Transparency and security: C5 attestation for Cloud providers

“Cloud computing is a key component of digitisation”, says Arne Schönbohm, President of the German Federal Office for Information Security (BSI). BSI has set up a requirements catalogue for Cloud Computing (C5) that defines the minimum parameters a Cloud provider must meet to offer adequate information security with regard to statutory provisions (e.g. data protection) and the guidelines of an organisation, and to be able to assess the risk of corporate espionage through the use of a Cloud service.

Fabasoft passes what is probably the toughest Cloud security audit on the market

In March 2017, Fabasoft was the first European provider of Cloud services to be awarded the attestation according to the requirements of the Cloud Computing Compliance Controls Catalogue (“C5”) of BSI. The attestation was issued by KPMG Alpen-Treuhand GmbH Wirtschaftsprüfungs- und Steuerberatungsgesellschaft. Klaus Schatz, Managing Director of KPMG Austria, explains: “Cloud service providers are becoming more and more heterogeneous. It is therefore all the more important for customers to be able to assess the security promises made by Fabasoft. C5 provides the defined regulatory IT security level which is comparable to the IT baseline protection enhanced by Cloud controls.”

A new benchmark for Cloud security

Up until now, many different security recommendations, standards and certificates have been on the market, but there has been no generally acknowledged guideline relating to the security of Cloud services. Organisations have therefore hardly been able to assess whether a Cloud service is offering the required security.
In an audit according to the C5 requirements catalogue, BSI checks the so-called “surrounding parameters”. These parameters provide information on important aspects of the Cloud services such as data location, service provisions, jurisdiction, certifications as well as determination and disclosure obligations towards public authorities. They also comprise a system description. C5 is the first security standard to consider these parameters.

Based on the results of a successful BSI Cloud requirements audit, potential Cloud customers can now draw on a level of transparency that has never been available before. The audit also helps to compare the services of the constantly growing number of Cloud providers. BSI President Arne Schönbohm highlights the significance of this attestation: “With C5, BSI has issued an IT security standard that sets new market standards as the benchmark of cyber security in Cloud computing.”
Fabasoft is the first European provider of Cloud services to be awarded the attestation according to the C5 requirements catalogue (Cloud Computing Compliance Controls Catalogue, “C5”) issued by the German Federal Office for Information Security.