BSI C5 – German BSI’s catalogue of requirements for more transparency in the Cloud

17 September, 2018

The German Federal Office for Information Security (BSI) commissioned PwC to develop the Cloud Computing Compliance Controls Catalogue.

When using Cloud services, Compliance is an important topic. For users however, it is often challenging to assess the corresponding compliance confirmations. Cloud Service Providers, on the other hand, are required to identify the requirements that are relevant for their customers and obtain the corresponding Compliance confirmations. For this reason, the German Federal Office for Information Security (BSI) commissioned PwC to develop the Cloud Computing Compliance Controls Catalogue (C5).

Diversity of compliance schemes

Cloud Computing is an integral part of modern IT infrastructures. The range of Cloud Service offerings available today is matched by an equally diverse set of certifications and quality seals that Cloud Service Providers can obtain. One reason for this is that the Compliance Schemes consider information security from different perspectives and place their emphasis on different aspects of it. At the same time, Cloud-specific Compliance Schemes are still less established than those optimised for conventional IT, despite the apparent need for them.

The challenge of multiple audits

This makes it challenging not only for users to keep track. Cloud Service Providers, too, often find it difficult to understand the requirements relevant to their customers and to identify the corresponding Compliance confirmations. These confirmations then need to be maintained in parallel and renewed regularly. As Compliance Schemes partially overlap in content, many Cloud Service Providers experience audits that cover the same subject areas several times.

BSI recognised the need for action and commissioned PwC

As the national authority for cyber security, the BSI is aware of the current challenges. For Cloud-using authorities and companies, the BSI therefore wanted to define a minimum level of information security for Cloud providers that can be audited by an independent third party. Hence, in 2015, the BSI commissioned PwC to develop a Cloud-specific requirements catalogue. This catalogue was intended to reflect the high expectations of both Cloud users and the BSI with regard to information security and transparency while being realisable for the Cloud Service Providers with reasonable effort.

It was important to the BSI not to create yet another audit scheme but, wherever circumstances allowed, to reuse requirements from existing catalogues and best practices. Only where necessary did the BSI want to make existing requirements more specific or add requirements of its own in order to increase transparency and clarity. The BSI C5 thus addresses the needs of both Cloud users and Cloud Service Providers and consolidates the existing consensus on Cloud security.

"For both Cloud Service Providers and Cloud users, we discern a very similar understanding of what constitutes information security in the Cloud. The BSI C5 reflects this overlap, enabling Cloud Service Providers to demonstrate transparency to their customers."

Markus Vehlow, PwC Partner responsible for Cloud Computing

Design principles of the BSI C5

The BSI C5 is based on established Compliance Schemes, guidelines and best practices. This is especially beneficial for Cloud Providers who have already been audited against one or more of these schemes or plan to be, as they can combine audits and hence reduce the total effort required. In addition, the BSI C5 stands out because the corresponding audit is carried out by Certified Public Accountants. A BSI C5 audit is therefore subject to the same high requirements as an annual financial audit, resulting in highly reliable audit reports.

Recognized standards as basis

BSI and PwC have incorporated recognised Compliance Schemes, guidelines and best practices into the development of the BSI C5. This enables Cloud Service Providers to combine multiple Compliance audits and reduce the overall effort required. For example, SOC 2 and BSI C5 audits can be planned in such a way that audit results can be used for both audit schemes.

Essentially, the BSI C5 is based on the following audit schemes, guidelines and best practices:

  • AICPA Trust Services Principles Criteria 2014 (SOC 2)
  • ANSSI Référentiel Secure Cloud v2.0
  • ISO/IEC 27001:2013
  • CSA - Cloud Controls Matrix 3.01 (CSA CCM)
  • IDW ERS FAIT 5
  • BSI IT-Grundschutz 14. EL 2014
  • BSI SaaS Sicherheitsprofile 2014

Further transparency is created through so-called surrounding parameters. These are a novelty: they specifically require that the audit report contains a comprehensive system description as well as further information, for example on the following aspects:

  • Information on jurisdiction and place of data storage and processing
  • Obligations of data disclosure towards and investigatory powers of authorities in these places
  • Certificates and attestations already obtained

This transparency helps the Cloud users to decide whether the Cloud Service Provider fulfils these requirements.

BSI C5 requirement domains

The BSI C5 is divided into 17 domains, which contain 114 basic requirements. Furthermore, for 52 of these basic requirements, there are additional requirements, which define a higher level of security. Cloud Service Providers have to ensure that they fulfil these requirements by appropriate technical and organisational safeguards, so-called controls. Audits according to BSI C5 therefore focus primarily on the Cloud Service Provider’s internal control system and the corresponding processes.

  • Organisation of information security
  • Security policies and work instructions
  • Requirements for employees
  • Asset management
  • Physical security
  • Safeguards for regular operations
  • Identity and access management
  • Cryptography and key management
  • Communication security
  • Portability and interoperability
  • Procurement, development and maintenance of information systems
  • Control and monitoring of service providers and suppliers
  • Security incident management
  • Business continuity management
  • Security check and verification
  • Compliance and data protection
  • Mobile device management

Basic procedure of an audit according to the BSI C5

Our expertise

In recent years, we have gained extensive experience in conducting Cloud compliance audits. We specialise in BSI C5, SOC 1 and SOC 2 audits and carry out corresponding projects for large international as well as small and mid-scale Cloud service providers. For larger providers we typically focus on their multi-dimensional, integrated compliance programs, while we help smaller and mid-scale providers to determine the readiness of their internal control system for audits and to set up the corresponding projects.

1. Global projects for compliance programs of large-scale Cloud providers

Especially for larger compliance programs, we put great emphasis on a thorough analysis of control systems in order to understand all relevant correlations. This allows us, for example, to identify overlaps between the control sets of individual Cloud solutions and hence to increase efficiency by applying this knowledge in our projects. This becomes particularly important when a Cloud Service Provider strives to demonstrate compliance with the requirements of several compliance schemes. We thereby help Cloud Service Providers to standardise their internal control system and reduce the overall effort required for compliance audits.

In international projects, we work closely with our colleagues from other PwC network firms. This allows us to detect synergies that result from combining different audits carried out at different locations, for example BSI C5 and SOC 2. In this way, we can implement global audit projects and deliver them from a single source.

2. Tailored solutions for small and mid-scale Cloud service providers

We support small and mid-scale Cloud Service Providers in building, extending or optimising their control systems and compliance frameworks. For instance, this also involves providing consulting in the selection of available compliance schemes that meet the requirements of the Cloud users.

Before conducting the actual audit project, we offer to start with a small pre-project (Quick Check) that lasts a few days. This enables our client not only to see how we apply the respective compliance scheme, but also to get to know our approach and our testing methodology. In addition, based on the results of the Quick Check, we give precise recommendations for action and tailor our proposal for the actual audit project.

Example: BSI C5 Readiness Check

The objective of such a pre-project is to analyse the extent to which the implemented controls cover the 114 BSI C5 basic requirements. In the first step, we assign the appropriate controls (contained in your control set) to the BSI C5 basic requirements. For each requirement, we determine to which extent it is covered by the mapped controls. Based on the results of this coverage assessment we develop recommendations in order to support our client with preparing for the BSI C5 audit (Type 1 or Type 2).
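The coverage assessment described above can be expressed as a small mapping exercise: each implemented control is assigned to one or more basic requirements, a coverage level is recorded per mapping, and the result is aggregated per requirement and per domain. The script below is an added illustration of that procedure and is not PwC's or the BSI's tooling; the requirement IDs (`REQ-01` …), control IDs (`CTRL-…`) and the mapping itself are constructed placeholders, not entries from the real catalogue, and only the domain names are taken from the list above.

```python
"""Coverage assessment of a control set against a requirements catalogue.

Added example; not code from PwC or the BSI. All requirement and control
identifiers below are constructed placeholders.
"""
from dataclasses import dataclass

# Coverage levels a reviewer assigns to a single control-to-requirement mapping.
FULL, PARTIAL, NONE = "full", "partial", "none"


@dataclass(frozen=True)
class Requirement:
    req_id: str
    domain: str


@dataclass(frozen=True)
class Mapping:
    req_id: str      # requirement the control is assigned to
    control_id: str  # control from the provider's own control set
    level: str       # FULL or PARTIAL, as judged by the reviewer


# Constructed sample catalogue: six placeholder basic requirements across
# four of the BSI C5 domains named on the page.
REQUIREMENTS = [
    Requirement("REQ-01", "Identity and access management"),
    Requirement("REQ-02", "Identity and access management"),
    Requirement("REQ-03", "Cryptography and key management"),
    Requirement("REQ-04", "Cryptography and key management"),
    Requirement("REQ-05", "Security incident management"),
    Requirement("REQ-06", "Mobile device management"),
]

# Constructed sample control set and mapping (placeholder identifiers).
CONTROL_SET = {"CTRL-IAM-1", "CTRL-IAM-2", "CTRL-IAM-3", "CTRL-CRY-1", "CTRL-CRY-2", "CTRL-SIM-1"}
MAPPINGS = [
    Mapping("REQ-01", "CTRL-IAM-1", FULL),
    Mapping("REQ-02", "CTRL-IAM-2", PARTIAL),
    Mapping("REQ-02", "CTRL-IAM-3", PARTIAL),  # two partial controls are still only partial
    Mapping("REQ-03", "CTRL-CRY-1", PARTIAL),
    Mapping("REQ-03", "CTRL-CRY-2", FULL),     # one full control makes the requirement covered
    Mapping("REQ-05", "CTRL-SIM-1", FULL),
    # REQ-04 and REQ-06 have no mapped control at all.
]


def assess_coverage(requirements, mappings, control_set):
    """Return {req_id: level}, the best coverage any mapped control provides.

    Mappings that reference an unknown requirement or control are rejected,
    so a typo in the mapping cannot silently inflate the coverage figure.
    """
    best = {r.req_id: NONE for r in requirements}
    for m in mappings:
        if m.req_id not in best:
            raise ValueError(f"mapping refers to unknown requirement {m.req_id}")
        if m.control_id not in control_set:
            raise ValueError(f"mapping refers to unknown control {m.control_id}")
        if m.level not in (FULL, PARTIAL):
            raise ValueError(f"invalid coverage level {m.level!r}")
        if m.level == FULL or best[m.req_id] == NONE:
            best[m.req_id] = m.level
    return best


def coverage_summary(coverage):
    """Count requirements per coverage level and compute the fully-covered share."""
    total = len(coverage)
    full = sum(1 for v in coverage.values() if v == FULL)
    partial = sum(1 for v in coverage.values() if v == PARTIAL)
    return {
        "total": total,
        "full": full,
        "partial": partial,
        "none": total - full - partial,
        "full_pct": round(100 * full / total, 1) if total else 0.0,
    }


def gap_report(requirements, coverage):
    """Group every requirement that is not fully covered by domain.

    This is the input for the recommendations step: each entry is a
    (requirement, level) pair the provider must address before the audit.
    """
    gaps = {}
    for r in requirements:
        level = coverage[r.req_id]
        if level != FULL:
            gaps.setdefault(r.domain, []).append((r.req_id, level))
    return gaps


if __name__ == "__main__":
    cov = assess_coverage(REQUIREMENTS, MAPPINGS, CONTROL_SET)
    print("summary:", coverage_summary(cov))
    for domain, items in gap_report(REQUIREMENTS, cov).items():
        print(f"{domain}: {items}")
```

On the constructed data the summary reports three of six requirements fully covered (50.0 %), one partially covered and two without any control, and the gap report lists those three requirements under their domains. In a real readiness check the same structure is applied to all 114 basic requirements, with the reviewer's judgement of each mapping replacing the placeholder levels.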

Advantages for Cloud Service Providers and users:

Contact us

Markus Vehlow

Partner, Risk Assurance Solutions, PwC Germany
