Why You Might Need BSI C5 Compliance for Your Cloud Infrastructure

With numerous cloud security best practices and standards available on the market, Germany's Federal Office for Information Security...
Muhammad Ihsan Haikal Sukmana
3 min read
Why You Might Need BSI C5 Compliance for Your Cloud Infrastructure
Muhammad Ihsan Haikal Sukmana
Muhammad Ihsan Haikal Sukmana
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

With numerous cloud security best practices and standards available on the market, Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) launched its cloud security standard called Cloud Computing Compliance Criteria Catalogue (C5). This post will help you understand what BSI C5 is and how it might benefit your cloud if you comply with it.

Overview of BSI C5

BSI C5 was first launched in 2016 to support the security aspect of the digitalization wave using cloud computing to secure the cloud infrastructure and confidential information and operations running on it. It is built on established information security standards, such as ISO 27001 and Cloud Security Alliance's Cloud Control Matrix (CCM). Its latest version was published in 2020 to respond to the rapid development in cloud computing in recent years.


The C5  standard consists of criteria catalogues from various vital aspects of ensuring secure cloud infrastructures, such as cryptography, monitoring, identity and access management. It primarily aims at three main targets: cloud providers, auditors, and customers operating in Germany.

  • When cloud providers would like to comply with BSI C5, they could implement the criteria catalogues directly to their service-related internal control systems, or they will test their internal control systems if they provide the same level of control as the specified catalogues.
  • Independent third-party cloud auditors will check the cloud providers if their internal control systems for their offered cloud services and cloud resources to the cloud customers comply with BSI C5's security requirements. Once everything has been checked, the cloud providers will achieve the attestation for BSI C5.
  • Cloud customers could use the cloud provider's attestation result for compliance verification and security assessment needs as they use the cloud or are looking for a suitable cloud.

The Difference with BSI IT-Grundschutz

Although BSI also has another information security standard called IT-Grundschutz, it is very different from the C5 standard. IT-Grundschutz applies to information security management systems (ISMS) that help to provide and maintain safeguards for information in the organization's personnel, business process, IT systems, and applications. Meanwhile, C5 helps to ensure cloud infrastructure is secure for cloud customers to build their infrastructures, run their applications and services, and store their data on the cloud.

Why BSI C5 Compliance Could Be Good for You

BSI C5 is voluntary, meaning cloud providers and you, as cloud customers,  do not have to comply with it.

Cloud providers might comply with cloud security standards and best practices, including BSI C5, as part of the shared responsibility model in cloud computing. It shows cloud customers their commitment that their cloud infrastructures, including their offered cloud services and available resources, are secure and standardized. Cloud customers would then be confident to store their confidential data and build their infrastructure on the provided cloud.

Although it is optional for cloud customers to comply with BSI C5, there are some arguments for why this could be good for you (and your cloud):

  1. First, as cloud customers, you are responsible for securely configuring your cloud infrastructure as part of the cloud provider's shared responsibility model. Complying with cloud security standards and best practices, such as BSI C5, would help you ensure no misconfigured cloud resources that unauthorized users can exploit.
  2. Suppose your organization operates in critical infrastructure or financial areas in Germany. In that case, it might be required to use cloud providers that have BSI C5 attestation to host your (customer) data and applications. Achieving compliance with BSI C5's criteria catalogues for your cloud infrastructure would help with the necessary German regulations and increase the cloud customer's confidence in you securing your cloud.

However, there are several things that you need to be aware of when you are trying to achieve compliance with BSI C5.

How Mitigant Can Help to Achieve BSI C5 Compliance

Mitigant helps organizations to continuously achieve and monitor the compliance of their cloud with cloud security best practices and standards, such as Center for Internet Security (CIS) benchmarks, Payment Card Industry Data Security Standard (PCI-DSS), and BSI C5. Ensure your cloud resources are permanently securely configured and compliant with an easy and fast onboarding process in a unified and easy-to-use interface.

Read more about Mitigant's continuous compliance management at https://www.mitigant.io/compliance.

Ready to Secure Your Cloud Infrastructures?
Connect with the Mitigant Team and proactively protect your clouds today.

Join The Cloud Security Revolution Today!

Take control of your cloud security in minutes. No credit card required.
Start 30-day Free Trial