Maximum security for cloud services

With the C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue), the German Federal Office for Information Security (BSI) defines the baseline security requirements for cloud services, regardless of their application context.
The goal is to provide a high level of information security and to make this transparent through a standardised audit in order to create confidence in cloud services. Providers who successfully pass the audit are awarded C5 attestation. C5 attestations provide customers of cloud service providers with orientation when selecting their business partners and form a basis for their own risk management.
In 2019, the C5 criteria catalogue was completely revised, and the new version was completed in 2020. On 1 July 2024, the new Section 393 of Book Five of the German Social Code (SGB V) for cloud services in the healthcare sector came into force. This means that providers of cloud services in the healthcare sector are required to have C5 attestation or comparable attestation or certificates with immediate effect!
But federal authorities (minimum standard of the Federal Office for Information Security (BSI) in accordance with Section 8 (1) sentence 1 of the BSI Act) and companies in the utilities sector or operators of critical infrastructure (Section 8a (3) of the BSI Act, IT Security Act) also require C5 attestation. This means that it is often a condition for working together with government authorities and large companies.
Beyond these obligations, cloud service providers whose customers require enhanced information security can also choose to be audited in accordance with C5.
In the C5 audit, one or several cloud services are audited for defined regions – on the basis of the international standard ISAE 3000 or its national implementation. The audit can only be conducted by certified public accountants. If the cloud services fulfil all criteria, the provider receives C5 attestation for the audited services. An annual repeat audit is recommended.
Specifically, according to information from the BSI, the C5 audit tests “the service-related internal control system of the cloud provider for providing the cloud service”. This includes the basic principles, procedures, measures and the controls in place in the organisational structure and process organisation.
The cloud service provider either compiles a description of this and submits a declaration, or the auditors themselves survey the controls that are in place and submit a report on this audit.
A distinction is made between two types of audit: the suitability test and the effectiveness test.
- Type 1: In the suitability test, the auditor provides an audit opinion on whether the controls in place at the time of the audit are suitably designed and configured to meet the C5 criteria with sufficient certainty (“suitability of the design”). This is the relevant form for an initial audit.
- Type 2: In the effectiveness test, the audit opinion encompasses not only the statement of suitability but also a statement on the effectiveness of the controls over an audit period (“operating effectiveness”). This type of audit is relevant for follow-on audits.
The audit report documents the auditing activities and describes the system with the measures put in place by the provider.
- Access to public contracts: Federal authorities and the public sector often stipulate current C5 attestation as a requirement for awarding contracts.
- Competitive advantage: As a certified provider you can stand out from your competitors in a growing and complex market and highlight the added value you bring to the table.
- Quality and professionalism: The C5 attestation indicates to your customers that your company works to high security standards and invests in information security.
- Simplified customer audits: With a single C5 audit you can demonstrate compliance with security criteria to multiple customers. This reduces the effort for both sides.
- Boost customer confidence: With a C5 attestation you demonstrate transparent proof to your customers that you meet the stringent security requirements of the BSI C5 standard.
- Compliance and risk management: The C5 attestation helps you to fulfil regulatory requirements. The C5 catalogue is also a useful aid for risk management and the identification of security risks.
Expert support from preparation to certification
achelos provides holistic support for cloud service providers seeking to achieve C5 attestation. We proceed by taking the following steps:
- Analysis and consultation
  - Initial security analysis of your current cloud infrastructure and the application level of your cloud services.
  - Gap analysis to provide a comparison with the requirements of C5.
- Implementation of security measures
  - Development and implementation of necessary security controls
  - Creation and adaptation of security policies and processes
- Training sessions and workshops
  - Training for your IT teams on the subject of C5 requirements and best practices
  - Organisation of regular workshops with a view to continuous improvement of security standards
- Audit preparation
  - Support with documentation of all necessary evidence
  - Implementation of internal audits in preparation for the external C5 audit by a certified public accountant
- C5 audit
  - Arrangement of a suitable certified public accountant to conduct the C5 audit