ISMSJan Kahmen6 min read

The BSI C5 Criteria

The BSI C5 includes specific controls and requirements that address nearly all relevant aspects of a cloud computing service.

Table of content

BSI - Cloud Computing Compliance Controls Catalog (C5)

The BSI Cloud Computing Compliance Criteria Catalogue (BSI C5) is a framework that organizations can use to ensure compliance with national and international cloud computing requirements and recommendations. The BSI C5 is based on the BSI Principles for Cyber Security Controls, which are internationally accepted practices for implementing cloud computing in the EU. The catalog consists of concrete controls and requirements that relate to the introduction, operation and termination of cloud computing services. It forms the basis for testing compliance with the requirements of the EU Cloud Computing Contracts Directive and gives companies an efficient way to ensure their compliance.

What Does the BSI C5 Criteria Cover ?

The BSI C5 includes specific controls and requirements that address nearly all relevant aspects of a cloud computing service, including:

Organization of Information Security (OIS): OIS encompasses the process, structure, and procedures for managing information security within an organization. An OIS seeks to create a secure environment in which sensitive data and mission-critical information is protected.

Security Policies and Work Instructions (SP): Security policies and work instructions define the rules that inform users how to handle sensitive data and information. Some policies may also include emergency procedures and instructions.

Human Resources (HR): HR creates the structure appropriate for appropriate personnel selection, compensation, and working conditions. HR also establishes rules for job security and determines an employee's level of competence.

Asset Management (AM): AM is a process to manage the hardware, software, and other assets that an organization owns. The purpose of asset management is to understand what assets an organization has in order to manage resources and costs efficiently and cost-effectively.

Physical Security (PS): PS refers to that process of ensuring that the building and its assets are protected. Some examples of PS measures include access control, security guards, video surveillance, and electronic locks.

Operationally Scheduled Service (OPS): Regular operations encompass the day-to-day operations of an organization and include the routine review, maintenance, and monitoring of information security.

Identity and Permission Management (IDM): Identity and credential management is the process of monitoring and verifying an individual's identity to gain access to protected applications and data.

Cryptography and Key Management (CRY): Cryptography and key management refers to the processes used to encrypt and decrypt information.

Communications Security (COS): Communication security refers to the security of the protocols, mechanisms, and applications used to communicate between different devices and computers.

Portability and Interoperability (PI): PI refers to the ability of a system to transfer capabilities between different platforms. This allows internal and external enterprise systems and applications to interact with each other.

Procurement, Development, and Modification of Information Systems (DEV): This refers to secure procurement and development processes that enable organizations to implement software requirements securely and cost-effectively.

Service provider and Supplier Oversight (SSO): SSO refers to measures that organizations can apply to ensure that service providers and suppliers perform these services in a compliant and secure manner.

Security Incident Management (SIM): SIM refers to processes and policies that enable an organization to respond to potential security incidents.

Business Continuity and Contingency Management (BCM): BCM encompasses the planning created to protect an organization from potential unforeseen or uncontrollable events.

Compliance (COM): COM refers to the specific policies and laws that organizations must adhere to. Primarily, policies that pertain to privacy compliance.

Managing Investigative Requests from Government Agencies (INQ): INQ refers to procedures that organizations must have in place and follow to respond to inquiries from government agencies.

Product Safety (PSS): PSS refers to the safety precautions that are included in the development of a product to avoid errors that could cause a potential safety incident.

Who Developed the Standard?

The BSI C5 was developed by the Federal Office for Information Security (BSI) of the Federal Republic of Germany. The BSI is working with the European Cloud Computing Forum (ECCF) to ensure that the BSI C5 is compliant with other European standards. The BSI C5 is also recommended by the European Commission for the implementation of the Cloud Computing Solutions Decision.

Who is This Standard Aimed At?

The BSI C5 is aimed at organizations of all sizes that contract or provide a cloud computing service to ensure compliance with data security, privacy, legality and data availability requirements for cloud computing services. The BSI C5 is particularly relevant for third-party providers that offer or use cloud computing services.

BSI C5 for International Purposes?

BSI C5 applies to international aspects that affect the use and provision of cloud computing services. This includes, for example, international availability of services, protection of personal data, data security, compliance with international regulations, and regulation of public cloud computing.

Case Study from BSI

C5:2020: SaaS Case Study: Application of Community Draft C5:2020 to SaaS providers without their own
Infrastructure compared to C5:2016.


In summary, the BSI C5 criteria are very helpful for the cloud context, but are less beneficial for companies operating internationally due to the national limitation. Therefore, it still offers more advantages to obtain ISO 27001 certification and still map the requirements of ISO 27018 through a contract processing agreement. An additional BSI C5 certificate offers no further added value here.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: