Why do major companies such as Google, Amazon, and Microsoft all hold cloud security attestations for a compliance standard created in Germany? Cloud Computing Compliance Criteria Catalogue (C5) has emerged as a key security and auditing tool for cloud service providers (CSPs) with relevance that stretches far beyond German borders, benefitting CSPs, government agencies and enterprises, auditors and assessors, and customers of cloud services.
Keep reading to learn more about C5, how compliance with it benefits CSPs and others, and how to approach attestation for the best results.
What is C5 Standard?
The C5 catalogue was introduced by Germany's Federal Office for Information Security (BSI) in 2016 and revised in 2020 (the current version, C5:2020) to better reflect how cloud services are actually built and operated. It covers a broad set of security controls, including identity and access management, cryptography and key management, security incident management, physical security, and legal and regulatory compliance.
C5 is not a law, and a C5 attestation is not a government certification. Its purpose is to give auditors a common set of criteria for examining CSPs so that cloud customers can assess the security of their providers on a like-for-like basis. The criteria reflect the BSI's expectations for cloud security, but the catalogue is designed to be used alongside other major frameworks: it cross-references ISO/IEC 27001 and the SOC 2 Trust Services Criteria, and the evidence it produces supports customers' own obligations under regulations such as the GDPR.
The real value of C5 lies in the attestation report. An independent auditor examines the CSP's controls against the catalogue and documents the results in a standardized form, so the CSP has to describe its information security measures and demonstrate that they work, and customers can compare providers using the same yardstick.
The Benefits of C5 Attestations for CSPs and Others
C5 attestations provide several advantages to CSPs, and many of them arise because the attestation benefits the CSP's customers and auditors just as much as the attested organization itself. Let's take a closer look:
How C5 Benefits CSPs
- Credibility: German and EU security standards are considered quite rigorous. Complying with C5 is vital for earning credibility in those regions, but even beyond them, helps show a commitment to transparent, robust security measures.
- Boosts Customer Trust: There is a reason why many of the largest CSPs have sought C5 attestation. The attestation report, which CSPs typically share with customers and prospects on request or under NDA, gives independent evidence of how customer data is protected. That can be what convinces organizations with critical or sensitive workloads to move them to your cloud service.
- Competitive Advantage: If CSPs want to get a foot in the door of regulated markets, especially in Germany and the EU, a C5 attestation provides a valuable edge over competitors. It also helps businesses stand out in other contexts as it shows a willingness to tighten security measures and share their approach openly.
- Reduces Compliance Burden: Preparing for audits is costly and time-consuming. Because the C5 catalogue cross-references other frameworks (such as ISO/IEC 27001 and SOC 2), much of the evidence collected for one examination can be reused for the others, and auditors can often test a control once and report on it in several places, which streamlines preparation.
- Risk Protection: C5 prioritizes a proactive risk approach that improves CSPs' security positions and lessens the chance of compliance-related issues.
How C5 Benefits CSP Customers
- Better Risk Management: Whether the customer is a small business, a large enterprise or a public-sector body, working with a C5-attested CSP means less risk exposure, particularly for sensitive or government workloads.
- Compliance Support: Many cloud customers have their own regulatory demands to contend with. Working with a C5-attested CSP makes it easier to meet those standards and ensures better compliance across the board.
- Simplifies CSP Assessments: Because C5 reports follow a common structure and set of criteria, and CSPs make them available to customers and prospects on request, cloud customers can assess and compare providers against the same yardstick. Due diligence becomes much quicker, which is why a C5 attestation is seen as a plus.
How C5 Benefits Auditors
- More Efficiency: C5 gives auditors a comprehensive, highly structured set of criteria, with cross-references that reduce duplicated work across other audits, so more time goes into actual testing and less into planning.
- Standardization: A major hindrance in auditing and compliance is that there can be major misinterpretations that occur between reports and auditors if things aren’t standardized properly. C5 provides a consistent set of controls that cuts the risk of this kind of ambiguity.
What are the C5 Requirements?
The value of C5 becomes clearest when looking at its criteria, which range from foundational security controls found in most frameworks to areas that are specific to cloud services and to C5.
Baseline C5 Requirements
C5:2020 organizes its criteria into 17 domains. Every domain contains basic criteria, which every C5 examination covers, and most also contain additional criteria for higher protection needs (see below). The domains are:
- Organisation of information security: how roles and responsibilities for establishing, maintaining and checking cloud security are assigned.
- Security policies and instructions: establishing, approving and communicating security policies.
- Personnel: human resources security such as background checks, security awareness and handling of leavers.
- Asset management: inventory, classification and ownership of assets.
- Physical security: protecting data centres and other sites.
- Operations: capacity management, malware protection, logging and monitoring, vulnerability and patch management, and data backup and recovery.
- Identity and access management: provisioning, reviewing and revoking access rights, including privileged access.
- Cryptography and key management: encryption of data in transit and at rest, and management of the keys.
- Communication security: network segregation and secure transmission.
- Portability and interoperability: documented interfaces and the customer's ability to retrieve and delete its data at the end of the contract.
- Procurement, development and modification of information systems: secure development and change management.
- Control and monitoring of service providers and suppliers: managing subcontractors and other third parties.
- Security incident management: detecting, responding to and reporting security incidents.
- Business continuity management and contingency management: business impact analysis, continuity plans and their testing.
- Compliance: identifying applicable legal and contractual requirements and checking adherence to them.
- Dealing with investigation requests from government agencies: handling lawful requests for customer data.
- Product safety and security: security features of the cloud service itself and the guidance given to customers for using it securely.
The C5 Additional Transparency Requirements
C5 goes beyond a control catalogue by requiring transparency about the conditions under which the service operates. The CSP's system description has to disclose information such as the jurisdictions and locations where data is stored and processed, the subcontractors involved, the certifications the CSP holds, how it handles disclosure requests from government agencies, and information on availability and incident handling. These disclosures are not scored as pass or fail; they exist so that customers can judge for themselves whether the service fits their risk appetite and legal constraints.
Separately, C5 distinguishes basic criteria from additional criteria. The basic criteria are mandatory for every examination; the additional criteria address higher protection needs, and a CSP decides which of them to include in scope. Much of the trust and credibility that comes with C5 stems from a CSP choosing to be examined against the additional criteria as well.
The C5 Attestation Report
The examination is performed by an independent auditor under the ISAE 3000 (Revised) assurance standard, and its results are documented in the C5 attestation report, which generally has the following structure:
- The independent auditor's report, stating the scope of the examination and the auditor's opinion.
- A management statement in which the CSP asserts that its system description is accurate and that its controls are suitably designed (and, for a Type 2 report, operating effectively).
- A description of the system: components, architecture, service boundaries and the framework conditions described above.
- The control objectives and the C5 criteria in scope, including any additional criteria.
- The auditor's tests and their results, including any exceptions found.
- An appendix with the transparency disclosures.
C5 reports come in two types. A Type 1 report attests that the controls were suitably designed and implemented at a point in time; a Type 2 report also attests that they operated effectively over a period, usually six to twelve months, and is the one most customers ask for. In either case the report places as much weight on a transparent description of the service as on whether the controls function.
Tips for Organizations Considering C5 Attestation
Here’s how to get the most out of the C5 attestation process and ensure a successful report at the end:
- Consider A Readiness Assessment: This allows organizations time to familiarize themselves with requirements and see how prepared they are for the attestation before investing in a full audit.
- Allow Plenty of Time to Prepare and Remediate: Even if you skip the readiness assessment, time is needed to understand the C5 catalogue and to close the gaps it reveals. Allow at least one to three months of preparation before the audit begins, and remember that a Type 2 report requires the controls to be in place and producing evidence throughout an observation period, so the calendar from kick-off to report is correspondingly longer.
- Take Care in Choosing the Criteria to Be Assessed Against: The catalogue consists of basic and additional criteria. A professional can advise on whether to include the additional criteria, but also ask your customers, particularly those in regulated sectors, which of them they would value seeing in your report.
- Choose a Qualified Third-Party Assessor: C5 examinations are conducted under ISAE 3000 (Revised), so the assessor must be able to issue an assurance report under that standard, backed by recognized qualifications such as CISA or ISO 27001 Lead Auditor and adequate IT audit experience in cloud environments.
- Stay Vigilant Regarding Updates to the Standard: The BSI updates C5 periodically, and criteria change between versions. Organizations preparing for attestation should confirm that they are working from the most recent version of the catalogue.
C5 Standard and Prescient Security
At Prescient Security, we have a team of highly qualified and experienced cloud security experts ready to assist with C5 audits and preparation. Get in touch with our team to discuss your situation. We are happy to answer any of your C5 questions and to make sure the process strengthens your security and overall compliance posture as much as it does your customer relationships.