Anyone wanting to sell cloud services in Germany to the public sector, to healthcare or to regulated companies rarely gets past three letters and a digit: C5. The BSI's catalogue has established itself as the reference for what a secure cloud service must deliver at a minimum.
What is BSI C5?
C5 stands for Cloud Computing Compliance Criteria Catalogue, a catalogue of requirements from the German Federal Office for Information Security. The current version, C5:2020, bundles a good 120 basic criteria into 17 subject areas, from the organisation of information security through identity and rights management, cryptography and communications security to the handling of security incidents. Supplementary additional criteria cover elevated protection needs.
What is special is the form of proof: C5 is not a certification but an attestation. An auditor examines it according to international auditing standards and certifies the result in a detailed report. In the Type 1 attestation, the appropriateness of the controls is assessed at a given cut-off date; in the more meaningful Type 2 attestation, their effectiveness over a period of usually twelve months is assessed as well.
How does a C5 attestation work?
- System description: The cloud provider describes its service, the boundaries of the audit and the environmental parameters, such as data centre locations and subcontractors.
- Assign controls: For each applicable criterion, the provider documents the controls that have been implemented.
- Independent audit: The auditor tests the design and, for Type 2, the effectiveness of the controls during the audit period.
- A report instead of a seal: The result is a comprehensive audit report that the provider makes available to its customers for their own risk assessment; deviations are disclosed rather than hidden.
Why C5 matters
- For cloud services used by the German federal administration, the C5 proof is the established benchmark, and many federal states and municipalities take their lead from it.
- In healthcare, the C5 attestation is anchored in law, for example for digital health applications and further services that process social data in the cloud.
- The detailed audit report allows customers a genuine risk assessment instead of a mere logo on the website.
- The catalogue translates abstract cloud security into concrete, testable criteria and thereby also makes internal requirement lists easier.
Typical scenarios
- A state authority requires a C5 Type 2 attestation for the offered SaaS solution in its tender.
- The maker of a digital health application needs the attestation of its cloud operator for approval.
- A corporation uses the C5 report of its cloud provider as the basis for its own supplier risk assessment under ISO 27001.
- A cloud provider uses the C5 criteria as a blueprint before it even enters the audit.
Reading the C5 report correctly
For cloud customers, the report is more valuable than any logo, provided you read it in full. Three places deserve particular attention. The system description shows which services, locations and subcontractors were actually audited; an attestation for a different region or a sister product is of little help. The disclosed deviations show where controls were not effective or only partially effective, and how the provider responded. And the complementary customer controls list what the provider expressly expects from you, such as maintaining permissions, secure configuration and securing the connection.
The last point in particular is often overlooked: even the provider's best attestation does not cover the customer side. Anyone who does not implement their own obligations from the report is running an audited service in an unaudited environment.
C5 and ISO 27001: the difference
The two forms of proof complement each other. ISO 27001 certifies the management system of an organisation; the certificate confirms that security processes exist and are practised. C5, by contrast, examines cloud-specific controls of a concrete service and, instead of a certificate, delivers a detailed audit report that, in the case of Type 2, proves effectiveness over months. In practice, demanding customers ask for both: ISO 27001 for the organisation, C5 for the cloud service. The entry on cybersecurity compliance provides an overview of the whole set of frameworks.
Working with KAEMI
For customers, C5 is above all a matter of selection and connectivity: which cloud services meet the benchmark, and how does the data get there securely? KAEMI supports you in selecting attested platforms for Compute & AI and builds the private, verifiably secured connection via Cloud Connectivity & SDN , so that the path into the audited cloud does not become the unaudited gap. We support the assessment of the audit reports within your supplier management in a requirements-oriented way.