
BSI C5 - discovered, explained

BSI C5

Your cloud service checked for transparency and IT security

Are you a provider of a cloud service and would like to have your current cloud infrastructure objectively assessed? With an audit in accordance with the Cloud Computing Compliance Controls Catalogue, C5 for short, from the German Federal Office for Information Security (BSI), you will receive a transparent assessment.

What is the C5 criteria catalog?

The C5 (Cloud Computing Compliance Controls Catalogue) is a framework developed by the German Federal Office for Information Security (BSI) to ensure the security and compliance of cloud services. It provides a comprehensive collection of security controls that cloud providers should implement to ensure data protection and compliance with security standards.

The C5 catalogue is particularly aimed at companies that use or offer cloud services and helps them to understand and implement security requirements. By applying C5, organisations can increase the transparency and security of their cloud services and strengthen the trust of their customers.


Cloud-specific regulations in healthcare

With the new Section 393 "Cloud use in healthcare; authorisation to issue ordinances" in the German Social Code (SGB) V, the Federal Ministry of Health is increasing the protection of sensitive, personal social and health data.

Health insurance funds and service providers as well as their respective contract data processors may only process such data using cloud-based applications if the following requirements are met:

  • The provider of the cloud-based service has a BSI C5 Type 1 or Type 2 audit report that covers the BSI C5 Basic Criteria.
  • The institution using the cloud service has
    ◦ taken appropriate and state-of-the-art technical and organisational measures to secure cloud use, and
    ◦ implemented the end user controls formulated by the cloud provider in the BSI C5 audit report.

This also applies to organisations that have set up private clouds and use them themselves, including organisations that are not traditional IT or cloud providers: research institutions, pharmaceutical companies or other service providers that store and process personal health data in their private cloud, for example.

A new regulation is currently being drafted, the "C5 Equivalence Regulation", which is likely to extend the requirements.


Regulation on equivalent safety certificates to the C5 standard

Alternative standards

Until now, the BSI C5 Type 1 or Type 2 test report was the optimal choice for covering the BSI C5 basic criteria (see Section 393 (4) sentence 3 SGB V) and ensuring the security of cloud-based services. In order to avoid duplication in the fulfilment of the criteria, the Federal Ministry of Health defines alternative standards in its C5 equivalence regulation ("Regulation on equivalent proof of security to the C5 standard for cloud computing services in the healthcare sector").

The C5 equivalence regulation contains the following criteria:

An alternative standard to the C5 Type 1 or Type 2 certificate is

If a cloud service is certified according to one of these standards, it can be considered secure within the meaning of the German Social Security Code, provided that certain additional requirements are met.

Additional requirements for alternative standards

Action plan in accordance with Section 1 (2) C5 equivalence regulation: The service must have a plan that shows how it fulfils the requirements of the C5 criteria catalogue.

This plan must at least

  • document which security requirements of the C5 catalogue are not covered by the existing standard.
  • explain what technical and organisational measures will be taken to close these uncovered gaps.
  • contain a milestone plan that ensures that all measures to close the gaps will be implemented within 12 months of the milestone plan being drawn up.
  • include documentation of measures to achieve a C5 Type 1 certificate within 18 months of the milestone plan being drawn up and to achieve a C5 Type 2 certificate within 24 months of the milestone plan being drawn up.

Submission requirement

The action plan and the existing certificate must be presented to healthcare providers and the responsible supervisory authorities on request.


Special features of the BSI C5 criteria catalog

  • Is a framework developed by the BSI to ensure the security and compliance of cloud services
  • Supports the systematic improvement of the IT security of your cloud service
  • Helps to identify potential security gaps and risks at an early stage
  • Provides customers with a sound basis for choosing a cloud provider

Contact

Advisory: TÜV NORD IT Secure Communication | Berlin
Auditing: TÜV Informationstechnik | Essen

Frequently Asked Questions (FAQ)

What you need to know about BSI C5

C5 test certificates always refer to a past, completed period. In this respect, they can only lose their validity if it can be proven that false statements were made (negligently, grossly negligently or intentionally) for the reporting period. However, a C5 test certificate that is several years old is hardly useful for the risk management of current customers. For this reason, C5 audits are usually repeated annually.

The C5 is aimed at cloud customers, cloud providers and their auditors. The provider must implement the criteria of the C5 and the auditor must provide evidence of conformity.

As the term "cloud" is used in a variety of ways, the C5 can also be used for IT services that do not explicitly have "cloud" in their title but are related to cloud services. The basic security requirements for a cloud service are covered by the C5, although a cloud customer must still check whether the criteria are also sufficiently addressed for their own specific use case. This allows a cloud customer to focus more on their own individual information security requirements and their implementation or their own criteria that go beyond the basic level of the C5. The criteria are applicable across all sectors.

No, the C5 is primarily focussed on information security and not data protection. If you use a C5-tested cloud service, it is therefore not automatically data protection-compliant.

The C5 includes all the criteria of ISO/IEC 27001 in the basic criteria. This means that a cloud provider that has implemented ISO/IEC 27001 has already implemented measures for many of the criteria in the catalogue. For the basic criteria, the C5 requires a management system that is based on ISO/IEC 27001.

The ISO/IEC 27017 standard "Code of practice for information security controls based on ISO/IEC 27002 for cloud services" extends the ISO/IEC 27002 standard to include cloud-specific implementation instructions. It also includes some additional criteria in the appendix, which can also be found in C5. The code of practice is a good reference for implementing the C5 criteria.

ISO/IEC 27018 "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" deals with the protection of personal data in cloud computing. It is closely modelled on European data protection, but is not normative in nature. As the C5 does not deal with data protection, ISO/IEC 27018 can be used as a very helpful supplement to data protection.

The C5 report must indicate which services of a cloud provider have been subject to a C5 audit. As this does not necessarily cover the entire infrastructure and all services of a cloud provider, the cloud customer must first ensure that the services they use are also covered by the C5 test certificate.

No, there is currently no official C5 logo.

The BSI C5 criteria catalogue contains 121 criteria for the information security of cloud services. These are divided into 17 subject areas, each of which is assigned an objective to be achieved by the criteria. The areas are based on the presentation of the objectives from ISO/IEC 27001:2013 Annex A:

No. | Area | C5 section | Objective
1 | Organisation of information security (OIS) | 5.1, p. 37 | Planning, implementation, maintenance and continuous improvement of an information security framework within the organisation
2 | Security policies and work instructions (SP) | 5.2, p. 42 | Provide guidelines and instructions regarding the security claim and to support business requirements
3 | Human Resources (HR) | 5.3, p. 45 | Ensure that employees understand their roles, are aware of their responsibilities in relation to information security and that the organisation's assets are protected when roles change or are terminated
4 | Asset Management (AM) | 5.4, p. 49 | Identify the organisation's assets and ensure an appropriate level of protection throughout their lifecycle
5 | Physical security (PS) | 5.5, p. 54 | Prevent unauthorised physical access and protect against theft, damage, loss and operational failure
6 | Regular operation (OPS) | 5.6, p. 61 | Ensuring proper regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring of events and dealing with vulnerabilities, faults and errors
7 | Identity and authorisation management (IDM) | 5.7, p. 77 | Securing the authorisation and authentication of users of the cloud provider (usually privileged users) to prevent unauthorised access
8 | Cryptography and key management (CRY) | 5.8, p. 84 | Ensuring appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information
9 | Communication security (COS) | 5.9, p. 87 | Ensuring the protection of information in networks and the corresponding information processing systems
10 | Portability and interoperability (PI) | 5.10, p. 92 | Enabling the ability to access the cloud service via other cloud services or cloud customers' IT systems, to retrieve the stored data upon termination of the contractual relationship and to securely delete it from the cloud provider
11 | Procurement, development and modification of information systems (DEV) | 5.11, p. 95 | Ensuring information security in the development cycle of system components of the cloud service
12 | Control and monitoring of service providers and suppliers (SSO) | 5.12, p. 101 | Ensuring the protection of information that service providers or suppliers of the cloud provider (sub-service providers) can access and monitoring the agreed services and security requirements
13 | Dealing with security incidents (SIM) | 5.13, p. 106 | Ensuring a consistent and comprehensive procedure for recording, evaluating, communicating and handling security incidents
14 | Business continuity and incident management (BCM) | 5.14, p. 110 | Plan, implement, maintain and test procedures and measures for business continuity and emergency management
15 | Compliance (COM) | 5.15, p. 113 | Avoiding violations of legal, regulatory, self-imposed or contractual information security requirements and verifying compliance
16 | Dealing with enquiries from government agencies (INQ) | 5.16, p. 116 | Ensure appropriate handling of government investigation requests with regard to legal review, informing cloud customers and limiting access to or disclosure of data
17 | Product security (PSS) | 5.17, p. 118 | Providing cloud customers with up-to-date information on the secure configuration and known vulnerabilities of the cloud service, suitable mechanisms for error handling and logging as well as for authentication and authorisation of cloud customer users