C5 Attestation: A Comprehensive Guide for Cloud Service Providers

by: A-LIGN 3 mins

Securing cloud infrastructure is a top priority for modern organizations. A commonly recognized compliance standard for cloud service providers (CSPs) is the Cloud Computing Compliance Criteria Catalogue or C5. C5 was first introduced by the Federal Office for Information Security (BSI) in Germany in 2016. In this blog post, we will provide a comprehensive guide to C5 attestation, highlighting its fundamental principles and what organizations need to do to achieve compliance.

Why is C5 attestation important for CSPs?

C5 attestation provides a comprehensive framework of standard security controls for CSPs providing cloud services. The security controls are tailored to meet the needs of CSPs and provide a foundation for secure cloud services. By complying with the C5 requirements, CSPs can demonstrate a high level of security maturity and gain a competitive advantage in the market.

What are the C5 requirements?

The C5 criteria are divided into 17 categories and objectives initially based on ISO 27001:2013 Annex A. These categories include Asset Management, Physical Security, Identity and Access Management, and countless others. The C5 criteria also considers a wide range of standards and publications, including the AICPA Trust Services Criteria, ISO 27001, ISO 27002, ISO 27017, the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM), and the German IT baseline protection manual (BSI-IT-Grundschutz). CSPs that are already compliant with one or more of these publications should consider their preparedness and applicability to the C5 criteria.

What is the C5 examination process?

The Federal Office for Information Security has dictated that C5 assessments should be performed using nationally and internationally established standards, namely ISAE 3000 in conjunction with the AICPA’s AT-C section 105 “Concepts Common to All Attestation Engagements” and AT-C section 205 “Examination Engagements.” The catalog dictates that conformity with the C5 criteria should always be provided using the ISAE 3000 audit standard.

A good starting place for organizations new to C5 is a SOC 2 plus C5 readiness assessment. Your assessor can help you understand the requirements, assess your current status, and identify potential gaps. After the readiness assessment is completed, your team will have a roadmap to follow that can make the final examination easier for all parties involved.

Whether a readiness assessment is needed or not, full compliance should be achieved via a SOC 2 plus C5 attestation with the ISAE 3000 integration. The engagement can be completed as a Type 1, attesting to the design of the C5 control set, or a Type 2, testing the design, implementation, and operating effectiveness of the organization’s controls as they meet the SOC 2 and C5 criteria.

Staying up to date with C5 requirements

The BSI updates the C5 controls regularly to reflect the changing cybersecurity landscape. Organizations can stay updated on new or modified controls by regularly checking the BSI website. Failure to comply with the updated controls could result in non-compliances, fines, and reputational damage.

Updates to the C5 Attestation

Germany has tightened its rules about processing health data as more companies rely on cloud computing to safely transmit and access patient information.

The new Section 393 SGB V provides “minimum technical standards” for IT systems and cloud computing and will require many companies to get a new C5 certificate.

According to the new requirements, health and social data can only be processed in Germany, in an EU or EEA member state, or in a third country adequacy decision by the European Commission. The data processing entity should also have a business establishment in Germany.

Section 393 SGB V also requires stricter technical and security compliance requirements. Companies that process data using cloud computing services need the following:

Appropriate technical and organizational measures for data security.

A current C5 certificate. Until June 30, 2025, a Type 1 certificate is considered current. Beginning in July 2025, a new Type 2 certificate is required.

To implement C5 certificate conditions and criteria.

Health care providers and insurance companies will have additional technical and organizational requirements based on the type of provider or institution.

Medical research and projects may be subject to these new requirements too, though the scope isn’t immediately clear. Companies that conduct clinical trials with pharmaceuticals, medical devices, and diagnostics are less likely to be impacted by these new standards than trials that collect real-world data, like non-interventional studies.

Getting started with C5

Achieving C5 attestation is essential for security-conscious CSPs that want to demonstrate their commitment to security to clients and customers. The process requires dedication, effort, and a thorough understanding of the C5 catalogue, but the benefits are undeniable. By embracing C5, organizations can establish a foundation for secure cloud services, improve their security posture, and gain a competitive edge in the market.

Contact A-LIGN to learn more about C5 attestation.

What is SOC 2? Complete Guide to SOC 2 Reports and Compliance

Audit Report Red Flags

Obsidian Security scales compliance program with A-LIGN and Drata

What Is CMMC 2.0? A Guide to CMMC Compliance Requirements for Defense Contractors