Integrating C5
BSI provides a specific mapping of how C5 applies to ISO, CSA, and the AICPA Trust Services Criteria. It’s important to understand that while this mapping exists, whether a given control carries over depends on the nature of the control itself and whether it applies in every context.
Below are some of the common audits that can be performed in conjunction with C5.
Service Organization Control (SOC) 2 Audit
According to BSI, a C5 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit evidence for overlapping controls.
A SOC 2 audit focuses on system reliability as it relates to five trust service categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Similar to C5, SOC 2 has predefined criteria for each category that require controls and procedures to be in place. It also has the concept of basic criteria—the security category—with additional criteria—the other 4 categories listed above—included as needed.
Additionally, both are attestation engagements in which an independent auditor provides an opinion with reasonable assurance that the description fairly represents the CSP's service commitments and system requirements.
The controls in the description are required to be designed as of a date—Type 1—or operating effectively—Type 2. Some controls are both.
C5 differs in that it also allows direct engagements in addition to attestation engagements. In an attestation engagement, the CSP creates the system description, procedures, and controls in advance of the audit. In a direct engagement, the independent auditors must inquire about the procedures and controls in place and then validate, with evidence, that those controls are operating effectively, rather than relying on the existence of a system description. Both SOC 2 and C5 can be planned so that the audit results can be used for both audit schemes.
General Data Protection Regulation (GDPR)
When enterprises host sensitive information in the cloud, the risks around how that information is distributed and accessed can increase. For example, when information is stored in the cloud, pinpointing the exact geographical location where it’s stored can become difficult. Data can also be transferred between locations, making it a challenge to monitor the data flow, and your organization may not fully understand the privacy laws that apply in those jurisdictions.
GDPR is an EU regulation that governs the processing of personal data of EU data subjects and the privacy and protection measures that must be in place. Both C5 and GDPR place great emphasis on data processing, and most of the requirements of C5 also happen to be included in the security requirements of the GDPR.
ISO 27001 and IEC 27001
ISO 27001 and IEC 27001, international standards for cloud security, formed the basis for the C5 criteria.
ISO 27001 focuses on the information security management system (ISMS)—a set of rules an organization needs to establish to identify risks, define safeguards, and establish continuous monitoring. All aspects of ISO 27001 relate to the confidentiality, integrity, and availability of information.
What C5 doesn’t specify are the technical requirements of the system in question. However, several other information security standards have been developed to provide that guidance, particularly ISO and IEC 27017.
BSI also outlines how to map from C5 to ISO 27002 and IEC 27001 and 27017 so that the engagements can be planned in tandem.
CSA CCM
CSA CCM also helped form the basis of C5’s criteria. It’s a framework designed to provide security principles to cloud vendors and cloud customers, helping them assess the security risk of a cloud provider.
Security concepts and principles are broken down into 13 domains that closely relate to the C5 domains. While CSA focuses on data computing, C5 places a greater emphasis on both cloud computing and information security.
Next Steps
For organizations that haven’t previously prepared for the cloud security requirements mentioned above, a C5 readiness assessment can help identify how prepared the organization is for a C5 audit. It would also be beneficial to review the BSI catalog requirements to determine whether there are sufficient internal resources or whether third-party assistance is required.
For organizations that have already performed SOC or ISO audits, BSI provides a mapping from those frameworks to the criteria within C5, which can result in greater efficiency for overlapping audits.
We’re Here to Help
If you have any questions about how your organization can utilize C5, please contact your Moss Adams professional.