IBM Cloud VPC and PaaS services completed assessment for Cloud Computing Compliance Controls Catalog (C5) for all public global MZR data centers.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) launched the Cloud Computing Compliance Controls Catalog (C5) in 2016 (C5:2016) as a certification framework and basic security criteria for cloud service providers (CSPs) used by public sector organizations in Germany. An updated catalog version was published in 2020 (C5:2020).

Government/public sector agencies in Germany are required to use C5-compliant CSPs for any cloud-based workloads. Private sector organizations are also adopting C5 as a baseline standard framework. Audits for C5 requirements by independent third-party assessors yield attestation reports. These reports detail the design and operating effectiveness of controls of the systems that CSPs utilize to process users’ data and how those controls meet the applicable C5 basic criteria.

C5 attestation reports share criteria, requirements and controls in common with SOC 2 and add additional unique control criteria. The audits are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information and represent a period of time during which controls were assessed.

C5 is based on IT security standards like ISO 27001, BSI IT-Grundschutz and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)—the basis for CSA STAR Level 1 Self-Assessments/CAIQs and Level 2 certifications. The BSI C5 framework aligns with the SecNumCloud standard in France and was a reference for the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cybersecurity (ENISA).

IBM Cloud and C5

IBM Cloud has expanded its C5 Type 2 certification scope to include Virtual Private Cloud (VPC) and Platform as a Service (PaaS) offerings across global, public multi-zone regions (MZRs) and data centers (DCs), building upon the previously existing IaaS Classic C5 attestation. C5 reports provide assurance and transparency to clients regarding how IBM Cloud helps address risks related to data protection, security and cyberattacks. IBM Cloud C5 reports help German public and private sector organizations accelerate their cloud transformation projects by reducing cost and due diligence assessments as they move workloads to IBM Cloud.

The C5 reports for the VPC and PaaS/Cloudant services listed below are protected and available upon request. Request C5 reports by contacting an IBM representative.

The following services are in scope in the VPC C5 report:

  • IBM Cloud Backup for VPC
  • IBM Cloud Block Storage for Virtual Private Cloud
  • IBM Cloud Block Storage Snapshots for VPC
  • IBM Cloud Direct Link Connect (2.0)
  • IBM Cloud Direct Link Dedicated (2.0)
  • IBM Cloud DNS Services
  • IBM Cloud Flow Logs for VPC
  • IBM Cloud Transit Gateway
  • IBM Cloud Virtual Private Cloud
  • IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  • IBM Cloud Virtual Private Cloud – VPN for VPC: Site-to-Site Gateway
  • IBM Cloud Virtual Private Endpoint for VPC
  • IBM Cloud Virtual Server for VPC
  • IBM Cloud Virtual Server for VPC – Auto Scale for VPC
  • IBM Cloud Virtual Server for VPC – Dedicated Host for VPC

The following services are in scope in the PaaS/Cloudant C5 report:

  • IBM Cloud App ID
  • IBM Cloud App Service
  • IBM Cloud Code Engine
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery
  • IBM Cloud Databases for DataStax
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for EnterpriseDB
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for MySQL
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud for VMware Solutions (Dedicated)
  • IBM Cloud for VMware Solutions Shared
  • IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Object Storage
  • IBM Cloud Platform – Core Services (BSS, Console, Shell, Global Catalog, Global Search and Tagging, and Identity and Access Management)
  • IBM Cloud Satellite
  • IBM Cloud Schematics
  • IBM Cloud Secrets Manager
  • IBM Cloud Security and Compliance Center
  • IBM Cloudant for IBM Cloud
  • IBM Event Streams for IBM Cloud (Standard)
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Key Protect for IBM Cloud

Learn more

More from Announcements

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM and MuleSoft expand global relationship to accelerate modernization on IBM Power 

2 min read - As companies undergo digital transformation, they rely on APIs as the backbone for providing new services and customer experiences. While APIs can simplify application development and deliver integrated solutions, IT shops must have a robust solution to effectively manage and govern them to ensure that response times and costs are kept low for all applications. Many customers use Salesforce’s MuleSoft, named a leader by Gartner® in full lifecycle API management for seven consecutive times, to manage and secure APIs across…

IBM Consulting augments expertise with AWS Competencies: A win-win for clients 

3 min read - In today's dynamic economic landscape, businesses demand continuous innovation and speed of execution. At IBM Consulting®, our unwavering focus on partnerships and shared commitment to delivering enterprise-level solutions to mutual clients have been core to our success.   We are thrilled to announce that IBM® has recently gained five competencies from Amazon Web Services (AWS) in vital domains including Cloud Operations, Internet of Things (IoT), Life Sciences, Mainframe Modernization, and Telecommunications. With these credentials, IBM further establishes its position as a…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters