How to deal with aspects of C5 that are not included in ISAE 3000 audits?
C5 defines that all C5 controls shall be audited according to ISAE 3000 or in a manner analogous to ISAE 3402 and SOC 2. Where C5 requires additional items, the C5 specification must be followed. This is the case for the documentation of the audit team in the report: in ISAE 3000 reports only the signing public accountant is known by name, whereas a C5 report requires information about the audit team and its qualifications. The system description in a C5 report also has to cover more aspects than in an ISAE 3000 report. In the latter, the cloud service provider delivers a system description that might be slightly altered by the auditor. With C5, the surrounding parameters for transparency (UP-01 to UP-04) specify exactly the required content of the system description of the audited services. C5 therefore needs more details than usual ISAE 3000 reports contain. These details may be part of the system description or may be listed in an additional section.
How can a typical ISAE audit be extended to a C5 audit with minimal effort?
The conception of C5 enables highly efficient audits by re-using the results of audits already performed for the same period. In this case the controls of the CSP's ISAE 3000 audit need to be mapped to those of C5 so that the differences become evident. Where the ISAE 3000 controls require the same or even more, the audit does not need to be performed again for the C5 report. Where C5 demands more, the differences need to be audited. The more precisely the differences are worked out, the more efficient a C5 audit can be. This is only possible if an ISAE 3000 type II audit was performed, since that audits both design and operating effectiveness as required for a C5 audit.
How can it be ensured that an audit and a report are C5 compliant? Does the BSI verify C5 reports?
The BSI does not oversee C5 audits and does not provide a list of approved C5 attestations. C5 attestations are issued by public accountants, and the BSI cannot ensure that C5 attestations are only issued when all C5 controls are met. The appearance of a report alone does not show whether an ISAE 3000 audit used only some of the C5 controls or whether all requirements of C5 were part of the audit. Section 3.6 states that it is necessary to examine audit reports. For a quick evaluation, the following topics help.
If all these conditions are fulfilled, the results for each C5 control need to be examined. It must be clear how the auditor came to the conclusion. In case of uncertainty about the results, the cloud service provider should be asked.