C5 Cloud Security Attestation: A Practical Guide
Germany’s cloud security standard - and increasingly a European one
C5 - the Cloud Computing Compliance Criteria Catalogue - is an attestation framework published by Germany’s Federal Office for Information Security (BSI). The current version, C5:2020, defines 121 criteria across 17 security domains that cloud service providers must meet. If you offer cloud services to German public sector organizations, healthcare providers, or financial institutions, C5 attestation is either mandatory or strongly expected. Increasingly, enterprise clients across Europe are requesting it alongside ISO 27001 and SOC 2.
What C5 covers
C5:2020 organizes its 121 criteria into 17 domains (the catalogue calls them areas, each with a short identifier). Together they cover the full security lifecycle of a cloud service:
| Domain | What it addresses |
|---|---|
| Organization of information security (OIS) | Security governance, roles, responsibilities, risk management |
| Security policies and instructions (SP) | Documented policies, exception handling, regular review |
| Personnel (HR) | Screening, awareness, employment terms |
| Asset management (AM) | Inventory, classification, media handling |
| Physical security (PS) | Data center access, environmental controls |
| Operations (OPS) | Capacity, malware protection, backup, logging and monitoring, vulnerability management |
| Identity and access management (IDM) | Authentication, authorization, privilege management |
| Cryptography and key management (CRY) | Encryption in transit and at rest, key management lifecycle |
| Communication security (COS) | Network segmentation, transfer controls, firewalls |
| Portability and interoperability (PI) | Data export, API standards, migration support |
| Procurement, development and modification of information systems (DEV) | Secure development, change management, testing |
| Control and monitoring of service providers and suppliers (SSO) | Supplier assessment, subservice providers |
| Security incident management (SIM) | Incident handling, customer notification |
| Business continuity management (BCM) | Continuity planning, testing |
| Compliance (COM) | Regulatory alignment, internal audits, audit evidence |
| Dealing with investigation requests from government agencies (INQ) | Handling of lawful access requests, transparency towards customers |
| Product safety and security (PSS) | Security features and guidance provided to customers of the service |
C5 distinguishes basic criteria from additional criteria. The 121 basic criteria describe the baseline every attested cloud service must meet. Additional criteria extend a subset of them and address higher-assurance needs - relevant for providers handling particularly sensitive workloads or serving critical infrastructure clients. C5:2020 also lists corresponding criteria for the cloud customer, which make explicit which controls remain the customer’s responsibility under the shared responsibility model.
Who needs C5
German public sector. C5 attestation is mandatory for cloud services used by German federal agencies and increasingly by state and local government. If you sell to the public sector in Germany, this is not optional.
Healthcare. Germany’s Digitalgesetz (DigiG) introduced § 393 SGB V, which requires that cloud services processing health and social data in the statutory healthcare system hold a C5 attestation. A Type 1 report was accepted during a transition period until 30 June 2025; since then a Type 2 report is required. This applies to infrastructure providers, SaaS platforms, and any cloud service in the healthcare processing chain.
Financial services. While not always explicitly mandated, German financial regulators expect cloud providers to demonstrate security through recognized frameworks. C5 is the default choice alongside SOC 2 Type II for providers serving banks, insurers, and fintech companies regulated by BaFin.
Enterprise clients in Germany and the EU. Beyond regulated sectors, large German enterprises increasingly include C5 attestation in their procurement requirements. For cloud providers targeting the DACH region (Germany, Austria, Switzerland), C5 has become a market access requirement comparable to SOC 2 in North America.
C5 vs ISO 27001 vs SOC 2
These three frameworks overlap but serve different purposes. Understanding the distinction helps you decide what you need:
ISO 27001 is a management system certification. It verifies that you have a structured approach to managing information security risks - policies, risk assessments, controls, internal audits, continuous improvement. It covers your entire ISMS, not just cloud services.
SOC 2 is an attestation based on the AICPA’s Trust Services Criteria. It focuses on controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are particularly valued by North American enterprise clients.
C5 is an attestation specifically designed for cloud service security. It goes deeper into cloud-specific controls - data portability, interoperability, transparency about subservice providers, and data location - than either ISO 27001 or SOC 2.
The key practical differences:
| Aspect | ISO 27001 | SOC 2 | C5 |
|---|---|---|---|
| Type | Certification | Attestation report | Attestation report |
| Scope | Entire ISMS | Service-level controls | Cloud service controls |
| Auditor | Accredited certification body | CPA firm | Independent auditor (ISAE 3000) |
| Market | Global | Primarily North America | Germany and EU |
| Cloud-specific | General (ISO 27017 adds cloud) | Partially | Fully cloud-focused |
| Validity | 3 years (with annual surveillance audits) | Type 1: point in time; Type 2: period of typically 6-12 months | Type 1: point in time; Type 2: period of typically 6-12 months |
Many cloud providers targeting the European market obtain all three. If you already have ISO 27001, roughly 60-70% of C5 criteria map to existing controls. The gap is typically in cloud-specific transparency requirements, portability controls, and the detailed system description C5 requires of your cloud architecture, data flows, and processing locations.
Type 1 vs Type 2 attestation
Like SOC 2, C5 offers two types of attestation reports:
Type 1 evaluates whether your controls are suitably designed at a specific point in time. It answers: “Are the right controls in place?” This is useful as an interim step while you build operating history, but regulated clients increasingly require Type 2.
Type 2 evaluates whether your controls are not only designed properly but also operating effectively over a defined period - typically 6 to 12 months. It answers: “Do the controls actually work in practice?” This is what German healthcare and public sector requirements specify.
The audit follows ISAE 3000 (Revised) standards. Your auditor must be independent and qualified - typically a large audit firm or specialized IT audit practice. The resulting report includes a detailed description of your cloud service, the criteria tested, the auditor’s findings, and any exceptions or qualifications.
The implementation approach
If you already have an ISO 27001 ISMS, the path to C5 is a structured gap analysis and remediation:
Map existing controls. Compare your current Statement of Applicability and documentation against C5’s 121 criteria. Identify what carries over, what needs enhancement, and what is entirely new.
Address cloud-specific gaps. The areas where ISO 27001 organizations typically have gaps include: detailed cloud service descriptions (C5 expects precise documentation of architecture, data flows, and processing locations), portability and interoperability controls, transparency requirements about subservice providers, and specific cryptographic key management documentation.
Build operating evidence. For a Type 2 report, you need at least 6 months of evidence showing controls operating effectively. This means logging, monitoring, change management records, access reviews, and incident response evidence - all consistently maintained over the attestation period.
Engage your auditor early. Unlike ISO 27001 where you can self-assess extensively before the certification audit, C5 audits benefit from early auditor engagement. A readiness assessment helps you understand what the specific auditor expects in terms of evidence format and detail.
How 27kay can help
We help cloud service providers prepare for C5 attestation - from initial gap analysis against the 121 criteria through audit readiness. If you already have an ISO 27001 ISMS, we will map your existing controls to C5, identify the gaps, and build a realistic remediation plan. If you are starting from scratch, we can design an integrated approach that covers both ISO 27001 and C5 together.
Targeting the German market and need C5 attestation? Let’s talk - we will assess where you stand and help you get audit-ready.