen Lundbæk

CEO & Co-Founder of Noxtua AG

Noxtua AG

"Thanks to the competent and goal-oriented approach of the ADVANTA team, we were able to complete the BSI C5 Type 1 audit on schedule and successfully. We were particularly impressed by the systematic working method and the targeted preparation for all coordination meetings, which made the entire audit process efficient and transparent."

Mathias Schmon

Managing Director of nubedian GmbH

nubedian GmbH

"Thanks to the professional and efficient support from ADVANTA, we were able to successfully complete the BSI C5 Type 1 audit within the planned timeframe. The structured approach, the constructive and well-prepared coordination meetings made the entire audit process smooth and transparent. We value the excellent collaboration and especially the ADVANTA team's ability to familiarise themselves with company structures and business models."

Jerome Meinke

Founder & CTO of Idana AG

Idana AG

"With the reliable and practice-oriented guidance from ADVANTA, we were able to complete the BSI C5 Type 1 audit successfully and without delays. Particularly valuable to us were the clear structure of the approach, the precise preparation of all coordination meetings, and the transparent communication throughout the entire audit process. The collaboration with the ADVANTA team was consistently constructive and focused."

BSI C5, ISO 27001, NIS 2, DORA

Criteria compared across BSI C5, ISO 27001, NIS 2 and DORA:

  • Specific reference to cloud services
  • Legally mandatory implementation
  • Specification of concrete security requirements
  • Implementation of a service-related ICS required/possible
  • Adaptability to company specifications

THESE ARE YOUR CONTACTS

Justus Franke

Managing Director, Certified Public Accountant

Justus Franke is a managing partner at ADVANTA. As an auditor and consultant, he supports companies in the design, implementation and audit of management and control systems – with a particular focus on process-oriented governance, risk management and compliance.

Lena Franke

Managing Director, Certified Public Accountant


Lena Franke is a managing partner at ADVANTA. She advises companies on the design, development and audit of management systems – with a particular focus on quality management as well as energy and environmental management. Her expertise lies in the practical implementation of normative requirements and the continuous improvement of operational processes.

Nils Lingthaler

Manager, ISO 27001 Auditor

Nils Lingthaler is a Manager at ADVANTA. As an industrial engineer and certified ISO 27001 auditor, he advises companies on IT compliance, information security, and management and control systems. His focus is on the introduction and further development of management systems as well as the practical implementation of regulatory requirements.

FAQ

What is the C5?
The BSI C5 criteria catalogue contains minimum requirements for secure cloud computing as specified by the BSI. From the BSI's perspective, it consolidates criteria that cloud providers should meet regardless of the application context in order to guarantee a minimum level of security for their cloud services towards their customers.

After successful audit of all criteria by certified public accountants, the cloud provider is issued a C5 attestation covering the audited cloud services.

What is assessed in a C5 audit?
In a C5 audit, one or more cloud services of a cloud provider are assessed for defined regions. A C5 attestation is therefore not issued for a cloud provider as a whole, but always only for the audited cloud services within the specified geographical regions of the cloud provider.

What is a C5 attestation?
A C5 attestation is an assurance report issued following the audit of one or more cloud services, in which at least all basic criteria of the C5 criteria catalogue have been assessed.

This audit is conducted in accordance with the international standard ISAE 3000, or its national equivalents. Under this standard, only certified public accountants are permitted to conduct audits and issue corresponding attestations.

What is the difference between an attestation and a certificate?
A certificate involves three different parties: the auditee, the auditor, and the certification body. The audit report of the auditor – accredited by the certification body – is submitted to the certification body for review. If it complies with the certification regulations, the certification body issues the corresponding certificate. The involvement of these three parties is intended to ensure the quality and comparability of certificates. It also prevents or discourages "courtesy certificates". Attestation, on the other hand, involves only two parties: the auditee and the auditor.

The auditor is engaged and paid by the auditee, creating a dependency that could potentially affect the quality of the attestation. To counteract this, the C5 uses a procedure in which the auditor is generally liable for their audit performance. After the C5 criteria have been audited, an attestation is issued.

Who is authorised to issue a C5 attestation?
Under current regulations, only certified public accountants are authorised to issue a C5 attestation. ADVANTA is a recognised auditing firm – contact us now.

What happens when an attestation and a certification are carried out simultaneously?
Conducting an attestation and a certification simultaneously offers one major advantage: since all requirements of ISO/IEC 27001 are also covered in the C5, the principle of "audit once – certify many" can be applied. This means that the results of a single audit can be used for multiple purposes – for example, for the C5 and for an ISO/IEC 27001 certificate simultaneously. This significantly reduces the effort involved in carrying out the audit.

Is a valid ISO 27001 certification required for a C5 attestation?
No, an ISO 27001 certification is not a prerequisite for a C5 attestation. However, many C5 requirements are aligned with ISO/IEC 27001. An existing certification can therefore be beneficial and facilitate the audit process, but it is not mandatory. Find out more about ISO 27001 certification.

Does a C5 attestation cover the entire organisation or only the cloud service?
A C5 attestation applies exclusively to the audited cloud service, not to the organisation as a whole. The assessment covers the specific service, including its processes, security measures and infrastructure as operated during the audit period.

What is meant by a service-related internal control system (ICS)?
A service-related internal control system (ICS) encompasses all organisational measures and controls implemented by a cloud service provider to ensure security, proper conduct and regulatory compliance in the operation of its services. It forms the basis for the C5 audit, as it documents and safeguards the implementation of the requirements.