What is the Cloud Computing Compliance Criteria Catalogue?

The Cloud Computing Compliance Criteria Catalogue (C5) is a catalog of requirements tailored specifically to the security needs of cloud computing services. Created by Germany's Federal Office for Information Security (BSI), it serves as a framework for evaluating and verifying the security measures that cloud service providers have in place.

What does the Cloud Computing Compliance Criteria Catalogue entail?

The C5 Catalogue is a set of criteria published by the Federal Office for Information Security in 2016. It outlines the minimum standards for secure cloud computing and compiles the requirements that cloud service providers need to fulfill in order to be recognized as reliable partners for handling and processing sensitive data.

Currently, the criteria catalog includes 17 topics and addresses more than 120 criteria. The latest edition of the catalog, released in 2020, outlines requirements in various areas such as:

  • Organization of information security
  • Security policies and operating procedures
  • Physical security
  • Standard operating procedures
  • Identity and access management
  • Cryptography and key management
  • Secure communications
  • Security incident management

Who are the C5 compliance criteria relevant for?

The criteria described in the catalog are primarily aimed at organizations and companies that provide cloud services. The C5 catalog is particularly important for German cloud service providers and cloud storage providers that manage or store sensitive data. With its uniform standards, it offers a framework that providers can use as a guide to ensure the personal data they store is safe and that security risks are minimized.

It’s not only providers who benefit. Cloud service clients can utilize the criteria catalog to get an understanding of the key aspects of information security within cloud computing. This allows them to make a well-informed choice regarding where to store and place their personal data.

What distinguishes C5-certified providers?

Generally, providers that achieve C5 certification distinguish themselves by adhering to the rigorous security standards set out in the BSI's Cloud Computing Compliance Criteria Catalogue. Because the catalog covers all aspects of information security, C5-certified cloud providers are generally regarded as secure. This does not mean that security incidents can be ruled out entirely, but customers can trust that their data is protected and that any incident will be handled professionally.

Exactly which criteria are met depends on the individual service provider, as the criteria catalog distinguishes between basic and additional criteria. Basic criteria must be met to receive certification. Additional criteria, on the other hand, may be fulfilled optionally in order to achieve an even higher level of protection.

What are other security certifications?

The C5 certification isn’t the only relevant certification for cloud providers. The criteria in the C5 catalog come from a range of national and international standards, each of which holds its own significance:

  • ISO/IEC 27001 certification: Requirements for introducing, implementing, monitoring and improving a documented information security management system
  • BSI IT Basic Protection guide: Best practices for implementing security measures
  • ISO/IEC 27002 certification: Information on implementing security mechanisms in information security management systems and on other aspects of information security

The ISO 27001 standard is of particular importance for IT service providers and cloud providers. It is much broader than the C5 Cloud Computing Compliance Criteria Catalogue and covers not only cloud services, but also various aspects of information security management. In this way, it creates a more general framework for information security.
