Question 1

What is BSI C5 and why is it important for cloud providers?

Accepted Answer

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is an attestation standard developed by Germany's Federal Office for Information Security (BSI) for cloud services. It defines minimum security requirements for cloud providers serving German government agencies and regulated industries. C5 attestation signals to German and EU customers that a cloud service meets a rigorous, independently verified security baseline. Major cloud providers including AWS, Microsoft Azure, and Google Cloud maintain C5 attestations for their German and EU regions.

Question 2

What is the difference between C5 Type 1 and Type 2 attestations?

Accepted Answer

A Type 1 attestation (or 'suitability assessment') evaluates whether the design of a cloud provider's controls meets C5 criteria at a specific point in time. A Type 2 attestation additionally assesses the operational effectiveness of controls over a defined observation period (minimum 12 months). German procurement requirements and enterprise customers typically prefer Type 2 attestations because they demonstrate controls are consistently applied in practice, not just designed correctly.

Question 3

How does C5 relate to ISO 27001 and SOC 2?

Accepted Answer

C5 2020 was explicitly aligned to ISO 27001:2013 and the SOC 2 Trust Services Criteria. There is significant overlap: approximately 80% of C5 criteria map to ISO 27001 Annex A controls, and many C5 criteria parallel SOC 2 TSC requirements. Cloud providers with existing ISO 27001 certification or SOC 2 Type 2 reports can leverage that work for C5 - the harmonized criteria allow combined assessments that cover multiple frameworks efficiently. However, C5 also includes unique criteria not in ISO 27001 or SOC 2, particularly around cloud-specific transparency and supply chain requirements.

Question 4

Who can conduct a C5 attestation?

Accepted Answer

C5 attestations must be conducted by qualified, independent auditors with relevant expertise in cloud security assessments. BSI publishes guidance on auditor qualifications. In practice, C5 attestations are typically conducted by major professional services firms and specialized IT security auditors with ISO 27001 Lead Auditor qualifications and cloud security expertise. Dark Rock coordinates the C5 attestation engagement and manages the full evidence package for your chosen auditor.

Question 5

Is C5 required outside Germany?

Accepted Answer

C5 is a BSI standard, so it's not legally mandated outside Germany. However, its significance is growing across the EU - particularly in German-speaking markets (Austria, Switzerland), the Netherlands, and among EU public sector organizations. As the EU Cloud Security Certification Scheme (EUCS) under ENISA develops, C5 is positioned as a key reference for EU-level cloud certification at higher assurance levels. Organizations targeting European enterprise or public sector customers increasingly encounter C5 as a procurement requirement.

Question 6

How long does a C5 Type 2 attestation take?

Accepted Answer

The C5 Type 2 process typically takes 12–18 months from initial gap assessment to issued attestation report. The timeline is driven largely by the required minimum 12-month observation period for operational effectiveness testing. Organizations with mature security programs and existing ISO 27001 certification can often compress the preparation phase - the gap between your existing controls and C5 criteria determines how much remediation work precedes the formal observation period.

BSI C5 Cloud Security Attestation for the German Market

Why BSI C5 Is Essential for German and EU Cloud Providers

Our Approach

Scope & Applicability Analysis

Gap Assessment

Remediation & Documentation

Attestation & Market Access

What You Get

Get BSI C5 Ready

Related Frameworks

Frequently Asked Questions