What is the difference between the C5:2020 and IT-Grundschutz catalogues?

C5:2020 is a BSI auditing standard that establishes a mandatory minimum basis for cloud security and the adoption of public cloud solutions by German government agencies and organisations working with the government. IT-Grundschutz provides the specific methodology to help organisations identify and implement security measures for IT systems, and is one of the elements that provides the basis of the C5:2020 standard.

C5

Q: Does the OVHcloud SOC 2 Type 2 attestation also include German C5:2020 compliance?

Yes. A C5:2020 audit can be combined with an SOC 2 audit so that parts of the system description and audit results can be used for overlapping controls.

C5 - Cloud Computing Compliance Controls Catalogue

C5 - Cloud Computing Compliance Criteria Catalogue

The Cloud Compliance Criteria Catalogue (C5), created by the German Federal Office for Information Technology Security (BSI), certifies that cloud service providers are offering the highest level of security. It helps organisations demonstrate their operational security against common cyber attacks when using cloud services within the context of the German Government's “Security Recommendations for Cloud Providers”. According to the most recent certificate, OVHcloud fulfils all the requirements of this catalogue.

German standards covered

IDW RS FAIT 5 04.11.2014: “Generally accepted accounting principles for the outsourcing of accounting-related services, including cloud computing”, version dated 4 November 2014
BSI IT-Grundschutz Catalogues, 14th version 2014
BSI SaaS Sicherheitsprofile 2014 [BSI SaaS Security Profiles 2014]

International standards covered

ISO/IEC 27001:2013 (ISO - International Organization for Standardization)
CSA Cloud Controls Matrix 3.01 (CSA - Cloud Security Alliance)
AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)

Would you like more information, or to place an order?

You can request a free callback from an OVHcloud advisor.

Get a callback

C5-Contrôles_de_Conformité_du_Cloud_Computing

C5 - Cloud Computing Compliance Controls

The German Federal Office for Information Technology Security (BSI) created the Cloud Computing Compliance Controls Catalogue (C5) as an audit standard. This standard was last updated in 2020. For OVHcloud customers and partners, C5 certification can be used to prove and attest that a platform complies with the relevant security controls. C5 adds a regulation-defined IT Security level that is equivalent to the IT-Grundschutz, with the addition of cloud specific controls.

Find out more about the C5 criteria

federal_office_for_information_security-c5

Parameters and certificates

The requirements analysed as part of the C5 certification process include environmental parameters. As the BSI explains on its website: “They provide information on the data location, provision of services, jurisdiction, certifications, and duties of investigation and disclosure to government agencies and contain a system description [...] The resulting transparency makes it possible for potential cloud customers to decide whether legal regulations (such as data protection), the customers’ own policies or potential threats relating to industrial espionage make the usage of the respective cloud service seem appropriate.”

Find out more about the BSI

SOC 2 Type 2 reports

According to Section 3.3 of C5:2020 - Connection to other audits, a C5: 2020 audit can be combined with a SOC 2 audit so that parts of the system description and audit results can be reused for overlapping controls. OVHcloud provides its customers with a SOC 2 Type 2 certificate based on an independent audit rigorously conducted by the American Institute of Certified Public Accountants (AICPA) - AICPA SSAE 16 or ISAE 3402 Type 2 certificate for the control of security, availability and confidentiality.

OVHcloud SOC reports and attestations

Additional services

Certifications and reports

Our customers can request access to our certifications and reports. They may also obtain documents relating to our certifications under certain conditions.

On-site audits

We only authorise audits carried out by third parties for the purpose of certifying all relevant parties. Contact our sales department to access this type of service.