C5 Compliance Can Increase the Transparency of Data Protection

by Kim Koch, Partner, and Priya Kumar, Manager, IT Compliance Services

Cloud service providers (CSP) are finding it increasingly difficult to distinguish their services from other providers.

For customers, the increased use of cloud services—and the heightened awareness of data use and privacy—makes it equally difficult to understand which provider will best safeguard their information.

The Cloud Computing Compliance Criteria Catalogue (C5) by the German Federal Office for Information Security (BSI) combines cloud computing and information security in a comprehensive framework. It provides baseline security controls geared towards safeguarding data and structuring how it’s secured and managed in the cloud.

C5 guidelines push for a risk-oriented approach to guide the CSP in identifying critical data, services, and processes. Then, customers have the ability to incorporate these findings into their risk management program.

Living in the cloud is risky. C5 provides guidelines on shared responsibilities for all parties including vendors, auditors, users, security providers, and customers. C5’s setup alters access responsibility over an application or infrastructure, which parts of the services are provided by the CSP on behalf of the customer, and which parts are implemented by the tenant on top of the provided service layers.

Below, we cover the background and components of C5, as well as how it can provide time- and cost-saving measures while increasing customer security and trust.

What Is C5?

C5 was developed in 2016; it’s a set of compliance criteria intended for cloud service providers with European customers or offices in the European Union (EU).

The overall objective of C5 is to increase the transparency of data protection in the cloud as organizations move away from traditional application and infrastructure responsibilities and towards a spectrum of evolving applications, services, and virtualized infrastructure.

This transparency helps cloud users know whether the CSP has fulfilled their requirements. These requirements can include:

  • Consideration of security elements from identity and access management—securing the authorization and authentication of users to prevent unauthorized access
  • Availability—timeliness and reliability of access to and use of data
  • Isolation—tracking of changes and transactions without adversely affecting their execution
  • Cybersecurity threats—safeguards to protect against malicious attacks
  • Monitoring—reviewing and managing operational workflows

The C5 framework also combines existing security standards from international certifications such as:

  • Information Security Management (ISO) and International Electrotechnical Commission (IEC) 27001
  • Trust Services Criteria (TSC) established by the Association of International Certified Professional Accountants (AICPA)
  • Cloud Controls Matrix of the Cloud Security Alliance (CSA CCM)

Benefits of C5

Built-In Security

Along with using existing security standards, C5 also applies its own security criteria. It’s divided into 17 domains, and an objective is assigned to each domain alongside a total of 121 requirements that specify the general procedures and controls needed to satisfy the objectives.

Within the 121 requirements are a set of basic criteria and additional criteria. In their description of the system, the CSP is required to explain if the basic or additional criteria are applicable, as they relate to the design of the cloud service or procedures of the CSP. While this documentation can be cumbersome, it establishes trust with customers by holding the CSP to a higher security standard.

The overall objective of C5 is to increase the transparency of data protection in the cloud as organizations move away from traditional application and infrastructure responsibilities and towards a spectrum of evolving applications, services, and virtualized infrastructure.

CSPs may have already conformed to a variety of other standards. However, by aligning these standards with C5, CSPs are able to:

  • Use audit documentation over multiple engagements
  • Create greater efficiency
  • Align controls and processes with use of system description

While there are many available standards that point to various portions of safeguarding data, there’s also a lot of overlap. With the combination of the audits listed above, along with the various other standards and C5, your organization can achieve potential time- and cost-saving measures.

Transparency

C5 also requires CSPs to provide a system description and further detail around the surrounding parameters for the intended system. The details should include the following aspects:

  • Jurisdictional information on how data is stored and processed
  • Availability and recovery of information
  • Availability of certifications already issued

The design of C5 allows some flexibility when it comes to the details of implementing controls. Your organization is given a set of standards and requirements to help determine your security measures, but you aren’t told how to go about implementing those standards. This creates an opportunity to synchronize your security procedures against other relevant audits or certifications, which can help you reduce redundant audits.

2020 Changes

With an ever-changing technological landscape and subsequent changes in standards, BSI plans to periodically update their requirements.

In January 2020, BSI updated C5 to include focus around the following key areas:

  • Product security with respect to the EU Cybersecurity Act
  • Management of investigation requests
  • Concepts around development and operations
  • Complementary customer criteria, similar to the American Institute of Certified Public Accountants concept of complementary user entity controls
  • Option to perform a direct engagement as opposed to an attestation engagement

As of October 2020, C5 is required in Germany if you're providing cloud services to government agencies, but the compliance isn’t restricted to Germany-based providers. An increasing number of CSPs have opted to obtain C5 compliance; it could be that the private sector isn’t too far behind.

The design of C5 allows some flexibility when it comes to the details of implementing controls… This creates an opportunity to synchronize your security procedures against other relevant audits or certifications, which can help you reduce redundant audits.

Integrating C5

BSI provides specific mapping of how C5 applies to ISO, CSA, and AICPA Trust Service Criteria. It’s important to understand that while this explanation may exist, it relies on the nature of the control itself and how it does or doesn’t apply across the board.

Below are some of the common audits that can be performed in conjunction with C5.

Service Organization Control (SOC) 2 Audit

According to BSI, a C5 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit evidence for overlapping controls.

A SOC 2 audit focuses on system reliability as it relates to five trust service categories:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Similar to C5, the SOC has predefined criteria for each category that requires controls and procedures to be in place. It also has the concept of basic criteria—security category—with additional criteria—the other 4 categories listed above—to be included as needed. 

Additionally, both are attestation engagements where an opinion from an independent auditor is provided with reasonable assurance that the description fairly represents the CSP's service commitments and system requirements.

The controls in the description are required to be designed as of a date—Type 1—or operating effectively—Type 2. Some controls are both.

C5 differs because it also performs direct engagements versus attestation engagements. In an attestation agreement, the CSP creates a system description, and the procedures and controls, in advance of the audit. In a direct engagement, the independent auditors are required to inquire about procedures and controls in place, and then validate, with evidence, those controls are operating effectively versus the existence of a system description. Both SOC 2 and C5 can be planned in a way that audit results can be used for both audit schemes.

General Data Protection Regulation (GDPR)

When enterprises host sensitive information in the cloud, there can be increased risks of information distribution and accessibility. For example, when information is stored in the cloud, pinpointing the exact geographical location where it’s stored can become difficult. Data can also get transferred between locations, making it a challenge to monitor the data flow; your organization may not fully understand the applicable privacy laws in those areas.

GDPR is an EU regulation that focuses on processing of personal data for EU data subjects and privacy and protection measures in place. Both C5 and GDPR place great emphasis on data processing, and most of the requirements of C5 also happen to be included in the security requirements of the GDPR.

ISO 27001 and IEC 27001

ISO 27001 and IEC 27001, international standards for cloud security, formed the basis for the C5 criteria.

ISO 27001 focuses on information security management system (ISMS)—a set of rules an organization needs to establish to identify risks, define safeguards, and establish continuous monitoring. All aspects of ISO 27001 relate to the confidentiality, integrity and availability of information.

What C5 doesn’t specify are technical requirements of the system in question. However, several other information security standards have been developed to provide guidance particularly ISO and IEC 27017.

BSI also outlines how to map from C5 to ISO 27002 and IEC 27001 and 27017 where the engagements could be planned in tandem.

CSA CCM

CSA CCM also helped form the basis of C5’s criteria. It’s a framework designed to provide security principles to cloud vendors and cloud customers helping them assess security risk for a cloud provider.

Security concepts and principles are broken down to 13 domains and closely relates to C5 domains. While CSA focuses on data computing, C5 places a greater emphasis on both cloud computing and information security.

Next Steps

For organizations that haven’t previously prepared for the cloud security requirements mentioned above, performing a C5 readiness assessment would be beneficial to help identify how prepared the organization is for a C5 audit. It would also be beneficial to review the BSI catalog requirements to determine if there are sufficient internal resources or if third-party assistance is required.

For organizations who have performed SOC or ISO audits, BSI provides mapping from those frameworks to criteria within C5, which can result in greater efficiency for overlapping audits.

We’re Here to Help

If you have any questions about how your organization can utilize C5, please contact your Moss Adams professional.

Kim Koch has practiced public accounting since 2001 and has over 15 years of experience conducting System and Organization Control (SOC) readiness assessments and audits, compliance audits, and internal controls evaluations. She can be reached at 206-302-6425 or kim.koch@mossadams.com.

Priya Kumar has provided IT consulting and compliance services since 2013. She provides expertise in SOC readiness assessments and SOC 1 and SOC 2 engagements; in addition to evaluating and testing the design and operational effectiveness of IT general controls. She can be reached at 310-481-1302 or priya.kumar@mossadams.com.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC.

Related Topics

A SOC Examination for Cybersecurity Could Combat Risk for Remote Work
Why It’s Key for Technology Companies to Prove Integrity of Internal Controls
Protect Your Company from Cyberthreats with Information Security Governance
Best Practices for Data Management and Predictive Analytics