
BSI C5:2020 — Cloud Computing Compliance Controls Catalogue

The cloud security catalogue published by Germany's Federal Office for Information Security (BSI): 17 domains, ~130 controls, mandatory for cloud services used by German government agencies. Available on the Premium plan.

Germany's mandatory standard for cloud security compliance

The BSI Cloud Computing Compliance Controls Catalogue (C5) was developed by Germany's Federal Office for Information Security (BSI) to provide a verifiable baseline for the security of cloud services. C5:2020 is the current version and is closely aligned with ISO 27001, NIST CSF, and the Cloud Security Alliance (CSA) Cloud Controls Matrix.

C5 is mandatory for cloud services procured by German federal government agencies and is widely required by German enterprises in regulated sectors — financial services, healthcare, and critical infrastructure — when selecting cloud service providers.

Unlike ISO 27001, C5 is cloud-specific and requires an independent audit producing a Type 1 or Type 2 attestation report, which cloud customers can use as evidence of supplier security compliance.

Security domains: 17
Controls: ~130
Audit types: Type 1/2
Issuing authority: BSI

All 17 C5 domains — what cloud providers must demonstrate

C5 covers the full cloud security lifecycle — from physical infrastructure through architecture, operations, identity management, incident response, and supply chain.

OIS (Organisation of Information Security): Security governance, roles and responsibilities, security policies, and management commitments for cloud service operations.

SCA (Security of Cloud-Specific Architecture): Isolation between tenants, secure multi-tenancy, hypervisor and container security, and cloud-native architecture controls.

AM (Asset Management): Inventory of information assets, data classification, and lifecycle management of assets in cloud environments.

BC (Business Continuity): Business continuity planning, disaster recovery, RTO/RPO requirements, backup and restoration procedures for cloud services.

COS (Compliant Operation of Services): Legal and regulatory compliance monitoring, data protection requirements (GDPR), and cloud-specific compliance obligations.

CSM (Change and Configuration Management): Secure change management processes, configuration baselines, patch management, and change testing requirements.

DKM (Data and Key Management): Encryption key lifecycle management, customer-managed key options, data classification, and secure data deletion.

IDM (Identity and Access Management): Identity governance, privileged access management, MFA requirements, and access provisioning and deprovisioning.

IVS (Interoperability and Portability): Data portability, API standards, cloud exit strategies, and dependencies on proprietary cloud features.

IPSL (Information Security for Service Providers): Security requirements for third-party suppliers and sub-processors, including supply chain risk management.

OPS (Operations Security): Secure operations management, capacity management, event logging and monitoring, and malware protection.

PI (Product Security): Secure software development lifecycle, vulnerability management, and security testing for cloud service software.

PL (Physical and Environmental Security): Data centre physical access controls, environmental protections, and equipment security for cloud infrastructure.

SA (Security Assessments): Internal audits, penetration testing, vulnerability scanning, and independent security assessments of cloud services.

SI (Security Incident Management): Incident detection, response procedures, customer notification obligations, and post-incident analysis.

TVM (Threat and Vulnerability Management): Vulnerability identification, risk assessment, remediation tracking, and threat intelligence for cloud environments.

CC (Cryptography and Encryption): Encryption standards, algorithm selection, encryption in transit and at rest, and cryptographic key management.

How C5 attestation works in practice

Cloud providers undergo a C5 audit by a BSI-recognised firm. The resulting attestation report is shared with customers as proof of security compliance — replacing individual customer audits.

Type 1 Audit

Point-in-time assessment confirming controls are designed and in place. Faster and less expensive — suitable for first-time C5 attestation.

Type 2 Audit

Effectiveness assessment over a defined period (typically 12 months). Provides stronger assurance for customers — required by German government procurement.

Who can audit

Audits must be conducted by a qualified auditor recognised by BSI. The audit report is shared with customers under NDA as proof of compliance.

Renewal

C5 attestation is valid for 12–18 months. Continuous monitoring and regular Type 2 audits are recommended for enterprise cloud customers.

BSI C5:2020 vs ISO 27001 — what's the difference?

C5 and ISO 27001 overlap significantly (~70%) but serve different purposes. Many cloud providers obtain both — ISO 27001 for global credibility, C5 for German market access.

Criteria | BSI C5:2020 | ISO 27001
Origin | BSI (German Federal Office for IT Security) | ISO/IEC (International)
Scope | Cloud services only | All ISMS environments
Certification | BSI-recognised audit report by accredited auditor | Third-party certification by accredited body
Overlap | ~70% mapped to ISO 27001 Annex A controls | Bidirectional mapping
German gov requirement | Mandatory for BSI-approved cloud services | Not mandated by German government
NIS2 alignment | Strong — preferred by German authorities | Strong — ~60–70% overlap

Who needs BSI C5 compliance?

Cloud service providers (IaaS, PaaS, SaaS) targeting the German market — especially those serving financial services, healthcare, public sector, or critical infrastructure customers. C5 is mandatory for any cloud service used by German federal agencies (BSI Grundschutz requirement).

Cloud Providers (IaaS/PaaS/SaaS), Financial Services, Healthcare, German Public Sector, Critical Infrastructure, Managed Service Providers, SaaS Vendors

Multi-Framework Support

11 Compliance Frameworks Supported

From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.


Start managing BSI C5:2020 compliance with Unicis

Track all 17 C5 domains with automated GAP analysis and cross-framework mapping to ISO 27001, NIS2, and GDPR. Available on the Premium plan.