IBM Cloud VPC and PaaS services completed assessment for Cloud Computing Compliance Controls Catalog (C5) for all public global MZR data centers.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) launched the Cloud Computing Compliance Controls Catalog (C5) in 2016 (C5:2016) as a certification framework and basic security criteria for cloud service providers (CSPs) used by public sector organizations in Germany. An updated catalog version was published in 2020 (C5:2020).

Government/public sector agencies in Germany are required to use C5-compliant CSPs for any cloud-based workloads. Private sector organizations are also adopting C5 as a baseline standard framework. Audits for C5 requirements by independent third-party assessors yield attestation reports. These reports detail the design and operating effectiveness of controls of the systems that CSPs utilize to process users’ data and how those controls meet the applicable C5 basic criteria.

C5 attestation reports share criteria, requirements and controls in common with SOC 2 and add additional unique control criteria. The audits are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information and represent a period of time during which controls were assessed.

C5 is based on IT security standards like ISO 27001, BSI IT-Grundschutz and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)—the basis for CSA STAR Level 1 Self-Assessments/CAIQs and Level 2 certifications. The BSI C5 framework aligns with the SecNumCloud standard in France and was a reference for the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cybersecurity (ENISA).

IBM Cloud and C5

IBM Cloud has expanded its C5 Type 2 certification scope to include Virtual Private Cloud (VPC) and Platform as a Service (PaaS) offerings across global, public multi-zone regions (MZRs) and data centers (DCs), building upon the previously existing IaaS Classic C5 attestation. C5 reports provide assurance and transparency to clients regarding how IBM Cloud helps address risks related to data protection, security and cyberattacks. IBM Cloud C5 reports help German public and private sector organizations accelerate their cloud transformation projects by reducing cost and due diligence assessments as they move workloads to IBM Cloud.

The C5 reports for the VPC and PaaS/Cloudant services listed below are protected and available upon request. Request C5 reports by contacting an IBM representative.

The following services are in scope in the VPC C5 report:

  • IBM Cloud Backup for VPC
  • IBM Cloud Block Storage for Virtual Private Cloud
  • IBM Cloud Block Storage Snapshots for VPC
  • IBM Cloud Direct Link Connect (2.0)
  • IBM Cloud Direct Link Dedicated (2.0)
  • IBM Cloud DNS Services
  • IBM Cloud Flow Logs for VPC
  • IBM Cloud Transit Gateway
  • IBM Cloud Virtual Private Cloud
  • IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  • IBM Cloud Virtual Private Cloud – VPN for VPC: Site-to-Site Gateway
  • IBM Cloud Virtual Private Endpoint for VPC
  • IBM Cloud Virtual Server for VPC
  • IBM Cloud Virtual Server for VPC – Auto Scale for VPC
  • IBM Cloud Virtual Server for VPC – Dedicated Host for VPC

The following services are in scope in the PaaS/Cloudant C5 report:

  • IBM Cloud App ID
  • IBM Cloud App Service
  • IBM Cloud Code Engine
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery
  • IBM Cloud Databases for DataStax
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for EnterpriseDB
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for MySQL
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud for VMware Solutions (Dedicated)
  • IBM Cloud for VMware Solutions Shared
  • IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Object Storage
  • IBM Cloud Platform – Core Services (BSS, Console, Shell, Global Catalog, Global Search and Tagging, and Identity and Access Management)
  • IBM Cloud Satellite
  • IBM Cloud Schematics
  • IBM Cloud Secrets Manager
  • IBM Cloud Security and Compliance Center
  • IBM Cloudant for IBM Cloud
  • IBM Event Streams for IBM Cloud (Standard)
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Key Protect for IBM Cloud

Learn more


More from Announcements

IBM TechXchange underscores the importance of AI skilling and partner innovation

3 min read - Generative AI and large language models are poised to impact how we all access and use information. But as organizations race to adopt these new technologies for business, it requires a global ecosystem of partners with industry expertise to identify the right enterprise use-cases for AI and the technical skills to implement the technology. During TechXchange, IBM's premier technical learning event in Las Vegas last week, IBM Partner Plus members including our Strategic Partners, resellers, software vendors, distributors and service…

Introducing Inspiring Voices, a podcast exploring the impactful journeys of great leaders

< 1 min read - Learning about other people's careers, life challenges, and successes is a true source of inspiration that can impact our own ambitions as well as life and business choices in great ways. Brought to you by the Executive Search and Integration team at IBM, the Inspiring Voices podcast will showcase great leaders, taking you inside their personal stories about life, career choices and how to make an impact. In this first episode, host David Jones, Executive Search Lead at IBM, brings…

IBM watsonx Assistant and NICE CXone combine capabilities for a new chapter in CCaaS

5 min read - In an age of instant everything, ensuring a positive customer experience has become a top priority for enterprises. When one third of customers (32%) say they will walk away from a brand they love after just one bad experience (source: PWC), organizations are now applying massive investments to this experience, particularly with their live agents and contact centers.  For many enterprises, that investment includes modernizing their call centers by moving to cloud-based Contact Center as a Service (CCaaS) platforms. CCaaS solutions…

See what’s new in SingleStoreDB with IBM 8.0

3 min read - Despite decades of progress in database systems, builders have compromised on at least one of the following: speed, reliability, or ease. They have two options: one, they could get a document database that is fast and easy, but can’t be relied on for mission-critical transactional applications. Or two, they could rely on a cloud data warehouse that is easy to set up, but only allows lagging analytics. Even then, each solution lacks something, forcing builders to deploy other databases for…