ISpectra Technologies
Cloud Security · Attestation

What is C5?

The German BSI’s security baseline that cloud providers attest to, proving a consistent set of controls to enterprise and public-sector buyers.

Definition

C5 (Cloud Computing Compliance Criteria Catalogue) is an attestation standard created by Germany’s Federal Office for Information Security (BSI). It defines a baseline set of security controls that cloud service providers should implement, verified through an independent audit that produces a C5 attestation report (an ISAE 3000 / SOC 2-style examination).

First published in 2016 and updated in 2020, C5 has become a widely referenced benchmark for cloud security in Germany and the wider DACH region — frequently requested by enterprises and government bodies evaluating cloud vendors.

What C5 covers

1

Organisation of information security

Governance, policies and clearly assigned security roles.

2

Physical & environmental security

Data-centre and facility controls protecting infrastructure.

3

Identity & access management

Authentication, authorisation and privileged-access controls.

4

Operations & cryptography

Logging, monitoring, encryption and key management.

5

Product security & incident handling

Secure development, vulnerability management and incident response.

Who needs to comply?

C5 is aimed at cloud service providers (IaaS, PaaS, SaaS) that want to demonstrate a recognised security baseline to customers in Germany and the DACH region. Enterprises and public-sector organisations frequently require a C5 attestation before onboarding a cloud vendor.

How ISpectra helps

ISpectra prepares your cloud environment for C5 attestation — mapping existing SOC 2 or ISO 27001 controls to the C5 criteria, closing gaps, and coordinating the independent examination so you reach attestation with minimal duplicate effort.

Talk to an advisor