What is the BSI C5 certificate and how does it work?

Updated on:
2.5.2025

The C5 certificate established by the Federal Office for Information Security (BSI) certifies reliable information security for cloud services.

[Figure: BSI C5 attestation, visualization]

According to the Ifo Institute, around half of all companies in Germany use cloud computing. To ensure that data in the cloud is secure, numerous certifications have been developed over time with which cloud providers can prove that their infrastructure withstands a wide range of threat scenarios. For decision makers in companies, it is important to know which standards are currently the most rigorous and to use them as a guide when choosing the right cloud service provider. The Federal Office for Information Security has therefore developed the C5 requirements catalog (C5 stands for “Cloud Computing Compliance Criteria Catalogue”). It is a reliable attestation of high security standards.

Certification jungle: ISO 27001, CCM and more

Providers of public cloud services have long recognized that independent audits against various sets of standards, and the corresponding certificates, represent a competitive advantage. As a result, many of them have now undergone such certification, and the ISO standards of the 27000 series have for years been established internationally as the most important standard in this segment.

The ISO standards 27001 and 27002 deal more generally with various aspects of information security management. They are extended by several sub-standards, such as ISO 27017 and ISO 27018, which are specifically tailored to the requirements and mechanisms for ensuring high security standards in cloud computing. In addition, other standards have been established, such as the Cloud Controls Matrix (CCM) from the internationally active Cloud Security Alliance.

However, the sheer number of different certifications makes it difficult for decision makers in companies to keep track. The variety of audit schemes also poses problems for providers of cloud services: the requirements of the individual standards sometimes overlap, so that certain subject areas are unnecessarily checked multiple times during audits. In addition, it is not always easy for cloud service providers to keep track of customer requirements, as these change primarily as a result of regulatory measures.

BSI C5: A new gold standard

In order to alleviate this problem and provide decision makers in organizations as well as providers of cloud services with meaningful proof of the level of data protection and security achieved, the Federal Office for Information Security (BSI) had the BSI C5 catalog drawn up around ten years ago. The C5 requirements catalog was first published in 2016 and supplemented in 2020. It reviews the information security management systems (ISMS) implemented in organizations, particularly with regard to cloud computing. Cloud service providers who want to obtain a C5 certificate must undergo an audit by an independent auditor.

BSI C5 avoids multiple checks

The BSI C5 criteria catalog is not an additional standard intended to reinvent the wheel. Instead, it bundles a wide variety of audit schemes and guidelines and supplements them. This avoids multiple checks of individual requirements and reduces the overall cost of an audit. The BSI C5 specification integrates criteria from the ISO 27001 standard, the SOC 2 standard, the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA), several BSI publications such as IT-Grundschutz (basic IT protection) or the SaaS security profiles, and more.

The BSI explains the overlaps between the various certifications, and how they are covered by the C5 attestation, in a separate cross-reference table. In a total of 17 subject areas with 121 requirements, the C5 criteria catalog defines a comprehensive level of security in cloud computing, which the attested cloud providers must achieve with the help of technical and organizational measures. On the organizational side, the individual criteria examined range from the implementation of general security policies and requirements for personnel, through the management of authorizations and cryptographic technologies, to the monitoring of subcontractors and suppliers.

The C5 catalog also covers, for example, the implementation of procedures to ensure the cloud service provider's business continuity in the event of emergencies, as well as the documented handling of government investigative requests. All audit criteria require the cloud service provider to formalize the corresponding processes in advance.

The differences between BSI C5 Type 1 and BSI C5 Type 2

In contrast to other certifications and audits, the BSI C5 standard is not a static audit scheme but is divided into two types. The Type 1 C5 attestation certifies that the cloud service provider has adequate security management in place at the time of the audit; it is obtained first. The Type 2 attestation, on the other hand, aims to ensure the continued effectiveness of the security measures over the audit period. The Type 2 attestation cannot be obtained without an initial Type 1 audit. The examination period for the Type 2 attestation is usually six to twelve months.

During a Type 2 audit, auditors must therefore not only satisfy themselves that the cloud provider's security management system was implemented and operational at the time of the audit, but must also verify this throughout the audit period. Because the Type 2 audit is significantly more demanding, customers of the attested cloud service provider receive significantly more reliable evidence of its trustworthiness than with a static audit limited to a single test date.

The requirements for a BSI C5 certificate

The requirements for obtaining a BSI C5 audit report are extremely demanding. Depending on customer requirements, the process is roughly divided into three steps:

1. First, a so-called gap analysis is carried out at the cloud service provider, which determines the gap between the actual and target state of the security management system for processing data in the cloud. The cloud provider's ISMS documentation serves as the basis for this; with it, the service provider documents the existing security standard of its infrastructure.

2. In the second step, a catalogue of measures is drawn up that lays out the further procedure for closing the gap between the target and current state. As a rule, a suitably qualified consulting firm or an auditor is already involved in an advisory capacity at this stage.

3. The actual audit only takes place in the third step. At present, it may only be carried out by specially qualified auditors, who perform the audit and then issue the attestation. They must also prove the particular qualification required by the BSI C5 catalog. The auditor assesses the appropriateness of the cloud service provider's security management and certifies in the C5 attestation that the control mechanisms are effectively implemented and suitably designed so that the criteria of the C5 catalog are met.

BSI C5 Type 2 certifies sustained security

The Type 2 C5 attestation additionally checks and assesses the effectiveness of the cloud provider's ISMS over a defined period of time. As a result, the audit process for a Type 2 attestation is even more complex than for a Type 1 audit. The examination period may vary: the BSI specifies a period of six or twelve months after which the audit process is repeated.

Repeated audits make effective management of security controls possible even over long periods of time, which creates additional trust among customers of the respective cloud provider. The commitment of the BSI and the auditors involved to award the C5 attestation only if the requirements of the criteria catalog have been met without restriction also contributes to this.

Benefits of C5 testing for cloud customers

For decision makers in companies and organizations who want to move data assets to the cloud, it is essential to select the most qualified provider possible. The nature of the data to be processed in the cloud plays just as much of a role as legal requirements. Decision makers should therefore first determine the protection requirements of their company or organization for processing data in the cloud, in order to assess whether a provider with a C5 attestation can meet their individual requirements.

When analyzing protection requirements, criteria such as the availability of data, the assurance of data integrity and the confidentiality of the data must be taken into account, with all business areas included in the analysis. It should then be checked whether the C5 attestation submitted by each cloud provider meets these criteria. In addition to the C5 basic criteria, the additional criteria can also play a role.

It is therefore essential for decision makers to review the detailed C5 audit report in order to find the most suitable solution for the company or organization. Additional checks of the cloud service provider by the customer, for example through its internal audit function, can also be an effective means of covering individual criteria not addressed by the C5 attestation when managing security in the cloud. It goes without saying that whenever the cloud service provider renews its C5 audit, the customer should also carry out its own checks on a regular basis.

Added value with SecureCloud

SecureCloud has made the security of customer data a top priority since the company was founded more than ten years ago. That is why we have organized all processes of our service from the outset with the aim of maximum data security. All the innovative additional services that we have established over the years around the core cloud storage also follow this premise. These include cloud backup from our sister company exabackup, the SecureWork cloud office and electronic signatures with SecureSign.

For this reason, not only have we ourselves been ISO/IEC 27001 certified for some time, but so have our data centers. With the receipt of the BSI C5 attestation, we now also demonstrate the highest security standard currently available for all our services, and are therefore also a suitable choice for areas of application where this attestation is required by legal regulations. Through regular follow-up audits, we always keep our certificates and attestations up to date.

You can therefore be sure that we will continue to offer our customers only the most secure and reliable solutions in all areas relating to the cloud, without any ifs or buts.
