Introduction to BSI C5
The Cloud Computing Compliance Criteria Catalogue (Cloud Computing Compliance Controls Catalogue), universally abbreviated as BSI C5, is the cloud-security assurance framework published by the German Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik, BSI). First issued in 2016 and comprehensively revised in 2020 (the current baseline commonly referred to as C5:2020), it defines a minimum baseline of information-security controls that cloud service providers (CSPs) must demonstrate to customers, particularly customers in the German public sector, regulated industries and enterprises with elevated data-protection obligations. Unlike a certification scheme, BSI C5 is delivered as an independent third-party attestation report produced by an audit firm under the international assurance standard ISAE 3000 (and, in Germany, the equivalent IDW PS 951 / AssS 5100), giving customers audited evidence rather than a self-declared badge.
This deep-dive is written for two audiences at once: the auditor or assessor who must plan and execute a C5 attestation engagement, and the implementer or CISO team at a cloud provider (or a cloud customer performing supplier due diligence) who must build, evidence and operate the underlying controls. It enumerates every C5 control domain, explains the Type 1 versus Type 2 attestation model, the basic-versus-additional criteria tiering, the mandatory supplementary information (system description, environment parameters, complementary customer controls), and maps C5 to adjacent frameworks such as ISO/IEC 27001, SOC 2, the EU Cloud Services scheme (EUCS) and the German BSI IT-Grundschutz.
Copyright and source note
BSI C5 is a copyrighted publication of the Bundesamt fuer Sicherheit in der Informationstechnik. The catalogue itself is distributed by the BSI free of charge, but its text, control wording and diagrams remain the intellectual property of the BSI. This guide is an original, independent commentary written for educational and readiness purposes. It paraphrases obligations in our own words and does not reproduce the BSI's copyrighted control text verbatim. Always obtain the current official C5 catalogue from the BSI and engage a qualified auditor for a formal attestation.
What is BSI C5
BSI C5 is a catalogue of cloud-specific information-security requirements that a CSP's control environment is measured against by an independent auditor. The output of a C5 engagement is not a certificate but an attestation report (Pruefungsbericht) containing the auditor's opinion on whether the CSP's controls are suitably designed and, in a Type 2 engagement, operating effectively across a defined period. Because the report is grounded in ISAE 3000, it is internationally recognised and directly comparable to a SOC 2 report in structure, while the control content is tailored to cloud risks and German regulatory expectations.
The framework was created to solve a specific market failure: cloud customers, especially in government and regulated sectors, could not easily and consistently assess whether a provider's security posture met a credible minimum baseline. C5 standardises that baseline and forces transparency through mandatory environment disclosures. Key characteristics include:
- Attestation, not certification — a qualified auditor issues an ISAE 3000 / IDW PS 951 opinion; there is no BSI-issued certificate or logo.
- Two report types — Type 1 (design and implementation at a point in time) and Type 2 (design plus operating effectiveness over a period, typically 6 to 12 months).
- Two criteria tiers — Basic Criteria (mandatory baseline) and Additional Criteria (for higher assurance / higher-confidentiality workloads).
- Mandatory transparency — the CSP must publish system description and environment parameters covering jurisdiction, data location, subcontractors, investigation and disclosure practices, and certifications.
- Shared-responsibility clarity — C5 requires the CSP to state Complementary Customer Controls (CCCs): controls the customer must operate for the overall system to be secure.
- Cloud-native scope — controls address multi-tenancy, virtualisation, container and orchestration security, portability and interoperability, and cloud incident response.
C5:2020 expanded the 2016 edition from roughly 114 to 121 basic criteria across 17 domains, added new subject areas (notably product security / DevOps, and enhanced dealing-with-investigation-requests disclosures), and aligned more closely with ISO/IEC 27001 Annex A and CSA CCM to reduce duplicate audit effort.
Who must comply and scope of applicability
BSI C5 is not a statute; no organisation is legally forced to obtain a C5 attestation by the catalogue itself. However, compliance is effectively mandatory in a growing set of procurement and regulatory contexts, and voluntary but commercially decisive in many others. The table below summarises who is in scope and why.
| Actor / scenario | Applicability | Driver |
|---|
| Cloud service providers (IaaS/PaaS/SaaS) selling into Germany | Strongly expected | Standard German enterprise and public-sector procurement requirement; often a tender pre-condition |
| CSPs serving German federal / state government | Effectively mandatory | German public-cloud procurement frameworks and BSI guidance reference C5 as the baseline |
| Financial-sector cloud providers (banks, insurers) | Strongly expected | BaFin supervisory expectations (KAIT / BAIT / VAIT) reference C5 for cloud outsourcing assurance |
| Healthcare and public-health cloud providers | Expected | Elevated data-protection and BSI critical-infrastructure (KRITIS) expectations |
| Enterprises consuming cloud (customer side) | Indirect | Use supplier C5 reports for due diligence and to document shared-responsibility (CCCs) |
| Subservice providers / subcontractors of a CSP | Conditional | Carved-in or inclusive method may extend the audit scope to material subcontractors |
| Non-German EU / global CSPs | Voluntary but strategic | C5 is a recognised differentiator and pre-stage for the EU Cloud Services scheme (EUCS) |
Scope boundaries within a CSP
- The scope is defined by the CSP as a specific cloud service (or set of services), with a named service model (IaaS/PaaS/SaaS), deployment model, and the supporting infrastructure, applications and processes.
- Corporate IT that does not support the in-scope service can be excluded, but must be delineated clearly in the system description.
- Subservice organisations (e.g., a colocation data-centre or an upstream IaaS) are handled by the inclusive method (carve-in, audited within scope) or the carve-out method (excluded, with reliance placed on the subservice provider's own attestation).
- The reporting period (Type 2) and reporting date (Type 1) must be stated; a typical Type 2 period is 6 or 12 months.
Structure of BSI C5
C5:2020 organises its criteria into 17 subject-area domains. Each domain contains a set of basic criteria (the mandatory baseline) and, for some, additional criteria for higher assurance. Every criterion carries an identifier (a two-to-four-letter domain prefix plus a number, e.g., OIS-01, IDM-08, PS-03). Surrounding the criteria are mandatory environment/transparency disclosures. The table lists the domains and their conventional prefixes.
| # | Domain (English) | Prefix | Focus |
|---|
| 1 | Organisation of Information Security | OIS | Governance, ISMS, roles, risk management, segregation of duties |
| 2 | Security Policies and Instructions | SP | Policy framework, documentation, review cycle |
| 3 | Personnel | HR | Screening, employment terms, training, disciplinary and termination |
| 4 | Asset Management | AM | Inventory, classification, acceptable use, return of assets |
| 5 | Physical Security | PS | Data-centre perimeter, access, environmental protection, equipment |
| 6 | Operations | OPS | Capacity, malware, logging, backup, monitoring, change and vulnerability management |
| 7 | Identity and Access Management | IDM | Provisioning, authentication, privileged access, access review |
| 8 | Cryptography and Key Management | CRY | Encryption at rest/in transit, key lifecycle, HSM |
| 9 | Communication Security | COS | Network segregation, boundary protection, data-in-transit, DoS defence |
| 10 | Portability and Interoperability | PI | Data import/export, standard formats, exit and reversibility |
| 11 | Procurement, Development and Modification of Information Systems | DEV | Secure SDLC, outsourced development, product/DevOps security |
| 12 | Control and Monitoring of Service Providers and Suppliers | SSO | Supplier due diligence, subservice monitoring, supply-chain risk |
| 13 | Security Incident Management | SIM | Detection, classification, response, forensics, customer notification |
| 14 | Business Continuity Management | BCM | Business impact analysis, redundancy, DR testing, recovery objectives |
| 15 | Compliance | COM | Legal/regulatory identification, internal audit, control assurance |
| 16 | Dealing with Investigation Requests from Government Agencies | INQ | Lawful-access handling, jurisdiction, customer notification, transparency |
| 17 | Product Security | PSS | Secure product configuration, sessions, errors, images and orchestration |
In addition to the 17 domains, the CSP must supply mandatory supplementary information: (a) a System Description of the service; (b) Environment Parameters (Rahmenparameter) covering jurisdiction, availability, data location, disclosure of investigation requests, certifications and audits; and (c) Complementary Customer Controls (CCCs).
Master assessment checklist
This is the operational heart of the guide. Each h3 below corresponds to one C5 domain. For every domain, the table gives representative criterion identifiers, what the auditor must verify, and the typical evidence a CSP should present. Together these cover all 17 domains plus the mandatory environment and shared-responsibility disclosures. No control area is omitted.
OIS — Organisation of Information Security
| What to verify | Typical evidence |
|---|
| An ISMS is established, documented and approved by management (OIS-01) | ISMS scope statement, ISO 27001 certificate or equivalent, management approval minutes |
| Information-security roles and responsibilities are defined and assigned (OIS-02) | RACI matrix, CISO appointment letter, security org chart |
| Segregation of duties reduces conflicting responsibilities (OIS-03) | SoD matrix, access-conflict review records |
| Contact with authorities and interest groups is maintained (OIS-04) | CERT/BSI liaison records, ISAC or industry-group membership |
| A risk-management framework identifies, assesses and treats risks (OIS-05, OIS-06, OIS-07) | Risk methodology, risk register, treatment plan, residual-risk sign-off |
SP — Security Policies and Instructions
| What to verify | Typical evidence |
|---|
| A top-level information-security policy exists and is approved (SP-01) | Signed policy, version history, board/management approval |
| Detailed policies and work instructions exist for each control area (SP-02) | Policy library index, procedure documents |
| Policies are communicated to relevant personnel (SP-02) | Intranet distribution logs, acknowledgement records |
| Policies are reviewed at planned intervals and on significant change (SP-03) | Review calendar, revision dates, change-triggered review records |
HR — Personnel
| What to verify | Typical evidence |
|---|
| Background verification is performed before employment for sensitive roles (HR-01) | Screening policy, redacted background-check confirmations |
| Employment contracts include confidentiality and security obligations (HR-02) | NDA templates, signed contract clauses |
| Security awareness and role-specific training is delivered and tracked (HR-03) | Training curriculum, completion reports, phishing-simulation results |
| A disciplinary process addresses security breaches (HR-04) | Disciplinary policy, sanction records (redacted) |
| Access and assets are revoked on termination or role change (HR-05, HR-06) | Leaver checklist, deprovisioning tickets, asset-return logs |
AM — Asset Management
| What to verify | Typical evidence |
|---|
| Assets supporting the service are inventoried with owners (AM-01) | Asset register / CMDB export, ownership field populated |
| Information is classified per a defined scheme (AM-02, AM-03) | Classification policy, data-labelling standard, sample tagged assets |
| Acceptable-use rules govern assets and information (AM-04) | Acceptable-use policy, acknowledgement records |
| Removable media and mobile devices are controlled (AM-05, AM-06) | MDM/endpoint policy, encryption enforcement, media-handling procedure |
| Secure disposal of media and equipment is performed (AM-06) | Sanitisation/destruction certificates, disposal logs |
PS — Physical Security
| What to verify | Typical evidence |
|---|
| Data-centre physical perimeters and zones are defined and enforced (PS-01) | Site plans, zoning diagram, access-control system config |
| Physical access is granted on least-privilege and reviewed (PS-02) | Badge access lists, visitor logs, periodic access reviews |
| Protection against environmental threats is in place (PS-03, PS-04) | Fire suppression, HVAC, flood/seismic assessments, maintenance records |
| Redundant utilities (power, cooling, network) are provided (PS-05) | UPS and generator test logs, N+1 topology, cooling redundancy design |
| Supporting infrastructure is monitored and maintained (PS-06) | BMS/DCIM dashboards, maintenance schedules |
OPS — Operations
| What to verify | Typical evidence |
|---|
| Capacity is planned and monitored to meet demand (OPS-01) | Capacity plans, utilisation dashboards, scaling records |
| Protection against malware is deployed and updated (OPS-04, OPS-05) | AV/EDR coverage report, signature/update logs, detection alerts |
| Backups are performed, protected and restore-tested (OPS-06, OPS-07) | Backup policy, job logs, encryption of backups, restore-test reports |
| Logging captures security-relevant events and is protected (OPS-10 to OPS-14) | Logging standard, SIEM ingestion, log-integrity/retention config, admin-activity logs |
| Time synchronisation across systems (OPS-15) | NTP configuration, drift-monitoring records |
| Vulnerability management: scanning, prioritisation, remediation SLAs (OPS-17 to OPS-19) | Scan reports, penetration-test reports, patch-SLA tracking, exception register |
| Change management governs system modifications (OPS-20 to OPS-23) | Change policy, CAB minutes, emergency-change records, segregation of dev/test/prod |
IDM — Identity and Access Management
| What to verify | Typical evidence |
|---|
| User registration and de-registration follows an approved process (IDM-01) | Joiner/mover/leaver workflow, approval records |
| Access rights are granted on least privilege and need-to-know (IDM-02, IDM-03) | Role-permission matrix, access-request approvals |
| Privileged access is restricted, logged and time-bound (IDM-04, IDM-09) | PAM tooling, just-in-time elevation logs, admin-account inventory |
| Strong authentication (MFA) is enforced, especially for admin and remote (IDM-08) | MFA policy, enforcement config, coverage report |
| Access rights are reviewed at defined intervals (IDM-05, IDM-06) | Periodic recertification records, revocation of orphaned accounts |
| Password/secret management meets defined strength and storage rules (IDM-07, IDM-10) | Password policy, secrets-vault usage, hashing standards |
CRY — Cryptography and Key Management
| What to verify | Typical evidence |
|---|
| A cryptography policy defines approved algorithms and use (CRY-01) | Crypto policy, approved cipher-suite list aligned to BSI TR-02102 |
| Data in transit is encrypted with strong protocols (CRY-02) | TLS configuration, protocol/cipher scan results |
| Data at rest is encrypted where required (CRY-03) | Storage/database encryption config, key-scope documentation |
| Keys are generated, distributed, stored, rotated and destroyed securely (CRY-04) | Key-management procedure, HSM records, rotation logs, key-ceremony evidence |
COS — Communication Security
| What to verify | Typical evidence |
|---|
| Networks are segregated to isolate tenants and zones (COS-01, COS-02) | Network architecture diagram, VLAN/VPC/segmentation config, firewall rules |
| Boundary protection controls filter and monitor traffic (COS-03, COS-04) | Firewall/IDS/IPS config, ruleset review records |
| Data-in-transit protection across untrusted networks (COS-05) | VPN/TLS enforcement, encryption of inter-DC traffic |
| Protection against denial-of-service attacks (COS-06) | DDoS-mitigation service config, incident/mitigation logs |
| Policies govern information transfer with third parties (COS-07, COS-08) | Data-transfer agreements, secure-transfer procedures |
PI — Portability and Interoperability
| What to verify | Typical evidence |
|---|
| Customers can export their data in a documented, usable format (PI-01, PI-02) | Export API/documentation, supported formats, sample export |
| Interoperability via documented interfaces/standards (PI-03) | API documentation, standards conformance statements |
| Secure and complete data deletion on contract termination (PI-04) | Exit procedure, deletion certificate/attestation, retention wind-down |
DEV — Procurement, Development and Modification of Information Systems
| What to verify | Typical evidence |
|---|
| A secure SDLC governs development with security requirements (DEV-01, DEV-02) | SDLC policy, security-requirement templates, threat-model records |
| Separation of development, test and production environments (DEV-03) | Environment topology, access separation, no-prod-data-in-test controls |
| Secure coding, code review and security testing (DEV-04 to DEV-06) | Coding standards, SAST/DAST/SCA reports, peer-review records |
| Outsourced development is controlled and reviewed (DEV-07) | Supplier contracts with security clauses, code-quality/security gates |
| Change and version control with segregation and approval (DEV-08, DEV-09) | Git/branch-protection config, CI/CD pipeline approvals, release records |
SSO — Control and Monitoring of Service Providers and Suppliers
| What to verify | Typical evidence |
|---|
| Suppliers and subservice providers are identified and risk-assessed (SSO-01) | Supplier inventory, criticality classification, risk assessments |
| Security requirements are embedded in supplier contracts (SSO-02, SSO-03) | Contract security schedules, DPAs, right-to-audit clauses |
| Subservice performance and security are monitored (SSO-04, SSO-05) | SLA reports, review meeting minutes, subservice attestations (SOC 2 / C5) |
| Changes to supplier services are managed (SSO-06) | Change-notification records, re-assessment on material change |
SIM — Security Incident Management
| What to verify | Typical evidence |
|---|
| An incident-management process with roles and escalation exists (SIM-01) | Incident-response plan, on-call roster, escalation matrix |
| Events are detected, logged, classified and prioritised (SIM-02, SIM-03) | SIEM alerts, incident tickets, severity-classification scheme |
| Incidents are responded to and lessons learned captured (SIM-04, SIM-05) | Post-incident reviews, corrective-action tracking |
| Customers are notified of incidents affecting them within defined timelines (SIM-06) | Notification procedure, SLA for customer notification, sample notifications |
| Forensic readiness and evidence preservation (SIM-07) | Forensics procedure, chain-of-custody records, evidence-handling tooling |
BCM — Business Continuity Management
| What to verify | Typical evidence |
|---|
| Business impact analysis identifies critical services and objectives (BCM-01) | BIA documentation, RTO/RPO definitions per service |
| Continuity and recovery plans are documented (BCM-02, BCM-03) | BC/DR plans, runbooks, failover architecture |
| Redundancy is designed to meet availability commitments (BCM-03) | Multi-AZ/multi-site topology, redundancy design docs |
| Continuity and recovery arrangements are tested regularly (BCM-04) | DR test schedule, test reports, post-test remediation |
COM — Compliance
| What to verify | Typical evidence |
|---|
| Applicable legal, regulatory and contractual requirements are identified (COM-01) | Legal register, GDPR/BDSG applicability analysis |
| Compliance with policies and standards is monitored (COM-02) | Internal control monitoring, compliance dashboards |
| Independent reviews / internal audits of the ISMS are performed (COM-03) | Internal audit plan, audit reports, findings and closure |
| Records are protected and retained per requirements (COM-04) | Retention schedule, record-protection controls |
INQ — Dealing with Investigation Requests from Government Agencies
| What to verify | Typical evidence |
|---|
| A process governs handling of lawful-access / investigation requests (INQ-01) | Government-request procedure, legal-review workflow |
| Requests are assessed for legal validity before any disclosure (INQ-02) | Legal-assessment records, rejection of invalid requests |
| Customers are notified where legally permitted (INQ-03) | Notification policy, transparency-report practice |
| The jurisdiction and applicable law for data access is disclosed (INQ-04) | Environment-parameter disclosure, jurisdiction statement |
PSS — Product Security
| What to verify | Typical evidence |
|---|
| The product enforces secure default configuration and hardening (PSS-01, PSS-02) | Hardening baselines, secure-default settings, CIS-benchmark evidence |
| Session management and authentication in the product are secure (PSS-03, PSS-04) | Session-timeout config, token-handling design, auth test results |
| Error handling avoids disclosure of sensitive information (PSS-05) | Error-handling standard, penetration-test verification |
| Container/VM images and orchestration are securely built and scanned (PSS-06 to PSS-11) | Image-scan reports, registry-signing, orchestration-hardening (Kubernetes) config, admission-control policies |
| Input validation and output encoding protect against injection (PSS-07) | Secure-coding evidence, SAST/DAST findings on injection classes |
Environment parameters and complementary customer controls (mandatory disclosures)
| What to verify | Typical evidence |
|---|
| System description accurately describes the service, boundaries and subservices | Signed system description, architecture diagrams, subservice list |
| Environment parameters disclose jurisdiction, data location, availability, certifications | Rahmenparameter table, data-residency statement, certification list |
| Disclosure of investigation-request handling and transparency practice | Transparency statement, investigation-request policy summary |
| Complementary Customer Controls (CCCs) are defined and communicated | CCC list in the report, customer-facing shared-responsibility matrix |
| Subservice method (carve-in vs carve-out) is declared and consistent | Scope statement, reliance memos, subservice attestations |
Scoping and materiality / tiering
C5 scoping decisions determine both audit cost and the assurance value of the resulting report. The principal levers are: which service(s) are in scope, whether Basic or Basic-plus-Additional criteria are covered, whether the engagement is Type 1 or Type 2, and how subservice organisations are treated.
- Service scope — define the specific cloud service(s), service model (IaaS/PaaS/SaaS) and the supporting infrastructure and processes. Broader scope means broader assurance but more evidence.
- Criteria tier — Basic Criteria are mandatory for any C5 report. Additional Criteria are elective and target workloads with elevated confidentiality/integrity/availability needs; including them materially raises assurance and effort.
- Report type — Type 1 (design at a date) is faster and suits first-year readiness; Type 2 (operating effectiveness over a period) is what most enterprise and regulated customers ultimately require.
- Subservice method — carve-in (inclusive) audits the subservice within scope; carve-out excludes it and relies on the subservice provider's own attestation plus CCCs. The choice must be consistent and disclosed.
- Materiality — the auditor sets materiality for control deviations; a control with a deviation may still yield an unqualified opinion if compensating controls or immateriality are demonstrated, otherwise the opinion is qualified.
Type 1 versus Type 2 in practice
A first-time provider often issues a Type 1 report to prove design, then transitions to an annual Type 2 covering a 6-to-12-month period. Regulated customers (finance, public sector) typically insist on Type 2 with the Additional Criteria for their high-confidentiality workloads.
Implementation approach
A pragmatic C5 programme runs in five phases. Each phase lists key activities and the deliverables a CISO team should produce.
Phase 1 — Scoping and gap assessment
- Activities: define in-scope service and boundaries; choose Basic vs Additional and Type 1 vs Type 2; map existing ISO 27001 / SOC 2 controls to C5 domains; run a gap assessment across all 17 domains and environment parameters.
- Deliverables: scope statement, C5-to-existing-control mapping, gap register with owners and target dates, subservice inventory and method decision.
Phase 2 — Remediation and control build
- Activities: close gaps (policies, PAM/MFA, logging/SIEM, backup and DR testing, vulnerability-management SLAs, product/DevOps hardening, crypto/key management, supplier clauses); establish evidence-capture at source.
- Deliverables: updated policy library, hardened baselines, remediation-closure evidence, control-operation records begin accruing.
Phase 3 — System description and environment parameters
- Activities: author the system description; complete environment parameters (jurisdiction, data location, availability, investigation-request handling, certifications); define Complementary Customer Controls.
- Deliverables: signed system description, environment-parameter table, CCC list, customer-facing shared-responsibility matrix.
Phase 4 — Attestation engagement
- Activities: engage a qualified ISAE 3000 / IDW PS 951 auditor; support walkthroughs, design testing and (for Type 2) operating-effectiveness sampling across the period; remediate any exceptions where possible.
- Deliverables: auditor evidence packages, exception log with responses, draft attestation report.
Phase 5 — Report, publish and sustain
- Activities: finalise the report and opinion; distribute under NDA to customers; feed findings into continual improvement; schedule the next annual Type 2 period and monitor control health continuously.
- Deliverables: signed attestation report, distribution register, corrective-action plan, next-cycle audit calendar.
Maturity / capability model
Although C5 issues a binary attestation opinion rather than a maturity score, CSPs benefit from tracking control maturity internally to predict audit readiness and prioritise investment. The following five-level model is a practical lens for C5 readiness.
| Level | Name | Description | C5 readiness signal |
|---|
| 1 | Initial / ad hoc | Controls exist informally; little documentation or consistency | Not audit-ready; many design gaps across domains |
| 2 | Documented | Policies and procedures written and approved; controls defined | Type 1 (design) may be achievable for some domains |
| 3 | Implemented | Controls operate consistently and produce evidence | Type 1 achievable across scope; Type 2 evidence beginning to accrue |
| 4 | Managed | Controls are monitored with metrics; deviations detected and corrected | Type 2 achievable with unqualified opinion likely |
| 5 | Optimised | Controls continuously improved; automation and Additional Criteria embedded | Type 2 with Additional Criteria; low deviation rate, strong assurance |
Assessment and audit approach
A C5 attestation follows the ISAE 3000 assurance methodology. The typical engagement steps are:
- Engagement acceptance and scoping — agree the service scope, criteria tier (Basic / Additional), report type (Type 1 / Type 2), reporting period and subservice method.
- Understand the system — review the system description and environment parameters; perform walkthroughs of each domain to understand control design.
- Assess control design — evaluate whether controls, if operating, would meet each applicable criterion; identify design gaps.
- Test operating effectiveness (Type 2 only) — select samples across the reporting period and test each control's operation using inspection, observation, inquiry and re-performance.
- Evaluate deviations — assess exceptions for severity and pervasiveness against materiality; consider compensating controls.
- Form the opinion — conclude unqualified, qualified, adverse or disclaimer; document the basis.
- Report — issue the attestation report containing management's assertion, the system description, the control matrix with test results, and the auditor's opinion, plus CCCs and subservice reliance.
- Distribute and monitor — release the report to customers under confidentiality; feed exceptions into remediation for the next cycle.
Evidence request list
Auditors typically request the following evidence categories. CSPs should assemble these in an evidence repository ahead of fieldwork.
- Governance and ISMS: ISMS scope, security policy, risk methodology and register, treatment plan, management-review minutes, org chart, ISO 27001 certificate.
- Policies and procedures: full policy library with version history, review dates and communication/acknowledgement records.
- Personnel: screening policy and confirmations, NDAs, training curriculum and completion reports, leaver/deprovisioning records.
- Asset and data: asset register/CMDB, classification scheme, media-handling and disposal certificates.
- Physical and environmental: data-centre access lists and reviews, visitor logs, UPS/generator and fire-suppression test records, DCIM dashboards.
- Operations: capacity plans, AV/EDR coverage, backup and restore-test reports, logging/SIEM configuration and retention, patch/vulnerability-scan reports, penetration-test reports, change-management records.
- Identity and access: JML workflow, MFA and PAM configuration, access-recertification records, secrets-management evidence.
- Cryptography: crypto policy, TLS/at-rest encryption configs, key-management and HSM records, rotation logs.
- Network and communication: architecture diagrams, segmentation and firewall configs, DDoS-mitigation and IDS/IPS logs.
- Development and product: SDLC policy, SAST/DAST/SCA reports, CI/CD approvals, image-scan and orchestration-hardening evidence.
- Suppliers: supplier inventory and risk assessments, contract security schedules, DPAs, subservice attestations (SOC 2 / C5).
- Incident and continuity: IR plan, incident tickets and post-incident reviews, customer-notification records, BIA, BC/DR plans and test reports.
- Compliance and legal: legal/regulatory register, GDPR/BDSG analysis, internal-audit reports, records-retention schedule.
- Transparency: system description, environment-parameter table, investigation-request procedure, CCC list.
Roles and responsibilities
| Role | Responsibility in a C5 programme |
|---|
| Executive management / board | Approve ISMS and policy, accept residual risk, sign management assertion, fund the programme |
| CISO / Information Security Officer | Own the ISMS and control framework, drive gap closure, coordinate the audit |
| Compliance / GRC team | Maintain legal register, manage the evidence repository, track remediation and internal audit |
| Cloud / platform engineering | Implement technical controls: segmentation, encryption, hardening, logging, IAM/PAM |
| DevOps / product security | Operate secure SDLC, image scanning, orchestration hardening, product-security controls (PSS) |
| IT operations / SRE | Run capacity, backup, patching, change management, monitoring and DR testing |
| HR | Screening, contracts, security training, joiner/leaver processes |
| Legal / DPO | Handle investigation requests, jurisdiction disclosure, DPAs, GDPR/BDSG compliance |
| Procurement / vendor management | Supplier due diligence, contract security clauses, subservice monitoring |
| Independent auditor (external) | Perform the ISAE 3000 / IDW PS 951 attestation and issue the opinion |
KPIs and metrics to track
- Percentage of applicable C5 criteria with design implemented (readiness coverage).
- Number and severity of open control gaps versus target closure dates.
- MFA and privileged-access coverage across in-scope systems (target 100%).
- Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents.
- Percentage of critical/high vulnerabilities remediated within SLA.
- Patch compliance rate across in-scope infrastructure.
- Backup success rate and successful restore-test rate.
- DR test frequency and RTO/RPO achievement against objectives.
- Access-recertification completion rate and orphaned-account count.
- Security-awareness training completion and phishing-simulation failure rate.
- Number of audit exceptions per cycle and time to remediate them.
- Subservice-provider attestation coverage (percentage of material subservices with current C5/SOC 2).
- Customer-incident-notification adherence to the committed SLA.
Readiness checklist
- Service scope, criteria tier (Basic / Additional) and report type (Type 1 / Type 2) are defined and agreed.
- ISMS is established, documented and approved by management.
- All 17 C5 domains have documented policies and implemented controls.
- Risk register, treatment plan and residual-risk acceptance are current.
- MFA and privileged-access management are enforced across in-scope systems.
- Logging/SIEM captures security events with protected retention.
- Vulnerability scanning, penetration testing and patch SLAs are operating.
- Encryption at rest and in transit with documented key management is in place.
- Network segmentation isolates tenants and zones; boundary and DDoS controls operate.
- Secure SDLC, image scanning and orchestration hardening (PSS) are evidenced.
- Incident-response plan tested; customer-notification SLA defined.
- BIA, BC/DR plans and DR tests completed within the period.
- Supplier/subservice inventory, risk assessments and contracts (with DPAs) are current.
- System description, environment parameters and CCCs are authored and signed.
- Investigation-request handling and jurisdiction disclosure are documented.
- Evidence repository assembled and mapped to each C5 criterion.
- Qualified ISAE 3000 / IDW PS 951 auditor engaged.
Common gaps and findings
- Incomplete or inaccurate system description and environment parameters that do not match the actual environment.
- Complementary Customer Controls (CCCs) missing or not communicated to customers, blurring shared responsibility.
- MFA not enforced for all privileged and remote access; standing (non-time-bound) admin rights.
- Insufficient log retention or unprotected logs; gaps in admin-activity logging.
- Vulnerability and patch remediation without defined or met SLAs; growing exception backlog.
- Backups not restore-tested, or DR plans documented but never exercised within the period.
- Weak subservice governance: no current attestation from material subservice providers, or inconsistent carve-in/carve-out treatment.
- Product-security (PSS) gaps: unscanned container images, unhardened orchestration, insecure default configurations.
- Change management bypassed for emergency changes without retrospective approval.
- Investigation-request process undefined, or jurisdiction/data-location disclosure incomplete.
- Access recertification overdue; orphaned or shared accounts persisting.
- Evidence produced retrospectively for the audit rather than generated at source during the period (a common Type 2 failure).
BSI C5 mapped to other frameworks
C5 was deliberately aligned with mainstream frameworks to reduce duplicate audit effort. The mapping below is indicative; a formal crosswalk should be maintained per criterion.
| C5 domain / concept | ISO/IEC 27001:2022 | SOC 2 (TSC) | Related scheme |
|---|
| OIS / SP (governance, policy) | Clauses 4-10, A.5 policies | CC1 control environment | EUCS governance; IT-Grundschutz ISMS |
| HR (personnel) | A.6 people controls | CC1 / CC2 | IT-Grundschutz ORP.2 |
| AM (asset management) | A.5.9-A.5.14 | CC6 | IT-Grundschutz CON/OPS asset modules |
| PS (physical security) | A.7 physical controls | CC6.4 | IT-Grundschutz INF |
| OPS (operations, logging, vuln, change) | A.8 technological controls | CC6, CC7, CC8 | CSA CCM operations; EUCS |
| IDM (identity and access) | A.5.15-A.5.18, A.8.2-A.8.5 | CC6.1-CC6.3 | NIST 800-53 AC/IA |
| CRY (cryptography) | A.8.24 | CC6.1 | BSI TR-02102; CSA CCM EKM |
| COS (communication security) | A.8.20-A.8.23 | CC6.6, CC6.7 | CSA CCM IVS/DSI |
| PI (portability, exit) | A.8.13-A.8.14 (backup/redundancy) | A1 availability | EUCS portability; GDPR portability |
| DEV / PSS (secure SDLC, product) | A.8.25-A.8.31 | CC8.1 | CSA CCM AIS; OWASP ASVS |
| SSO (supplier / subservice) | A.5.19-A.5.23 | CC9.2 | CSA CCM STA; DORA third-party |
| SIM (incident management) | A.5.24-A.5.28 | CC7.3-CC7.5 | NIS2 / GDPR breach notification |
| BCM (business continuity) | A.5.29-A.5.30 | A1.2, A1.3 | ISO 22301; DORA operational resilience |
| COM (compliance) | A.5.31-A.5.36, Clause 9 | CC2 / CC4 | GDPR / BDSG |
| INQ (investigation requests) | A.5.31, A.5.34 | (privacy criteria) | GDPR; German telecom/lawful-access law |
How CyberSigma helps
CyberSigma runs end-to-end BSI C5 readiness and attestation-support programmes. As a CERT-In empanelled auditor and PCI QSA practice, we scope your cloud service, decide the Basic-versus-Additional criteria tier and Type 1-versus-Type 2 path, and run a domain-by-domain gap assessment across all 17 C5 domains plus the mandatory environment parameters and Complementary Customer Controls. We remediate gaps in identity and privileged access, encryption and key management, logging and SIEM, vulnerability and patch SLAs, secure DevOps and product security (PSS), business continuity and supplier governance, then author your system description and shared-responsibility matrix and assemble an audit-ready evidence repository mapped to every criterion. We coordinate the independent ISAE 3000 / IDW PS 951 auditor, support walkthroughs and Type 2 operating-effectiveness testing, and drive exceptions to closure. Because we maintain live crosswalks to ISO/IEC 27001, SOC 2, EUCS and IT-Grundschutz, we reuse your existing control evidence to cut cost and time-to-attestation. Talk to CyberSigma to plan your BSI C5 journey.