The Cloud Computing Compliance Controls Catalog (C5) is a German government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). It helps organizations demonstrate operational security against common cyber-attacks within the context of the German government's "Security Recommendations for Cloud Providers".

AWS customers and their compliance advisors can use the C5 attestation to understand the range of IT security assurance services that AWS offers as they move their workloads to the cloud. C5 adds a regulatory-defined IT security level equivalent to IT-Grundschutz, with the addition of cloud-specific controls.

C5 also adds controls that provide information on data location, service provisioning, place of jurisdiction, existing certification, information disclosure obligations, and a full service description. Using this information, customers can evaluate how legal regulations (i.e., data privacy), their own policies, or the threat environment relate to their use of cloud computing services.

The BSI Cloud Computing Compliance Control Catalogue (C5) covers all aspects of a securely operated Cloud Service. For current AWS customers, the internal discussion with Security and Compliance Managers will be considerably facilitated. For potential customers, it will be much easier to transfer Use Cases to AWS. In either case, we take it that the attestation will significantly raise Service Consumption.
Computacenter AG & Co oHG

Designed and released by the BSI in February 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to Cloud Computing Service providers such as AWS.

The following standards have been taken into account by the BSI:

• ISO/IEC 27001:2013 (ISO - International Organization for Standardization)

• CSA Cloud Controls Matrix 3.01 (CSA - Cloud Security Alliance)

• AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)

• ANSSI Référentiel Secure Cloud 2.0 (Draft) (ANSSI - Agence nationale de la sécurité des systèmes d'information)

• IDW ERS FAIT 5 04.11.201 (draft of a statement on accounting: "Grundsätze ordnungsmäßiger Buchführung bei Auslagerung von rechnungslegungsrelevanten Dienstleistungen einschließlich Cloud Computing" [Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing], 4 November, 2014 version)

• BSI IT-Grundschutz Catalogues, 14th version 2014

• BSI SaaS Sicherheitsprofile 2014 [BSI SaaS security profiles 2014]

