The 2020 cloud computing compliance criteria catalogue (C5) consists of 125 criteria divided into 17 subject areas (see Section 2.2 of the cloud computing compliance criteria catalogue (C5)). The C5 criteria were derived from nationally and internationally established standards and publications in the field of cloud computing and information security (see Section 2.3 of the criteria catalogue).

The 'International Standard on Assurance Engagements 3000' (ISAE 3000) forms the overarching framework of the audit methodology.

The subject of an audit in line with C5 is the service-related internal control system of the cloud provider for the provision of the cloud service. This comprises the principles, procedures and measures, including the controls set up for this purpose in its structural and procedural organisation. The cloud provider either prepares a description of this and issues a statement (audit of a statement) or the auditors ascertain the established controls themselves within the scope of the audit and report on this (direct audit).

Audits can take the form of an adequacy audit or an effectiveness audit. In reporting on these audits, a distinction is made between

• Type 1 reporting: The auditor expresses an opinion on whether the controls are suitably designed and implemented at the time of the audit to meet the C5 criteria with reasonable assurance.
• Type 2 reporting: In addition to the statement on suitability, the audit opinion includes a statement on the operating effectiveness of the controls over an audit period.

A practical example illustrates the difference:

The basic criterion OPS-02 provides for technical and organisational measures for monitoring. The cloud provider has stated in its description of this criterion that the service is subject to constant monitoring in order to be able to react in time when certain threshold values are reached. Monitoring software is used to monitor availability, capacity and performance.
In the case of type 1 reporting, the auditor must be satisfied at the time of the audit that this monitoring software is actually in use and monitors the said criteria on the basis of appropriately defined threshold values.
In the case of type 2 reporting, the auditor must also satisfy be satisfied that the monitoring was carried out continuously during the audit period. For this purpose, the cloud provider must keep corresponding evidence (for example log files) that allow the auditor to identify interruptions of the monitoring or the reaching of the defined threshold values. The auditor would have the corresponding records for these events provided, usually on a random basis, in order to be convinced of the effectiveness of the reporting system.

The differences are particularly evident in the provision of evidence: in a Type 1 audit, only exemplary evidence of the establishment of controls is provided. Type 2, on the other hand, provides evidence of the effective application or implementation of controls over the entire audit period, which is typically 6 or 12 months. The audit is often carried out using random samples. This more in-depth approach means that Type 2 reports are more meaningful and reliable.

In the BSI'sview, an effectiveness test (type 2) is required to achieve an appropriate informative value. Audits on the adequacy (type 1) of the service-related internal control system should only be carried out in the case of the initial audit of a cloud service according to this catalogue of criteria and should under no circumstances be considered several times in succession. The type of reporting is identified in the report itself. We recommend that customers explicitly contact their service provider if a type 1 audit report is repeatedly submitted.

Reporting comprises the following separate parts -- see C5 (Cloud Computing Compliance Criteria Catalogue) section 3.4.8. The order of these parts may differ on a case-by-case basis.

1. Independent auditor's report with summarising audit opinion
2. Written statement by the cloud service provider's legal representative concerning the factually correct presentation of the service-related internal control system in the description provided, as well as the suitability of design (type 1 reporting) and, if so commissioned, the effectiveness of the controls presented in the description (type 2 reporting) -- this section is omitted for a direct engagement
3. Description of the cloud provider's service-related internal control system for provisioning the cloud service in relation to the C5 (Cloud Computing Compliance Criteria Catalogue) criteria (in short: system description)
4. Presentation of the applicable C5 (Cloud Computing Compliance Criteria Catalogue) criteria and cloud provider controls, as well as the auditor's test procedures and test results
5. Other information provided by the cloud provider, such as statements on any defects identified (this part is optional and the auditor therefore does not express an opinion on this section)

Whether the cloud computing compliance criteria catalogue (C5) audit report is appropriate evidence of the information security of a cloud service is at the discretion of each customer and depends on their individual use case. We recommend that customers conduct a protection needs assessment. A basic guideline for this can be found here. This involves analysing which information is to be processed in the cloud service and how much protection it requires. Typically, the evaluation is carried out with regard to confidentiality, integrity and availability. Determining the protection needs must be open-ended, taking account of all business areas and the current legal situation.

After determining the protection needs, the next step is to establish whether the criteria formulated in the BSI cloud computing compliance criteria catalogue (C5) meet the identified protection needs. If the basic criteria are not sufficient for this, additional criteria or own, individual criteria can also be considered. However, it should be noted that reporting these in line with the cloud computing compliance criteria catalogue (C5) is not mandatory.

If the cloud provider can provide up-to-date reporting in line with the cloud computing compliance criteria catalogue (C5), this can be a suitable tool for controlling and monitoring the cloud provider, depending on the use case and if it is high quality, complete and properly utilised. However, cloud customers should also consider setting up further measures, such as:

• Reviewing reports provided by the cloud provider on the fulfilment of the service level agreement
• Regular meetings with representatives of the cloud provider to review service delivery (business reviews)
• Conducting own audits (e.g. internal audits), in conjunction with other cloud provider customers as necessary

In the case of a certificate, there are three separate parties: the auditee, the auditor and the certification body. The audit report from the auditor accredited by the certification body is sent to the certification body for review. If the report meets the standards applicable to certification, a corresponding certificate is issued by the certification body. Involving these three parties in this way aims to ensure the quality and comparability of the certificates. Such an approach also avoids 'certificates as a favour' or at least makes them more difficult. Currently, no certificate can be awarded for the Cloud Computing Compliance Criteria Catalogue (C5).

Fulfilment of the Cloud Computing Compliance Criteria Catalogue (C5) requires the completion of an attestation procedure. In case of an attestation, there are only two parties: the auditee and the auditor. The auditor is engaged by the prospective auditee and is also paid by them. Audit reports are not reviewed by an independent body. In this scenario, the auditor is to a certain extent dependent on the auditee, which could adversely affect the quality of the attestation. The critical appraisal of the audit report and an assessment of its quality is the responsibility of the customer and is absolutely essential. Customers should therefore always request the corresponding audit report from the cloud provider.