Secure Cloud Computing: Audits according to the BSI C5 Catalog

Testing the transparency and IT security of your cloud service

Are you a cloud service provider looking for an objective assessment of your current cloud infrastructure? A transparent assessment can be obtained by completing an audit in accordance with the Cloud Computing Compliance Controls Catalog, C5 for short, of the Federal Office for Information Security (BSI). Under the guidance of the auditing company FIDES Treuhand GmbH & Co. KG, we carry out corresponding C5 audits and can provide you with a meaningful and comprehensive audit report.

IT-Grundschutz Sicheres Cloud Computing: Prüfungen nach BSI C5-Katalog IT-Grundschutz Sicheres Cloud Computing: Prüfungen nach BSI C5-Katalog IT-Grundschutz Sicheres Cloud Computing: Prüfungen nach BSI C5-Katalog IT-Grundschutz Sicheres Cloud Computing: Prüfungen nach BSI C5-Katalog

Your benefits at a glance

  • Objective evaluation of your cloud infrastructure by an independent third party
  • You will receive a comprehensive report on the audited control and monitoring measures, including an assessment of their appropriateness and effectiveness
  • A transparent audit provides customers with the information they need to choose you as a trustworthy cloud computing provider
  • For federal agencies: Provides evidence that the external cloud computing provider adequately meets the C5 baseline requirements

What are the advantages of a C5 audit?

When companies choose a cloud solution and an associated cloud computing provider, they must be confident that their data will be secure. A C5 audit provides objective proof that you as a provider have taken appropriate security measures in accordance with the C5 catalog and therefore fulfill the minimum level of IT security required by the BSI. The result is a detailed audit report on the organizational structure and processes of your security and monitoring measures as well as their suitability and effectiveness. This allows potential customers to obtain full transparency regarding your service from the outset through an independent third party.

The BSI C5 catalog contains criteria for assessing the information security of a cloud service, which have been derived from various national and international standards. It therefore combines different minimum requirements for secure cloud computing in just one document and in recent years has successfully established itself as a security standard within the cloud industry.

The criteria catalog is currently available in the 2020 version and covers a total of 17 subject areas. These in turn contain various basic requirements and objectives that the cloud computing provider must adhere to. An audit in accordance with the C5 catalog can be combined with a standard audit by an auditor or with an audit, e.g. in accordance with ISO 27001 or ISO 22301, in order to make use of synergy effects.

Frequently asked questions:

What topics does the C5 catalog cover?

The catalog C5:2020 contains 125 criteria that can be classified into the following 17 subject areas:

  • Organisation of Information Security (OIS)
  • Security Policies and Instructions (SP)
  • Personnel (HR)
  • Asset Management (AM)
  • Physical Security (PS)
  • Operations (OPS)
  • Identity and Access Management (IDM)
  • Cryptography and Key Management (CRY)
  • Communication Security (COS)
  • Portability and Interoperability (PI)
  • Procurement, Development and Modification of Information Systems (DEV)
  • Control and Monitoring of Service Providers and Suppliers (SSO)
  • Security Incident Management (SIM)
  • Business Continuity Management (BCM)
  • Compliance (COM)
  • Dealing with Investigation Requests from Government Agencies (INQ)
  • Product Safety and Security (PSS)
Which national and international standards does the C5 catalog cover?

The C5 criteria were derived from the following national and international standards:

  • DIN EN ISO/IEC 27001:2017 – Information security management systems
  • DIN ISO/IEC 27002:2016 – IT security procedures
  • ISO/IEC 27017:2015 – Security techniques
  • BSI – IT Baseline Security, 2nd Edition 2019
  • CSA – Cloud Controls Matrix 3.0.1 (CSA CCM)
  • AICPA – Trust Services Criteria 2017 (TSC)
  • ANSSI – Providers of cloud computing services v. 3.1 (SecNumCloud)
  • IDW RS FAIT 5 – Statement on Financial Reporting: "Principles of Orderly Accounting for the Outsourcing of Financial Reporting-Related Services including Cloud Computing", as at November 4, 2015
What are the main changes in C5:2020?

The new version of the C5 catalog was completed in January 2020. The updates include:

  • two new subject areas
    C5:2020 has been extended to cover Product Safety and Security (PSS) and Dealing with Investigation Requests from Government Agencies (INQ).
    Product safety and security refers to the security of the cloud service itself and requires, for example, that the cloud computing provider issues guidelines on how to configure the service securely. The requirements of the new area are derived from the EU Cybersecurity Act, among others.
    The subject area dealing with investigation requests from government agencies is intended to ensure that requests for investigations by government agencies for judicial review are dealt with appropriately.
  • the revision of security criteria
    Some of the security criteria of the C5:2016 have been fundamentally revised to further improve their quality. In addition, for each criterion there are now instructions as to whether - and if so, how - this can be checked within the framework of a continuous audit. Furthermore, the new corresponding criteria describe the interfaces between cloud computing providers and cloud customers in order to make cloud customers aware of their role in the secure use of a cloud service

  • enabling a direct audit
    Previously, a cloud computing provider had to submit an independently prepared system description prior to a relevant audit. With C5:2020, it is now possible to have a direct audit and to have a comparable description prepared by an auditor.

Why we are a strong partner for you

Double the expertise

Experienced auditor meets IT security expert. Benefit from the concentrated know-how of this partnership.

For companies of any size

We carry out audits for large, internationally positioned cloud computing providers as well as for small and medium-sized cloud service providers.


Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

You have questions? We are pleased to help!

Further services

ISO 27001

As a certified IT security service provider by the German Federal Office of Information Security (BSI), TÜViT supports companies and public authorities with the planning, implementation, monitoring and continuous improvement of their information security management system.
Read more


With a certification under ISO 27001 based on the “BSI IT-Grundschutz” standard, you show your customers and business partners the importance you associate with IT security, since the level of your information security fulfills the requirements of the BSI.
Read more

ISMS for the Energy Industry

TÜViT supports grid operators with the rollout of their ISMS according to ISO 27001, taking into account ISO 27019.
Read more