Federal Office for Information Security (BSI)

What evidence is sufficient for proving compliance?

The BSI cannot specify bindingly what a customer has to accept as sufficient evidence proving compliance. This is at the discretion of the respective customer. The customer usually demands compliance with the requirements from the cloud provider contractually. This is clearly more binding than a mere self-assessment by the cloud provider, but raises the question of how the customer can verify compliance with the requirements, or at least make it plausible. The cloud provider must have an interest in addressing these customer queries as efficiently as possible in order to avoid “audit tourism” in their computer centres. It therefore makes sense to have the audit carried out by independent third parties.

How is compliance with the requirements proven?

The compliance controls catalogue describes a procedure which is more binding than mere contractual assurance (without making it obsolete), can be developed efficiently for a cloud provider, and allows extensions for special customer needs. It specifies that a public auditor issues an attestation for the cloud services examined according to an internationally recognised procedure. This attestation (for details, see below) addresses the suitability of the design of the implemented safeguards and, in addition, their effectiveness over the audit period. The basis for the attestation is an audit report in which the auditor demonstrates whether the requirements were met and implemented effectively.

Why is there no BSI certificate for the compliance controls catalogue?

As cloud computing is often established internationally, it was important to the BSI to not introduce a new national certificate, but to instead draw on proven certificates and processes in the international environment as far as possible. Moreover, maintaining a new certification process would be very complex. With the IT-Grundschutz, the BSI already has a certificate in their portfolio which also covers cloud computing and can be applied nationally.

Why do public auditors prepare the attestation?

A large number of cloud providers are legally obliged to have an annual audit carried out by public auditors. A considerable part of it includes an audit of the IT systems which are relevant to accounting and the preparation of the annual financial statements. This part is becoming more and more extensive and can be expanded relatively easily to IT systems which provide cloud services for customers.

Are public auditors really able to accomplish this technically?

An annual audit is usually not carried out by a public auditor in person, but by a team. This team also includes IT experts. In order to attest the compliance controls catalogue, team members must verify that they are qualified (see Section 3.5.1). Possible certifications of personnel are, for example, from the ISACA (CISA, CISM, CRISC), the CSA (CCSK) or ISO 27001 and IT-Grundschutz auditors. These qualifications must be listed and verified in the attestation.

What is the difference between an attestation and a certificate?

In the case of a certificate, there are three different parties: the party audited, the auditor and the certification body. The audit report of the auditor accredited by the certification body is sent to the certification body for review. If the report complies with the regulations of the certification, a corresponding certificate is issued by the certification body. Involving these three parties is intended to ensure the quality and comparability of the certificates. Furthermore, such an approach avoids “certificates by courtesy” or at least makes them more difficult.

In the case of an attestation, there are only two parties: the party audited and the auditor. The auditor is engaged by the party audited to perform an audit and is paid by them. Thus, the auditor is dependent on the party audited, which can have an adverse effect on the quality of the attestation. In order to counteract this, a procedure in which the auditor is usually liable for their performance (see Section 3.5.3) has been chosen for the compliance controls catalogue.

What is to be borne in mind with regard to the attestation?

With an attestation of a cloud provider, the cloud customer must ensure that the following framework conditions set out by the BSI are fulfilled.

The auditing and reporting processes are carried out in accordance with the internationally used and proven standard ISAE 3000 (Revised) "Assurance Engagements Other than Audits or Reviews of Historical Financial Information". This standard describes general requirements for the qualification and conduct of an auditor (e.g. expert assessment and skepticism) as well as for accepting, planning and carrying out such engagements (see Section 3.2.1). Moreover, there are further regulations which should be applied correspondingly: ISAE 3402 "Assurance Reports on Controls at a Service Organization", IDW PS 951 n.v. "Die Prüfung des internen Kontrollsystems bei Dienstleistungsunternehmen" [The auditing of the internal control system of a service provider] and others (see Section 3.2.2).

The essential principles for the attestation include: relevance, completeness, reliability, neutrality and comprehensibility. The audit report must be prepared in the form of a SOC 2 report (Service Organization Control).

How efficient is the audit of this compliance controls catalogue?

The BSI’s objective is to not place an undue burden on cloud providers through an additional audit of standard requirements. If an audit is carried out by a public auditor, the cloud provider has the advantage that public auditors audit the annual financial statements each year anyway, so that an audit according to this compliance controls catalogue can easily be combined with the annual audit. Here, some of the requirements already overlap, so that one and the same audit can be used for two different reports. Moreover, a cloud provider can combine further audits, for example according to ISO standards, with this audit by adding corresponding auditors to the audit team. This results in further synergy potential.

What is a SOC 2 report?

SOC 2 reports according to the specifications of the AICPA (American Institute of Certified Public Accountants) serve to understand the internal control system of a service provider with regard to security, availability, processing integrity, confidentiality and data protection. This report provides the customer of the service provider with information necessary for their own control system and risk management.
The audit must be carried out and documented so that an expert third party can still understand after 10 years how the audit result was obtained.
In general, a distinction is made between two different types of reports: type 1 and type 2.

What are the differences between a type 1 SOC 2 report and a type 2 SOC 2 report?

In the case of a type 1 SOC 2 report, it is checked whether the "design" is appropriate in the sense that the requirements of the compliance controls catalogue are met. In a type 2 SOC 2 report, the effectiveness of the safeguards implemented during the audit period is also audited. This is the main difference from many other certifications in the field of IT security. When an audit is performed for the first time, it may be that too few statements regarding effectiveness can be made yet. For this period, only a type 1 report can be prepared, in which, however, statements on the effectiveness of the safeguards are also made where possible. In the next audit period, a type 2 report must then be requested.

Are there special requirements for the attestation for the compliance controls catalogue?

For a BSI-conform attestation of a cloud service, the report must include the following information:

  • detailed system description of the cloud service (see Section 3.3.2)
  • qualification of the auditor (see Section 3.5.1)
  • any identified deviations from the requirements (see Section 3.5.2)
  • information on the limitation of liability (see Section 3.5.3)

Are there advantages when an attestation is issued if other certificates are already available?

As a matter of principle, certificates are not accepted as part of the attestation. This is mainly due to two reasons:

  • The type of the certificates differs from the attestation, because, for example, the effectiveness of the safeguards in the past is not checked.
  • Since the public auditor signs the attestation and is liable for it, they can draw on reports of other certificates to a limited extent, but they will usually want to perform the audit irrespective of them.

And are there advantages if the attestation and the certification are carried out at the same time?

In this case, the attestation has the following major advantage: as all requirements of the ISO/IEC 27001 are also listed in the compliance controls catalogue, the principle “audit once – certify many” can be applied when attestation and certification are carried out at the same time. This means that the result of the audit of a requirement can be used for different audits, i.e. for the compliance controls catalogue and for a certificate according to ISO/IEC 27001. This reduces the time and effort significantly when the audit is performed. In this respect, the matrix showing the requirements of the catalogue with regard to other standards is very useful.

And how are the certificates/attestations of subcontractors dealt with?

Ideally, the subcontractor who renders services for the cloud provider also has an attestation according to the compliance controls catalogue. It can easily be used by the public auditor and seamlessly integrates into their own audit. All other certificates can be considered as indicators for the security achieved, but are checked by the auditor.