The BSI C5 Criteria Catalogue contains minimum requirements for secure cloud computing, which have been specified by the BSI. From the BSI's perspective, it summarizes criteria that cloud providers should meet regardless of the application context to ensure a minimum level of security for their cloud services towards their customers.

After successful examination of all criteria by auditors, the cloud provider is issued a C5 attestation for the audited cloud services.

During a C5 examination, one or more cloud services of a cloud provider are audited for defined regions. A C5 attestation is therefore not issued for a cloud provider as a whole, but always only for the audited cloud services in the defined geographical regions of the cloud provider.

A C5 attestation is a confirmation statement in the form of an audit report, following an examination of one or more cloud services, in which at least all basic criteria of the C5 criteria catalogue have been audited.

This examination is carried out according to the international standard ISAE 3000 or its national equivalents. According to this standard, only certified auditors may conduct audits and only they may issue corresponding attestations.

With a certificate, there are three different parties: auditee, auditor, and certification body. The audit report from the auditor accredited by the certification body is sent to the certification body for review. If it complies with the certification regulations, the certification body issues a corresponding certificate. The involvement of these three parties is intended to ensure the quality and comparability of certificates. Furthermore, such a procedure prevents or makes "favor certificates" more difficult. With attestation, there are only two parties: the auditee and the auditor.

The auditor is commissioned by the auditee and paid by them. This creates a dependency of the auditor on the auditee, which can lead to an impairment of the quality of the attestation. To counteract this, a procedure was chosen for C5 in which the auditor is generally liable for their audit services. Following an examination of the C5 criteria, an attestation is issued.

According to current regulations, only certified auditors can issue a C5 attestation. ADVANTA is a recognized auditing firm - contact us now.

Simultaneous execution of attestation and certification has the following major advantage: Since all requirements of ISO/IEC 27001 are also listed in C5, the principle of "audit once – certify many" can be applied when conducting attestation and certification simultaneously. This means that the result of the audit can be used for different audits, e.g., for C5 and for an ISO/IEC 27001 certificate. This significantly reduces the effort required to conduct the audit.

No, an ISO 27001 certification is not a prerequisite for a C5 attestation. However, many requirements of C5 are based on ISO/IEC 27001. An existing certification can therefore be helpful and facilitate the audit, but it is not mandatory. Learn more about ISO 27001 certification now.

A C5 attestation refers exclusively to the audited cloud service, not to the entire organization. The respective service is specifically assessed, including its processes, security measures, and infrastructure as they were operated during the audit period.

A service-related internal control system (ICS) encompasses all organizational measures and controls that a cloud service provider implements to ensure security, proper operation, and regulatory compliance when operating their services. It forms the basis for the C5 audit, as it documents and safeguards the implementation of requirements.