BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the German federal standard for cloud security. Originally designed for cloud service providers, it is increasingly required in enterprise procurement and is referenced by NIS2 implementation guidelines in Germany. This guide explains what C5 audits check and how to prepare efficiently.
What is BSI C5?
Published by Germany's Federal Office for Information Security (BSI), C5 defines 17 control domains covering the security requirements for cloud services. Two attestation levels exist:
- Type 1: Point-in-time assessment — confirms controls are designed appropriately
- Type 2: Period-based assessment (typically 6-12 months) — confirms controls operate effectively over time
Type 2 is required for most public sector contracts and is increasingly expected by German enterprise buyers.
The 17 C5 control domains
C5 2020 covers:
- Organization of Information Security (OIS)
- Security Policies (SP)
- Human Resources (HR)
- Asset Management (AM)
- Physical Security (PS)
- Operations Security (OS)
- Identity and Access Management (IAM)
- Cryptography and Key Management (CKM)
- Communication Security (CS)
- Portability and Interoperability (PI)
- Availability of Services (AVL)
- Incident Management (IM)
- Procurement, Development and Maintenance (PDM)
- Compliance (CO)
- Information Security Policies for Suppliers (SSO)
- Security Testing (ST)
- Penetration Testing (PT)
Infrastructure controls auditors check first
C5 auditors focus heavily on these areas when reviewing cloud infrastructure:
IAM (C5-IAM)
- MFA enforced for privileged accounts
- Privileged access managed via PAM tooling or temporary elevation
- IAM reviews performed at least quarterly
- Service accounts follow least-privilege principle
- Access revoked immediately on employee departure
Cryptography (C5-CKM)
- Encryption at rest for all data classified as confidential
- KMS key rotation enabled (annual minimum)
- TLS 1.2+ enforced everywhere
- No deprecated protocol versions or cipher suites (SSLv3, TLS 1.0, TLS 1.1)
- Customer-managed KMS keys for highly sensitive data
Operations Security (C5-OS)
- CloudTrail configured as a multi-region trail with log file validation enabled
- Centralized log management with tamper protection
- Change management process for infrastructure (IaC, no manual changes)
- Vulnerability scanning on all EC2 and container workloads
- Patch management within defined SLAs
Availability (C5-AVL)
- RDS Multi-AZ enabled for production
- Automated backups with tested restore procedures
- Backup retention ≥ 30 days for regulated data
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented
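The CloudTrail, KMS rotation and RDS availability checks above, as an added Python example (not ConformScan's or BSI's code) that evaluates a configuration export; field names follow the AWS DescribeTrails, DescribeKey/GetKeyRotationStatus and DescribeDBInstances responses, while the `Environment` field and the sample export itself are constructed for this illustration.

```python
# Added example: map exported AWS configuration to C5-OS, C5-CKM and C5-AVL checks.
# Each finding is (domain, check name, passed). The export shape below is an
# assumption modelled on the AWS API responses; "Environment" is a constructed tag.

def check_cloudtrail(trails):
    """C5-OS: every trail must be multi-region with log file validation on."""
    return [("C5-OS", f"cloudtrail:{t['Name']}",
             bool(t.get("IsMultiRegionTrail")) and bool(t.get("LogFileValidationEnabled")))
            for t in trails]

def check_kms(keys):
    """C5-CKM: customer-managed keys need automatic rotation enabled (AWS-managed keys are skipped)."""
    return [("C5-CKM", f"kms:{k['KeyId']}", bool(k.get("KeyRotationEnabled")))
            for k in keys if k.get("KeyManager") == "CUSTOMER"]

def check_rds(instances, min_retention_days=30):
    """C5-AVL: production databases need Multi-AZ and >= 30 days of backup retention."""
    findings = []
    for db in instances:
        if db.get("Environment") != "production":
            continue  # only production instances are in scope for this check
        name = db["DBInstanceIdentifier"]
        findings.append(("C5-AVL", f"rds-multiaz:{name}", bool(db.get("MultiAZ"))))
        findings.append(("C5-AVL", f"rds-backup:{name}",
                         db.get("BackupRetentionPeriod", 0) >= min_retention_days))
    return findings

def run_checks(export):
    """Run all checks over one export and return the combined findings list."""
    return (check_cloudtrail(export["trails"]) + check_kms(export["kms_keys"])
            + check_rds(export["rds"]))

def failed(findings):
    """Return only the findings that need remediation before the audit."""
    return [f for f in findings if not f[2]]

SAMPLE_EXPORT = {  # constructed sample, not data from a real account
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}],
    "kms_keys": [{"KeyId": "key-1", "KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
                 {"KeyId": "key-2", "KeyManager": "CUSTOMER", "KeyRotationEnabled": False},
                 {"KeyId": "aws-managed", "KeyManager": "AWS", "KeyRotationEnabled": True}],
    "rds": [{"DBInstanceIdentifier": "prod-db", "Environment": "production",
             "MultiAZ": True, "BackupRetentionPeriod": 14},
            {"DBInstanceIdentifier": "dev-db", "Environment": "development",
             "MultiAZ": False, "BackupRetentionPeriod": 1}],
}

if __name__ == "__main__":
    for domain, check, ok in run_checks(SAMPLE_EXPORT):
        print(f"{'PASS' if ok else 'FAIL'}  {domain}  {check}")
```

Against the sample export the script flags the trail without log file validation, the unrotated customer key and the 14-day backup retention, which is the kind of per-control pass/fail record a Type 2 auditor expects to see over time.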
Evidence collection: the biggest audit bottleneck
The hardest part of a C5 audit is not the controls themselves — it is collecting evidence that they work. Auditors need configuration exports, log samples, access review records, and more. Manual collection takes weeks.
ConformScan automates evidence collection by running 193+ checks against your AWS infrastructure and generating a structured PDF report mapped to BSI C5 control domains. You get:
- Pass/fail status for every C5-relevant control
- Timestamped scan history for Type 2 audit evidence
- German-language reports accepted by BSI-certified auditors
- Remediation code (Terraform/CLI) for every finding
Timeline: how long does a C5 audit take?
- Preparation: 2-6 months (documentation, gap remediation)
- Type 1 assessment: 2-4 weeks
- Type 2 assessment period: 6-12 months of evidence collection
- Auditor review and reporting: 4-8 weeks
Starting automated scanning early gives you a continuous evidence trail — making Type 2 assessment much faster and cheaper.
BSI C5 vs ISO 27001 vs NIS2
These frameworks overlap significantly. BSI C5 aligns closely with ISO 27001 Annex A controls and satisfies most NIS2 Article 21 requirements. Companies pursuing all three can use ConformScan's cross-framework scanning to identify gaps across all standards simultaneously.
Ready to check your infrastructure?
1 free scan/month · No credit card · Results in under 2 minutes · Hosted in Germany