Germany C5:2020 overview
In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Criteria Catalogue (C5) as an auditing standard. It is intended for cloud service providers (CSPs), their auditors, and customers of the CSPs. C5 established a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.
In 2019, BSI reworked and updated the C5 Catalogue, and the new version C5:2020 was finalized and released in January 2020. C5:2020 expands the scope of C5 by adding new requirements, adapting existing requirements, and adding two new domains on product safety and security and investigation requests from government agencies.
C5:2020 is based on established standards, including ISO/IEC 27001, Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), AICPA Trust Services Principles and Criteria, BSI IT-Grundschutz Catalogue, and others. However, C5:2020 adds additional transparency controls to provide information on data location, provision of services, place of jurisdiction, existing certifications, and information disclosure obligations towards government agencies. The emphasis on transparency helps potential cloud customers decide whether the cloud services meet their compliance with legal requirements like data protection, company policies, or the ability to address the threat of industrial espionage.
Azure and Germany C5:2020
According to C5:2020 Section 3.3 “Connection to Other Audits”, a C5:2020 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit results for overlapping controls. Microsoft Azure provides customers with a SOC 2 Type 2 attestation based on a rigorous independent third-party audit conducted by a reputable certified public accountant (CPA) firm. The Azure SOC 2 Type 2 attestation is conducted according to:
- SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
- TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- BSI Cloud Computing Compliance Criteria Catalogue (C5:2020)
At the conclusion of a SOC 2 audit, the auditor renders an opinion in a SOC 2 Type 2 report, which describes the CSP’s system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
- Azure Government
Services in scope
Microsoft cloud services in audit scope are shown in the Azure SOC 2 Type 2 attestation report.
Office 365 and Germany C5
For more information about Office 365 compliance, see Office 365 Germany C5 documentation.
Audit reports and certificates
The Azure SOC 2 Type 2 attestation report includes an assessment of C5:2020 controls.
Frequently asked questions
What's the difference between the C5:2020 and IT-Grundschutz catalogues? C5:2020 is an auditing standard from BSI that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. IT-Grundschutz supplies the specific methodology to help organizations identify and implement security measures for IT systems, and is one of the elements upon which the C5:2020 standard is built.
Does the Azure SOC 2 Type 2 attestation also include compliance coverage for Germany C5:2020? Yes. A C5:2020 audit can be combined with a SOC 2 audit to leverage parts of the system description and audit results for overlapping controls. Azure publishes a combined attestation report (C5:2020, SOC 2 Type 2, CSA STAR Attestation) based on the audit assessment performed by an independent auditor, which provides proof of compliance with C5:2020.
How often are Azure SOC reports issued? SOC reports for Azure, Dynamics 365, and other online services are based on a rolling 12-month run window (audit period) with new reports issued semi-annually (period ends are 31-Mar and 30-Sep). Bridge letters are issued during the first week of each quarter to cover the prior three-month period. For example, the January letter covers 1-Oct through 31-Dec, the April letter covers 1-Jan through 31-Mar, the July letter covers 1-Apr through 30-Jun, and the October letter covers 1-Jul through 30-Sep.
How can I get the Azure SOC audit documentation including bridge letters? For links to audit documentation, see Audit reports and certificates.