Cloud Computing Compliance Controls Catalog (C5)



Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber-attacks within the context of the German Government's "Security Recommendations for Cloud Providers".

The C5 attestation can be used by AWS customers and their compliance advisors to understand the range of IT-Security assurance services that AWS offers as they move their workloads to the cloud. C5 adds the regulatory-defined IT-Security level equivalent to the IT-Grundschutz, with the addition of cloud-specific controls.

C5 adds controls that provide information pertaining to data location, service provisioning, place of jurisdiction, existing certification, information disclosure obligations, and a full-service description. Using this information, customers can evaluate how legal regulations (e.g. data privacy), their own policies, or the threat environment relate to their use of cloud computing services.

C5 Attestation for your SaaS and PaaS Applications

AWS customers can achieve a C5 attestation for cloud applications running on the AWS infrastructure. As of November 2016, AWS was the first Cloud Service Provider in Germany to receive C5 at the infrastructure level. With the C5 report, AWS lays the foundation for documenting C5 compliance as an Infrastructure as a Service (IaaS) provider.

AWS customers can now achieve a C5 attestation for their cloud applications without being required to audit the physical security of data centers or the infrastructure of the cloud. Customers can also attest applications deployed as Software as a Service (SaaS) and Platform as a Service (PaaS) to the C5 attestation framework. Their customers thus receive proof that they are effectively implementing the BSI standard level of IT security at all layers.

C5 Customer Testimonials

The BSI Cloud Computing Compliance Control Catalogue (C5) covers all aspects of a securely operated Cloud Service. For current AWS customers, the internal discussion with the Security and Compliance Manager will be considerably facilitated. For potential customers, it will be much easier to transfer Use Cases to AWS. In either case, we take it that the attestation will significantly raise service consumption.

Computacenter AG & Co oHG

The BSI C5 attestation is proof that the Box Cloud is a secure cloud solution for Enterprise Content Management. Through its commitment to and investment in compliance in both Germany and Europe, Box shows how important these markets are for the company. Box utilizes, among others, the AWS infrastructure in the Frankfurt region, which is also C5 compliant.

Box, Inc.

"AWS C5 attestation, a scheme designed for managing the infrastructure, is significant proof of information security for us and our customers in the areas of data center, server, network and data. With AWS' reliable security, we can place our energy and focus on our own business, knowing we are in good hands."

e-Spirit AG

The following FAQs are intended as a guide to receiving C5 attestation for your SaaS and PaaS applications. Additional information about C5 and the “Cloud Computing Compliance Controls Catalogue (C5) - Criteria to assess the information security of cloud services” can be found on the BSI website.

  • Which AWS services are in scope for C5?

    The covered AWS services that are already in scope for C5 can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact us.

  • What is C5?

    C5 (Cloud Computing Compliance Controls Catalogue) is the “cloud computing IT-Security” standard in Germany. Designed and released by the BSI in February 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to Cloud Computing Service providers such as AWS. C5 covers the following international standards:

    • ISO/IEC 27001:2013 (ISO - International Organization for Standardization)
    • CSA Cloud Controls Matrix 3.01 (CSA - Cloud Security Alliance)
    • AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)
    • ANSSI Référentiel Secure Cloud 2.0 (Draft) (ANSSI - Agence nationale de la sécurité des systèmes d'information)
    • IDW ERS FAIT 5 04.11.2014 (draft of a statement on accounting: "Grundsätze ordnungsmäßiger Buchführung bei Auslagerung von rechnungslegungsrelevanten Dienstleistungen einschließlich Cloud Computing" ["Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing"], version of 4 November 2014)
    • BSI IT-Grundschutz Catalogues, 14th Version 2014
    • BSI SaaS Sicherheitsprofile 2014 [BSI SaaS Security Profiles 2014]
  • Who created this new standard?

    Germany’s national cybersecurity authority Bundesamt für Sicherheit in der Informationstechnik (BSI) created the C5 standard. BSI defines the IT-Security requirements for all governmental systems, and most German companies align their IT-Security strategy with BSI standards.

  • Why was a new standard created?

    Controls from the standards mentioned above were collected and then packaged specifically for the scope of Cloud Computing. This benefits the CSP and the customer by providing a clear understanding of the role of the CSP and the role of the customer in the Shared Responsibility Model.

  • What is the difference between C5 and IT-Grundschutz of BSI?

    IT-Grundschutz is a standard for establishing and maintaining appropriate protection of an institution's information. The IT-Grundschutz Catalogues describe safeguards for typical business processes, IT systems and applications, and address the protection of an enterprise's own information. C5 provides guidance on cloud service provider (CSP) offerings.

  • What is the difference between a certification and an attestation?

    A certification is issued by an accredited specialized company and often lasts between one and three years. An attestation can be received during a compliance audit or an accounting by qualified personnel. An attestation focuses more on the continuous implementation aspect, which means that the re-audit cycle is much shorter – down to 6 months. According to ISAE 3000 / 3402, the audit process delivers evidence of appropriateness and effectiveness over a past range of time. A certification is just a snapshot in time.

  • What are the customer benefits of this standard?

    Specifically, in Germany customers are used to looking for services which are certified against the BSI defined German IT-Grundschutz (IT baseline security). The IT-Grundschutz works well for on-premise or traditional outsourcing relationships, but is not optimized for Cloud Computing. C5 provides customers with a report documenting an equivalent IT-Security level to the IT-Grundschutz covering all IT-Security aspects for Cloud Computing. For authorities, a C5 attestation is a basic requirement in the procurement process.

  • How will AWS support me in receiving C5 attestation for my SaaS and PaaS applications?

    C5 is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It defines which requirements (also referred to as controls) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet. AWS customers benefit from the C5 attestation for the infrastructure (IaaS) layer allowing them to focus on the attestation of their SaaS / PaaS-layer applications.

    In November 2016, AWS was the first Cloud Service Provider in Germany to receive C5 at the infrastructure level. With our C5 attestation, we have laid the foundation for you to receive the C5 attestation for your cloud applications from your auditor. This gives AWS customers the opportunity to pursue their own C5 attestation without needing to include the physical security of data centers and the management of the cloud infrastructure in the scope of their individual audit. Applications deployed as Software as a Service (SaaS) and Platform as a Service (PaaS) can also be attested to the C5 attestation framework. Your customers thus receive proof that you are effectively implementing the BSI standard level of IT security at all layers.

  • How do I get a C5 attestation?

    The compliance controls catalogue specifies that a public auditor issues an attestation for the cloud services examined according to an internationally recognized procedure. The basis for the attestation is an audit report in which the auditor demonstrates whether the requirements were met and implemented effectively.

    For questions regarding the preparation and execution of a C5 audit, please contact your auditor.

  • Which criteria should I pay attention to when choosing an auditor?

    An annual audit is usually not carried out by a public auditor in person, but by a team. This team also includes IT experts. In order to attest to the compliance controls catalogue, team members must verify that they are qualified (see Section 3.5.1). Examples include certifications from the ISACA (CISA, CISM, CRISC), the CSA (CCSK) or ISO 27001 and IT-Grundschutz auditors. These qualifications must be listed and verified in the attestation.

  • How long does the audit process take to get a C5 attestation?

    The duration of the audit process depends on the existing certifications in your company. A certification such as ISO 27001 shortens the audit process. It is recommended to do an attestation together with a certification, since all the requirements of ISO IEC 27001 are also listed in the compliance controls catalogue.

  • Does this standard have an international impact?

    BSI has aligned this work with ANSSI and their upcoming Secure Cloud Label. The C5 standard has been influenced by, and has in turn influenced, the Secure Cloud standard in France, with the clear goal of having the option for mutual recognition under a common label called ESCloud.
