How to Prepare for Your C5 Examination: 5 Tips

This blog was originally published by Schellman here.

It was once remarked that “there are no rules of architecture for a castle in the clouds.”

Well, those of us in cloud services and compliance know that’s not the case at all. With the growing appeal of the cloud in the digital landscape, regulations have expanded so that information in clouds is adequately protected.

Several standards address cloud security—being assessed against ISO 27018, NIST CSF, FedRAMP, and others can help provide a certain level of assurance to customers that your cloud is well-defended.

But if you are a cloud service provider (CSP) with European customers, have offices in the European Union (EU), or if you are simply a company that seeks to find a comprehensive cloud computing control framework, we would also like you to meet C5.

Before you add it to your list of possible compliance initiatives, it would likely help to understand what exactly C5 is, and that’s what we’re going to detail in this article. Read on to understand better what C5 is and how you would need to prepare for a hypothetical assessment. Thereupon you’ll be more informed when deciding how your organization should proceed.

What is C5?

C5 is a convenient acronym—it stands for the Cloud Computing Compliance Criteria Catalogue.

• A few years ago, the Federal Office for Information Security (Bundesmat fur Sicherheit in der Informationstechnik, or “BSI”) in Germany was becoming increasingly concerned about the ever-growing need to consider information security in the cloud computing world.
• First published in 2016, C5 was their response. Rather than completely reinventing the wheel, BSI pulled from existing reputable frameworks and standards before then tacking on the controls that it felt established a foundation for a secure cloud service offering.
• C5’s baseline of security controls is an attempt to help develop transparent and trusted relationships between CSPs and cloud customers.

So what comprises this C5 catalogue? For the foundational standards, C5 pulls controls from:

• International Organization for Standardization (ISO) 27001;
• ISO 27002;
• ISO 27017; and
• The Cloud Control Matrix (CCM) of the Cloud Security Alliance (CSA).

During the initial construction of the standard, BSI also considered the Trust Services Criteria (TSC) established by the Association of International Certified Professional Accountants (AICPA) and the SecNumCloud established by the French Agence nationale de la sécurité des systèmes d'information.

Given this mixed bag of standards and frameworks that were taken into account, you’re probably thinking this sounds complicated—and you’re right. But as daunting as it may appear, the complexities of C5 can offer multiple benefits as well.

5 Tips for Organizations Considering C5 Attestation

C5 may be different in that it’s an aggregation of controls but other standards, but it does have at least one thing in common with other compliance initiatives—the need for thorough planning alongside your chosen auditor. That’s especially important if you’ve not yet completed a C5 audit.

1. Consider a Readiness Assessment.

• If you’ve not yet gone through a C5 attestation and don’t feel comfortable that you’re ready for the security requirements, a readiness or gap assessment is a great option.
• We recommend having the same firm perform both the readiness assessment and subsequent examination for the added advantages—it allows for familiarity with the system and processes to better prepare.
• Of course, you may have the resources to perform the readiness assessment internally. Review the standard itself to determine if you have sufficient resources that understand the requirements enough to determine if controls are in place to meet them. Even if you do, an external third party with specific expertise in this area can still prove beneficial.

2. Allow for Plenty of Time to Prepare and/or Remediate.

If you don’t opt for a readiness assessment:

• While the catalogue allows you to determine the requirements—both objectives and controls—that apply to you, the controls can be quite strict at times.
• Take time to read through and digest the controls to determine where you may have shortcomings and also where there may be flexibility in meeting a requirement.

If you do proceed with a readiness assessment:

• Once it’s complete, ensure that you have sufficient time for remediation before your examination date or review period starting date. Typically, the turnaround is not quick when having to design and implement requirements, so we recommend allowing at least two to three months for remediation.
• When doing so, ensure that controls are not only implemented but personnel is also trained on their responsibilities. For any requirements that do not apply to the scope, confirm the reasoning is fully documented for review by your auditor completing the examination.

3. Take Care in Choosing What Requirements to Be Assessed Against.

• You can decide whether you want to meet the ‘basic’ requirements of the catalogue of controls, or if you feel that the ‘additional’ requirements are necessary.
• BSI recommends working with your customers to determine which set of requirements would give them the assurance they need.

4. Choose a Qualified Assessor.

• When you’re ready to undergo a C5 examination, you need to understand the reporting requirements and secure a third party to perform your attestation that has the right qualifications.
• Your C5 assessor should have—at a minimum—professional experience with IT audits as a public audit firm or relevant certifications/examinations, such as Certified Information Systems Auditor (CISA), ISO 27001 Lead Auditor, or a Certificate of Cloud Security Knowledge (CCSK), among others.

5. Stay Vigilant Regarding Updates to the Standard.

• Since its publication in 2016, C5 has already been revised, and BSI plans to continue to update the catalogue periodically.
• It’s important to check the BSI website regularly to see if new control requirements have been added or modified.

Next Steps for Your C5 Examination

Though we’ve just finished outlining how you best can prepare for your C5 process, we should also mention your options regarding these controls if you already have a SOC 2 examination scheduled.

Because both SOC 2 and C5 requirements can be prepared together in accordance with the international audit standards ISAE 3000, you might consider performing both audits concurrently. Going through both at the same time would create more efficiencies with evidence during the process while yielding two separate reports that you would be able to leverage.

Depending on your resources and budget, this may make for an appealing option. To learn more, the BSI website has made helpful documents available to help map established standards/frameworks to controls defined in C5, and this includes mapping to SOC 2 criteria.