What is the Cloud Computing Compliance Criteria Catalogue?

The Cloud Computing Compliance Criteria Catalogue (C5) is a catalogue of standards specifically tailored to meet the security needs of cloud computing services. This guide, created by the Federal Office for Information Security (BSI), acts as a framework for evaluating and verifying the security implementations that cloud service providers have in place.

What does the Cloud Computing Compliance Criteria Catalogue entail?

The C5 Catalogue is a set of criteria published by the Federal Office for Information Security in 2016. It outlines the minimum standards for secure cloud computing and compiles the requirements that cloud service providers need to fulfil in order to be recognised as reliable partners for handling and processing sensitive data.

Currently, the criteria catalogue includes 17 topics and addresses more than 120 criteria. The latest edition of the catalogue, released in 2020, outlines requirements in various areas such as:

  • Organisation of information security
  • Security policies and operating procedures
  • Physical security
  • Standard operating procedures
  • Identity and access management
  • Cryptography and key management
  • Secure communications
  • Security incident management

Who are the C5 compliance criteria relevant for?

The criteria described in the catalogue are primarily aimed at organisations and companies that provide cloud services. The C5 catalogue is particularly important for German cloud service providers and cloud storage providers that manage or store sensitive data. With its uniform standards, it offers a framework that providers can use as a guide to ensure the personal data they store is safe and that security risks are minimised.

It’s not only providers who benefit. Cloud service clients can utilise the criteria catalogue to get an understanding of the key aspects of information security within cloud computing. This allows them to make a well-informed choice regarding where to store and place their personal data.

IONOS Object Storage
Secure, affordable storage

Cost-effective, scalable storage that integrates into your application scenarios. Protect your data with highly secure servers and individual access control.

What distinguishes C5-certified providers?

Generally, providers that achieve the C5 certification distinguish themselves by adhering to the rigorous security standards outlined in the BSI’s Cloud Computing Compliance Criteria Catalogue. As this catalogue encompasses all aspects of information security, C5-certified cloud providers are typically regarded as secure. While this does not imply that security incidents are entirely preventable, customers can trust that their data is protected and that any events will be handled in a professional way.

Exactly which criteria are met depends on the individual service provider, as the criteria catalogue distinguishes between basic and additional criteria. Basic criteria must be met to receive certification. Additional criteria, on the other hand, may be fulfilled optionally in order to achieve an even higher level of protection.

What are other security certifications?

The C5 certification isn’t the only relevant certification for cloud providers. The criteria in the C5 catalogue come from a range of national and international standards, each of which holds its own significance:

  • ISO/IEC 27001 certification: Requirements for introducing, implementing, monitoring and improving a documented information security management system
  • BSI IT Basic Protection guide: Best practices for implementing security measures
  • ISO/IEC 27002 certification: Information on implementing security mechanisms in information security management systems and on other aspects of information security.

The ISO 27001 standard is of particular importance for IT service providers and cloud providers. It is much broader than the C5 Cloud Computing Compliance Criteria Catalogue and covers not only cloud services, but also various aspects of information security management. In this way, it creates a more general framework for information security.

Was this article helpful?
Page top