What is C5?
The German BSI’s security baseline that cloud providers attest to, proving a consistent set of controls to enterprise and public-sector buyers.
Definition
C5 (Cloud Computing Compliance Criteria Catalogue) is an attestation standard created by Germany’s Federal Office for Information Security (BSI). It defines a baseline set of security controls that cloud service providers should implement, verified through an independent audit that produces a C5 attestation report (an ISAE 3000 / SOC 2-style examination).
First published in 2016 and updated in 2020, C5 has become a widely referenced benchmark for cloud security in Germany and the wider DACH region — frequently requested by enterprises and government bodies evaluating cloud vendors.
What C5 covers
Organisation of information security
Governance, policies and clearly assigned security roles.
Physical & environmental security
Data-centre and facility controls protecting infrastructure.
Identity & access management
Authentication, authorisation and privileged-access controls.
Operations & cryptography
Logging, monitoring, encryption and key management.
Product security & incident handling
Secure development, vulnerability management and incident response.
Who needs to comply?
C5 is aimed at cloud service providers (IaaS, PaaS, SaaS) that want to demonstrate a recognised security baseline to customers in Germany and the DACH region. Enterprises and public-sector organisations frequently require a C5 attestation before onboarding a cloud vendor.
How ISpectra helps
ISpectra prepares your cloud environment for C5 attestation — mapping existing SOC 2 or ISO 27001 controls to the C5 criteria, closing gaps, and coordinating the independent examination so you reach attestation with minimal duplicate effort.
Talk to an advisor