Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government's "Security Recommendations for Cloud Providers".
The C5 attestation can be used by AWS customers and their compliance advisors to understand the security controls implemented by AWS to meet the C5 requirements as they move their workloads to the cloud. C5 adds the regulatory-defined IT-Security level equivalent to the IT-Grundschutz, with the addition of cloud-specific controls.
C5 includes additional control requirements relating to data location, service provisioning, place of jurisdiction, existing certifications, information disclosure obligations, and a full-service description. Using this information, customers can evaluate how legal regulations (i.e. data privacy), their own policies, or the threat environment relate to their use of cloud computing services.
C5 (Cloud Computing Compliance Controls Catalogue) is the “cloud computing IT-Security” standard in Germany. Designed and first released by the BSI in 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to Cloud Computing Service providers such as AWS.
The current C5 was released in 2020 and includes requirements from the following standards and publications:
ISO/IEC 27001:2013 – Information security management systems – Requirements
ISO/IEC 27002:2016 – IT security procedures – Guidelines for information security measures
ISO/IEC 27017:2015 – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
AICPA Trust Service Principles Criteria 2017 (AICPA - American Institute of Certified Public Accountants)
ANSSI (Agence nationale de la sécurité des systèmes d’information, National Cybersecurity Agency of France) – Providers of cloud computing services v. 3.1 (SecNumCloud)
IDW (Institut der Wirtschaftsprüfer, the German Institute of Certified Public Accountants) RS FAIT 5 – Statement on Financial Reporting: “Principles of Orderly Accounting for the Outsourcing of Financial Reporting-Related Services including Cloud Computing”, as at November 4, 2015
Who created the C5 standard?
Germany’s national cybersecurity authority Bundesamt für Sicherheit in der Informationstechnik (BSI) developed the C5 standard in 2016. The BSI defines the IT-Security requirements for all governmental systems, and most German companies align their IT-Security strategy with BSI standards. The BSI reworked and updated the C5 catalogue in 2019. A new version (C5:2020) was finalised in January 2020.
What are the customer benefits of this standard?
The C5 report provides our European customers with an independent third-party attestation on the suitability of the design and operational effectiveness of our controls to meet the C5 basic and additional criteria. Specifically in Germany, customers are used to looking for cloud services which are assessed against the C5 criteria. C5 provides customers with a framework documenting an IT-Security level equivalent to the IT-Grundschutz covering all IT-Security aspects for Cloud Computing. For federal authorities, a C5 attestation is a basic requirement in the procurement process.
AWS Regions in scope for C5 include Frankfurt, Ireland, London, Paris, Milan, Stockholm, Singapore, Zurich and Spain, as well as Edge locations in Germany, Ireland, England, France, Singapore, Sweden, Italy, Spain and Switzerland.
Which services are in scope?
The AWS services that are already in scope for C5 can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services or are interested in other services, please contact us.
BSI has aligned this work with ANSSI and their upcoming SecNumCloud Label. The C5 standard has been influenced by and, in turn, has influenced the SecNumCloud standard in France, with the clear goal to have the option for mutual recognition under a common label called ESCloud. Also, the draft version of the European Union Agency for Cybersecurity (ENISA)’s European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) draws significantly from C5’s security standard.
What is the difference between a certification and an attestation?
A certification is issued by an accredited specialized company and often lasts between one and three years. An attestation can be received during a compliance audit or an accounting audit by qualified personnel. An attestation focuses more on the continuous implementation aspect, which means that the re-audit cycle is much shorter – down to 6 months. According to ISAE 3000 / 3402, the audit process delivers evidence of appropriateness and effectiveness over a past range of time. A certification is just a snapshot in time.