BSI C5 Consulting

Cloud Computing Compliance Controls Catalogue

We guide cloud service providers through the BSI C5 gap analysis, control implementation, and attestation process – from initial assessment to Type 1 and Type 2 audit readiness.

What the BSI C5 Regulates – and Who It Affects

The Cloud Computing Compliance Controls Catalogue (C5) was developed by the German Federal Office for Information Security (BSI) and defines mandatory minimum security requirements for cloud services in Germany. It primarily addresses cloud service providers and SaaS/PaaS/IaaS operators offering services to public authorities, critical infrastructure operators, or regulated enterprises. At the same time, cloud customers from these sectors are required to demand and evaluate C5 attestations from their providers.

C5 builds on internationally recognised standards – in particular ISO/IEC 27001, CSA CCM, SOC 2, and the AICPA Trust Services Criteria – but specifically addresses the risks inherent in cloud-based environments. This includes transparency over data centre locations and data processing, security of tenant isolation, control over privileged access, and auditability of infrastructure changes.

The significance of C5 has grown substantially: public sector clients increasingly require C5 attestations as a prerequisite for cloud procurement. Financial services firms use C5 to assess their outsourcing partners. And as NIS2 and DORA extend compliance requirements across supply chains, the ability to evaluate qualified third-party providers is becoming an operational necessity for regulated organisations.

The 17 Control Domains: What C5 Audits in Practice

C5 is structured around 17 control domains covering more than 130 individual controls. The domains range from organisational security and security policies through cryptography, identity and access management, to operational security, network security, and incident management. Cloud-specific domains include portability, interoperability, and transparency of processing.

The Transparency domain deserves particular attention: C5 requires cloud providers to disclose detailed information about their system environment – data centre locations, sub-processors, technologies in use, and the boundaries of their responsibility. These so-called environment information disclosures are part of every C5 attestation and enable customers to conduct their own informed risk assessment.

A second major focus is identity and access management, particularly for privileged accounts. Cloud environments structurally present broad attack surfaces through administrator accounts; C5 requires multi-layered controls, comprehensive logging, and regular review of all privileged access. For many providers, implementing this requirement is the most resource-intensive individual measure on the path to attestation.

Type 1 vs. Type 2 Attestation: What the Difference Means

C5 attestations exist in two types. A Type 1 attestation certifies that, at the point of examination, the required controls are designed and in place. A Type 2 attestation goes further: it certifies that the controls have been operated effectively over an observation period of at least six months. For regulated clients and public sector buyers, the Type 2 attestation is the relevant evidence.

Preparing for a Type 2 attestation therefore requires not only implementing the controls, but also maintaining documented, auditable evidence of their application throughout the observation period. This means that logs, approval trails, test results, and review records must be systematically archived in an audit-ready manner.

We support you through the entire process: from the initial gap analysis through the implementation of missing controls to coordination with the auditor issuing the attestation. Throughout, we focus on sustainable implementation – not optimised for the audit alone, but manageable in day-to-day operations.

C5 and ISO 27001: How Existing Certifications Help

The C5 catalogue is published by the BSI as a normative document and is regularly updated – the current version is C5:2020. Each of the 17 control domains contains control objectives and individual controls, divided into basic criteria (mandatory) and additional criteria (recommended). For an attestation, all basic criteria must be satisfied; additional criteria signal higher security maturity to auditors and prospective customers.

C5 maps explicitly to ISO/IEC 27001, SOC 2 (AICPA Trust Services Criteria), and the CSA Cloud Controls Matrix. For providers who already hold an ISO 27001 certification, this is a valuable starting point: many controls are already covered by the existing ISMS. At the same time, C5 includes cloud-specific controls that ISO 27001 alone does not address – particularly around tenant isolation, data portability, data location, and privileged access at the hypervisor level. A targeted gap analysis identifies precisely what remains to be done.

For the practical work with the C5 catalogue, we conduct a structured gap analysis that evaluates each control individually: fully implemented, partially implemented, or not implemented. This inventory produces a prioritised implementation roadmap that is realistic in both economic and timeline terms. We always factor in the specific architecture of the cloud service – a SaaS provider has different priorities than an IaaS operator.

What We Deliver

  • C5 gap analysis & readiness assessment
  • Cloud architecture review against C5 requirements
  • Implementation of all 17 C5 control domains
  • Type 1 and Type 2 attestation preparation
  • Environment information disclosure preparation
  • Training for cloud architecture and operations teams

Related Standards

  • BSI C5:2020
  • ISO/IEC 27001:2022
  • CSA Cloud Controls Matrix
  • SOC 2 (AICPA TSC)
  • NIS2 Directive
  • DORA

Related Service

ISMS Consulting – ISO 27001

ISO 27001 certification is a strong foundation for C5 – we help you leverage existing controls.

Discuss Your C5 Project

We will outline a realistic path to attestation based on your current cloud architecture and certification status.

Get in Touch

Frequently Asked Questions

What is the BSI C5 catalogue and who does it apply to?

The BSI Cloud Computing Compliance Controls Catalogue (C5) is a normative document from the German Federal Office for Information Security (BSI) that defines minimum security requirements for cloud services. It primarily applies to cloud service providers (SaaS, PaaS, IaaS) offering services to public authorities, critical infrastructure operators, or regulated enterprises. The current version is C5:2020, covering 17 control domains with more than 130 controls.

Can we leverage our existing ISO 27001 certification for C5?

Yes – ISO 27001 certification is a valuable starting point. C5 builds on ISO 27001 and includes explicit control mappings. However, ISO 27001 does not fully cover the cloud-specific C5 controls: tenant isolation, data location transparency, hypervisor security, and the environment information disclosures are C5-specific and require targeted additions. A gap analysis against the C5 catalogue shows exactly what is still missing.

How long does the C5 consulting process take until attestation?

This depends on your starting position. Providers with an existing ISO 27001 certification and a mature cloud security architecture can achieve a Type 1 attestation within 3–6 months. A Type 2 attestation additionally requires an observation period of at least 6 months to evidence effective control operation. Without prior certification, 9–15 months is a realistic timeline.

What are the environment information disclosures in C5?

The environment information disclosures are a unique feature of every C5 attestation: the cloud provider must publish detailed information about data centre locations, sub-processors, technologies in use, and the boundaries of their own responsibility. This transparency enables customers to conduct their own informed risk assessment and is a prerequisite for many public sector procurement processes.

How does C5 relate to NIS2 and DORA compliance?

C5 attestation is increasingly used by regulated organisations as evidence that a cloud provider meets the third-party risk management requirements under NIS2 and DORA. NIS2 requires essential and important entities to assess the security of their supply chain and service providers; a C5 Type 2 attestation provides structured, auditor-verified evidence for this assessment. DORA similarly requires financial entities to conduct rigorous ICT third-party risk management – and C5 attestation is widely recognised as an appropriate evidence base.

BSI C5 Consulting for Cloud Service Providers

From gap analysis to Type 2 attestation – we guide you through the entire C5 process with a structured, audit-focused approach.