What is C5?

What is C5?

If you are a cloud service provider (CSP) with European customers, have offices in the European Union (EU), or if you are simply a company that seeks to find a comprehensive cloud computing control framework, we would like you to meet C5.

C5, or the Cloud Computing Compliance Criteria Catalogue, is a baseline of security controls that was developed by the Federal Office for Information Security in Germany (Bundesmat fur Sicherheit in der Informationstechnik, or “BSI”).  First published in 2016, C5 was BSI’s response to the ever-growing need to consider information security in the cloud computing world.  Rather than completely reinventing the wheel, BSI sought to pull from existing reputable frameworks and standards before then tacking on the controls that it felt established a foundation for a secure cloud service offering—all in an attempt to help develop transparent and trusted relationships between CSPs and cloud customers.

For the foundational standards, the C5 catalogue of controls pulls from those that have been previously established and internationally recognized, such as International Organization for Standardization (ISO) 27001, ISO 27002, and ISO 27017, as well as the Cloud Control Matrix (CCM) of the Cloud Security Alliance (CSA).  The Trust Services Criteria (TSC) established by the Association of International Certified Professional Accountants (AICPA) and the SecNumCloud established by the French Agence nationale de la sécurité des systèmes d'information were also considered during the formulation of C5, and given this mixed bag of standards/frameworks that were taken into account, it does sound rather complicated.  But luckily, BSI has made it quite clear what is expected with C5 compliance, even as the catalogue has been revamped over time.

Since 2016, BSI has sought to improve and maintain the relevance of C5, and so in late 2019, it released the 2020 version, or C5:2020.  Regarding the latest iteration, there are several important particulars to consider, including:

  • While the catalogue allows for organizations to determine the requirements—both objectives and controls—that would be applicable to them, the controls that are deemed applicable can be quite strict at times.  CSPs should take time to read through and digest the controls to determine where they may have shortcomings and also where there may be flexibility in meeting a requirement.

  • In the same vein, CSPs can decide whether they are looking to meet the ‘basic’ requirements of the catalogue of controls, or if they feel that the ‘additional’ requirements are necessary.  BSI does not seek to favor either set of requirements for CSPs; rather, they recommend that CSPs work with their customers to determine which set of requirements would give them the assurance they need.

  • When a CSP is ready to undergo a C5 examination, they should be aware of the reporting requirements and that the third party performing the attestation needs to have certain qualifications, including minimum professional experience with IT audits as a public audit firm or relevant certifications/examinations, such as Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, or a Certificate of Cloud Security Knowledge (CCSK), among others.

  • BSI plans to continue to update the catalogue on a periodic basis, so it is important to check the BSI website regularly to see if new control requirements have been added or modified.  The most recent update, C5:2020, was released in late 2019 and should be adopted for all examinations with a review period end of February 15, 2021 or later.

Benefits to a C5 Examination

Because the marketplace is changing, C5 continues to grow more and more relevant.  According to LogicMonitor’s 2019 survey, 83% of enterprises will be in the cloud by 2020, and 50% will spend an average of $1.2 million on cloud services annually.  These organizations that are moving to the cloud or are considering doing so are concerned about two things—security and privacy, including how cloud providers can ensure data protection.  To help ease these apprehensions, customers can seek assistance from a third party to validate controls of potential cloud providers so that they can have all this information on hand when selecting a CSP—although there are many security frameworks available for use in these assessments, the C5 examination should be noted as particularly beneficial for both CSPs themselves and potential customers.

For instance, there is flexibility available in a C5 audit, as organizations can choose to only include certain services or certain regions in the scope—for those just starting with C5 audits, this can mean much easier initial steps, rather than trying to apply the requirements to the entire organization and all services and regions immediately.

Because yes, the requirements within C5 could be considered difficult, as they do hold an organization to high security standards; in fact, they were designed this way on purpose in an attempt to avoid multiple, or possibly redundant, audits, or certifications.  Moreover, a C5 examination could increase trust of customers because it holds the cloud provider to that higher set of standards, indicating a greater level of protection and making customers more likely to utilize those examined services for critical business or confidential data. Not only that, but upon completion, the C5 attestation report also provides transparency about exactly how the CSP is securing the service and the data it holds. With that information readily available, customers can easily compare cloud providers’ security controls when scouting for services.

Internationally accepted attestations and certifications are increasing in demand, especially for those organizations who operate in several countries.  Should one of those countries be Germany, the home to BSI, C5 compliance makes sense for organizations that offer cloud services there, and in fact, if you provide cloud services to German federal agencies, C5 compliance is actually required. It’s no surprise then that German companies consider C5 compliance an important factor when seeking services offered by cloud providers; however, organizations do not need to be Germany-based to obtain C5 compliance—right now, there are about 20 cloud service providers that have an attestation of C5 compliance against at least some of their services, including seven out of the top 10 CSPs that operate worldwide.

Common Pain Points of the C5 Examination

Despite the growing demand and stated appeal of C5, there are still some sticky wickets that organizations may face when attempting to conform to the C5 requirements, which have already been noted as being particularly stringent.  First, the sheer size of the catalogue that includes 121 basic requirements across a total of 17 domains may be initially overwhelming to organizations.  Not only that, but the amount of actual detail upon drilling down can lead to things slipping through the cracks.  For instance, one of the seemingly more tricky C5 objectives focuses on the management of metadata, with the basic premise that any organization should be aware of the usage data that is maintained/collected from their systems.  Since many companies place most of their focus on cloud customer data and ensuring that logical security safeguards are in place there, often the attention to metadata is forgotten or placed on the back burner.

Another aspect that companies may struggle with is the prescriptive nature of some of the requirements.  One of C5’s reappearing themes is that policies and procedures need to be documented in a particular manner, meaning these documents need to include a laundry list of details that include, but are not limited to, the following: objective, scope, roles and responsibilities, and steps for the execution of the security strategy.  For some organizations, this additional step of documenting details in a stipulated manner within their policies and procedures may prove to be problematic or necessitate extra steps.

How to Prepare

For organizations that have not previously completed a C5 audit, it is important to thoroughly plan with your auditor.  In the cases of those organizations or services that might not be prepared for the security requirements outlined within C5, a readiness or gap assessment is a great option, and having the same firm perform both the readiness assessment and subsequent examination is advantageous, as it allows for familiarity with the system and processes to better prepare.

Prior to starting a readiness assessment, review the standard itself.  Next, determine if this assessment can be performed internally, or if the organization has sufficient resources that understand the requirements to determine if controls are in place to meet said requirements.  If not,  an external third party with expertise in this area can prove beneficial.

Once the readiness assessment is complete, ensure that the organization has sufficient time for remediation before the examination date or review period starting date.  Schellman typically recommends at least two to three months for remediation, as it is important to allow enough properly allotted time to design and implement the requirements.  When doing so, ensure that controls are not only implemented, but personnel are also trained on their responsibilities.  For any requirements that do not appear to be applicable to the scope, confirm the reasoning is fully documented for review by the firm completing the examination.

For organizations that have previously completed a C5 audit, there is still some preparation required for the new C5:2020, and it is strongly recommended for audits with periods ending on or after February 15, 2021.  Moreover, if a SOC 2 examination is scheduled, you might consider adding the C5 requirements to that report, as the requirements together can be prepared in accordance with the international audit standards ISAE 3000. On the BSI website, there are helpful documents available to help map established standard/frameworks to controls defined in C5, and this includes mapping to SOC 2 criteria.

Why Schellman?

We at Schellman believe our clients deserve the best.  That’s why we never use contractors, and why we continually monitor our audit staff to ensure that they consistently complete effective assessments, thereby providing continuity of the audit team and familiarity with systems from year to year.

Unlike other firms, we:

  • Hold certifications in high regard, as:

    • Over 70 employees are lead auditors for ISO 27001;

    • Over 70 employees are CCSKs; and

    • Approximately 100 employees are CISAs.

  • Conduct more than 2,000 assurance, compliance, and certifications annually.

  • Hire only experienced personnel:

    • From the senior associate level and beyond, nine out of 10 employees are transfers from Big-4 accounting firms or large consulting firms.

  • Offer low turnover rates and an average experience level of over five years for senior associates.

  • Feature cross-trained teams of auditors who can conduct multiple audits at once, saving time.

  • Provide a dedicated management team and an easily accessible point of contact that does not require having to call a service line.

  • Conduct weekly status check-ins leading into the audit, giving clients time to ask questions or check on status updates.

  • Stick to our project timelines and deliver final reports in weeks, rather than months.

About the Authors

Debbie is Principal and co-owner at Schellman & Company.  She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice.  Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee.  She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.

Kristen Wilbur is a senior manager with Schellman & Company, with over 10 years of experience in providing IT attestation and compliance services.  Kristen has evaluated risk and controls for Global 1000, Fortune 500, and regional companies during the course of her career with a strong focus in the technology sector. Kristen currently leads the New York City practice at Schellman where she specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In her portfolio she also oversees large scale engagements that include assessments around FedRAMP, HITRUST, and Privacy. Kristen has a strong passion for giving back and recently helped to establish the corporate social responsibility program at Schellman called SchellmanCARES.

About the Author

Schellman & Company

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

More Content by Schellman & Company
Previous Article
What You Should Know About Armed Forces Day
What You Should Know About Armed Forces Day

Armed Forces Day has personal significance to Schellman & Co's Eric Espinoza, who joined the US Army nearly...

Next Article
WFH - Baby Mama Edition
WFH - Baby Mama Edition

In our “new normal” most of us are still getting used to working from home. The prospect of staying home pr...


First Name
Error - something went wrong!