
BSI C5 — Cloud Computing Compliance Criteria Catalogue

Reviewed by: Cenedril Editorial

A German SaaS vendor for HR software receives a vendor due diligence questionnaire from a DAX corporation: 180 security questions, 60 of them referencing C5 criteria explicitly. The deadline is two weeks. Without a C5 attestation or at least C5-aligned documentation the effort per large customer runs into three-digit person-days.

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the requirements catalogue for cloud services published by the Federal Office for Information Security (BSI). It defines minimum security requirements that cloud providers must meet and enables cloud customers to perform a standardised assessment. The examination is performed by statutory auditors as an attestation under ISAE 3000 or IDW PS 860.

What does the standard cover?

C5:2020 contains around 125 basic criteria across 17 topic areas, supplemented by additional criteria for higher confidentiality requirements.

The 17 topic areas

  • OIS — Organisation of information security
  • SP — Security policies and guidelines
  • HR — Human resources
  • AM — Asset management
  • PS — Physical security
  • RB — Regular operations
  • IDM — Identity and access management
  • KRY — Cryptography and key management
  • KOS — Communication security
  • PI — Portability and interoperability
  • BEI — Procurement, development and change of information systems
  • DLL — Management and monitoring of service providers and suppliers
  • SIM — Security incident management
  • BCM — Contingency management
  • COM — Compliance
  • INQ — Handling investigation requests by government agencies
  • PSS — Product security (especially for SaaS offerings)

Content of individual criteria

Each criterion contains a description, the requirement, supplementary notes and a mapping to ISO/IEC 27001:2013, NIST SP 800-53, BSI IT-Grundschutz and the CSA Cloud Controls Matrix. Example:

OIS-01 — Responsibilities for information security: A person is appointed who is responsible for the establishment, operation and maintenance of the information security management system. The responsibility is documented and assigned to top management.

An organisation running an ISMS under ISO 27001 already fulfils most C5 criteria automatically. The areas where C5 places distinct emphasis are:

  • Transparency for cloud customers: Which data is processed where? Which sub-processors are involved?
  • Handling government requests (INQ): documented processes for requests from authorities, notification obligations to customers.
  • Portability (PI): data export capabilities, avoidance of vendor lock-in.
  • Product security (PSS): secure default configurations, vulnerability management within the product.

Attestation process

C5 is attested rather than certified. Statutory auditors (in Germany under IDW PS 860, internationally under ISAE 3000) produce a report on the appropriateness and effectiveness of controls.

Type 1 — appropriateness at a point in time. The auditor assesses whether the controls are designed to meet the C5 criteria. Point-in-time view, no evidence of operating effectiveness. Suitable for young providers or shortly after introduction.

Type 2 — operating effectiveness over a period. In addition to Type 1, the auditor examines the operating effectiveness of the controls over a period (typically 6-12 months). Sampling from live operations. Industry standard for established providers.

Report recipients: The C5 report is confidential and is made available to cloud customers on request under NDA. A public certificate database as with ISO 27001 does not exist. Providers advertise that they “hold a C5 attestation”; the report itself remains confidential.

Effort per audit cycle: initial Type 1 attestation: 5-15 auditor days plus internal preparation. Annual Type 2 follow-up attestations: 10-25 auditor days depending on scope.

Mapping to other standards

Standard — Relation to C5

  • ISO/IEC 27001:2022 — Compliance covers 60-80% of the C5 criteria; explicit mapping in the C5 catalogue
  • ISO/IEC 27002:2022 — Implementation guidance for Annex A controls; complements C5 in practice
  • ISO/IEC 27017 — Cloud-specific security controls; thematically very close to C5
  • ISO/IEC 27018 — Protection of personal data in the cloud; complements C5 in the GDPR context
  • SOC 2 Type 2 — US counterpart; around 70% content overlap
  • BSI IT-Grundschutz — Mapping to modules available; useful in a combined strategy
  • CSA Cloud Controls Matrix — International cloud control catalogue; mapping included in the C5 document

Implementation effort

SaaS start-up (10-50 people): 9-15 months to the first Type 1 attestation. An ISMS under ISO 27001 is effectively a prerequisite — starting without an ISMS means planning 12-24 months.

Established SaaS or PaaS provider (50-500 people): 6-12 months from decision to a Type 2 attestation when ISO 27001 is already in place. Ongoing effort 1-3 FTE for a compliance team plus involvement from engineering, IT operations and legal.

Hyperscaler (>10,000 people): dedicated compliance programmes; annual Type 2 attestations covering multiple cloud regions and service families. Industrialised process with dedicated compliance engineering teams.

Key cost drivers:

  • Statutory auditor fees (often six-figure annual sums for mid-sized providers)
  • Tooling investments (GRC platform, logging, vulnerability scanners)
  • Effort for sub-processor management (DLL): every sub-processor appears in the report and needs its own contractual and control evidence

Frequently asked questions

Do I absolutely need C5 as a cloud provider?

C5 is not mandatory. However, anyone selling to German federal or state authorities, banks or larger DAX corporations is regularly asked about a C5 attestation during procurement. Cloud hyperscalers (AWS, Azure, Google Cloud, IBM) hold C5 attestations for their German regions. For SaaS providers, C5 is a significant trust signal in the DACH market.

What is the difference between C5 Type 1 and Type 2?

Type 1 assesses the appropriateness of the control design at a point in time. Type 2 also assesses the operating effectiveness over a period (typically 6-12 months). Type 2 is the industry standard and is what serious customers demand. Type 1 is a stepping stone for providers that lack the operating history required for Type 2.

How does C5 relate to SOC 2?

Both are attestation reports for cloud services issued under audit standards (C5 under ISAE 3000 / IDW PS 860, SOC 2 under SSAE 18). C5 is the German market standard with around 125 criteria from the BSI catalogue; SOC 2 is the US standard with its five Trust Service Criteria. Content-wise they overlap by around 70 percent. Providers selling globally often need both; in the DACH region, C5 is usually enough.