Knowledge Center / BSI C5
BSI (Germany) · Germany / EU

BSI C5 (Cloud Computing Compliance Criteria Catalogue)

German catalogue of cloud security controls attested by auditors.

Introduction to BSI C5

The Cloud Computing Compliance Criteria Catalogue (Cloud Computing Compliance Controls Catalogue), universally abbreviated as BSI C5, is the cloud-security assurance framework published by the German Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik, BSI). First issued in 2016 and comprehensively revised in 2020 (the current baseline commonly referred to as C5:2020), it defines a minimum baseline of information-security controls that cloud service providers (CSPs) must demonstrate to customers, particularly customers in the German public sector, regulated industries and enterprises with elevated data-protection obligations. Unlike a certification scheme, BSI C5 is delivered as an independent third-party attestation report produced by an audit firm under the international assurance standard ISAE 3000 (and, in Germany, the equivalent IDW PS 951 / AssS 5100), giving customers audited evidence rather than a self-declared badge.

This deep-dive is written for two audiences at once: the auditor or assessor who must plan and execute a C5 attestation engagement, and the implementer or CISO team at a cloud provider (or a cloud customer performing supplier due diligence) who must build, evidence and operate the underlying controls. It enumerates every C5 control domain, explains the Type 1 versus Type 2 attestation model, the basic-versus-additional criteria tiering, the mandatory supplementary information (system description, environment parameters, complementary customer controls), and maps C5 to adjacent frameworks such as ISO/IEC 27001, SOC 2, the EU Cloud Services scheme (EUCS) and the German BSI IT-Grundschutz.

Copyright and source note
BSI C5 is a copyrighted publication of the Bundesamt fuer Sicherheit in der Informationstechnik. The catalogue itself is distributed by the BSI free of charge, but its text, control wording and diagrams remain the intellectual property of the BSI. This guide is an original, independent commentary written for educational and readiness purposes. It paraphrases obligations in our own words and does not reproduce the BSI's copyrighted control text verbatim. Always obtain the current official C5 catalogue from the BSI and engage a qualified auditor for a formal attestation.

What is BSI C5

BSI C5 is a catalogue of cloud-specific information-security requirements that a CSP's control environment is measured against by an independent auditor. The output of a C5 engagement is not a certificate but an attestation report (Pruefungsbericht) containing the auditor's opinion on whether the CSP's controls are suitably designed and, in a Type 2 engagement, operating effectively across a defined period. Because the report is grounded in ISAE 3000, it is internationally recognised and directly comparable to a SOC 2 report in structure, while the control content is tailored to cloud risks and German regulatory expectations.

The framework was created to solve a specific market failure: cloud customers, especially in government and regulated sectors, could not easily and consistently assess whether a provider's security posture met a credible minimum baseline. C5 standardises that baseline and forces transparency through mandatory environment disclosures. Key characteristics include:

  • Attestation, not certification — a qualified auditor issues an ISAE 3000 / IDW PS 951 opinion; there is no BSI-issued certificate or logo.
  • Two report types — Type 1 (design and implementation at a point in time) and Type 2 (design plus operating effectiveness over a period, typically 6 to 12 months).
  • Two criteria tiers — Basic Criteria (mandatory baseline) and Additional Criteria (for higher assurance / higher-confidentiality workloads).
  • Mandatory transparency — the CSP must publish system description and environment parameters covering jurisdiction, data location, subcontractors, investigation and disclosure practices, and certifications.
  • Shared-responsibility clarity — C5 requires the CSP to state Complementary Customer Controls (CCCs): controls the customer must operate for the overall system to be secure.
  • Cloud-native scope — controls address multi-tenancy, virtualisation, container and orchestration security, portability and interoperability, and cloud incident response.

C5:2020 expanded the 2016 edition from roughly 114 to 121 basic criteria across 17 domains, added new subject areas (notably product security / DevOps, and enhanced dealing-with-investigation-requests disclosures), and aligned more closely with ISO/IEC 27001 Annex A and CSA CCM to reduce duplicate audit effort.

Who must comply and scope of applicability

BSI C5 is not a statute; no organisation is legally forced to obtain a C5 attestation by the catalogue itself. However, compliance is effectively mandatory in a growing set of procurement and regulatory contexts, and voluntary but commercially decisive in many others. The table below summarises who is in scope and why.

Actor / scenarioApplicabilityDriver
Cloud service providers (IaaS/PaaS/SaaS) selling into GermanyStrongly expectedStandard German enterprise and public-sector procurement requirement; often a tender pre-condition
CSPs serving German federal / state governmentEffectively mandatoryGerman public-cloud procurement frameworks and BSI guidance reference C5 as the baseline
Financial-sector cloud providers (banks, insurers)Strongly expectedBaFin supervisory expectations (KAIT / BAIT / VAIT) reference C5 for cloud outsourcing assurance
Healthcare and public-health cloud providersExpectedElevated data-protection and BSI critical-infrastructure (KRITIS) expectations
Enterprises consuming cloud (customer side)IndirectUse supplier C5 reports for due diligence and to document shared-responsibility (CCCs)
Subservice providers / subcontractors of a CSPConditionalCarved-in or inclusive method may extend the audit scope to material subcontractors
Non-German EU / global CSPsVoluntary but strategicC5 is a recognised differentiator and pre-stage for the EU Cloud Services scheme (EUCS)

Scope boundaries within a CSP

  • The scope is defined by the CSP as a specific cloud service (or set of services), with a named service model (IaaS/PaaS/SaaS), deployment model, and the supporting infrastructure, applications and processes.
  • Corporate IT that does not support the in-scope service can be excluded, but must be delineated clearly in the system description.
  • Subservice organisations (e.g., a colocation data-centre or an upstream IaaS) are handled by the inclusive method (carve-in, audited within scope) or the carve-out method (excluded, with reliance placed on the subservice provider's own attestation).
  • The reporting period (Type 2) and reporting date (Type 1) must be stated; a typical Type 2 period is 6 or 12 months.

Structure of BSI C5

C5:2020 organises its criteria into 17 subject-area domains. Each domain contains a set of basic criteria (the mandatory baseline) and, for some, additional criteria for higher assurance. Every criterion carries an identifier (a two-to-four-letter domain prefix plus a number, e.g., OIS-01, IDM-08, PS-03). Surrounding the criteria are mandatory environment/transparency disclosures. The table lists the domains and their conventional prefixes.

#Domain (English)PrefixFocus
1Organisation of Information SecurityOISGovernance, ISMS, roles, risk management, segregation of duties
2Security Policies and InstructionsSPPolicy framework, documentation, review cycle
3PersonnelHRScreening, employment terms, training, disciplinary and termination
4Asset ManagementAMInventory, classification, acceptable use, return of assets
5Physical SecurityPSData-centre perimeter, access, environmental protection, equipment
6OperationsOPSCapacity, malware, logging, backup, monitoring, change and vulnerability management
7Identity and Access ManagementIDMProvisioning, authentication, privileged access, access review
8Cryptography and Key ManagementCRYEncryption at rest/in transit, key lifecycle, HSM
9Communication SecurityCOSNetwork segregation, boundary protection, data-in-transit, DoS defence
10Portability and InteroperabilityPIData import/export, standard formats, exit and reversibility
11Procurement, Development and Modification of Information SystemsDEVSecure SDLC, outsourced development, product/DevOps security
12Control and Monitoring of Service Providers and SuppliersSSOSupplier due diligence, subservice monitoring, supply-chain risk
13Security Incident ManagementSIMDetection, classification, response, forensics, customer notification
14Business Continuity ManagementBCMBusiness impact analysis, redundancy, DR testing, recovery objectives
15ComplianceCOMLegal/regulatory identification, internal audit, control assurance
16Dealing with Investigation Requests from Government AgenciesINQLawful-access handling, jurisdiction, customer notification, transparency
17Product SecurityPSSSecure product configuration, sessions, errors, images and orchestration

In addition to the 17 domains, the CSP must supply mandatory supplementary information: (a) a System Description of the service; (b) Environment Parameters (Rahmenparameter) covering jurisdiction, availability, data location, disclosure of investigation requests, certifications and audits; and (c) Complementary Customer Controls (CCCs).

Master assessment checklist

This is the operational heart of the guide. Each h3 below corresponds to one C5 domain. For every domain, the table gives representative criterion identifiers, what the auditor must verify, and the typical evidence a CSP should present. Together these cover all 17 domains plus the mandatory environment and shared-responsibility disclosures. No control area is omitted.

OIS — Organisation of Information Security

What to verifyTypical evidence
An ISMS is established, documented and approved by management (OIS-01)ISMS scope statement, ISO 27001 certificate or equivalent, management approval minutes
Information-security roles and responsibilities are defined and assigned (OIS-02)RACI matrix, CISO appointment letter, security org chart
Segregation of duties reduces conflicting responsibilities (OIS-03)SoD matrix, access-conflict review records
Contact with authorities and interest groups is maintained (OIS-04)CERT/BSI liaison records, ISAC or industry-group membership
A risk-management framework identifies, assesses and treats risks (OIS-05, OIS-06, OIS-07)Risk methodology, risk register, treatment plan, residual-risk sign-off

SP — Security Policies and Instructions

What to verifyTypical evidence
A top-level information-security policy exists and is approved (SP-01)Signed policy, version history, board/management approval
Detailed policies and work instructions exist for each control area (SP-02)Policy library index, procedure documents
Policies are communicated to relevant personnel (SP-02)Intranet distribution logs, acknowledgement records
Policies are reviewed at planned intervals and on significant change (SP-03)Review calendar, revision dates, change-triggered review records

HR — Personnel

What to verifyTypical evidence
Background verification is performed before employment for sensitive roles (HR-01)Screening policy, redacted background-check confirmations
Employment contracts include confidentiality and security obligations (HR-02)NDA templates, signed contract clauses
Security awareness and role-specific training is delivered and tracked (HR-03)Training curriculum, completion reports, phishing-simulation results
A disciplinary process addresses security breaches (HR-04)Disciplinary policy, sanction records (redacted)
Access and assets are revoked on termination or role change (HR-05, HR-06)Leaver checklist, deprovisioning tickets, asset-return logs

AM — Asset Management

What to verifyTypical evidence
Assets supporting the service are inventoried with owners (AM-01)Asset register / CMDB export, ownership field populated
Information is classified per a defined scheme (AM-02, AM-03)Classification policy, data-labelling standard, sample tagged assets
Acceptable-use rules govern assets and information (AM-04)Acceptable-use policy, acknowledgement records
Removable media and mobile devices are controlled (AM-05, AM-06)MDM/endpoint policy, encryption enforcement, media-handling procedure
Secure disposal of media and equipment is performed (AM-06)Sanitisation/destruction certificates, disposal logs

PS — Physical Security

What to verifyTypical evidence
Data-centre physical perimeters and zones are defined and enforced (PS-01)Site plans, zoning diagram, access-control system config
Physical access is granted on least-privilege and reviewed (PS-02)Badge access lists, visitor logs, periodic access reviews
Protection against environmental threats is in place (PS-03, PS-04)Fire suppression, HVAC, flood/seismic assessments, maintenance records
Redundant utilities (power, cooling, network) are provided (PS-05)UPS and generator test logs, N+1 topology, cooling redundancy design
Supporting infrastructure is monitored and maintained (PS-06)BMS/DCIM dashboards, maintenance schedules

OPS — Operations

What to verifyTypical evidence
Capacity is planned and monitored to meet demand (OPS-01)Capacity plans, utilisation dashboards, scaling records
Protection against malware is deployed and updated (OPS-04, OPS-05)AV/EDR coverage report, signature/update logs, detection alerts
Backups are performed, protected and restore-tested (OPS-06, OPS-07)Backup policy, job logs, encryption of backups, restore-test reports
Logging captures security-relevant events and is protected (OPS-10 to OPS-14)Logging standard, SIEM ingestion, log-integrity/retention config, admin-activity logs
Time synchronisation across systems (OPS-15)NTP configuration, drift-monitoring records
Vulnerability management: scanning, prioritisation, remediation SLAs (OPS-17 to OPS-19)Scan reports, penetration-test reports, patch-SLA tracking, exception register
Change management governs system modifications (OPS-20 to OPS-23)Change policy, CAB minutes, emergency-change records, segregation of dev/test/prod

IDM — Identity and Access Management

What to verifyTypical evidence
User registration and de-registration follows an approved process (IDM-01)Joiner/mover/leaver workflow, approval records
Access rights are granted on least privilege and need-to-know (IDM-02, IDM-03)Role-permission matrix, access-request approvals
Privileged access is restricted, logged and time-bound (IDM-04, IDM-09)PAM tooling, just-in-time elevation logs, admin-account inventory
Strong authentication (MFA) is enforced, especially for admin and remote (IDM-08)MFA policy, enforcement config, coverage report
Access rights are reviewed at defined intervals (IDM-05, IDM-06)Periodic recertification records, revocation of orphaned accounts
Password/secret management meets defined strength and storage rules (IDM-07, IDM-10)Password policy, secrets-vault usage, hashing standards

CRY — Cryptography and Key Management

What to verifyTypical evidence
A cryptography policy defines approved algorithms and use (CRY-01)Crypto policy, approved cipher-suite list aligned to BSI TR-02102
Data in transit is encrypted with strong protocols (CRY-02)TLS configuration, protocol/cipher scan results
Data at rest is encrypted where required (CRY-03)Storage/database encryption config, key-scope documentation
Keys are generated, distributed, stored, rotated and destroyed securely (CRY-04)Key-management procedure, HSM records, rotation logs, key-ceremony evidence

COS — Communication Security

What to verifyTypical evidence
Networks are segregated to isolate tenants and zones (COS-01, COS-02)Network architecture diagram, VLAN/VPC/segmentation config, firewall rules
Boundary protection controls filter and monitor traffic (COS-03, COS-04)Firewall/IDS/IPS config, ruleset review records
Data-in-transit protection across untrusted networks (COS-05)VPN/TLS enforcement, encryption of inter-DC traffic
Protection against denial-of-service attacks (COS-06)DDoS-mitigation service config, incident/mitigation logs
Policies govern information transfer with third parties (COS-07, COS-08)Data-transfer agreements, secure-transfer procedures

PI — Portability and Interoperability

What to verifyTypical evidence
Customers can export their data in a documented, usable format (PI-01, PI-02)Export API/documentation, supported formats, sample export
Interoperability via documented interfaces/standards (PI-03)API documentation, standards conformance statements
Secure and complete data deletion on contract termination (PI-04)Exit procedure, deletion certificate/attestation, retention wind-down

DEV — Procurement, Development and Modification of Information Systems

What to verifyTypical evidence
A secure SDLC governs development with security requirements (DEV-01, DEV-02)SDLC policy, security-requirement templates, threat-model records
Separation of development, test and production environments (DEV-03)Environment topology, access separation, no-prod-data-in-test controls
Secure coding, code review and security testing (DEV-04 to DEV-06)Coding standards, SAST/DAST/SCA reports, peer-review records
Outsourced development is controlled and reviewed (DEV-07)Supplier contracts with security clauses, code-quality/security gates
Change and version control with segregation and approval (DEV-08, DEV-09)Git/branch-protection config, CI/CD pipeline approvals, release records

SSO — Control and Monitoring of Service Providers and Suppliers

What to verifyTypical evidence
Suppliers and subservice providers are identified and risk-assessed (SSO-01)Supplier inventory, criticality classification, risk assessments
Security requirements are embedded in supplier contracts (SSO-02, SSO-03)Contract security schedules, DPAs, right-to-audit clauses
Subservice performance and security are monitored (SSO-04, SSO-05)SLA reports, review meeting minutes, subservice attestations (SOC 2 / C5)
Changes to supplier services are managed (SSO-06)Change-notification records, re-assessment on material change

SIM — Security Incident Management

What to verifyTypical evidence
An incident-management process with roles and escalation exists (SIM-01)Incident-response plan, on-call roster, escalation matrix
Events are detected, logged, classified and prioritised (SIM-02, SIM-03)SIEM alerts, incident tickets, severity-classification scheme
Incidents are responded to and lessons learned captured (SIM-04, SIM-05)Post-incident reviews, corrective-action tracking
Customers are notified of incidents affecting them within defined timelines (SIM-06)Notification procedure, SLA for customer notification, sample notifications
Forensic readiness and evidence preservation (SIM-07)Forensics procedure, chain-of-custody records, evidence-handling tooling

BCM — Business Continuity Management

What to verifyTypical evidence
Business impact analysis identifies critical services and objectives (BCM-01)BIA documentation, RTO/RPO definitions per service
Continuity and recovery plans are documented (BCM-02, BCM-03)BC/DR plans, runbooks, failover architecture
Redundancy is designed to meet availability commitments (BCM-03)Multi-AZ/multi-site topology, redundancy design docs
Continuity and recovery arrangements are tested regularly (BCM-04)DR test schedule, test reports, post-test remediation

COM — Compliance

What to verifyTypical evidence
Applicable legal, regulatory and contractual requirements are identified (COM-01)Legal register, GDPR/BDSG applicability analysis
Compliance with policies and standards is monitored (COM-02)Internal control monitoring, compliance dashboards
Independent reviews / internal audits of the ISMS are performed (COM-03)Internal audit plan, audit reports, findings and closure
Records are protected and retained per requirements (COM-04)Retention schedule, record-protection controls

INQ — Dealing with Investigation Requests from Government Agencies

What to verifyTypical evidence
A process governs handling of lawful-access / investigation requests (INQ-01)Government-request procedure, legal-review workflow
Requests are assessed for legal validity before any disclosure (INQ-02)Legal-assessment records, rejection of invalid requests
Customers are notified where legally permitted (INQ-03)Notification policy, transparency-report practice
The jurisdiction and applicable law for data access is disclosed (INQ-04)Environment-parameter disclosure, jurisdiction statement

PSS — Product Security

What to verifyTypical evidence
The product enforces secure default configuration and hardening (PSS-01, PSS-02)Hardening baselines, secure-default settings, CIS-benchmark evidence
Session management and authentication in the product are secure (PSS-03, PSS-04)Session-timeout config, token-handling design, auth test results
Error handling avoids disclosure of sensitive information (PSS-05)Error-handling standard, penetration-test verification
Container/VM images and orchestration are securely built and scanned (PSS-06 to PSS-11)Image-scan reports, registry-signing, orchestration-hardening (Kubernetes) config, admission-control policies
Input validation and output encoding protect against injection (PSS-07)Secure-coding evidence, SAST/DAST findings on injection classes

Environment parameters and complementary customer controls (mandatory disclosures)

What to verifyTypical evidence
System description accurately describes the service, boundaries and subservicesSigned system description, architecture diagrams, subservice list
Environment parameters disclose jurisdiction, data location, availability, certificationsRahmenparameter table, data-residency statement, certification list
Disclosure of investigation-request handling and transparency practiceTransparency statement, investigation-request policy summary
Complementary Customer Controls (CCCs) are defined and communicatedCCC list in the report, customer-facing shared-responsibility matrix
Subservice method (carve-in vs carve-out) is declared and consistentScope statement, reliance memos, subservice attestations

Scoping and materiality / tiering

C5 scoping decisions determine both audit cost and the assurance value of the resulting report. The principal levers are: which service(s) are in scope, whether Basic or Basic-plus-Additional criteria are covered, whether the engagement is Type 1 or Type 2, and how subservice organisations are treated.

  • Service scope — define the specific cloud service(s), service model (IaaS/PaaS/SaaS) and the supporting infrastructure and processes. Broader scope means broader assurance but more evidence.
  • Criteria tier — Basic Criteria are mandatory for any C5 report. Additional Criteria are elective and target workloads with elevated confidentiality/integrity/availability needs; including them materially raises assurance and effort.
  • Report type — Type 1 (design at a date) is faster and suits first-year readiness; Type 2 (operating effectiveness over a period) is what most enterprise and regulated customers ultimately require.
  • Subservice method — carve-in (inclusive) audits the subservice within scope; carve-out excludes it and relies on the subservice provider's own attestation plus CCCs. The choice must be consistent and disclosed.
  • Materiality — the auditor sets materiality for control deviations; a control with a deviation may still yield an unqualified opinion if compensating controls or immateriality are demonstrated, otherwise the opinion is qualified.
Type 1 versus Type 2 in practice
A first-time provider often issues a Type 1 report to prove design, then transitions to an annual Type 2 covering a 6-to-12-month period. Regulated customers (finance, public sector) typically insist on Type 2 with the Additional Criteria for their high-confidentiality workloads.

Implementation approach

A pragmatic C5 programme runs in five phases. Each phase lists key activities and the deliverables a CISO team should produce.

Phase 1 — Scoping and gap assessment

  • Activities: define in-scope service and boundaries; choose Basic vs Additional and Type 1 vs Type 2; map existing ISO 27001 / SOC 2 controls to C5 domains; run a gap assessment across all 17 domains and environment parameters.
  • Deliverables: scope statement, C5-to-existing-control mapping, gap register with owners and target dates, subservice inventory and method decision.

Phase 2 — Remediation and control build

  • Activities: close gaps (policies, PAM/MFA, logging/SIEM, backup and DR testing, vulnerability-management SLAs, product/DevOps hardening, crypto/key management, supplier clauses); establish evidence-capture at source.
  • Deliverables: updated policy library, hardened baselines, remediation-closure evidence, control-operation records begin accruing.

Phase 3 — System description and environment parameters

  • Activities: author the system description; complete environment parameters (jurisdiction, data location, availability, investigation-request handling, certifications); define Complementary Customer Controls.
  • Deliverables: signed system description, environment-parameter table, CCC list, customer-facing shared-responsibility matrix.

Phase 4 — Attestation engagement

  • Activities: engage a qualified ISAE 3000 / IDW PS 951 auditor; support walkthroughs, design testing and (for Type 2) operating-effectiveness sampling across the period; remediate any exceptions where possible.
  • Deliverables: auditor evidence packages, exception log with responses, draft attestation report.

Phase 5 — Report, publish and sustain

  • Activities: finalise the report and opinion; distribute under NDA to customers; feed findings into continual improvement; schedule the next annual Type 2 period and monitor control health continuously.
  • Deliverables: signed attestation report, distribution register, corrective-action plan, next-cycle audit calendar.

Maturity / capability model

Although C5 issues a binary attestation opinion rather than a maturity score, CSPs benefit from tracking control maturity internally to predict audit readiness and prioritise investment. The following five-level model is a practical lens for C5 readiness.

LevelNameDescriptionC5 readiness signal
1Initial / ad hocControls exist informally; little documentation or consistencyNot audit-ready; many design gaps across domains
2DocumentedPolicies and procedures written and approved; controls definedType 1 (design) may be achievable for some domains
3ImplementedControls operate consistently and produce evidenceType 1 achievable across scope; Type 2 evidence beginning to accrue
4ManagedControls are monitored with metrics; deviations detected and correctedType 2 achievable with unqualified opinion likely
5OptimisedControls continuously improved; automation and Additional Criteria embeddedType 2 with Additional Criteria; low deviation rate, strong assurance

Assessment and audit approach

A C5 attestation follows the ISAE 3000 assurance methodology. The typical engagement steps are:

  1. Engagement acceptance and scoping — agree the service scope, criteria tier (Basic / Additional), report type (Type 1 / Type 2), reporting period and subservice method.
  2. Understand the system — review the system description and environment parameters; perform walkthroughs of each domain to understand control design.
  3. Assess control design — evaluate whether controls, if operating, would meet each applicable criterion; identify design gaps.
  4. Test operating effectiveness (Type 2 only) — select samples across the reporting period and test each control's operation using inspection, observation, inquiry and re-performance.
  5. Evaluate deviations — assess exceptions for severity and pervasiveness against materiality; consider compensating controls.
  6. Form the opinion — conclude unqualified, qualified, adverse or disclaimer; document the basis.
  7. Report — issue the attestation report containing management's assertion, the system description, the control matrix with test results, and the auditor's opinion, plus CCCs and subservice reliance.
  8. Distribute and monitor — release the report to customers under confidentiality; feed exceptions into remediation for the next cycle.

Evidence request list

Auditors typically request the following evidence categories. CSPs should assemble these in an evidence repository ahead of fieldwork.

  • Governance and ISMS: ISMS scope, security policy, risk methodology and register, treatment plan, management-review minutes, org chart, ISO 27001 certificate.
  • Policies and procedures: full policy library with version history, review dates and communication/acknowledgement records.
  • Personnel: screening policy and confirmations, NDAs, training curriculum and completion reports, leaver/deprovisioning records.
  • Asset and data: asset register/CMDB, classification scheme, media-handling and disposal certificates.
  • Physical and environmental: data-centre access lists and reviews, visitor logs, UPS/generator and fire-suppression test records, DCIM dashboards.
  • Operations: capacity plans, AV/EDR coverage, backup and restore-test reports, logging/SIEM configuration and retention, patch/vulnerability-scan reports, penetration-test reports, change-management records.
  • Identity and access: JML workflow, MFA and PAM configuration, access-recertification records, secrets-management evidence.
  • Cryptography: crypto policy, TLS/at-rest encryption configs, key-management and HSM records, rotation logs.
  • Network and communication: architecture diagrams, segmentation and firewall configs, DDoS-mitigation and IDS/IPS logs.
  • Development and product: SDLC policy, SAST/DAST/SCA reports, CI/CD approvals, image-scan and orchestration-hardening evidence.
  • Suppliers: supplier inventory and risk assessments, contract security schedules, DPAs, subservice attestations (SOC 2 / C5).
  • Incident and continuity: IR plan, incident tickets and post-incident reviews, customer-notification records, BIA, BC/DR plans and test reports.
  • Compliance and legal: legal/regulatory register, GDPR/BDSG analysis, internal-audit reports, records-retention schedule.
  • Transparency: system description, environment-parameter table, investigation-request procedure, CCC list.

Roles and responsibilities

RoleResponsibility in a C5 programme
Executive management / boardApprove ISMS and policy, accept residual risk, sign management assertion, fund the programme
CISO / Information Security OfficerOwn the ISMS and control framework, drive gap closure, coordinate the audit
Compliance / GRC teamMaintain legal register, manage the evidence repository, track remediation and internal audit
Cloud / platform engineeringImplement technical controls: segmentation, encryption, hardening, logging, IAM/PAM
DevOps / product securityOperate secure SDLC, image scanning, orchestration hardening, product-security controls (PSS)
IT operations / SRERun capacity, backup, patching, change management, monitoring and DR testing
HRScreening, contracts, security training, joiner/leaver processes
Legal / DPOHandle investigation requests, jurisdiction disclosure, DPAs, GDPR/BDSG compliance
Procurement / vendor managementSupplier due diligence, contract security clauses, subservice monitoring
Independent auditor (external)Perform the ISAE 3000 / IDW PS 951 attestation and issue the opinion

KPIs and metrics to track

  • Percentage of applicable C5 criteria with design implemented (readiness coverage).
  • Number and severity of open control gaps versus target closure dates.
  • MFA and privileged-access coverage across in-scope systems (target 100%).
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for security incidents.
  • Percentage of critical/high vulnerabilities remediated within SLA.
  • Patch compliance rate across in-scope infrastructure.
  • Backup success rate and successful restore-test rate.
  • DR test frequency and RTO/RPO achievement against objectives.
  • Access-recertification completion rate and orphaned-account count.
  • Security-awareness training completion and phishing-simulation failure rate.
  • Number of audit exceptions per cycle and time to remediate them.
  • Subservice-provider attestation coverage (percentage of material subservices with current C5/SOC 2).
  • Customer-incident-notification adherence to the committed SLA.

Readiness checklist

  • Service scope, criteria tier (Basic / Additional) and report type (Type 1 / Type 2) are defined and agreed.
  • ISMS is established, documented and approved by management.
  • All 17 C5 domains have documented policies and implemented controls.
  • Risk register, treatment plan and residual-risk acceptance are current.
  • MFA and privileged-access management are enforced across in-scope systems.
  • Logging/SIEM captures security events with protected retention.
  • Vulnerability scanning, penetration testing and patch SLAs are operating.
  • Encryption at rest and in transit with documented key management is in place.
  • Network segmentation isolates tenants and zones; boundary and DDoS controls operate.
  • Secure SDLC, image scanning and orchestration hardening (PSS) are evidenced.
  • Incident-response plan tested; customer-notification SLA defined.
  • BIA, BC/DR plans and DR tests completed within the period.
  • Supplier/subservice inventory, risk assessments and contracts (with DPAs) are current.
  • System description, environment parameters and CCCs are authored and signed.
  • Investigation-request handling and jurisdiction disclosure are documented.
  • Evidence repository assembled and mapped to each C5 criterion.
  • Qualified ISAE 3000 / IDW PS 951 auditor engaged.

Common gaps and findings

  • Incomplete or inaccurate system description and environment parameters that do not match the actual environment.
  • Complementary Customer Controls (CCCs) missing or not communicated to customers, blurring shared responsibility.
  • MFA not enforced for all privileged and remote access; standing (non-time-bound) admin rights.
  • Insufficient log retention or unprotected logs; gaps in admin-activity logging.
  • Vulnerability and patch remediation without defined or met SLAs; growing exception backlog.
  • Backups not restore-tested, or DR plans documented but never exercised within the period.
  • Weak subservice governance: no current attestation from material subservice providers, or inconsistent carve-in/carve-out treatment.
  • Product-security (PSS) gaps: unscanned container images, unhardened orchestration, insecure default configurations.
  • Change management bypassed for emergency changes without retrospective approval.
  • Investigation-request process undefined, or jurisdiction/data-location disclosure incomplete.
  • Access recertification overdue; orphaned or shared accounts persisting.
  • Evidence produced retrospectively for the audit rather than generated at source during the period (a common Type 2 failure).

BSI C5 mapped to other frameworks

C5 was deliberately aligned with mainstream frameworks to reduce duplicate audit effort. The mapping below is indicative; a formal crosswalk should be maintained per criterion.

C5 domain / conceptISO/IEC 27001:2022SOC 2 (TSC)Related scheme
OIS / SP (governance, policy)Clauses 4-10, A.5 policiesCC1 control environmentEUCS governance; IT-Grundschutz ISMS
HR (personnel)A.6 people controlsCC1 / CC2IT-Grundschutz ORP.2
AM (asset management)A.5.9-A.5.14CC6IT-Grundschutz CON/OPS asset modules
PS (physical security)A.7 physical controlsCC6.4IT-Grundschutz INF
OPS (operations, logging, vuln, change)A.8 technological controlsCC6, CC7, CC8CSA CCM operations; EUCS
IDM (identity and access)A.5.15-A.5.18, A.8.2-A.8.5CC6.1-CC6.3NIST 800-53 AC/IA
CRY (cryptography)A.8.24CC6.1BSI TR-02102; CSA CCM EKM
COS (communication security)A.8.20-A.8.23CC6.6, CC6.7CSA CCM IVS/DSI
PI (portability, exit)A.8.13-A.8.14 (backup/redundancy)A1 availabilityEUCS portability; GDPR portability
DEV / PSS (secure SDLC, product)A.8.25-A.8.31CC8.1CSA CCM AIS; OWASP ASVS
SSO (supplier / subservice)A.5.19-A.5.23CC9.2CSA CCM STA; DORA third-party
SIM (incident management)A.5.24-A.5.28CC7.3-CC7.5NIS2 / GDPR breach notification
BCM (business continuity)A.5.29-A.5.30A1.2, A1.3ISO 22301; DORA operational resilience
COM (compliance)A.5.31-A.5.36, Clause 9CC2 / CC4GDPR / BDSG
INQ (investigation requests)A.5.31, A.5.34(privacy criteria)GDPR; German telecom/lawful-access law
How CyberSigma helps
CyberSigma runs end-to-end BSI C5 readiness and attestation-support programmes. As a CERT-In empanelled auditor and PCI QSA practice, we scope your cloud service, decide the Basic-versus-Additional criteria tier and Type 1-versus-Type 2 path, and run a domain-by-domain gap assessment across all 17 C5 domains plus the mandatory environment parameters and Complementary Customer Controls. We remediate gaps in identity and privileged access, encryption and key management, logging and SIEM, vulnerability and patch SLAs, secure DevOps and product security (PSS), business continuity and supplier governance, then author your system description and shared-responsibility matrix and assemble an audit-ready evidence repository mapped to every criterion. We coordinate the independent ISAE 3000 / IDW PS 951 auditor, support walkthroughs and Type 2 operating-effectiveness testing, and drive exceptions to closure. Because we maintain live crosswalks to ISO/IEC 27001, SOC 2, EUCS and IT-Grundschutz, we reuse your existing control evidence to cut cost and time-to-attestation. Talk to CyberSigma to plan your BSI C5 journey.

Frequently asked questions

Is BSI C5 a certification?
It is delivered as an auditor attestation (ISAE 3000) rather than a certificate, but functions as the German market benchmark for cloud security.
Official documents

Need help with BSI C5?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.