C5 and the German IT Security Act
In principle, a passed C5 attestation can be used as part of a documentation of compliance according to Section 8a (3) of the BSIG. You can find more detailed information here:
The Cloud Computing Compliance Criteria Catalogue (C5) is generally a minimum standard for IT security for Cloud Service Providers (CSPs). CSPs are classified as critical infrastructure within the essential service 'data storage and processing' if the corresponding threshold of the BSI KRITIS Regulation is exceeded. A passed C5 attestation can also be used as part of a documentation of compliance according to Section 8a (3) BSIG, as long as some basic conditions (see the following sections) are met during the audit.
The scope of the measures according to Section 8a (1) of the Federal Office for Information Security Act (BSIG), as well as the audit object of the documentation of compliance according to Section 8a (3) BSIG, must cover the entire operated asset according to the BSI KRITIS Regulation (e.g. a server farm). For the C5 attestation of a cloud service provider (CSP) to be sufficient as documentation of compliance for its asset according to Section 8a (3) BSIG, documentation of adequate protection, taking the state of the art into account, must also be provided for all operationally relevant information technology services, systems, components or processes that are not covered by the C5 attestation. This can be done by extending the C5 audit to the previously unaudited parts of the CSP or by an additional audit.
The BSIG requires appropriate measures to be taken for the operationally relevant parts of the respective asset categories (with regard to availability, confidentiality, integrity and authenticity) in accordance with their protection needs. Avoiding supply shortages in essential services is of central importance in the context of KRITIS. Therefore, the appropriate specification of the protection needs of the operationally relevant parts of the asset category has to be examined (cf. Section 8a (1) and Section 8a (3) BSIG) and, in addition to the requirements of C5, care should be taken to ensure that the systems relevant to the operation of essential services are based on a resilient architecture.
The central concern in dealing with risks must be to maintain the security of supply of the company or to comply with the Service Level Agreements (SLA) concluded with customers. As part of risk management, therefore, the protection objectives of availability, confidentiality, integrity and authenticity must be assessed in terms of the extent to which the essential service is maintained -- a purely business management approach is usually not sufficient. The consequences of impairing the functionality of an operated critical infrastructure can be used as an indication of the extent of a risk to society.
Risks within the scope of Section 8a (1) BSIG may not be accepted if security precautions pursuant to Section 8a (1) BSIG are possible and appropriate. Even if risks cannot be completely eliminated, the risks must be adequately reduced as far as possible before acceptance is permitted.
Furthermore, insuring the risks does not replace the required security precautions. Appropriate safeguards pursuant to Section 8a (1) BSIG remain necessary. Even if risks cannot be completely eliminated, they must be adequately reduced as far as possible before insuring them as part of risk treatment is permitted. Concluding additional insurance policies is unaffected.
In addition, there must be compliance with the requirements of C5 regarding the implementation of the measures. If further measures are to be adopted over and above the requirements of C5 with regard to the appropriate protection in accordance with Section 8a (1) BSIG for risk treatment, these must be implemented for the documentation of compliance in accordance with Section 8a (3) BSIG or be in an expected stage of progress at the time of documentation. These measures and deficiencies must be included in the list of security deficiencies.
Documentation of compliance pursuant to Section 8a (3) BSIG must be provided at least every two years. At the time the documentation is submitted, the underlying C5 attestations must be current, i.e. issued within the last 12 months. If necessary, older documentation can be included as compliance documentation in the form of a document analysis. This documentation requirement can easily be integrated into the C5 attestation.
In addition to the current attestation, a list of identified security deficiencies can also be submitted as appropriate documentation. The documentation pursuant to Section 8a (3) BSIG should be submitted by using the BSI forms and in accordance with the 'Guidance on Compliance Documentation'. In particular, one document per asset must be submitted in accordance with BSI-KritisV, although individual asset documentation can also be created as part of an overall audit.
In making their assessment of the appropriateness and suitability of the risk treatment or measures, the auditor must take into account aspects that are relevant for KRITIS (such as the impact of a disruption on society or the security of supply).
The audited party should, alongside the qualifications stated in C5, also meet the suitability criteria listed in the 'Guidance on Compliance Documentation'.