
C5 Attestation: A Comprehensive Guide for Cloud Service Providers 


Securing cloud infrastructure is a top priority for modern organizations. A commonly recognized compliance standard for cloud service providers (CSPs) is the Cloud Computing Compliance Criteria Catalogue or C5. C5 was first introduced by the Federal Office for Information Security (BSI) in Germany in 2016. In this blog post, we will provide a comprehensive guide to C5 attestation, highlighting its fundamental principles and what organizations need to do to achieve compliance.  

Why is C5 attestation important for CSPs? 

C5 attestation provides a comprehensive framework of standard security controls for CSPs. The controls are tailored to the needs of cloud service providers and give them a foundation for delivering secure cloud services. By complying with the C5 requirements, CSPs can demonstrate a high level of security maturity and gain a competitive advantage in the market.

What are the C5 requirements? 

The C5 criteria are divided into 17 categories and objectives, initially based on ISO 27001:2013 Annex A. These categories include Asset Management, Physical Security, Identity and Access Management, and many others. The C5 criteria also draw on a wide range of standards and publications, including the AICPA Trust Services Criteria, ISO 27001, ISO 27002, ISO 27017, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), and the German IT baseline protection manual (BSI IT-Grundschutz). CSPs that are already compliant with one or more of these publications should assess how far that existing compliance prepares them for, and maps onto, the C5 criteria.

What is the C5 examination process? 

The Federal Office for Information Security has dictated that C5 assessments should be performed using nationally and internationally established standards, namely ISAE 3000 in conjunction with the AICPA’s AT-C section 105 “Concepts Common to All Attestation Engagements” and AT-C section 205 “Examination Engagements.” The catalog dictates that conformity with the C5 criteria should always be provided using the ISAE 3000 audit standard. 

A good starting place for organizations new to C5 is a SOC 2 plus C5 readiness assessment. Your assessor can help you understand the requirements, assess your current status, and identify potential gaps. After the readiness assessment is completed, your team will have a roadmap to follow that can make the final examination easier for all parties involved.  

Whether a readiness assessment is needed or not, full compliance should be achieved via a SOC 2 plus C5 attestation with the ISAE 3000 integration. The engagement can be completed as a Type 1, attesting to the design of the C5 control set, or a Type 2, testing the design, implementation, and operating effectiveness of the organization’s controls as they meet the SOC 2 and C5 criteria.  

Staying up to date with C5 requirements 

The BSI updates the C5 controls regularly to reflect the changing cybersecurity landscape. Organizations can stay informed about new or modified controls by regularly checking the BSI website. Failure to comply with the updated controls could result in findings of non-compliance, fines, and reputational damage.

Getting started with C5 

Achieving C5 attestation is essential for security-conscious CSPs that want to demonstrate their commitment to security to clients and customers. The process requires dedication, effort, and a thorough understanding of the C5 catalogue, but the benefits are undeniable. By embracing C5, organizations can establish a foundation for secure cloud services, improve their security posture, and gain a competitive edge in the market. 

Contact A-LIGN to learn more about C5 attestation.