Federal Office for Information Security (BSI)

Cloud Certification

Target group

Certificates and attestations demonstrate proof of the offered information security of a cloud provider. However, the cloud user must know the significance of the certificate/attestation to be able to assess whether their own security targets can thus be complied with.

Role: Cloud Users (primary) and Cloud Providers (primary)
Target group: Management (primary), Professionals (secondary)

Certification/attestation

The basic idea behind certificates/attestations is that a cloud provider submits to a set of controls and can be audited by an independent third party verifying compliance with these controls. The audit is carried out on the basis of the audit scheme for the certificate/attestation and the audit result is documented in a defined format.

The user (or customer) can compare their controls with those on which the certificate/attestation is based and decide if their own controls are covered. Certificates and attestations, however, also serve to build trust, since the cloud provider makes their own security safeguards transparent to an external party and publishes the result or at least parts of it.

The complexity of cloud computing makes it even more difficult for cloud users to inform themselves of the security safeguards of the cloud provider, which is why the call for (internationally accepted) certificates regarding cloud security is strong.

Overview of Certifications

Some certificates for cloud offers have already been on the market. The most well-known include the SaaS seal of approval of EuroCloud, CSA STAR, TÜV Trust IT.
The BSI’s IT-Grundschutz certificate can also be used by cloud users, as IT-Grundschutz was supplemented by several cloud-specific topics.

Attestation in accordance with the BSI’s Cloud Computing Compliance Controls Catalogue (C5)

The BSI’s Cloud Computing Compliance Controls Catalogue (C5) can be attested via an ISAE 3404 like audit which ends in a SOC 2 report in order to demonstrate proof of compliance with the controls. This attestation, however, is not issued by the BSI, but by a certified public auditor.

All information are also available in German.