The BSI C5 Criteria
The BSI C5 includes specific controls and requirements that address nearly all relevant aspects of a cloud computing service.

BSI - Cloud Computing Compliance Criteria Catalogue (C5)
The BSI Cloud Computing Compliance Criteria Catalogue (BSI C5) is a framework that organizations can use to ensure compliance with national and international cloud computing requirements and recommendations. It is based on the BSI Principles for Cyber Security Controls, which serve as an internationally recognized approach to implementing cloud computing within the EU. The catalogue consists of concrete controls and requirements covering the introduction, operation, and termination of cloud computing services. It provides the foundation for verifying compliance with the EU Cloud Computing Contracts Directive and offers organizations an efficient way to demonstrate their conformity.
What Do the BSI C5 Criteria Cover?
The BSI C5 includes specific controls and requirements that address nearly all relevant aspects of a cloud computing service, including:
- Organization of Information Security (OIS): OIS encompasses the structures and processes for managing information security within an organization. Its goal is to create a secure environment in which sensitive data and mission-critical information are protected.
- Security Policies and Work Instructions (SP): Security policies and work instructions define the rules that inform personnel how to handle sensitive data and information. They may also include emergency procedures and operational instructions.
- Human Resources (HR): This domain establishes the framework for appropriate personnel selection, compensation, and working conditions. It also defines rules for workplace security and competency requirements for employees.
- Asset Management (AM): Asset management covers the administration of hardware, software, and other assets owned by an organization. Its purpose is to maintain a complete overview of all existing assets in order to manage resources and costs efficiently.
- Physical Security (PS): Physical security encompasses all measures designed to protect buildings and their assets. Common examples include access controls, security personnel, video surveillance, and electronic locking systems.
- Regular Operations (OPS): Regular operations cover the day-to-day activities of an organization, including routine review, maintenance, and monitoring of information security.
- Identity and Access Management (IDM): Identity and access management describes the processes for monitoring and verifying identities in order to control access to protected applications and data.
- Cryptography and Key Management (CRY): This domain covers the processes for encrypting and decrypting information, as well as the secure management of cryptographic keys.
- Communications Security (COS): Communications security concerns the protection of protocols, mechanisms, and applications used for communication between different devices and systems.
- Portability and Interoperability (PI): Portability and interoperability refer to a system's ability to transfer capabilities and data between different platforms, enabling internal and external systems and applications to work together seamlessly.
- Procurement, Development, and Modification of Information Systems (DEV): This domain covers secure procurement and development processes that enable organizations to implement software requirements in a secure and cost-effective manner.
- Service Provider and Supplier Oversight (SSO): SSO encompasses the measures organizations can apply to ensure that service providers and suppliers deliver their services in a compliant and secure manner.
- Security Incident Management (SIM): SIM describes the processes and policies that enable an organization to respond appropriately to security incidents.
- Business Continuity and Emergency Management (BCM): BCM encompasses the planning and preparation needed to protect an organization from unforeseen or uncontrollable events and maintain business operations.
- Compliance (COM): Compliance refers to the specific policies and laws that organizations must adhere to, particularly those concerning data protection.
- Handling Investigative Requests from Government Agencies (INQ): INQ describes the procedures that organizations must have in place to respond properly to inquiries from government authorities.
- Product Security (PSS): Product security covers the security precautions built into the development of a product to prevent defects that could lead to security incidents.
Who Developed the Standard?
The BSI C5 was developed by the Federal Office for Information Security (BSI) of the Federal Republic of Germany. The BSI collaborates with the European Cloud Computing Forum (ECCF) to ensure that the BSI C5 aligns with other European standards. The European Commission also recommends the BSI C5 as a foundation for implementing cloud computing solutions.
Who Is This Standard Aimed At?
The BSI C5 is aimed at organizations of all sizes that commission or provide cloud computing services and need to ensure compliance with data security, data protection, legal, and data availability requirements. The standard is particularly relevant for third-party providers that offer or use cloud computing services.
BSI C5 for International Purposes?
The BSI C5 also addresses international aspects related to the use and provision of cloud computing services. These include the international availability of services, the protection of personal data, data security, compliance with international regulations, and the governance of public cloud computing.
Case Study from BSI
C5:2020: SaaS Case Study: Application of Community Draft C5:2020 to SaaS providers without their own infrastructure, compared to C5:2016.
Conclusion
In summary, the BSI C5 criteria are highly useful in a cloud computing context but offer limited benefits for internationally operating organizations due to their national scope. In many cases, it is more advantageous to pursue ISO 27001 certification and address the requirements of ISO 27018 through a data processing agreement. An additional BSI C5 attestation provides little added value in this scenario.