Legal regulations are increasing in every industry, and keeping up with compliance obligations is only feasible with digitalization and automation. The range of software products aimed at this need is growing accordingly, which in turn makes it harder to choose the right tool.
The advantages of cloud software are well known: a single source of truth that authorized users can reach at any time, regardless of the device they are using. In Europe, extensive regulatory requirements apply in this area, particularly with regard to data protection and IT security, for both cloud service providers (CSPs) and their customers (cloud users). Compliance with these requirements is demonstrated by internationally recognized audit reports and certificates.
But what exactly are certifications, and what has to be taken into account given the wide range of "conformance testing"[1] schemes that exist? Which standards or requirements do they cover, what is their scope (systems, processes, products and services, compliance, etc.[2]), and how are the audits conducted?
Relevance and advantages of certifications
The term "certification"[3] refers to an audit procedure in which an independent external body checks and ultimately confirms that a person, organization, product, service, or process meets defined requirements. These criteria are laid down in internationally recognized norms and standards, including the ISO (International Organization for Standardization)[4] standards and the ISAE (International Standards on Assurance Engagements)[5] series. To verify compliance on an ongoing basis, regular reviews are carried out in the form of surveillance audits and recertifications.
Audit reports and certificates offer a number of advantages for the audited companies and their customers or partners[6]: they not only provide evidence of compliance but also improve efficiency and reduce legal and liability risk. In addition, they open up competitive advantages and new business opportunities, contribute to a positive image, and create a solid basis of trust.
Security audits according to ISO and ISAE: An overview
With regard to data and information security, ISO certificates on the one hand and ISAE audit reports on the other attest to the conformity, i.e., compliance, of a cloud provider or its products and services, but only for the scope defined in the certificate or report[7]. Checking that scope carefully is an important step when selecting a CSP and cloud software: a certified data center, for example, does not automatically mean that the software products or cloud services operated in it are covered.
Generally, independent certification bodies – such as CIS (Certification & Information Security Services GmbH), Quality Austria Certification GmbH, TÜV Austria (Technical Inspection Association), or DQS (German Society for the Certification of Quality Assurance Systems) – evaluate management systems as part of ISO audits. Auditing companies – such as KPMG (KPMG Alpen-Treuhand GmbH Wirtschaftsprüfungs- und Steuerberatungsgesellschaft) or PwC (PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft) – assess the implementation and effectiveness of internal control systems (ICS) in accordance with ISAE.
The following management system and control audits are particularly relevant as evidence of high security and data protection standards in cloud computing: the ISO 27001 certificate, the C5 attestation based on the catalog issued by the German Federal Office for Information Security (BSI), and the EU Cloud Code of Conduct, Level 3.
ISO 27001 information security management systems (ISMS)
ISO 27001 is the leading international standard for the planning, implementation, review, and continuous improvement of an information security management system (ISMS)[8] in organizations of all sizes and industries. An ISO 27001 certificate covers exactly the scope stated on it; that may be the entire company including its product and service portfolio, or only particular sites, business units, or services. The scope statement (and, where available, the Statement of Applicability) should therefore be read before relying on a certificate.
The requirements cover risk analysis and assessment of information processing, the implementation of security controls, and the ongoing improvement of the ISMS. The aim is to protect the confidentiality, integrity, and availability of information, including sensitive and personal data, and to minimize the risk of security incidents[9].
Auditors of an accredited certification body verify compliance with the requirements in an optional pre-audit, the certification audit, and annual surveillance audits. The certification audit has two stages: stage 1 reviews the documentation and readiness of the management system, and stage 2 assesses whether the management processes are implemented and effective in practice. The certification body evaluates the audit results and issues the certificate, which is valid for three years; recertification every three years, together with the annual surveillance audits, continuously demonstrates compliance with the requirements.
Fabasoft was awarded ISO 27001 certification in June 2008 and ISO 27018 certification in 2015, and successfully passed the ISO 27001:2022 surveillance audit (including ISO 27018:2019) conducted by CIS – Certification & Information Security Services GmbH in November 2024. ISO/IEC 27018 is a code of practice for the protection of personally identifiable information (PII) by public cloud providers acting as PII processors; it is audited as an extension of an ISO 27001 certification rather than as a stand-alone certificate. Providers take on substantial obligations regarding notification, information, transparency, and burden of proof in order to build trust with clients and public institutions concerning the processing of personal data in the cloud. The scope covers the development and sale of software products, cloud services, SaaS applications, and appliances, as well as the provision of related services at all locations of the entire Fabasoft Group.
Cloud Computing Compliance Criteria Catalogue (C5)
C5, the Cloud Computing Compliance Criteria Catalogue issued by the German Federal Office for Information Security (BSI), is a catalog of criteria[10] setting out minimum requirements for cloud providers with regard to the IT security and transparency of their cloud services. A C5 attestation does not cover a CSP or its entire infrastructure as a whole, but only the audited cloud services in the specified geographical regions[11].
First published in 2016 and revised in 2020, the catalog currently comprises 121 criteria in 17 sections, including physical security (access control, fire protection, etc.), communication security, identity and access management, and business continuity management. The criteria are divided into basic criteria, which every audited service must meet, and additional criteria that a provider can opt into for higher assurance; a report should be read with this distinction in mind.
The audit is based on the international ISAE 3000 standard and is conducted by independent auditing firms. It focuses on the cloud service provider's internal control system for maintaining information security. A Type 1 report assesses whether the controls are suitably designed and implemented at a point in time, while a Type 2 report additionally assesses whether they operated effectively over a past, completed period, typically the preceding twelve months; the audits are usually repeated annually. When reviewing a C5 report, a customer should check the report type, the audit period, the exact list of services and regions in scope, and any exceptions or deviations the auditor has noted.
Fabasoft was the first European cloud service provider to receive a BSI C5 attestation, in 2017, and has since demonstrated compliance with high security standards in cloud computing at the prescribed intervals. In 2025, PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, Germany, once again confirmed Fabasoft's compliance and its commitment to data protection and IT security. The final audit results are documented in an ISAE audit report. The attestation applies to the Fabasoft Cloud and all currently available solutions based on it, as well as to Mindbreeze InSpire SaaS.
EU Cloud Code of Conduct, Level 3
The EU Data Protection Code of Conduct for Cloud Service Providers, or EU Cloud Code of Conduct (EU Cloud CoC), is a code of conduct for the European cloud industry whose priority is the consistent, uniform application of European data protection law as laid down in the General Data Protection Regulation (GDPR, Articles 28 and 40)[12]. CSPs of all sizes and sectors can join, with different membership options available[13]. Developed by SCOPE Europe in collaboration with cloud providers and EU authorities, it covers the full spectrum of cloud services: software (SaaS), platform (PaaS), and infrastructure (IaaS).
The Code contains provisions on the GDPR-compliant processing of personal data (data protection) and on the implementation of appropriate technical and organizational measures (security requirements). It also describes the mechanisms for monitoring compliance and the internal structures and processes for implementation (internal governance)[14]. The requirements of the EU Cloud CoC are defined in a control catalog.
As the independent monitoring body, SCOPE Europe assesses and confirms compliance with the Code annually. Cloud providers can document their compliance at one of three levels: Level 1 is based on an internal confirmation by the CSP, which is validated by the external monitoring body. Level 2 requires official conformity assessments from security audits in addition to the internal assessment. Level 3, the highest attainable level, is based entirely on internationally recognized attestations and certificates[15].
With the "Fabasoft Cloud" Fabasoft is the first company in the world to reach the third and highest compliance level – Level 3 of the EU Cloud Code of Conduct.
Cloud compliance opens up new business opportunities
Data protection and IT security are inextricably linked to the digitalization and automation that increasing regulation in all industries demands. Cloud computing has proven useful here and has become established.
In Europe, strict security standards apply to cloud providers and users. Some of these requirements are legally binding, such as the GDPR obligations on which the EU Cloud CoC is based, which is why international certifications, attestations, and codes of conduct matter as proof of conformity. They document a cloud service provider's commitment within the specified scope and give private companies and public administrations reliable orientation when selecting cloud software and services. In particular, the ISO 27001 certificate, the C5 attestation based on the BSI catalog, and the EU Cloud Code of Conduct, Level 3 demonstrate cloud compliance and open up competitive advantages and new business opportunities.
P.S.: Fabasoft software products and cloud services have been awarded numerous international certifications and attestations for their reliability, data and data center security, and accessibility. Details are listed on the Fabasoft website.
[1] https://www.austrian-standards.at/de/shop/din-en-iso-iec-17000-2020-09~p2547111 ; https://en.wikipedia.org/wiki/Conformance_testing
[2] https://www.dgq.de/fachbeitraege/das-audit-kurz-und-kompakt-erklaert/
[3] https://en.wikipedia.org/wiki/Certification
[4] https://www.iso.org/home.html
[5] https://de.wikipedia.org/wiki/International_Standards_for_Assurance_Engagements
[6] https://www.din-iso-zertifizierung-qms-handbuch.de/zertifizierung/
[7] https://pwc-cert.com/wp-content/uploads/2017/07/PwC-Certification-Services-GmbH-Infoblatt-Auditierung-und-Zertifizierung-2.0.pdf
[8] https://www.dqsglobal.com/de-de/zertifizieren/iso-27001-zertifizierung ; https://www.iso.org/standard/27001
[9] https://www.secjur.com/blog/isms-zertifizierung
[10] https://www.bsi.bund.de/dok/13368652
[11] https://www.bsi.bund.de/dok/C5-FAQ
[12] https://eucoc.cloud/en/home
[13] https://eucoc.cloud/en/participate/membership-options/
[14] https://www.edpb.europa.eu/system/files/2024-02/eucloudcoc.pdf
[15] https://eucoc.cloud/en/public-register/levels-of-compliance