Cloud Computing Compliance Controls Catalog (C5) by the Federal Office for Information Security

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) Cloud Computing Compliance Controls Catalog (C5) certification provides companies with a competitive edge, proving that their security protocols are among the most robust and reliable on the market. This certification also helps to demonstrate compliance with any legal or regulatory requirements that may apply to a company’s operations. As a result, it’s an integral part of any comprehensive security program and is essential for companies wanting to protect their data, systems, and reputation.

BSI C5 certification is difficult to obtain due to its stringent requirements and the significant amount of resources required to ensure compliance. Fortunately, we can help make the lengthy certification process more efficient to achieve Germany’s highest level of security compliance. Trust Us to Get You There.

Contact Us Now

38North Is Your Expert BSI C5 Advisor

38North is recognized as an expert security organization for Germany’s compliance certification process. We prepare organizations to tackle the C5 — working side-by-side with them throughout the full process.

A little or a lot, we can provide guidance — or help with documentation development, gap analyses, and security engineering — to help you achieve your BSI C5.

Our Advisory Process

The BSI C5 Process

The German BSI C5 certification is one of the most difficult security certifications to obtain due to its stringency. It requires an extensive audit, testing and assessment of existing information systems as well as new implementations to ensure that they are able to withstand multiple attack scenarios. Furthermore, the German BSI C5 certification involves a lot of manual labor in terms of process analysis, security reviews, and the implementation of additional controls. No matter where you are in your C5 process, 38North can make certification easier. ‌Talk with one of our BSI C5 experts.

Self-Evaluation

BSI sets out criteria for evaluation based on five key areas: system architecture, data management and protection, authentication and authorization, network protection, and system operation. Let 38North take care of the self-evaluation for you in preparation for the audit.

Audit

The German BSI C5 certification process is carried out by accredited German BSI auditors. Auditors assess the system’s security levels according to the German standards and guidelines for secure IT systems that have been established by BSI. Additionally, audits require a full examination of the system architecture, as well as a review of networks, protocols and security measures. 38North partners with German BSI auditors who have a long history of expert in-country security services.

Committee Evaluation

BSI reviews the auditor’s findings to determine whether or not German C5 certification can be awarded.

Certification

Finally, German C5 certification is granted upon successful completion of all the previous steps.

BSI C5 Certification Challenges

Companies must also implement comprehensive policies and procedures to ensure their systems remain secure over time. To pass German BSI C5 certification, companies must demonstrate an exceptionally high level of security protocols that are enforced by regularly conducting ongoing monitoring activities.

Scoping

Contractors must have a detailed understanding of their business and risk posture to properly scope their cybersecurity practices to meet the requirements of the BSI C5 certification process. An incomplete plan can result in an C5 audit showing the implementation of controls is neither appropriate nor effective across the environment.

Expertise

Many in-house teams are challenged to understand Germany’s complex security standards and frameworks. Along with extensive knowledge needed of how Germany’s requirements are applied. 38North is one of the few companies in the United States that partners with certified BSI auditors that have a long history of expert in-country security services.

Continuous Maturity

In order to maintain certification, applicants must ensure all their practices are consistently compliant to current and updated standards. BSI C5 certifications must be renewed every three years in order to remain valid.

38North BSI C5 Certification Services

38North can help you with your BSI C5, no matter where you are in the process.

BSI C5 Scoping

We start by helping you understand what data you have that must be protected and at which level. This lets us know what assets are in scope, and excludes those that aren’t.

BSI C5 Workshops

Our workshops get you started — with BSI C5 training and consulting. We also help you understand IRAP confusion by using Australian Federal Government practices to design systems and approaches that will withstand BSI C5 audits.

BSI C5 Gap Analysis

Gap analyses help cloud providers and contractors understand what they need to do to comply with the BSI C5. Our BSI C5 gap analysis will find your gaps against the varying levels and deliver a prioritized roadmap of actions required to close gaps and ensure a clean audit.

BSI C5 Advisory Support

38North’s senior security advisors can help you design, deploy, document and maintain a scalable security approach that meets your desired BSI C5 level. We can also help you plan for a more secure future by laying the groundwork for achieving higher security maturity levels.

BSI C5 Remediation Support

If you must remediate findings from the assessment, 38North is your team to help. We will assist or lead in the planning, development, and implementation of remedial measures to get you back on track quickly.

Get Started Now

Your BSI C5
Certification Starts Here

Book an initial BSI C5 conversation with one of our German cloud security experts today and we’ll help you achieve your goal of BSI C5 compliance — and stronger security.

Contact Us

Name(Required)

First Name Last Name

Company Name

Email Address

Phone Number

Message

(Please do not provide additional PII in this box)

Comments

This field is for validation purposes and should be left unchanged.