Supporting Programme 2018
it-sa insights: BSI C5: The Game Changer in Cloud Compliance Attestation
This it-sa insight provides an overview of the Cloud Computing Compliance Controls Catalogue (C5). The C5 was developed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) with the support of PwC Germany in 2016. The presentation will outline the benefits for cloud providers that adopt the C5, elaborate on the C5's objectives and criteria, and describe the adoption approach. Furthermore, it will show which prerequisites cloud providers have to meet and how a C5 attestation integrates seamlessly with other compliance audits, such as AICPA SOC 2.
German authorities are required to use only public cloud services that hold a C5 attestation. Cloud providers of all sizes have adopted the C5, and cloud users have picked it up rapidly as well. Hence, the C5 has made its way into the private sector: for cloud users it is an ideal instrument supporting cloud provider selection, as it provides insight into the control of operational processes. Fulfilment of the C5 criteria is tested by third parties (audit firms), which creates a high level of both assurance and transparency. In addition, many Internal Audit units apply the C5 in internal assessments and perform supplier audits along its criteria.
The C5 incorporates several internationally established compliance schemes, such as CSA CCM, IAASB ISAE 3402, AICPA SOC 2 and ISO/IEC 27001. It is structured into 17 domains containing 114 basic and 52 optional criteria, against which the cloud provider's technical and organisational safeguards (controls) are mapped. Furthermore, 4 innovative transparency parameters require additional information on, for example, the location of data storage and processing, the applicable jurisdiction, and the investigatory powers of and data disclosure duties towards government agencies.
Date: 11.10.2018
Time: 10:00 AM - 10:20 AM
Location: Forum I10 - International