Federal Office for Information Security (BSI)

Compliance Controls Catalogue (C5)

Target groups

The Cloud Computing Compliance Controls Catalogue (abbreviated "C5") is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet.

Role: Cloud Providers (primary), Cloud Users (secondary)
Target group: Professionals (primary), Management (secondary)


Cloud computing is a game changer for the ICT sector and its customers and promises both cost benefits and high flexibility. Generally speaking, there are many security recommendations, standards and certificates in this sector. Despite different perspectives on cloud security, the standards are also very similar with regard to their contents. However, a generally recognised baseline for security in cloud computing is not available yet. Certifications on the basis of these standards often only exist side by side and are simultaneously maintained, partly with great effort. For customers, it is often difficult to assess whether a cloud service offers the necessary security.

With the publication of the Cloud Computing Compliance Controls Catalogue (C5) to assess the information security of cloud services, a baseline for cloud security is defined from the BSI’s perspective. An established verification process which is only minor additional effort for the cloud provider is used.

The catalogue is divided into 17 thematic sections (e.g. organisation of information security, physical security). Here, the BSI makes use of recognised security standards such as 27001, the Cloud Controls Matrix of the Cloud Security Alliance as well as BSI publications and uses these requirements wherever appropriate. If these requirements had to be specified in more detail, they were put in concrete terms; if there were no requirements in other standards, new requirements were defined. In addition to these basic requirements, the catalogue also includes further requirements which either address confidentiality or availability, or both security objectives at the same time, for many requirements.

In addition to the Cloud Computing Compliance Controls Catalogue (C5) itself, the requirements were referenced to the standards mentioned above. This information provides a quick overview of where the requirements of the catalogue can be found in other standards and whether the requirements go beyond the standards or not.

Compared to other security standards, the so-called surrounding parameters for transparency are a novelty. They provide information on the data location, provision of services, place of jurisdiction, certifications and duties of investigation and disclosure towards government agencies and contain a system description. The resulting transparency makes it possible for potential cloud customers to decide whether legal regulations (such as data protection), the customers’ own policies or also the threat scenario regarding economic espionage make the usage of the respective cloud service seem appropriate.

A SOC 2 report proves that a cloud provider complies with the requirements of the catalogue and that the statements made on transparency are correct. This report is based on the internationally recognised attestation system of the ISAE 3000, which is used by public auditors. When auditing the annual financial statements, the auditors are already on site and auditing according to the Cloud Computing Compliance Controls Catalogue (C5) can be performed with not too great additional effort.

With respect to the Cloud Computing Compliance Controls Catalogue (C5), the answers to the frequently asked questions can be found here: FAQ Compliance Controls Catalogue


Supplementary material (editable form):

All information are also available in German.