Federal Office for Information Security (BSI)

C5 and IT revision

Target groups

"C5 and IT revision" aims mainly at (IT) auditors that audit cloud services in first and second party audits.

Role: Cloud Auditor (primary), Cloud Providers (secondary)
Target group: Professionals (primary), Management (secondary)


The expert group "Cloud Computing" of ISACA Germany Chapter and the Federal Office for Information Security (BSI) created and published the guidelines on using the C5 catalog for internal auditing and information security (original "Anwendung des BSI C5 durch Interne Revision und Informationssicherheit"). The brief publication gives an overview on how the C5 can be used in internal auditing and for information security management within the sector of IT governance.

The C5 contains requirements on security, transparency (e.g. surrounding parameters) and auditing. For internal auditing or second party auditing (cloud customer audits cloud provider), the C5‘s security controls can be used. Specific C5 auditing requirements (like applicable auditing standards) may be neglected. If the cloud service provider already received a BSI C5 attestation, an auditor can make use of a well detailed audit documentation, based on a formal auditing process. This will serve as a baseline for his audit. Information about surrounding parameters, such as system description or information about subcontractors may come in very handy. Even if a cloud provider cannot present a C5 attestation the C5 can still be used to define the corner stones for an audition in collaboration with the cloud provider. The C5, as a widely accepted standard, provides the best conditions.

The catalog can also be used for internal IT controlling purposes, such as Governance, Risk & Compliance within the organization's own information security management. In a Cloud Service's life-cycle model, it can be used within all phases (Strategy, Design, Transition, Operation and Transformation).

C5 has proven itself, due to its neutrality, scope, compactness and testability, as a stable foundation for internal auditing and for information security management. This is the common opinion of the ISACA Germany Chapter and the Federal Office of Information Security (BSI).