C5 introduction

Basic concept

C5 is a criteria catalogue that sets a baseline security level for cloud services. It aims to make information security transparent on the basis of a standardized examination and report. Customers evaluate these reports as part of their own risk analysis. More generally, the catalogue is used by cloud service providers, customers and auditors. All three share responsibility for establishing and maintaining information security.

Cloud service providers can implement the C5 criteria to enhance security and establish a competitive edge. To demonstrate alignment with the C5 criteria, the CSP can commission, for example, certified public accountants or other auditors of its choice to conduct an examination.

Auditors check whether the C5 criteria are met at the time of the examination and, depending on the type of engagement, whether they have also been met in the past. They produce a detailed examination report according to international standards. The report documents the actions taken during the examination and contains a system description stating which procedures, processes and measures the CSP has implemented to satisfy C5.

Using cloud services provides opportunities, but also involves risks. It is crucial that cloud customers conduct their own risk assessment. As a foundation, the customer should obtain the C5 report from the respective cloud service provider and analyse it. This procedure should be repeated yearly. The standardized reports enable cloud customers to compare and control different cloud providers with regard to information security in a structured way. BSI Germany is not involved in selecting auditors and does not check audit reports. It is the customers' responsibility to analyse the reports and draw their own conclusions from them. The customer is also responsible for checking whether the baseline security level is sufficient or whether additional criteria are relevant for their specific use case.