Federal Office for Information Security (BSI)

How to deal with aspects of C5 that are not included in ISAE 3000 audits?

C5 defines that all controls of C5 shall be audited according to ISAE 3000 or in a manner analogous to ISAE 3402 and SOC 2. Where C5 requires additional issues, the specification of C5 must be followed. This is the case for the documentation of the audit team in the report: in ISAE 3000 reports only the signing public accountant is known by name, whereas a C5 report requires information about the audit team and its qualification. Also, the system description in a C5 report has to include more aspects than in an ISAE 3000 report. In the latter, the cloud service provider delivers a system description that might be slightly altered by the auditor. With C5, the surrounding parameters for transparency (UP-01 to UP-04) demand exactly the content of the system description of the audited services. C5 needs more details than usual ISAE 3000 reports contain. These details may be part of the system description or may be listed in an additional section.

How can a typical ISAE audit be extended to a C5 audit with minimal effort?

The conception of C5 enables most efficient audits by re-using the results of audits already performed for the same period. In this case the controls of the ISAE 3000 audit of the CSP need to be aligned with those of C5 so that the differences become evident. If the ISAE 3000 controls require the same or even more, an audit for the C5 report does not need to be performed again. Where C5 demands more, the differences need to be audited. The more exactly the differences are worked out, the more efficient a C5 audit can be made. This is only possible if an ISAE 3000 audit of type II was done that audits design and effectiveness as required for a C5 audit.

How can it be ensured that an audit and a report are C5 compliant? Does the BSI verify C5 reports?

The BSI does not oversee C5 audits and does not provide a list of approved C5 attestations. C5 attestations are issued by public accountants, and the BSI cannot ensure that C5 attestations are only issued when all controls of C5 are met. The appearance of a report alone does not reveal whether an ISAE 3000 audit merely uses some of the controls of C5 or whether all requirements of C5 were part of the audit. Section 3.6 states that it is necessary to examine audit reports. For a quick evaluation the following topics help.

  • C5 must be audited by a public accountant. If the C5 report is not signed by a public accountant, it is not C5 compliant.
  • C5 requires information about the audit team including qualification (and for at least half of the team certain experience and business qualifications are necessary). If this information is missing from the report, it is not C5 compliant.
  • An ISAE report usually consists of three parts: the conclusive audit opinion of the public accountant, the system description and the audit of the controls. C5 has special prerequisites in the surrounding parameters for transparency (UP-01 to UP-04) that need to be part of the system description. A report lacking these topics is not C5 compliant.
  • Deviations in a C5 compliant report need to be handled as follows: statements on which measures will be taken to rectify the deviation, whether the deviation was already present in the last audit report, and the circumstances under which the deviation was found. Otherwise the report is not C5 compliant.
  • All controls of section 5 of the C5 need to be audited for a complete report. If the auditor's opinion in the report states that the cloud service fulfils all additional controls for confidentiality or availability (or both), all these respective controls must be listed.

If all these conditions are fulfilled, then the results of each control of C5 need to be looked at. It must be clear how the auditor came to the conclusion. In case of uncertainty about the results, the cloud service provider should be asked.