Information for auditors
See chapter 3 for requirements relating to proving conformity and reporting. We assume that the formulations used in the C5 are precise and understandable to auditors. If, despite our best efforts, you find this is not the case in certain instances, please feel free to contact the BSI.
Below is general information that can make it easier for auditors to get started if they have no previous experience of auditing with the C5.
Questions and answers
-
The 2020 cloud computing compliance criteria catalogue (C5) consists of 125 criteria divided into 17 subject areas (see Section 2.2 of the cloud computing compliance criteria catalogue (C5)). The C5 criteria were derived from nationally and internationally established standards and publications in the field of cloud computing and information security (see Section 2.3 of the criteria catalogue).
-
The 'International Standard on Assurance Engagements 3000' (ISAE 3000) forms the overarching framework of the audit methodology.
The subject of an audit in line with C5 is the service-related internal control system of the cloud provider for the provision of the cloud service. This comprises the principles, procedures and measures, including the controls set up for this purpose in its structural and procedural organisation. The cloud provider either prepares a description of this and issues a statement (audit of a statement) or the auditors ascertain the established controls themselves within the scope of the audit and report on this (direct audit).
Audits can take the form of an adequacy audit or an effectiveness audit. In reporting on these audits, a distinction is made between
- Type 1 reporting: The auditor expresses an opinion on whether the controls are suitably designed and implemented at the time of the audit to meet the C5 criteria with reasonable assurance.
- Type 2 reporting: In addition to the statement on suitability, the audit opinion includes a statement on the operating effectiveness of the controls over an audit period.
A practical example illustrates the difference:
The basic criterion OPS-02 provides for technical and organisational measures for monitoring. The cloud provider has stated in its description of this criterion that the service is subject to constant monitoring in order to be able to react in time when certain threshold values are reached. Monitoring software is used to monitor availability, capacity and performance.
In the case of type 1 reporting, the auditor must be satisfied at the time of the audit that this monitoring software is actually in use and monitors the said criteria on the basis of appropriately defined threshold values.
In the case of type 2 reporting, the auditor must also be satisfied that the monitoring was carried out continuously during the audit period. For this purpose, the cloud provider must keep corresponding evidence (for example log files) that allows the auditor to identify interruptions of the monitoring or the reaching of the defined threshold values. The auditor would have the corresponding records for these events provided, usually on a random basis, in order to be convinced of the effectiveness of the reporting system.
The differences are particularly evident in the provision of evidence: in a type 1 audit, only exemplary evidence of the establishment of controls is provided. Type 2, on the other hand, provides evidence of the effective application or implementation of controls over the entire audit period, which is typically 6 or 12 months. The audit is often carried out using random samples. This more in-depth approach means that type 2 reports are more meaningful and reliable.
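The kind of evidence check described for the OPS-02 example above, as an added illustration that is not part of the BSI page or the C5 catalogue: it assumes the provider exports each monitoring check as a line of the form `<ISO-8601 timestamp> <metric> <value> <threshold>` (a constructed format) and finds interruptions of the monitoring, threshold events, and a reproducible random sample of those events for the auditor to request records for.

```python
"""Evidence check for a type 2 audit of an OPS-02 style monitoring control
(added example, not from the BSI or the C5). Assumes the provider exports each
monitoring check as "<ISO-8601 timestamp> <metric> <value> <threshold>"."""
from collections import defaultdict
from datetime import datetime, timedelta
import random

# Constructed sample evidence: 5-minute cpu_load checks with one threshold
# breach at 00:10 and a 25-minute hole in the record between 00:15 and 00:40.
SAMPLE_LOG = """\
2024-01-01T00:00:00 cpu_load 0.41 0.80
2024-01-01T00:05:00 cpu_load 0.45 0.80
2024-01-01T00:10:00 cpu_load 0.83 0.80
2024-01-01T00:15:00 cpu_load 0.52 0.80
2024-01-01T00:40:00 cpu_load 0.47 0.80
2024-01-01T00:45:00 cpu_load 0.49 0.80
"""

def parse_log(text):
    """Parse evidence lines into sorted (timestamp, metric, value, threshold) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, metric, value, threshold = line.split()
            records.append((datetime.fromisoformat(ts), metric, float(value), float(threshold)))
    return sorted(records)

def find_gaps(records, expected_minutes, tolerance_minutes=1):
    """Interruptions: consecutive checks of one metric further apart than expected."""
    limit = timedelta(minutes=expected_minutes + tolerance_minutes)
    stamps_by_metric = defaultdict(list)
    for ts, metric, _, _ in records:
        stamps_by_metric[metric].append(ts)
    gaps = []
    for metric, stamps in stamps_by_metric.items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > limit:
                gaps.append((metric, prev, cur))
    return gaps

def find_breaches(records):
    """Events where the monitored value reached or exceeded its defined threshold."""
    return [(ts, m, v) for ts, m, v, thr in records if v >= thr]

def draw_sample(events, size, seed=0):
    """Reproducible random selection of events to request the provider's records for."""
    return random.Random(seed).sample(events, min(size, len(events)))
```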
In the BSI's view, an effectiveness test (type 2) is required to achieve an appropriate informative value. Audits on the adequacy (type 1) of the service-related internal control system should only be carried out in the case of the initial audit of a cloud service according to this catalogue of criteria and should under no circumstances be considered several times in succession. The type of reporting is identified in the report itself. We recommend that customers explicitly contact their service provider if a type 1 audit report is repeatedly submitted.
-
The Cloud Computing Compliance Criteria Catalogue (C5) states that auditing and reporting in line with the C5 should be performed in principle according to the ISAE 3000 auditing standard. It should be emphasised, however, that requirements have been firmed up or added at several points in the C5, for example regarding auditor qualifications or minimum reporting content. See Section 3 of the C5 for the precise details. To perform a BSI-compliant C5 audit, the regulations contained in the C5 take precedence and must be implemented.
-
Reporting comprises the following separate parts -- see C5 (Cloud Computing Compliance Criteria Catalogue) section 3.4.8. The order of these parts may differ on a case-by-case basis.
- Independent auditor's report with summarising audit opinion
- Written statement by the cloud service provider's legal representative concerning the factually correct presentation of the service-related internal control system in the description provided, as well as the suitability of design (type 1 reporting) and, if so commissioned, the effectiveness of the controls presented in the description (type 2 reporting) -- this section is omitted for a direct engagement
- Description of the cloud provider's service-related internal control system for provisioning the cloud service in relation to the C5 (Cloud Computing Compliance Criteria Catalogue) criteria (in short: system description)
- Presentation of the applicable C5 (Cloud Computing Compliance Criteria Catalogue) criteria and cloud provider controls, as well as the auditor's test procedures and test results
- Other information provided by the cloud provider, such as statements on any defects identified (this part is optional and the auditor therefore does not express an opinion on this section)
-
All Cloud Computing Compliance Criteria Catalogue (C5) criteria must be formulated in such a way that they can be audited and are technology-neutral. No actions aimed at fulfilling the criteria are prescribed; instead, it is up to the cloud provider to define and implement appropriate actions. The international applicability of the criteria was also taken into account when developing the Cloud Computing Compliance Criteria Catalogue (C5).
The criteria must be fulfilled in their entirety for a Cloud Computing Compliance Criteria Catalogue (C5) attestation. If individual criteria are irrelevant due to a specific use case, proceed according to Section 3.4.2.1 of the Cloud Computing Compliance Criteria Catalogue (C5). Despite great care being taken in formulating the C5 criteria, problems may still arise in terms of content or form when applying individual criteria. If this does happen, contact the BSI.
-
Cloud providers who render all services themselves and do not use services from other providers are rather the exception. For this reason, the criteria catalogue explicitly covers the use of external IT services. Detailed information on the processes can be found in Section 3.4.5 of the C5.
-
Not all SaaS providers offer their own infrastructure too. It is often the case that one provider's SaaS application will run on the infrastructure of another cloud provider. A C5 audit can be performed for the cloud service in this case too. In principle, the infrastructure provider can be treated like a subcontractor, as described in Section 3.4.5 of C5.
However, since this is an important and frequent use case, the BSI has done some intensive research into it. The objective is to record the criteria that are relevant for the SaaS provider and determine which of those criteria are largely relevant for the sub-service providers.
-
If a cloud provider is already being audited in line with other standards but has not yet formalised its internal control system, there is still a good chance that a Cloud Computing Compliance Criteria Catalogue (C5) audit can be performed with a moderate amount of effort. Since the C5 is based on international standards, it is highly likely that many of the actions required to fulfil the C5 criteria are already being implemented. If the internal control system has not been formalised yet, the direct auditing method can still be used to obtain a C5 attestation. See Section 3.4.3.2 of the C5 for details.
-
Cloud providers typically have customers with differing compliance requirements and therefore often implement multiple standards at the same time. The following situations can occur as a result:
- The cloud provider has already established an internal control system that is based on international standards. The cloud provider now wants to acquire C5 (Cloud Computing Compliance Criteria Catalogue) attestation.
- The cloud provider already has C5 (Cloud Computing Compliance Criteria Catalogue) audits conducted on a regular basis and now also wants to acquire additional types of security certification.
In both cases, a useful step is to compare the requirements from international standards with the C5 (Cloud Computing Compliance Criteria Catalogue) criteria, with the aim of identifying any 'gaps' in the control system used to date. As an initial step towards convergence, the reference tables published by the BSI can be used. It should be noted however, that these represent only a rough approximation, and as a result of varying granularities and differences in abstraction level, a one-to-one assignment of criteria from different standards is often not possible.
Auditors cannot rely on the reference tables provided, but must investigate on a contextual and case-by-case basis whether or not the C5 (Cloud Computing Compliance Criteria Catalogue) requirements are indeed fulfilled. The reference tables are primarily intended to help the cloud provider prepare for an audit according to the C5 (Cloud Computing Compliance Criteria Catalogue).
-
Existing certificates for other standards are generally not recognised as part of a C5 attestation.
The approach and the auditing methods for certificates generally differ from the method used for the C5 since, for example, the effectiveness of methods in the past is not inspected.
If the audit of the other certificates is completed at the same time as the C5 audit, this can create synergy effects.
-
The BSI often receives enquiries regarding who can perform a C5 audit and whether the BSI can recommend or arrange auditors. The BSI does not as a principle make any such recommendations. The requirements for auditors are specified in Chapter 3 of the C5 and adhering to them should be specified as part of the contract to appoint an auditor.