C5 (Germany)
Cloud Computing Compliance Criteria Catalogue by BSI Germany
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (38)
Asset Management
C5 (Germany): Cloud Governance
Governance of cloud security (C5 (Germany))
C5 (Germany): Cloud Infrastructure Security
Securing cloud infrastructure (C5 (Germany))
C5 (Germany): Cloud Operations & Monitoring
Operating and monitoring cloud securely (C5 (Germany))
C5 (Germany): Data Protection in Cloud
Protecting data in cloud services (C5 (Germany))
C5 (Germany): Identity & Access in Cloud
Identity management in cloud environments (C5 (Germany))
C5: Asset Management
| Code | Title |
|---|---|
| C5-AM-01 | Asset Inventory |
| C5-AM-02 | Acceptable Use and Safe Handling of Assets Policy |
| C5-AM-03 | Commissioning of Hardware |
| C5-AM-04 | Decommissioning of Hardware |
| C5-AM-05 | Commitment to Permissible Use, Safe Handling and Return of Assets |
| C5-AM-06 | Asset Classification and Labelling |
C5: Business Continuity Management
| Code | Title |
|---|---|
| C5-BCM-01 | Top management responsibility |
| C5-BCM-02 | Business impact analysis policies and instructions |
| C5-BCM-03 | Planning business continuity |
| C5-BCM-04 | Verification, updating and testing of the business continuity |
C5: Communication Security
| Code | Title |
|---|---|
| C5-COS-01 | Technical safeguards |
| C5-COS-02 | Security requirements for connections in the Cloud Service Provider's network |
| C5-COS-03 | Monitoring of connections in the Cloud Service Provider's network |
| C5-COS-04 | Cross-network access |
| C5-COS-05 | Networks for administration |
| C5-COS-06 | Segregation of data traffic in jointly used network environments |
| C5-COS-07 | Documentation of the network topology |
| C5-COS-08 | Policies for data transmission |
C5: Compliance
| Code | Title |
|---|---|
| C5-COM-01 | Identification of applicable legal, regulatory, self-imposed or contractual requirements |
| C5-COM-02 | Policy for planning and conducting audits |
| C5-COM-03 | Internal audits of the information security management system |
| C5-COM-04 | Information on information security performance and management assessment of the ISMS |
C5: Control and Monitoring of Service Providers and Suppliers
| Code | Title |
|---|---|
| C5-SSO-01 | Policies and instructions for controlling and monitoring third parties |
| C5-SSO-02 | Risk assessment of service providers and suppliers |
| C5-SSO-03 | Directory of service providers and suppliers |
| C5-SSO-04 | Monitoring of compliance with requirements |
| C5-SSO-05 | Exit strategy for the receipt of benefits |
C5: Cryptography and Key Management
| Code | Title |
|---|---|
| C5-CRY-01 | Policy for the use of encryption procedures and key management |
| C5-CRY-02 | Encryption of data for transmission (transport encryption) |
| C5-CRY-03 | Encryption of sensitive data for storage |
| C5-CRY-04 | Secure key management |
C5: Dealing with Investigation Requests from Government Agencies
| Code | Title |
|---|---|
| C5-INQ-01 | Legal Assessment of Investigative Inquiries |
| C5-INQ-02 | Informing Cloud Customers about Investigation Requests |
| C5-INQ-03 | Conditions for Access to or Disclosure of Data in Investigation Requests |
| C5-INQ-04 | Limiting Access to or Disclosure of Data in Investigation Requests |
C5: Human Resources
| Code | Title |
|---|---|
| C5-HR-01 | Verification of qualification and trustworthiness |
| C5-HR-02 | Employment terms and conditions |
| C5-HR-03 | Security training and awareness programme |
| C5-HR-04 | Disciplinary measures |
| C5-HR-05 | Responsibilities in the event of termination or change of employment |
| C5-HR-06 | Confidentiality agreements |
C5: Identity and Access Management
| Code | Title |
|---|---|
| C5-IDM-01 | Policy for user accounts and access rights |
| C5-IDM-02 | Granting and change of user accounts and access rights |
| C5-IDM-03 | Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins |
| C5-IDM-04 | Withdraw or adjust access rights as the task area changes |
| C5-IDM-05 | Regular review of access rights |
| C5-IDM-06 | Privileged access rights |
| C5-IDM-07 | Access to cloud customer data |
| C5-IDM-08 | Confidentiality of authentication information |
| C5-IDM-09 | Authentication mechanisms |
C5: Operations
| Code | Title |
|---|---|
| C5-OPS-01 | Capacity Management - Planning |
| C5-OPS-02 | Capacity Management - Monitoring |
| C5-OPS-03 | Capacity Management - Controlling of Resources |
| C5-OPS-04 | Protection Against Malware - Concept |
| C5-OPS-05 | Protection Against Malware - Implementation |
| C5-OPS-06 | Data Backup and Recovery - Concept |
| C5-OPS-07 | Data Backup and Recovery - Monitoring |
| C5-OPS-08 | Data Backup and Recovery - Regular Testing |
| C5-OPS-09 | Data Backup and Recovery - Storage |
| C5-OPS-10 | Logging and Monitoring - Concept |
| C5-OPS-11 | Logging and Monitoring - Metadata Management Concept |
| C5-OPS-12 | Logging and Monitoring - Access, Storage and Deletion |
| C5-OPS-13 | Logging and Monitoring - Identification of Events |
| C5-OPS-14 | Logging and Monitoring - Storage of the Logging Data |
| C5-OPS-15 | Logging and Monitoring - Accountability |
| C5-OPS-16 | Logging and Monitoring - Configuration |
| C5-OPS-17 | Logging and Monitoring - Availability of the Monitoring Software |
| C5-OPS-18 | Managing Vulnerabilities, Malfunctions and Errors - Concept |
| C5-OPS-19 | Managing Vulnerabilities, Malfunctions and Errors - Penetration Tests |
| C5-OPS-20 | Managing Vulnerabilities, Malfunctions and Errors - Measurements, Analyses and Assessments of Procedures |
| C5-OPS-21 | Involvement of Cloud Customers in the Event of Incidents |
| C5-OPS-22 | Testing and Documentation of known Vulnerabilities |
| C5-OPS-23 | Managing Vulnerabilities, Malfunctions and Errors - System Hardening |
| C5-OPS-24 | Separation of Datasets in the Cloud Infrastructure |
C5: Organisation of Information Security
| Code | Title |
|---|---|
| C5-OIS-01 | Information Security Management System (ISMS) |
| C5-OIS-02 | Information Security Policy |
| C5-OIS-03 | Interfaces and Dependencies |
| C5-OIS-04 | Segregation of Duties |
| C5-OIS-05 | Contact with Relevant Government Agencies and Interest Groups |
| C5-OIS-06 | Risk Management Policy |
| C5-OIS-07 | Application of the Risk Management Policy |
C5: Physical Security
| Code | Title |
|---|---|
| C5-PS-01 | Physical Security and Environmental Control Requirements |
| C5-PS-02 | Redundancy model |
| C5-PS-03 | Perimeter Protection |
| C5-PS-04 | Physical site access control |
| C5-PS-05 | Protection from fire and smoke |
| C5-PS-06 | Protection against interruptions caused by power failures and other such risks |
| C5-PS-07 | Surveillance of operational and environmental parameters |
C5: Portability and Interoperability
| Code | Title |
|---|---|
| C5-PI-01 | Documentation and safety of input and output interfaces |
| C5-PI-02 | Contractual agreements for the provision of data |
| C5-PI-03 | Secure deletion of data |
C5: Procurement, Development and Modification of Information Systems
| Code | Title |
|---|---|
| C5-DEV-01 | Policies for the development/procurement of information systems |
| C5-DEV-02 | Outsourcing of the development |
| C5-DEV-03 | Policies for changes to information systems |
| C5-DEV-04 | Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools |
| C5-DEV-05 | Risk assessment, categorisation and prioritisation of changes |
| C5-DEV-06 | Testing changes |
| C5-DEV-07 | Logging of changes |
| C5-DEV-08 | Version Control |
| C5-DEV-09 | Approvals for provision in the production environment |
| C5-DEV-10 | Separation of environments |
C5: Product Safety and Security
| Code | Title |
|---|---|
| C5-PSS-01 | Guidelines and Recommendations for Cloud Customers |
| C5-PSS-02 | Identification of Vulnerabilities of the Cloud Service |
| C5-PSS-03 | Online Register of Known Vulnerabilities |
| C5-PSS-04 | Error handling and Logging Mechanisms |
| C5-PSS-05 | Authentication Mechanisms |
| C5-PSS-06 | Session Management |
| C5-PSS-07 | Confidentiality of Authentication Information |
| C5-PSS-08 | Roles and Rights Concept |
| C5-PSS-09 | Authorisation Mechanisms |
| C5-PSS-10 | Software Defined Networking |
| C5-PSS-11 | Images for Virtual Machines and Containers |
| C5-PSS-12 | Locations of Data Processing and Storage |
C5: Security Incident Management
| Code | Title |
|---|---|
| C5-SIM-01 | Policy for security incident management |
| C5-SIM-02 | Processing of security incidents |
| C5-SIM-03 | Documentation and reporting of security incidents |
| C5-SIM-04 | Duty of the users to report security incidents to a central body |
| C5-SIM-05 | Evaluation and learning process |
C5: Security Policies and Instructions
| Code | Title |
|---|---|
| C5-SP-01 | Documentation, communication and provision of policies and instructions |
| C5-SP-02 | Review and Approval of Policies and Instructions |
| C5-SP-03 | Exceptions from Existing Policies and Instructions |
Frequently Asked Questions
What is C5 (Germany)?
C5 (Germany) is the Cloud Computing Compliance Criteria Catalogue published by BSI Germany, a compliance framework with 38 domains and 121 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does C5 (Germany) have?
C5 (Germany) has 121 controls organised across 38 domains. The largest domains are C5: Operations (24 controls), C5: Product Safety and Security (12 controls) and C5: Procurement, Development and Modification of Information Systems (10 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does C5 (Germany) map to?
C5 (Germany) maps to 3 other compliance frameworks. The top mapping partners are ISO 27001:2022 (23% coverage), SOC 2 (22% coverage) and ISO 27017 (7% coverage). Use the comparison tool to explore control-level mappings between frameworks.
How do I get started with C5 (Germany) compliance?
Start your C5 (Germany) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about C5 (Germany) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 121 controls and track your progress.