Obtaining C5 certification made easier for Cloud Service Providers

Germany’s Federal Office for Information Security (BSI) has defined minimum security requirements for cloud services in its C5 criteria catalogue. Providers operating in the healthcare sector must provide a C5 attestation, which is issued following an external audit. Partnering with a professional service provider significantly increases the chances of a successful certification process.

Regardless of how cloud services are used, they must meet certain baseline security requirements. These are outlined in the Cloud Computing Compliance Controls Catalogue (C5) published by the BSI (Bundesamt für Sicherheit in der Informationstechnik).

  • The criteria catalogue underwent a major revision in 2019, with the updated 2020 version finalised shortly thereafter.
  • On 1 July 2024, the new Section 393 of the German Social Code, Book V (SGB V) came into force, applying to cloud services in the healthcare sector.

Since then, cloud service providers in the healthcare industry have been required to obtain a C5 attestation – or an equivalent certificate – to prove compliance with the C5 criteria. The same requirement applies to federal authorities (according to the BSI’s minimum standards under Section 8(1) BSIG) and to critical infrastructure operators (KRITIS) and utilities (under Section 8a(3) BSIG, IT Security Act).

Through the C5 catalogue and the associated compliance audit, legislators aim to ensure a high level of information security, enable transparency through standardised testing, and build trust in cloud services. For customers, the C5 attestation serves as a valuable benchmark when selecting service providers.

The C5 audit: Scope and types of assessment

The C5 audit involves examining one or more cloud services in specific regions, conducted by independent auditors based on the international ISAE 3000 standard or its national equivalent. Annual re-assessments are recommended.

According to the BSI, the audit assesses the cloud provider’s internal control system related to the delivery of cloud services. This includes principles, procedures, measures, and controls implemented in both the organisational structure and operations.

There are two types of audit:

  • Type 1 – Suitability test: The auditor evaluates whether the controls are appropriately designed and implemented at a specific point in time (“suitability of the design”). This is the typical format for an initial audit.
  • Type 2 – Effectiveness test: This includes the Type 1 assessment, but also evaluates the effectiveness of the controls over a defined audit period (“operating effectiveness”). It is mainly used for follow-up audits. The audit report outlines all test procedures and describes the system along with the provider’s implemented controls.


C5 certifications for medical device manufacturers and e-health providers

achelos GmbH supported both a medical device manufacturer and an e-health service provider in successfully obtaining C5 attestations.

  1. Medical device manufacturer
     A leading manufacturer of dialysis products sought to develop a cloud-based service for pre-configuring dialysis machines. The process began with threat modelling and a risk analysis. Based on these findings, targeted measures were selected in accordance with C5 requirements to mitigate the identified risks.
     As a result, the company was able to implement all core and supplementary C5 controls and successfully received the attestation. The cloud service is now secured, regularly audited, and market-ready. Thanks to recurring re-certifications, the audit burden has been significantly reduced compared to infrequent assessments.

  2. E-health service provider
     This market leader in digital information systems for doctors and dentists offers hospitals and medical centres a wide range of e-health management solutions. achelos began by conducting a status assessment and a gap analysis for the provider’s cloud service model. Measures were aligned with the updated C5 requirements, and supplementary controls were added as needed. All C5 criteria for the cloud service model were identified and successfully put into practice. The C5 attestation was issued and is regularly renewed. With a fully certified cloud offering, the e-health provider now enjoys a clear edge over the competition.


The benefits of C5 certification

Businesses benefit from C5 certification in several ways. For one, it can open doors to public sector contracts, where a valid C5 attestation is often a prerequisite. In a complex and competitive market, certified providers can stand out and position themselves as trustworthy partners. The attestation demonstrates adherence to high security standards and serves as a mark of quality.

It can also streamline customer audits, as compliance with security requirements has already been independently verified. C5 certification showcases transparency, which builds customer confidence. Furthermore, the C5 framework supports risk management by identifying potential vulnerabilities and guiding the implementation of appropriate controls.


Expert support from preparation to certification

To make the audit process more accessible and efficient, achelos offers end-to-end support – from initial preparation to the final C5 audit.

The process begins with a comprehensive security analysis of the current cloud infrastructure and service layers. This is followed by a gap analysis against the C5 criteria. From there, the necessary security controls are developed and implemented. achelos also helps define and adapt security policies and processes. IT teams receive training in C5 requirements and best practices, and regular workshops are recommended to ensure continuous improvement.

In preparation for the audit, achelos assists in compiling all necessary documentation and conducts an internal pre-audit. Finally, achelos connects the customer with a qualified auditor to carry out the official external C5 audit.

Authors: Gorden Bittner, Sales Director and Mario Kemper, Security Consultant – achelos GmbH