Pros and Cons of a C5 Examination

This blog was originally published by Schellman here.

Written by Kristen Wilbur, Schellman.

When Daenerys Targaryen made the decision to march north with Jon Snow in HBO’s Game of Thrones, she weighed the pros and the cons.

The pros? Possibly saving the world. The cons? Dying in a mass ice zombie attack.

Regardless of what you thought of that show over the course of its 10-year run, that decision by the Mother of Dragons was fairly straightforward. Not only are your circumstances likely less dire than hers, but your decision to press forward with a C5 examination is not as clear cut.

After all, there are a lot of compliance possibilities out there, so why choose this one?

Daenerys had her advisors and allies to break down her options—you have us. C5 is one of Schellman’s many services within our full suite, and having performed this attestation for several clients, we’ve come to understand how it matches up against your other compliance options.

In this article, we’ll share some of that insight that will help you weigh both sides of a C5. After reading our outline of the benefits and the drawbacks, your decision that may not seem open-and-shut right now will be made much easier.

What is C5?

We wrote an entire article detailing C5’s particulars, but for the sake of establishing a baseline, we’ll provide a brief overview here:

• Alongside the growing relevancy of cloud technology, concern regarding security and privacy also grew.
• Organizations moving to the cloud or that were considering doing so worried about how cloud service providers (CSPs) could help ensure data protection and service reliability.
• To help ease these apprehensions, C5 was created as a baseline of security controls developed by the Federal Office for Information Security in Germany, BSI.
• C5 stands for Cloud Computing Compliance Criteria Catalogue. Under this program, you can seek assistance from a third party to validate controls of potential cloud providers so that you’re better informed and more comfortable when selecting a CSP.

It’s important assurance to have. According to LogicMonitor’s Cloud 2025 study back in 2020, 87% of global IT decision-makers agree that the COVID-19 pandemic will cause organizations to accelerate their migration to the cloud.

That tells us that C5 becoming more and more relevant—but is it relevant for you?

What are the Benefits of a C5 Examination?

You might be saying this to yourself at this point—"there are many security frameworks available that will evaluate the same for CSPs.” But the C5 examination is particularly beneficial for both CSPs themselves and potential customers.

Let’s get into why.

You’ll be held to high security standards.

• C5’s security controls were actually purposefully designed to be difficult to meet in an attempt to help organizations avoid multiple, or possibly redundant, audits, or certifications.
• But by holding yourself to such high, comprehensive requirements, your organization can be that much more confident in its security.

There’s opportunity to increase trust and transparency with customers.

• Because they indicate a greater level of protection, those higher security standards will help you increase trust with customers.
• Knowing such rigorous requirements have been met helps prospects feel more comfortable, making them more likely to utilize those examined services for critical business or confidential data.
• But it’s not just about security. Upon completion, the C5 attestation report also provides transparency about exactly how the CSP is securing the service and the data it holds. With that information readily available, your customers can easily compare cloud providers’ security controls when scouting for services.

There’s some flexibility when you get started.

• Though the requirements within C5 could be considered difficult to meet with the bar so high, that doesn’t mean they’re absolutely stringent. There is flexibility available in a C5 audit, as you can choose to only include certain services or certain regions in your scope.
• For those just starting with C5 audits, this can make for much easier initial steps. You can take things a bit slower and get your feet wet rather than trying to apply the requirements to your entire organization and all services and regions immediately.

C5 is internationally accepted.

• Does your organization operate in several countries? You likely already understand the appeal of internationally accepted attestations and certifications then, which continue to become more and more appealing.
• C5 compliance makes particular sense if you offer cloud services in Germany, as it’s the home of BSI, who created the standard. (In fact, if you provide cloud services to German federal agencies, C5 compliance is actually required.) But you don’t need to be based in Germany to obtain a C5 attestation.
• German companies especially may consider C5 compliance an important factor when seeking services offered by cloud providers, but an attestation of C5 compliance can serve you well in other places as well. Many of the leading CSPs have opted to undergo C5 for this reason, despite many not being based or operating in Germany.

What are Common Drawbacks of the C5 Examination?

The benefits clearly speak for themselves, and it’s no wonder that there is growing demand for C5.

But, of course, there are still some sticky wickets that you may face when attempting to conform to the C5 requirements, and so that you have the full picture for consideration, here’s why.

C5’s requirement catalog is huge.

• We already noted how difficult the standard is, which is great when you meet the requirements, but when you’re actually going through the process, it can be overwhelming.
• That’s because of the sheer size of the catalogue, which includes 121 basic requirements across a total of 17 domains. Not only that, but when you drill down, it’s incredibly detailed, which makes it easier for things to slip through the cracks.
• We can think of a specific example—one of the seemingly more tricky C5 objectives focuses on the management of metadata. The basic premise is that any organization should be aware of the usage data that is maintained/collected from their systems. But this is a cloud standard, and naturally, there’s where most of the focus goes—onto cloud customer data and ensuring that logical security safeguards are in place there. But that means metadata is often forgotten or placed on the backburner.

C5’s requirements are prescriptive, particularly regarding documentation.

• C5 mandates that policies and procedures need to be recorded in a particular manner. You’ll be asked to provide a laundry list of details that include, but are not limited to, the following:
  • Your objective,
  • Your scope,
  • Roles and responsibilities, and
  • Steps for the execution of your security strategy.
• This kind of required detail is a reappearing theme within C5, and that additional step of documenting things in a stipulated manner within your established policies and procedures may become problematic or necessitate extra steps.

Moving Forward with Your C5 Attestation

While trying to win the Game of Thrones, Daenerys Targaryen had to do a lot of savvy maneuvering to work her way upwards. Much of her legend depended on making the right strategic moves, and the same goes for you. Trying to parse through the many different compliance options out there to find the best one for you will take work, but now you understand the pros and the cons of one—C5.

To understand some of your other, but similar options, check out our other content to become even more well-versed in the world of compliance:

• 5 Big Benefits to Getting ISO 27001 Certified
• What is the ISO 27001 Certification Process?
• CSA CCM v.3.01 vs v.4.0

About the Author

Kristen Wilbur is a Director at Schellman, with over 10 years of experience in providing IT attestation and compliance services. Kristen has evaluated risk and controls for Global 1000, Fortune 500, and regional companies during the course of her career with a strong focus in the technology sector. Kristen currently leads the New York City practice at Schellman where she specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In her portfolio she also oversees large scale engagements that include assessments around FedRAMP, HITRUST, and Privacy. Kristen has a strong passion for giving back and recently helped to establish the corporate social responsibility program at Schellman called SchellmanCARES.