Alibaba Cloud receives C5 attestation for its Cloud services

10 January, 2018

PwC audited the Cloud services of Alibaba Cloud according to the Cloud Computing Compliance Controls Catalogue (C5) of the German Federal Office for Information Security (German BSI). Markus Vehlow, Partner at PwC Germany and responsible for the Cloud unit, presented the C5 attestation to Alibaba Cloud on December 13, 2017 in Hong Kong.

Alibaba Cloud is the first Asian Cloud provider to receive a C5 attestation.
Alibaba Cloud, the Cloud Computing arm of the Chinese e-commerce platform Alibaba Group, commissioned PwC with the audit of seven of its cloud services on the basis of the C5. PwC had developed this Cloud-specific compliance controls catalogue in the year 2015 for the German BSI. The C5 has been established as de-facto standard for Cloud provider audits – nationally as well as internationally.

Alibaba Cloud Team

Fltr.: Immo Regener (PwC Germany, Project Lead C5), Chun Yin Cheung (PwC China, Partner, Engagement Partner SOC Audit), Jim Woods (PwC Hongkong, Partner, Global Leader Risk Assurance), Markus Vehlow (PwC Germany, Engagement Partner C5), Arne Schönbohm (German BSI, President of the German BSI), Ye Ming Wang (Alibaba Cloud International, General Manager), Larry Liu (Alibaba Cloud International, Head of Compliance), William Lam (PwC China, Global Relationship Partner for Alibaba)

“Information security is a critical success factor for the digitization. The C5 is a well-established and valuable decision guidance in the Cloud market for all companies that want to use Cloud services in the course of their digitization.”

Arne Schönbohm,BSI-President

About C5

  • C5 is a Cloud-specific requirements catalogue. 
  • It outlines the requirements that Cloud Service Providers must meet in order to ensure a minimum security level of their Cloud services. 
  • The catalogue is divided into 17 domains, such as Organisation of Information Security, Identity and Access Management or Physical Security. 
  • Compared to other security standards, the so-called surrounding parameters are a novelty.
  • They require the assurance report to contain a system description and include information on, amongst others, nature of the Cloud service provided, data location, applicable jurisdiction, certifications held by the provider as well as investigatory powers of government agencies. 
  • By including this information, the C5 ensures an extensive level of transparency for the Cloud users. 

Interview with PwC Partner Markus Vehlow

You developed the C5 for the BSI. How important is the C5 in the market?

Markus Vehlow: The leading Cloud Service Providers worldwide will rely on the C5 as leading proof of compliance. At the same time, more and more Cloud customers require a C5 from bidders in calls for tender. This is underlined by the fact that the C5 is appreciated in China and that Alibaba Cloud receives a C5 attestation.

Why did Alibaba Cloud choose an audit based on C5?

Markus Vehlow: Alibaba Cloud strives for a high degree of Information Security. They would like to demonstrate this to their customers in Europe and especially in Germany by obtaining an internationally recognized assurance report. A strong argument in favour of C5 is that the catalogue reflects the high standards of German authorities regarding Information Security.

What was the decisive factor for Alibaba to entrust PwC with the audit?

Markus Vehlow: Alibaba Cloud has high confidence in PwC’s knowledge and expertise because we developed the C5. Therefore, we have deep insights into the subject. In addition, we have worked with Alibaba Cloud for a while now: Parallel to the C5 audit, which I carried out with my German team of auditors in Hangzhou, China, PwC China was conducting SOC 1, 2 and 3 audits for Alibaba Cloud.

What is the benefit of a C5 attestation for Alibaba Cloud?

Markus Vehlow: For Alibaba Cloud’s European customers, a C5 assurance report issued by a German auditing firm is highly significant and appreciated. The C5 audit is an important prerequisite for Alibaba Cloud to enter the German and Central European markets.

Contact us

Markus Vehlow

Markus Vehlow

Partner, Risk Assurance Solutions, PwC Germany

Follow us