C5

BSI C5:2020 attestation program build and ongoing support for B2B SaaS and consulting firms in the German enterprise market.

Comprehensive BSI C5 Attestation Consulting & End-to-End ISAE 3000 Program Build

C5:2020 is the cloud assurance criteria catalogue published by Germany's Federal Office for Information Security (BSI). It is the principal procurement signal for cloud services entering the German federal government and the largest German enterprise buyers, including the DAX 40 supply chain. C5 is an attestation, not a certification: an independent auditor (typically a German Wirtschaftsprüfer firm) examines the cloud service provider's controls under ISAE 3000 or the equivalent IDW PS 860 and issues an AT-1 Type 1 (point in time) or AT-2 Type 2 (operating effectiveness across a 6 to 12 month observation period) attestation report. The C5 control set is organized into 17 subject areas with Basic Criteria and optional Additional Criteria for higher-assurance workloads.

Security Consultants prepares CSPs for C5 attestation. We are not an attestation auditor. We scope the cloud service against C5:2020, author the System Description (SoyD), align documentation to all 17 subject areas, uplift cryptography to BSI Technical Guideline TR-02102, build the government investigative authority handling procedure (INQ), document portability and interoperability (PI), and manage the subservice organization register with C5 reliance evidence from AWS, Microsoft Azure, Google Cloud, or Oracle. Once the attestation report is issued, our vCISO subscription operates continuous evidence collection through the observation period, annual penetration testing, BCP and DR testing, and cryptography reviews against TR-02102 updates. The same evidence base supports parallel ISO 27001 and SOC 2 programs.

System Description (SoyD) Built for the German Auditor

The SoyD is what the Wirtschaftsprüfer examines first. We author it with the depth on processing locations, subservice organization reliance from your underlying IaaS provider's C5 attestation, Complementary User Entity Controls, and Complementary Subservice Organization Controls that German auditors expect. No thin or boilerplate System Descriptions.

BSI TR-02102 Cryptography Alignment

German auditors test algorithm selection against BSI Technical Guideline TR-02102 across general use, TLS, IPsec, and SSH. We audit your cryptographic inventory, deprecate non-compliant cipher suites, document the key management lifecycle, and build HSM use into the architecture where Additional Criteria require customer-controlled keys.

INQ and PI: The C5-Distinct Controls

Government investigative authority handling (INQ) and Portability and Interoperability (PI) are C5-specific subject areas without equivalents in SOC 2 or ISO 27001. We build the INQ procedure for receipt, validation, escalation, and lawful customer disclosure, plus the documented data export tooling that PI examiners test.

Readiness Consulting, Not Attestation Audit

We prepare you for the auditor. We are not the auditor and never will be. That separation lets us build a defensible System Description, run the pre-audit readiness review, and advocate through the fieldwork without the conflict that comes from selling readiness and attestation under one roof.

A proven, methodical approach

[ STEP_01 ]
Project Kick-Off & Setup

We start with a project kick-off where your engagement manager sets up the engagement in our project management platform. We confirm your target report (AT-1 Type 1 or AT-2 Type 2), define the scope, select your auditor or coordinate with your existing Wirtschaftsprüfer firm, agree the observation period, and name a program lead.

[ STEP_02 ]
Scope Definition & Subservice Organization Mapping

We confirm the cloud service in scope, the data sensitivity and customer-base profile, the Basic Criteria baseline, and which Additional Criteria apply. The subservice organization register maps every underlying IaaS provider (AWS, Azure, GCP, Oracle, IBM) to its existing C5 attestation and documents the carve-out or inclusive method.

[ STEP_03 ]
Gap Analysis Against C5:2020

We assess implementation control-by-control across all 17 C5 subject areas: OIS, HR, AM, PS, RB, OPS, IDM, CRY, COS, PI, DEV, SSO, SIM, BCM, COM, INQ, and PSS where applicable. Remediation is prioritized by auditor risk and observation-period start date.

[ STEP_04 ]
System Description Authoring & Documentation Stack

We author the SoyD with the depth a German auditor expects, build the cryptography policy aligned with BSI TR-02102, document the INQ government request handling procedure, prepare the PI portability and interoperability documentation, and align the BCP, DR, and IR procedures to the 17 subject areas.

[ STEP_05 ]
Technical Remediation & Auditor Coordination

We close the technical gaps: TR-02102-aligned cryptography across general, TLS, IPsec, and SSH; phishing-resistant MFA on privileged access; centralized logging with retention sufficient for the observation period; annual penetration testing for Additional Criteria coverage. We coordinate the AT-1 or AT-2 fieldwork with the Wirtschaftsprüfer and represent the program through finding response.

[ STEP_06 ]
Post-Attestation Operations, vCISO & Ongoing Assurance

After the attestation report is issued, our vCISO subscription operates continuous evidence collection through the next observation period, quarterly access reviews, annual BCP and DR testing, annual penetration testing, TR-02102 reviews on BSI updates, and subservice organization C5 documentation refresh. The evidence base is shared with parallel ISO 27001 and SOC 2 programs.

"Working with Attila has been an outstanding experience from start to finish. As a professional CISO, Security, and Compliance consultant, Attila's down-to-earth, no-nonsense, and well-organized approach was instrumental in guiding us through the process of getting ISO 27001 certified. His expertise in the field is undeniable, and his ability to navigate the complexities of certification with such ease made all the difference."

Wim Vandevelde
Owner, Quidando

"Attila delivered outstanding work, guiding us through the entire process of achieving our ISO 27001 certification for two companies. His expertise, attention to detail, and commitment were evident at every step. He provided clear, actionable advice, ensuring we met all requirements with confidence. Highly recommended for anyone seeking top-notch support in cybersecurity and compliance. 10/10!"

Christian Buerger
Founder & CEO, Auditi

"Attila is a true Information Security expert and we've worked with him to achieve ISO27001 certification. Highly recommended."

Chris Purcell
Managing Director, CareScribe

"Working with Attila has been an exceptional experience! They provided invaluable assistance in preparing our company for ISO 27001 security certification, guiding us through every step of the process with professionalism and expertise. Their knowledge of the certification requirements, combined with their ability to tailor solutions to our unique needs, was instrumental in ensuring our readiness. The team was thorough, efficient, and highly responsive, consistently delivering high-quality work and actionable insights. Thanks to their support, we feel confident in our security posture and are well-prepared for the certification audit."

Vadim Cissa
CEO, Allasso

"Attila and his team were everything that we were looking for in this specific task and more. We were completely new to the ISO accreditation & auditing process and he helped us understand the procedure even before he officially entered a contract of employment with us.

We first discussed a plan of how long it would take to complete the accreditation, and both were done within the agreed timeframe and boundaries. As a result, we achieved the ultimate goal of obtaining the prestigious ISO 27001:2022 certification.

Attila had great patience when it came to answering all of our questions, and he was very professional from the start till the end. We will keep him in mind if we need an ISO accreditation and auditing consultation again, and we sincerely recommend him to anyone who seeks ISO accreditation."

Jonas Nielsen
CEO & Co-founder, Accrease