FAQ C5 and Trusted Cloud
What is Trusted Cloud?
After the ending of the program Trusted Cloud of the Federal Ministry of Economic Affairs and Energy (Bundesministerium für Wirtschaft und Energie, BMWi) the nonprofit association "Kompetenznetzwerk Trusted Cloud" was founded. BMWi took the patronage for it.
The offer of Trusted Cloud consists of:
- The website www.trusted-cloud.de is a platform for information concerning the use of cloud services. Through guides, check lists and use cases the whole life cycle of cloud services is covered and completed by a catalogue with remarks to other standards.
- Trusted Cloud offers the Trusted Cloud label that is based on its own criteria catalogue. To receive the label cloud service provider must fulfill all aspects of this catalogue are fulfilled and described in a self assessment. Trusted Cloud uses a third-party audit process.
- All cloud service provider holding the Trusted Cloud label are listed on the website. The cloud services are specified in detail.
- Additional a list of service provider (e.g. consultants) that meet the transparency criteria by Trusted Cloud is available.
How do C5 and Trusted Cloud compare?
Trusted Cloud is mainly directed towards small and medium enterprises, both cloud service provider and cloud service user. C5 is mainly directed towards medium an large cloud service provider and their professional customers. But both catalogues are not limited to these audiences.
The criteria catalogue of Trusted Cloud comprises not only of aspects of data security but also of criteria for quality and transparency as well as data protection and contractual issues. C5 focuses on information security (and transparency) and is more extensive compared to the Trusted Cloud criteria catalogue, the security requirements are more explicit and targets for a a higher security level, if comparing the minimum requirements. Extend and manner of the C5 audit are more elaborate and result in a much more detailed statement of the security. The criteria catalogue of Trusted Cloud addresses more topics cloud user are interested in.
In this respect both catalogues complement one another and are not competitors.
What is TCDP (Trusted Cloud Data Protection Profile)?
A major aspect of the expired program "Trusted Cloud" of BMWi was data protection. It was a goal to build a solid base for a data protection certification especially for cloud services. In a unique constellation research, data protection authorities, cloud service provider and cloud service user worked together to achieve a common solution. So TCDP, the Trusted Cloud Data Protection Profile (www.tcdp.de) developed that is now managed by Stiftung Datenschutz.
Is it possible to use TCDP in conjunction with C5?
TCDP and C5 overlap in many requirements. Data (or information) security plays an important role in data protection, described in the so called technical and organizational measures (TOM). There are many commonalities between TCDP and C5, so that together within a C5 audit also a data protection certification can be performed in an efficient way. However C5 does not cover any legal aspects of data protection. TCDP (like the Trusted Cloud Label) is based on the German Bundesdatenschutzgesetz (BDSG) but will be adopted a the EU data protecion directive .