C5 and IT audit
The "Cloud Computing" expert group of the ISACA Germany Chapter and the BSI have created a guide titled "Anwendung des BSI C5 durch Interne Revision und Informationssicherheit" [Using the BSI C5 Catalogue for Internal Auditing and Information Security]. This brief publication gives an overview of how C5 can be used in internal auditing and in information security management as part of IT governance.
C5 contains criteria for security, transparency and auditing. For an internal audit or a second-party audit (carried out by the cloud customer on the cloud provider), the C5 security criteria are applied; the criteria that are specific to a formal C5 audit (e.g. the applicable auditing standards) can be left aside in such cases. If the cloud provider has already obtained a C5 attestation, the auditor can draw on detailed audit documentation that has already been through a standardised auditing process; in particular, the information on the system description and on subcontractors may be useful. Even if a cloud provider cannot present a C5 report, the C5 audit catalogue can still be used to agree the key points of an audit with the cloud provider. As a widely accepted and well-known criteria catalogue, C5 provides a good basis for this.
Beyond audits, C5 can also be used for internal IT control purposes (such as Governance, Risk & Compliance) within an organisation's own information security management. It can be applied in every phase (Strategy, Design, Transition, Operation & Transformation) of a cloud service's lifecycle model.
In the view of the BSI and the ISACA Germany Chapter, C5 has proven to be a stable foundation for internal auditing and for information security management, owing to its neutrality, its scope, its compactness and the auditability of its requirements.
The guide was drawn up based on C5:2016.