
Cloud Computing Compliance Controls Catalog (C5)

Find out how Azure, Azure Government, and Azure Germany demonstrated proof of compliance with the Cloud Computing Compliance Controls Catalog (C5).

Microsoft and C5

Microsoft cloud services are audited at least annually against SOC 2 (AT Section 101) standards. According to BSI, a C5 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit results for overlapping controls. Microsoft Azure, Azure Government, and Azure Germany maintain a combined report (C5, SOC 2 Type 2, CSA STAR Attestation) based on the audit assessment performed by an independent auditor, which demonstrates proof of compliance with C5.

Microsoft in-scope cloud services

  • Azure, Azure Government, and Azure Germany detailed list
  • Office 365 Germany

C5 Overview

In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Controls Catalog (C5). C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

The purpose of the C5 catalog of requirements is to provide a consistent security framework for certifying cloud service providers and to give their customers assurance that their data will be managed securely.

C5 is based on internationally recognized IT security standards like ISO/IEC 27001:2013, the Cloud Security Alliance Cloud Controls Matrix 3.0.1, and BSI’s own IT-Grundschutz Catalogues. The catalog consists of 114 requirements across 17 domains—for example, the organization of information security and physical security—with security requirements basic to all cloud service providers, and additional requirements for processing highly confidential data and situations requiring high availability.

The BSI also puts emphasis on transparency. As part of an audit, the cloud provider must include a detailed system description and disclose environmental parameters like jurisdiction and data processing location, provision of services, and other certifications issued to the cloud services, and information about the cloud provider’s disclosure obligations to public authorities. This helps potential cloud customers decide whether the cloud services meet their essential requirements such as compliance with legal requirements like data protection, company policies, or the ability to address the threat of industrial espionage.


Frequently asked questions


Yes. You may use the attestation of Microsoft cloud services as the foundation for any program or initiative that requires C5. However, you will need to achieve your own C5 attestation for components outside or built on top of these services.

IT-Grundschutz supplies the specific methodology to help organizations identify and implement security measures for IT systems and is one of the elements upon which the C5 standards are built. C5 provides a set of audit standards for cloud service providers but leaves the details of implementation up to the cloud service provider.

Microsoft Cloud Germany is physically based in Germany, adhering to the requirements of German privacy law, which limits the transfer of personal data to other countries and offers protection against access by authorities from other jurisdictions who could violate domestic laws. Azure Germany delivers Azure services from German datacenters with data residency in Germany, and it delivers strict data access and control measures provided through a unique data trustee model governed under German law.
