C5: BSI Cloud Computing Compliance Criteria Catalogue
1. Overview
What C5 Is
The Cloud Computing Compliance Criteria Catalogue (C5) is the cloud assurance criteria catalogue published and maintained by Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). It defines a comprehensive set of minimum requirements for cloud service providers (CSPs) and the corresponding criteria against which a CSP is examined by an independent auditor. The current edition is C5:2020 (with subsequent BSI updates and clarifications); BSI publishes the catalogue at bsi.bund.de.
Who It Applies To
C5 is a German-government-led standard but increasingly recognized across the European market. It is mandatory or strongly expected for CSPs supplying federal-government workloads in Germany under the Federal IT Strategy, and is referenced by Germany's largest enterprises and many Austrian and Swiss buyers. It is also a recognized baseline for Schwarz Group, Deutsche Bahn, and other large-scale European cloud procurements. The catalogue addresses Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service.
Attestation Types
An independent auditor (typically a CPA firm in Germany, Wirtschaftsprüfer in German) examines the CSP's controls and issues an attestation report under ISAE 3000 (or the equivalent German standard IDW PS 860). Three report types:
- AT-1 Type 1 — examination of the design and implementation of controls at a point in time. Similar in scope to a SOC 2 Type 1.
- AT-2 Type 2 — examination of design, implementation, and operating effectiveness over a defined observation period (typically 6–12 months). Similar in scope to a SOC 2 Type 2.
- AT-3 — additional examination format for selected criteria where deeper assurance is required.
Outcome
An ISAE 3000 (IDW PS 860) attestation report covering the C5 criteria, accompanied by the CSP's System Description. The report is consumed by procurement teams at regulated and risk-conscious enterprise buyers, in particular in the German public sector and the German DAX 40 supply chain.
Security Consultants supports CSPs preparing for C5 through the C5 service, typically alongside ISO 27001 and SOC 2 programs to share controls and evidence with international audiences.
2. Scope & Applicability
System Description (SoyD)
The C5 examination requires a System Description analogous to a SOC 2 System Description. It describes the cloud service, the supporting infrastructure, the criteria in scope, the controls implemented, the location of processing, the personnel involved, and any subservice organizations and Complementary User Entity Controls (CUECs). The SoyD is reviewed by the auditor and becomes part of the published report.
Basic Criteria vs Additional Criteria
C5 distinguishes Basic Criteria (the baseline expected of any cloud service in the scope of the report) from Additional Criteria (heightened expectations for higher-assurance workloads). The CSP and the auditor agree which Additional Criteria are in scope based on the customer-base profile and the data sensitivity served.
Subservice Organizations
CSPs operating on top of an underlying IaaS provider (AWS, Azure, GCP, Oracle, IBM, or sovereign-cloud variants) follow a carve-out or inclusive method analogous to SOC 2. The underlying IaaS providers typically maintain their own C5 attestations covering the inherited controls.
Data Residency
C5 itself is not a data-residency standard, but enterprise customers reading the C5 report typically expect German or EU data residency for sensitive workloads. The SoyD documents the actual processing locations.
3. Core Principles
C5:2020 organizes its 121 Basic Criteria and the optional Additional Criteria into 17 subject areas. The structure aligns broadly to ISO 27001 Annex A while introducing cloud-specific articulations.
- OIS — Organization of Information Security
- HR — Human Resources
- AM — Asset Management
- PS — Physical Security
- RB — Regulatory Framework, Investigative Authorities, Data Protection
- OPS — Operations
- IDM — Identity and Access Management
- CRY — Cryptography and Key Management
- COS — Communications Security
- PI — Portability and Interoperability
- DEV — Procurement, Development and Modification
- SSO — Control and Monitoring of Service Providers and Suppliers
- SIM — Security Incident Management
- BCM — Business Continuity Management
- COM — Compliance
- INQ — Investigations by Government Agencies
- PSS — Product Safety and Security (added in newer revisions for selected categories)
The catalogue's distinct features versus SOC 2 or ISO 27001 are the explicit treatment of investigative-authority access (RB and INQ), the cryptography and key-management depth (CRY), and the regulatory and data-protection framing reflecting German legal expectations.
4. Control Breakdown
OIS — Organization of Information Security
Documented ISMS, governance, roles, segregation of duties. Maps to ISO 27001 Clauses 4–7 and Annex A.5.
HR — Human Resources
Background screening, terms of employment, training, disciplinary process, exit handling. Maps to ISO 27001 A.6.
AM — Asset Management
Inventory, classification, handling, return on exit. Maps to ISO 27001 A.5.9–5.13.
PS — Physical Security
Perimeter, entry controls, equipment, environmental safeguards. Maps to ISO 27001 A.7.
RB — Regulatory Framework
Compliance with applicable law and regulation, data protection (GDPR alignment), records management. Maps to ISO 27001 A.5.30–5.36 with additional German-law-specific framing.
OPS — Operations
Capacity, change management, malware protection, backup, logging and monitoring, vulnerability management, configuration management, time synchronization. Maps to multiple ISO 27001 A.8 controls.
IDM — Identity and Access Management
Identity lifecycle, authentication including MFA, privileged access, periodic access review. Maps to ISO 27001 A.5.15–5.18 and A.8.2–8.5.
CRY — Cryptography and Key Management
Algorithm selection per BSI Technical Guideline TR-02102; documented key management lifecycle; HSM use where required; customer key management options. Maps to ISO 27001 A.8.24 with more prescriptive expectations.
COS — Communications Security
Network segmentation, transmission protection, secure remote access. Maps to ISO 27001 A.8.13, A.8.20–8.22.
PI — Portability and Interoperability
Documented data export and migration capabilities. A C5-specific area not directly mirrored in ISO 27001.
DEV — Procurement, Development and Modification
Secure SDLC, change management, vulnerability handling in development. Maps to ISO 27001 A.8.25–8.32.
SSO — Control and Monitoring of Service Providers and Suppliers
Supplier inventory, due diligence, contractual security requirements, continuous monitoring. Maps to ISO 27001 A.5.19–5.22.
SIM — Security Incident Management
Detection, response, notification, lessons learned. Maps to ISO 27001 A.5.24–5.28.
BCM — Business Continuity Management
BCM policy, BIA, BCP and DR plans, testing, reporting. Maps to ISO 27001 A.5.29–5.30.
COM — Compliance
Compliance program, internal audit, management review. Maps to ISO 27001 Clauses 9 and 10.
INQ — Investigations by Government Agencies
Procedures and transparency around government data-access requests, including disclosure obligations to affected customers where lawful. A C5-specific area reflecting the German legal context.
PSS — Product Safety and Security
For selected service categories, additional product-side security requirements.
5. Minimum Requirements (Non-Negotiable)
Mandatory Documents
- System Description (SoyD) covering the cloud service, scope, controls, processing locations, subservice organizations, CUECs
- Information Security Policy and supporting policies
- Risk assessment and risk treatment documentation
- Compliance register
- Documented procedures for all 17 C5 subject areas
- Government investigative authority request handling procedure (INQ)
- Cryptography Policy aligned with BSI TR-02102
- Portability and interoperability documentation (PI)
- Subservice organization register
- Incident response plan and BCP / DR plans with test records
Mandatory Processes
- Risk assessment performed and updated
- Continuous vulnerability scanning and patch management
- Periodic access reviews
- Annual BCP and DR testing
- Annual security awareness training
- Subservice organization monitoring
- Incident response and customer notification
- Cryptography and key management lifecycle execution
Technical Controls Baseline
- Strong authentication including MFA on privileged access
- Network segmentation and boundary protection
- Cryptography aligned with BSI TR-02102
- Centralized logging and monitoring with retention sufficient for investigation
- Endpoint protection
- Configuration management with baselines and change control
6. Technical Implementation Guidance
Build on ISO 27001 / SOC 2 Foundation
C5 overlaps materially with ISO 27001 Annex A and SOC 2 Common Criteria. For CSPs already running an ISO 27001 ISMS, C5 readiness is primarily an exercise in: SoyD authoring; documentation alignment to the 17 subject areas; cryptography uplift to BSI TR-02102; explicit INQ procedures; and PI documentation.
Cryptography to BSI TR-02102
- Use algorithms recommended in TR-02102-1 (general), TR-02102-2 (TLS), TR-02102-3 (IPsec), TR-02102-4 (SSH)
- Document the algorithm inventory and any deviations with justification
- Manage keys through a documented lifecycle; for higher Additional Criteria, HSM use is expected
- Offer customer key management options where contractually required (some Additional Criteria assume customer-controlled keys)
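The algorithm inventory and deviation register above can be checked mechanically. The following is an added example, not BSI, C5 or Security Consultants code: it assumes a simplified TLS allow list and key-length minimums as a stand-in for the TR-02102 tables (verify them against the current TR-02102 edition), and reports every non-conformant system that lacks a written justification as an open CRY finding.

```python
"""C5 CRY-style check of a TLS algorithm inventory against a TR-02102 allow list.
Added example, not BSI/C5/project code; allow list is an assumed, simplified subset."""
from dataclasses import dataclass

# Assumed, simplified allow list (illustrative, not the full TR-02102-2 table).
ALLOWED_SUITES = {
    "TLS1.3": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"},
    "TLS1.2": {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
}
MIN_KEY_BITS = {"RSA": 3000, "EC": 250}  # assumed TR-02102-1 minimums

@dataclass
class Entry:
    system: str
    protocol: str  # e.g. "TLS1.2"
    suite: str     # IANA cipher suite name
    key_type: str  # "RSA" or "EC"
    key_bits: int

def check_entry(e: Entry) -> list[str]:
    """CRY findings for one inventory entry; an empty list means conformant."""
    findings = []
    suites = ALLOWED_SUITES.get(e.protocol)
    if suites is None:
        findings.append(f"protocol {e.protocol} not recommended")
    elif e.suite not in suites:
        findings.append(f"cipher suite {e.suite} not recommended")
    if e.key_bits < MIN_KEY_BITS.get(e.key_type, 10**9):
        findings.append(f"{e.key_type} key of {e.key_bits} bits below minimum")
    return findings

def assess(inventory: list[Entry], deviations: dict[str, str]) -> dict[str, list]:
    """Bucket systems as conformant, justified deviation or open finding; C5 CRY
    expects a written justification for every deviation, else it is reported open."""
    report = {"conformant": [], "justified": [], "open": []}
    for e in inventory:
        findings = check_entry(e)
        if not findings:
            report["conformant"].append(e.system)
        elif deviations.get(e.system, "").strip():
            report["justified"].append((e.system, findings, deviations[e.system]))
        else:
            report["open"].append((e.system, findings))
    return report

# Constructed sample inventory and deviation register (fictitious systems).
SAMPLE_INVENTORY = [
    Entry("api-gateway", "TLS1.3", "TLS_AES_256_GCM_SHA384", "RSA", 4096),
    Entry("metrics", "TLS1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "EC", 256),
    Entry("legacy-portal", "TLS1.2", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", 2048),
    Entry("backup-sync", "TLS1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", 2048),
]
SAMPLE_DEVIATIONS = {"legacy-portal": "contractual legacy client; decommission planned"}
```

Running `assess(SAMPLE_INVENTORY, SAMPLE_DEVIATIONS)` leaves `legacy-portal` as a justified deviation and surfaces `backup-sync` as an open finding, which is the distinction an auditor will look for in the deviation register.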
Government Investigative Authority Handling (INQ)
- Document the procedure for receipt, validation, escalation, and execution of government data-access requests
- Where lawful, disclose to affected customers
- Publish transparency-report-style information appropriate to the CSP's market position
Portability and Interoperability (PI)
- Document export formats and procedures
- Provide tooling or APIs that allow customers to export data without unreasonable effort
- Document interoperability standards supported
Subservice Organizations
- Maintain the subservice organization register
- Reference the underlying provider's C5 attestation where used (AWS, Azure, GCP and Oracle maintain C5 attestations for their German regions)
- Document Complementary Subservice Organization Controls (CSOCs) in the SoyD
Penetration Testing
- Annual penetration testing of the cloud service is expected at the Additional Criteria level. See our penetration testing service.
7. Policy & Procedure Requirements
- Information Security Policy
- Risk Management Procedure
- Access Control Policy and Procedures (IDM)
- Cryptography and Key Management Policy (CRY) aligned with BSI TR-02102
- Communications Security Policy (COS)
- Operations Security Procedures (OPS)
- Asset Management Policy (AM)
- Physical Security Procedures (PS)
- Procurement, Development and Modification Standard (DEV)
- Supplier and Service Provider Procedure (SSO)
- Security Incident Management Procedure (SIM)
- Business Continuity and DR Plans (BCM)
- Compliance and Internal Audit Procedure (COM)
- Government Investigative Authority Request Procedure (INQ)
- Portability and Interoperability Procedure (PI)
- Product Safety and Security Standard (PSS) where applicable
- System Description (SoyD)
For CSPs running parallel ISO 27001 and SOC 2 programs, most documents serve all three with C5-specific extensions. See our ISO 27001 service and SOC 2 service.
8. Audit Evidence & Verification
The C5 examination is performed by an independent auditor under ISAE 3000 (or IDW PS 860 for German audits). The auditor tests the CSP's controls per the agreed criteria set and produces the attestation report.
Typical Evidence Categories
- System Description (SoyD)
- Documented policies and procedures across all 17 subject areas
- Risk assessment and risk treatment records
- Operational evidence: change tickets, access reviews, vulnerability scans, monitoring logs, incident records
- Cryptography and key management evidence including algorithm inventory and lifecycle records
- Subservice organization register and reliance documentation
- BCP / DR test results
- Penetration test results (for Additional Criteria)
- INQ handling records
- PI documentation and export capability demonstrations
Common Remediation Items
- SoyD weaknesses: insufficient depth on processing locations, CUECs, CSOCs
- Cryptography inventory not aligned to BSI TR-02102
- INQ procedure absent or unrehearsed
- Portability and Interoperability documentation thin
- Subservice organization register stale or missing C5 reference
- Risk assessment treated as a one-off exercise
9. Implementation Timeline Considerations
Typical Duration
- First-time AT-1 Type 1 (ISO 27001 base in place): 4–6 months
- First-time AT-2 Type 2 (ISO 27001 base in place): 8–15 months including a 6–12 month observation period
- First-time program without ISO 27001 foundation: 12–18 months for AT-1 readiness
- Annual recertification: 6–10 weeks of auditor fieldwork plus continuous evidence collection
Milestones
- Scope and audience analysis
- Gap analysis against C5:2020 Basic Criteria and selected Additional Criteria
- SoyD authoring
- Documentation alignment to the 17 subject areas
- Cryptography uplift to BSI TR-02102
- INQ and PI procedure rollout
- Subservice organization register and reliance documentation
- Penetration testing and remediation
- Pre-audit readiness review
- AT-1 or AT-2 fieldwork by the auditor
- Report issuance
Dependencies
- Audit firm selection (typically a German Wirtschaftsprüfer firm)
- Subservice organization C5 documentation availability
- Engineering capacity for cryptography and PI uplift
- vCISO or program lead to coordinate (see vCISO service)
10. Ongoing BAU Requirements
- Annual AT-2 examination (or AT-1 for selected criteria)
- Continuous vulnerability scanning and remediation
- Quarterly access reviews
- Annual BCP and DR test
- Annual cryptography review against BSI TR-02102 updates
- Subservice organization C5 documentation tracked and renewed
- Continuous INQ procedure readiness
- Annual penetration test
- Continuous evidence collection through the observation period
- Customer notification mechanism for incidents and government requests where lawful
11. Maturity Levels
Minimum Compliance
- SoyD authored
- Basic Criteria implemented across the 17 subject areas
- Manual evidence collection
- AT-1 Type 1 report
Intermediate
- AT-2 Type 2 in operation with continuous evidence collection
- Selected Additional Criteria implemented
- Integrated ISMS evidence library shared with ISO 27001 and SOC 2
- Cryptography fully aligned with BSI TR-02102
Advanced
- Comprehensive Additional Criteria coverage
- Sovereign-cloud option with customer-controlled keys
- Public transparency reporting on government access requests
- Integrated C5 + ISO 27001 + SOC 2 + GDPR evidence library
12. FAQs
Is C5 a certification?
No. C5 is an attestation reported under ISAE 3000 (or IDW PS 860). It is analogous in form to a SOC 2 report, not to an ISO certification.
Who issues the C5 report?
An independent auditor, typically a CPA / Wirtschaftsprüfer firm authorized to perform ISAE 3000 / IDW PS 860 attestations. BSI does not directly certify or audit CSPs against C5. Security Consultants is not an attestation auditor — we prepare clients for the audit and manage the program.
Is C5 mandatory?
It is a contractual or procurement requirement rather than a regulatory mandate. The German federal government and many large German enterprises require C5 for cloud procurement. Other European buyers increasingly reference it.
How is C5 different from ISO 27001?
ISO 27001 is a certifiable ISMS standard. C5 is a cloud-service-specific control catalogue attested under ISAE 3000. They overlap on roughly 70–85 percent of underlying controls; a CSP commonly runs both. C5 adds cloud-specific articulations on subservice organizations, portability, government access (INQ), and BSI-aligned cryptography.
How is C5 different from SOC 2?
Structurally similar (both attestation reports based on a System Description tested by an auditor). C5 has cloud-specific subject areas not in SOC 2, including explicit INQ, Portability and Interoperability, and BSI-aligned cryptography expectations. SOC 2 has the Trust Services Criteria with their AICPA points of focus. A CSP serving both German enterprise and US enterprise typically runs both.
What is the relationship to BSI TR-02102?
BSI Technical Guideline TR-02102 (in four parts covering general, TLS, IPsec, SSH) is the authoritative German cryptography recommendation. The C5 CRY subject area expects alignment with TR-02102.
What is the relationship to the German federal IT-Grundschutz?
IT-Grundschutz is the broader German federal information security baseline. C5 is the cloud-specific complement. Some German federal procurements reference both.
What does C5 cost?
For a CSP with ISO 27001 in operation, expect first-year incremental program costs of €150,000–€400,000 including auditor fees, consulting, and engineering uplift. Annual AT-2 recertification typically runs 60–80 percent of year one. Costs scale with scope size and the number of Additional Criteria selected.
Are AWS, Azure, GCP C5-attested?
Yes. AWS, Microsoft Azure, Google Cloud, Oracle, and IBM each maintain C5 attestations covering their German regions. CSPs operating on top inherit relevant controls per the subservice organization carve-out method and document inheritance in the SoyD.
Can we use one System Description for SOC 2 and C5?
Mostly. The two share the System Description concept and most underlying controls. C5 requires explicit treatment of subject areas not in SOC 2 (INQ, PI, PSS where applicable, BSI-aligned cryptography). Build a unified SoyD with C5-specific extensions.
How does C5 relate to GDPR?
The C5 RB subject area addresses regulatory framework including data protection. C5 attestation does not replace GDPR compliance, but it provides material evidence of the Article 32 security of processing technical and organizational measures. See our GDPR service.
13. Summary
C5 is the German federal cloud assurance catalogue and the principal procurement signal for cloud services entering the German enterprise and public-sector market. It builds on ISO 27001 with cloud-specific articulations on subservice organizations, portability, government access, and BSI-aligned cryptography. Most CSPs serving German enterprise buyers run C5 alongside ISO 27001 and SOC 2, sharing the bulk of underlying controls and tailoring documentation per the 17 subject areas.
To scope an engagement, book a call from the C5 service page, or talk to us about combining C5 with ISO 27001, SOC 2, or a complete vCISO program for ongoing program management.