BSI criteria catalog C5:2020 — introduction

The German security standard for cloud services.

The BSI’s Cloud Computing Compliance Criteria Catalogue defines the minimum information-security requirements for the cloud. We support you from gap analysis to the Type 2 attestation — standards-aligned, audit-ready, and pragmatic.

C5:2020 at a glance
  • 2016: first published, fundamentally revised in 2020
  • 121 audit criteria across base and additional criteria
  • 17 requirement areas, from OIS to PCS
  • 2 report types (Type 1 / Type 2)
  • § 393 SGB V: Type 2 attestation mandatory in healthcare since 1 July 2025
  • ISAE 3000 / IDW PS 860: assurance by certified auditors
  • C5:2026: next version in progress
Overview

What is the C5 catalog?

The German audit and attestation standard for cloud services — developed by the Federal Office for Information Security to make a generally accepted security level demonstrable.

The standard

C5 translates established frameworks such as ISO/IEC 27001, ISO/IEC 27017, and the AICPA Trust Services Criteria into an auditable, cloud-specific criteria catalog — and is the benchmark for cloud security in the DACH region.

The principle

BSI defines what must be met — not how. Implementation lies with the cloud provider; independent assurance lies with certified auditors per ISAE 3000 (revised) or IDW PS 860.

The duty

Federal authorities require C5 under EVB-IT Cloud. § 393 SGB V, introduced by the DigiG, requires cloud services used in healthcare to hold a C5 attestation or equivalent evidence; since 1 July 2025 that has to be a Type 2 attestation.

Structure

The 17 requirement areas of C5.

Each area contains concrete, auditable base criteria as well as optional additional criteria for higher protection levels. The codes below follow the German edition of the catalog; the English edition abbreviates some areas differently (for example OPS, CRY, COS, DEV, SSO, and PSS instead of RB, KRY, KOS, BEI, DLL, and PCS), so align your control matrix with the edition your auditor works from.

OIS

Organization of information security

Roles, responsibilities, management commitment

SP

Security policies & instructions

Documented policies, approval, and review

HR

Human resources

Hiring, awareness, off-boarding

AM

Asset management

Inventory, classification, handling

PS

Physical security

Data centers, access, environmental controls

RB

Regular operations

Capacity, logging, vulnerability management

IDM

Identity & access management

IAM, privileged access, MFA

KRY

Cryptography & key management

Algorithms, keys, lifecycle

KOS

Communication security

Network segmentation, TLS, transmission

PI

Portability & interoperability

Export, standards, data return

BEI

Procurement, development & change

Secure SDLC, change management

DLL

Service providers & suppliers

Subservice providers, oversight, monitoring

SIM

Security incident management

Detection, response, post-incident review

BCM

Business continuity management

BIA, recovery, testing

COM

Compliance

Legal, regulatory, and contractual requirements

INQ

Government investigation requests

Lawfulness, transparency, processes

PCS

Product security

Secure provisioning and operation of the cloud service

+ TRANS

Transparency requirements

Disclosure of subcontractors, data storage locations, legal systems

Report types

Type 1 or Type 2 — which fits when?

C5 has two report types. BSI recommends Type 2, since only the operating effectiveness assessment provides meaningful coverage over a period of time.

Type 1

Suitability of design

Assesses on a single date whether the service-related internal control system is suitably designed to meet the C5 criteria. Useful as an initial assessment when entering the standard; per BSI not intended for repeated reporting.

Assessment: single date
Assurance: design only

Type 2

Suitability of design and operating effectiveness

Assesses, over a defined examination period, whether the controls were suitably designed and also operated effectively throughout that period. This is the report type BSI recommends and the one § 393 SGB V requires for cloud services in healthcare.

Assessment: examination period (typically 6 to 12 months)
Assurance: design and operating effectiveness
The path to attestation

In five steps to a C5 attestation.

As your GRC and information security partner, we accompany you through every phase in a structured way — from the first gap analysis to the auditor’s attestation.

  1. Gap analysis: compare your ISMS with the 121 criteria
  2. System description: service documentation per Section 3.4.4 of C5:2020
  3. Implementation: control design, policies, evidence collection
  4. Readiness: internal audit, evidence review
  5. Attestation: audit per ISAE 3000 / IDW PS 860
Audiences

Who is C5 relevant for?

C5 affects both cloud providers that need to demonstrate an attestation and cloud users in regulated industries who require an attestation from their providers.

Cloud service providers

SaaS, PaaS, and IaaS providers who want to demonstrate their security maturity to customers, auditors, and regulators.

→ Build a C5 attestation

Healthcare

Hospitals, health insurers, and providers under § 393 SGB V — as of July 2025 with a statutory evidence requirement for their cloud service providers.

→ Require evidence

Public sector

Federal, state, and municipal authorities procuring external cloud services under EVB-IT Cloud and BSI minimum standards.

→ Secure procurement

Regulated industries

Financial services, energy providers, and KRITIS companies establishing C5 as a complement to ISO 27001, DORA, or NIS2.

→ Raise security level
FAQ

Common questions about C5.

Is C5 a certification?

No. C5 is an attestation standard. An independent auditor performs an examination per ISAE 3000 (revised) or IDW PS 860 and issues an attestation report. BSI itself does not perform audits and does not issue certificates.

How does C5 relate to ISO 27001?

An existing ISO/IEC 27001 certificate is a strong foundation. Many C5 criteria reference Annex A controls directly. BSI provides cross-reference tables that let you identify gaps between an ISMS and the cloud-specific C5 requirements efficiently.

What’s the difference between base criteria and additional criteria?

For a C5 attestation, all applicable base criteria must be fully met — they form the minimum level. Additional criteria are optional and address elevated protection needs. Customers with particularly sensitive workloads often require them explicitly.

How long does it take to get a first Type 2 attestation?

Realistically 9 to 18 months, depending on the maturity of the existing ISMS. Typically 3–6 months for gap analysis and implementation, 6–12 months for the operating-effectiveness period, plus the actual examination and reporting.

What changes with C5:2026?

The successor C5:2026 builds on C5:2020 and adds references to NIS2, CEN/TS 18026, and updated AICPA Trust Services Criteria, among others. Already attested cloud services keep their status — new examination periods follow the new criteria per BSI transition rules.

Does C5 apply if we use subservice providers?

Yes — and it explicitly addresses that case. Controls that fall within the responsibility of subservice providers (e.g. IaaS providers for SaaS services) are included as Complementary Subservice Organization Controls in the system description. Section 3.4.5 of C5:2020 details this.

Valeri Milke, Founder & CEO, VamiSec GmbH
Your contact

"C5 isn’t a checkbox on a list — it’s the evidence of trust that regulated customers expect from cloud providers today. We build the internal control system so it holds under audit — not just passes formally."

  • ISO/IEC 27001: Information security management system (ISMS)
  • ISO/IEC 42001: AI management system (AIMS)
  • BSI C5: Cloud Computing Compliance Criteria Catalogue
  • ISAE 3000 / IDW PS 860: Audit by certified auditors
Free initial consultation

Ready for the C5 standard?

30 minutes with Valeri Milke: we clarify your starting point, evaluate your cloud architecture, and outline a realistic path to a Type 2 attestation — including effort estimate and timeline.

Book a meeting
Free · no obligation · personal assessment