What is BSI C5?

BSI C5 stands for the "Cloud Computing Compliance Criteria Catalogue" published by the Federal Office for Information Security (BSI) in Germany; the 2016 edition was still titled "Cloud Computing Compliance Controls Catalogue", and the current edition is C5:2020. It is a catalogue of criteria that defines minimum security requirements for cloud services. Cloud service providers can have their controls audited against the catalogue by an independent auditor to demonstrate that they meet these requirements; formally the result is an attestation report, but it is commonly referred to as a C5 certificate. The catalogue also serves as a guide for companies that use or want to assess cloud services.

BSI C5 deals with:

  • Security requirements for cloud services

  • Integrity of data

  • Confidentiality of data

  • Availability of data

  • Controls and measures to ensure security

  • Benchmarking for cloud service providers

  • Guidance for companies when selecting cloud services.


30 minutes free consultation

Are you interested in our certification?
Get in touch with us without obligation.
We will be happy to advise you.


Who is BSI C5 intended for?

  • Cloud service providers: To certify their security measures and prove to customers that they fulfil certain security standards.

  • Companies and organisations: As a guide to understand what security requirements they should place on cloud service providers and how they can verify these requirements.

  • Auditors and consultants: To have a standardised basis for reviewing and assessing the security of cloud services.

  • Decision-makers: To make informed decisions about the use of cloud services based on recognised security standards.

How is BSI C5 structured?

The BSI C5 is divided into subject areas (domains) so that the security of a cloud service can be assessed comprehensively. Within each domain, C5:2020 distinguishes basic criteria, which every audited service must meet, from additional criteria that a provider can include in the audit scope to demonstrate a higher level of protection. The exact structure may change over time, as the BSI updates the catalogue to respond to new threats and technologies.

Overview of the structure (C5:2020 domains):

  • 1. Organisation of information security: organisational structure, roles and responsibilities.

  • 2. Security policies and instructions: documented security policies and their communication.

  • 3. Personnel: background checks, training, awareness-raising.

  • 4. Asset management: inventory, classification and handling of assets.

  • 5. Physical security: physical protection of data centres and facilities.

  • 6. Operations: capacity management, malware protection, backup, logging and monitoring, vulnerability and patch management.

  • 7. Identity and access management: regulating access to data and resources, including privileged access.

  • 8. Cryptography and key management: use of encryption and the management of cryptographic keys.

  • 9. Communication security: securing networks and data in transit.

  • 10. Portability and interoperability: customers can retrieve their data and have it deleted when the service is terminated.

  • 11. Procurement, development and modification of information systems: secure software development and change management.

  • 12. Control and monitoring of service providers and suppliers: security requirements for subcontractors and suppliers.

  • 13. Security incident management: detecting, handling and reporting security incidents.

  • 14. Business continuity management: maintaining the service during disruptions and disasters.

  • 15. Compliance: adherence to legal and contractual requirements, independent reviews.

  • 16. Dealing with investigation requests from government agencies: handling of lawful access requests and informing customers.

  • 17. Product safety and security: secure defaults, error handling and configuration guidance for the cloud product itself.

This overview gives only the rough structure of the BSI C5. Each domain contains detailed criteria whose implementation must be demonstrated for a comprehensive assessment and attestation.

Fundamentals of the BSI C5:

Purpose: Standardised criteria catalogue for cloud security, serves as an orientation and certification basis.

  • 1. Target group: cloud service providers and users of cloud services.

  • 2. Voluntary: an audit is voluntary in principle, but is increasingly demanded by customers and in public-sector procurement in Germany to build trust.

  • 3. Comprehensive: covers a broad spectrum of security topics, from organisation and personnel to cryptography, operations and incident management.

  • 4. Internationally recognised: globally relevant despite its focus on Germany; the catalogue is published in English and includes a mapping of its criteria to international standards such as ISO/IEC 27001.

  • 5. Up-to-date: regular updates by the BSI (the current edition is C5:2020).

  • 6. Transparency: the provider's system description, which is part of every C5 report, must disclose the general conditions of the service, such as data locations, applicable jurisdiction and subcontractors, so customers can see exactly which security measures they are relying on.

The BSI C5 offers a structured approach to cloud security for providers and users.

What is BSI C5 certification?

Certification according to the BSI C5:

  • 1. Confirmation: demonstrates that a cloud service provider fulfils the criteria defined in BSI C5 for a defined service scope.

  • 2. Independent audit: carried out by an independent auditor in accordance with the ISAE 3000 assurance standard. A Type 1 report confirms the suitable design of the controls at a point in time; a Type 2 report additionally confirms their operating effectiveness over a reporting period.

  • 3. Confidence-building: signals a high level of security to customers and partners.

  • 4. Transparency: the report contains the provider's system description and lets customers evaluate the provider's security measures for themselves.

  • 5. Currency: the attestation relates to a defined point in time or reporting period and must be renewed regularly.

BSI C5 certification is a seal of quality for the security of cloud services.

How does BSI C5 certification work?

Certification according to BSI C5 proceeds in the following steps:

  • 1. Preparation: the cloud service provider prepares internally by ensuring that all criteria in scope are met and documented. This typically includes a gap analysis, internal audits, training, technical adjustments and writing the system description of the service.

  • 2. Selection of an auditor: the cloud service provider engages an independent auditor qualified to perform ISAE 3000 engagements; in Germany this is typically a public audit firm. The BSI itself neither performs nor accredits C5 audits.

  • 3. Audit: the auditor verifies the implementation of the C5 criteria and, for a Type 2 report, their operating effectiveness over the reporting period. This includes interviews, inspection of technical evidence such as configurations and logs, and document reviews, usually partly on site.

  • 4. Reporting: after the audit, the auditor prepares the report on its findings. Deviations are documented in the report, and the cloud service provider must take corrective action to avoid or remove qualifications.

  • 5. Issuance of the attestation: if the criteria are met, the auditor issues the C5 attestation report (Type 1 or Type 2), which the provider can share with customers as evidence of compliance.

  • 6. Renewal: because a Type 2 attestation covers a defined reporting period, the audit is repeated for each subsequent period so that the attestation stays current and the provider demonstrably continues to meet the criteria.

This process ensures that cloud service providers not only fulfil the BSI C5 requirements at the time of certification, but also maintain them over time.

BFMT's experts have the necessary qualifications and expertise to certify you to BSI C5.

