Understanding C5

Keep your built assets secure

C5: An important part of any security framework


What is the C5 attestation?

In 2016, the attestation scheme Cloud Computing Compliance Criteria Catalogue (C5) was created by the German Federal Office for Information Security.

C5 provides a framework to audit organisations who create cloud software services on strict criteria, allowing them to demonstrate their security measures and contingency against malicious attacks. 

The C5 attestation provides good evidence-based insights of these organisations, so that businesses looking for third-party vendors can have peace of mind that their data will remain safe and secure in the vendor’s system.  

Data is an organisation’s greatest asset

Regardless of industry, every business generates a massive amount of data, and malicious attackers are constantly attempting to gain access to this data for many reasons. The built asset industry is no different, and a successful attack that results in a leak or loss of data can be particularly devastating. According to research by Bitkom, it was estimated that Germany alone was to lose 206 billion euros from cyberattacks. 

Whether an attack results in lengthy and costly legal troubles, damages trust and reputation, or reveals sensitive information about high-security assets, organisations cannot afford to be lax when it comes to their information security management strategy. Vetting third-party vendors against a range of security standards and compliances is best practice to keep your data secure when it is handled outside of your organisation. 

The benefits of C5

One of the main benefits of C5 attestation is that it is granted following an audit by independent third parties. This standardised process provides unbiased confirmation that the cloud provider is reliable and trustworthy.

The reports created during the C5 audit and examination also give customers the ability to analyse the cloud service provider’s information security, complete their own risk assessment, and compare it to other cloud providers.

The C5 makes this easy to do because the attestation report goes beyond simply saying that a cloud service provider is secure and trustworthy – it also clearly outlines how they are securing their service and data. 

The C5 criteria

The C5 contains 18 categories consist of general conditions and other categories like organisation of information security, personnel and asset management for example. Those other criteria contain 121 requirements that extend across the entire company.

  • Organisation of Information Security (OIS)

    The objective of this criterion is to plan, implement, maintain, and continuously improve the organisation’s information security framework.

  • Identity and Access Management (IDM)

    Intended to prevent unauthorised access by securing user authentication and authorisation.

  • Security Incident Management (SIM)

    This criterion ensures that the cloud service provider has a consistent, comprehensive approach in place for evaluating, communicating, and handling security incidents.

  • Security Policies and Instructions (SP)

    This criterion is designed to provide instructions and policies relating to the security requirements. It also aims to support the business requirements.

  • Control and Monitoring of Service Providers and Suppliers (SSO)

    The objective of this criterion is protection of the information that the cloud service provider’s suppliers or services providers have access to.

  • Business Continuity Management (BCM)

    This criterion involves planning, implementing, and testing measures and procedures relating to emergency management and business continuity.

  • Personnel (HR)

    Ensure that employees understand and are aware of their responsibilities when it comes to information security. Including understanding that the organisation’s assets are protected even when changes to employment occur.

  • Cryptography and Key Management (CRY)

    The objective of this criterion is to protect the authenticity, integrity, and confidentiality of information through appropriate and effective use of cryptography.

  • Compliance (COM)

    The objective of this criterion is to ensure compliance with legal, regulatory, and contractual information security.

  • Asset Management (AM)

    This criterion ensures that the organisation’s own assets are appropriately protected.

  • Communication Security (COS)

    This criterion is designed to ensure that information in networks and processing systems is protected.

  • Dealing with investigation requests from government agencies (INQ)

    This criterion is designed to ensure that the cloud service provider is equipped to appropriately deal with government investigations.

  • Operations (OPS)

    The objective of this criterion is to ensure that operations run smoothly. This includes proper planning and monitoring measures to protect against malware, log events, and deal with vulnerabilities and failures.

  • Procurement, Development, and Modification of Information Systems (DEV)

    This criterion ensures information security during the cloud service provider’s development cycle.

  • Product Safety and Security (PSS)

    The objective of this criterion is to provide up-to-date information to cloud customers about the secure configuration and known vulnerabilities of the service.

How C5 compares other security audits

C5 was designed to avoid the need for multiple audits and certifications. It can, however, sync with other relevant audits and certifications to reduce the need for unnecessary audits.

These cloud security international standards laid the foundation for the C5 criteria. However the ISO/IEC 27001 does not detail how to implement the requirements where C5 standard provides detailed information how to implement its criteria.

This standard covers five key trust areas of system reliability – security, availability, processing integrity, confidentiality, and privacy. It can be combined with the C5 audit for overlapping controls to reduce redundancy. Like C5, SOC has a set of criteria that need to be met and includes the opinion of an independent auditor. One key difference between these two standards is that C5 also performs direct engagements where the auditors review procedures and controls already in place to evaluate their effectiveness.

NIST CSF is a set of guidelines focused on risk management designed to help organisations reduce and manage cybersecurity risks. It’s another complementary framework with many areas of overlap with the ISO 27001 and C5. NIST is mandatory for federal agencies in the United States.

C5 Implementation

Implementing C5 criteria gives cloud service providers a competitive edge by enhancing security. To ensure that a cloud service provider is in alignment with C5, independent auditors or certified public accountants conduct an examination to ensure that the criteria have been met.  

From there, an internationally standardised examination report is created. This report details the process of the examination as well as outlining which of the cloud service provider’s processes, procedures, and measures satisfy the C5 criteria. To receive C5 attestation, the cloud service provider must fulfil the criteria in their entirety.  

Meeting legal requirements with C5

The C5 attestation is also proof that the legal requirements for secure cloud services have been met. This provides added reassurance that data will be safe and secure when working with a third-party vendor. 

The risk of cyber-attacks on critical infrastructure has increased by 3900% in the last decade. Due to this increased risk of critical infrastructures, C5 has become a legal obligation for many authorities and financial institutions in Germany. Working with vendors with the C5 attestation also ensures compliance with other requirements and laws governing these built assets.  


As a globally recognised standard, C5 attestation provides the ability to objectively evaluate and compare the security of cloud solution providers. This standardised examination and evaluation make it easier to find a third-party vendor that is trustworthy and reliable, providing a sense of comfort that your data and other important information will be secure when using their services.

Further security insights