Federal Office for Information Security (BSI)

What is the ISO/IEC 27001 intended for?

ISO/IEC 27001 is the international standard for an information security management system (ISMS). This standard describes how such a management system has to designed. Furthermore, the Annex of ISO/IEC 27001 includes a list of requirements (controls) which have to be met. Suggestions for implementations (recommendations) can be found in ISO/IEC 27002.

Does the compliance controls catalogue adhere to ISO/IEC 27001?

The compliance controls catalogue includes all requirements of the ISO/IEC 27001 in the basic requirements. This means that a cloud provider who implemented the ISO/IEC 27001 has already implemented safeguards for many of the requirements in the catalogue.

In its basic requirements, the compliance controls catalogue requires a management system which is based on ISO/IEC 27001. However, it leaves it up to the cloud provider to also use others as long as the essential requirements of the ISO/IEC 27001 for such an ISMS are met in order to achieve the same security level. The higher-level requirement requires an ISMS certified according to ISO/IEC 27001.

And what about the “cloud” standards ISO/IEC 27017 and ISO/IEC 27018?

ISO/IEC 27017 "Code of practice for information security controls based on ISO/IEC 27002 for cloud services" expands ISO/IEC 27002 by adding a wide range of “Good Practices” for cloud users and cloud providers. These shall help during implementation and usage of cloud services. Moreover, ISO/IEC 27017 contains a set of additional cloud specific controls that cover particular requirements for the special relationship between cloud customers and cloud providers, for the operation of cloud services, additional requirements regarding access management in shared environments, logging, monitoring, and for network security management.

A direct comparison of the controls of and ISO/IEC 27017 and BSI Cloud Computing Compliance Controls Catalogue (C5) shows, that C5 covers most of the augmentations that come with ISO/IEC 27017 dedicated to cloud service providers. From the point of view of BSI the additional controls of ISO/IEC 27017 are all covered by C5 with one exception. This mapping is meant to provide a first overview that cannot substitute an in-depth analysis in the run-up to an audit.

ISO/IEC 27018 “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” covers the protection of personal data in cloud computing. It is largely based on European data protection, but does not have a normative character. Since the compliance controls catalogue does not cover data protection, ISO/IEC 27018 can be used as very helpful supplement for data protection.

Why is the French standard of the ANSSI referenced?

There is close cooperation between the ANSSI (Agence nationale de la sécurité des systèmes d'information) and the BSI with regard to the security of cloud computing. Both institutes aim to achieve the same security level even if they have different approaches. The ESCloud Label, based on BSI C5 and SecNumCloud of ANSSI, expresses it visibly.

What is the difference between C5 and IT-Grundschutz of BSI?

IT-Grundschutz is a standard for establishing and maintaining an appropriate protection of the information of an institution. The IT-Grundschutz Catalogues describe safeguards for typical business processes, IT systems and applications. On the other hand C5 is a pure audit standard. IT-Grundschutz addresses the protection of the own information of an enterprise, but C5 ist laid out for offers of a cloud service provider (CSP). Both standards take a holistic view on information security and are not limited to e. g. technical aspects. Over the years IT-Grundschutz has become the reference for information security in Germany in offering concrete measures. CSP provide their service often in a very different manner. Therefore it is advantageous for them to fulfill controls as it is feasible for them instead of implementing fixes measures.

Do both address the same level of security?

Despite the different structure both approaches address the same level of security for cloud services with their minimum requirements. Both include additional requirements resp. safeguards to achieve a higher security level.

How does a certification according to IT-Grundschutz compare to an BSI C5 attestation?

As described above certifications and attestation differ fundamentally. The structure of C5 and IT-Grundschutz distinguish a lot although both address the same security level for cloud services. Therefore it is not feasible to compare these alternatives across-the-board. From BSI's point of view both possibilities are suitable to proof the security of cloud services. Compliance regulations that either the cloud service provider or the cloud user has to follow may lead to a specific audit. The cloud customer should know which verification a more suitable and which kind of information is needed or expected from the cloud service provider. Nevertheless both assurances can be efficiently combined to serve even more customers.

What is the fundamental difference between both audit reports?

The audit report of a C5 audit is written for the customers of a cloud service provider. It expresses not only a vote of a public accountant but the cloud customer can comprehend in detail how the public accountant came to the conclusion. The is advantageous for the governance of the cloud customer. Reports of certification instead are made for the applicant and the certification body. These kind of reports are usually not shown to the cloud customer. Only a C5 audit report gives information according to the surrounding parameters for transparency along with security of the service.

How do both audits differ?

In each C5 audit all controls without exception are audited according to design and effectiveness during a whole past period (e. g. a year). To measure the effectiveness of the security measures a sample with a confidence interval of 95% is taken. A IT-Grundschutz audit analyses the information security management system a th specific point in time. The audit is performed in auditing documentation („Referenzdokumente“) and 7 to 10 IT-Grundschutz modules.

Is an C5 attestation issued automatically together with an IT-Grundschutz certificate of the BSI or an ISO/IEC 27001 certificate?

Having an IT-Grundschutz certificate or an ISO 27001 certificate does not qualify to receive a C5 attestation because the assurance methods differ too much.