Your organization is given a set of standards and requirements to help determine your security measures, but you aren’t told how to go about implementing those standards.
2020 Changes
With an ever-changing technological landscape and subsequent changes in standards, BSI plans to periodically update their requirements.
In January 2020, BSI updated C5 to include focus around the following key areas:
- Product security with respect to the EU Cybersecurity Act
- Management of investigation requests
- Concepts around development and operations
- Complementary customer criteria, similar to the American Institute of Certified Public Accountants concept of complementary user entity controls
- Option to perform a direct engagement as opposed to an attestation engagement
As of October 2020, C5 is required in Germany if you're providing cloud services to government agencies, but the compliance isn’t restricted to Germany-based providers. An increasing number of CSPs have opted to obtain C5 compliance; it could be that the private sector isn’t too far behind.
Integrating C5
BSI provides specific mappings of how C5 applies to ISO, CSA, and the AICPA Trust Services Criteria. It's important to understand that while this mapping exists, how far it holds depends on the nature of each control itself and whether or not that control applies across the board.
Below are some of the common audits that can be performed in conjunction with C5.
Service Organization Control (SOC) 2 Audit
According to BSI, a C5 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit evidence for overlapping controls.
A SOC 2 audit focuses on system reliability as it relates to five trust service categories:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Similar to C5, SOC 2 has predefined criteria for each category that require controls and procedures to be in place. It also has the concept of basic criteria (the Security category) with additional criteria (the other four categories listed above) to be included as needed.
Additionally, both are attestation engagements where an opinion from an independent auditor is provided with reasonable assurance that the description fairly represents the CSP's service commitments and system requirements.
The controls in the description are required to be designed as of a date (Type 1) or operating effectively (Type 2). Some controls are both.
C5 differs because it also allows direct engagements in addition to attestation engagements. In an attestation engagement, the CSP creates a system description, along with the procedures and controls, in advance of the audit. In a direct engagement, the independent auditors are required to inquire about the procedures and controls in place, and then validate with evidence that those controls are operating effectively, rather than relying on the existence of a system description.