IBM Cloud VPC and PaaS services completed assessment for Cloud Computing Compliance Controls Catalog (C5) for all public global MZR data centers.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) launched the Cloud Computing Compliance Controls Catalog (C5) in 2016 (C5:2016) as a certification framework and basic security criteria for cloud service providers (CSPs) used by public sector organizations in Germany. An updated catalog version was published in 2020 (C5:2020).

Government/public sector agencies in Germany are required to use C5-compliant CSPs for any cloud-based workloads. Private sector organizations are also adopting C5 as a baseline standard framework. Audits for C5 requirements by independent third-party assessors yield attestation reports. These reports detail the design and operating effectiveness of controls of the systems that CSPs utilize to process users’ data and how those controls meet the applicable C5 basic criteria.

C5 attestation reports share criteria, requirements and controls in common with SOC 2 and add additional unique control criteria. The audits are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information and represent a period of time during which controls were assessed.

C5 is based on IT security standards like ISO 27001, BSI IT-Grundschutz and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)—the basis for CSA STAR Level 1 Self-Assessments/CAIQs and Level 2 certifications. The BSI C5 framework aligns with the SecNumCloud standard in France and was a reference for the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cybersecurity (ENISA).

IBM Cloud and C5

IBM Cloud has expanded its C5 Type 2 certification scope to include Virtual Private Cloud (VPC) and Platform as a Service (PaaS) offerings across global, public multi-zone regions (MZRs) and data centers (DCs), building upon the previously existing IaaS Classic C5 attestation. C5 reports provide assurance and transparency to clients regarding how IBM Cloud helps address risks related to data protection, security and cyberattacks. IBM Cloud C5 reports help German public and private sector organizations accelerate their cloud transformation projects by reducing cost and due diligence assessments as they move workloads to IBM Cloud.

The C5 reports for the VPC and PaaS/Cloudant services listed below are protected and available upon request. Request C5 reports by contacting an IBM representative.

The following services are in scope in the VPC C5 report:

  • IBM Cloud Backup for VPC
  • IBM Cloud Block Storage for Virtual Private Cloud
  • IBM Cloud Block Storage Snapshots for VPC
  • IBM Cloud Direct Link Connect (2.0)
  • IBM Cloud Direct Link Dedicated (2.0)
  • IBM Cloud DNS Services
  • IBM Cloud Flow Logs for VPC
  • IBM Cloud Transit Gateway
  • IBM Cloud Virtual Private Cloud
  • IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  • IBM Cloud Virtual Private Cloud – VPN for VPC: Site-to-Site Gateway
  • IBM Cloud Virtual Private Endpoint for VPC
  • IBM Cloud Virtual Server for VPC
  • IBM Cloud Virtual Server for VPC – Auto Scale for VPC
  • IBM Cloud Virtual Server for VPC – Dedicated Host for VPC

The following services are in scope in the PaaS/Cloudant C5 report:

  • IBM Cloud App ID
  • IBM Cloud App Service
  • IBM Cloud Code Engine
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery
  • IBM Cloud Databases for DataStax
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for EnterpriseDB
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for MySQL
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud for VMware Solutions (Dedicated)
  • IBM Cloud for VMware Solutions Shared
  • IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Object Storage
  • IBM Cloud Platform – Core Services (BSS, Console, Shell, Global Catalog, Global Search and Tagging, and Identity and Access Management)
  • IBM Cloud Satellite
  • IBM Cloud Schematics
  • IBM Cloud Secrets Manager
  • IBM Cloud Security and Compliance Center
  • IBM Cloudant for IBM Cloud
  • IBM Event Streams for IBM Cloud (Standard)
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Key Protect for IBM Cloud

Learn more

More from Announcements

IBM and SAP unlock business and industry value with new generative AI solutions 

3 min read - IBM Consulting is delivering on our commitment to co-innovate with SAP and collaborate with our clients. As part of our Value Generation Partnership initiative announced earlier this month with SAP, we are releasing the first 10 of 100 planned AI solutions to help clients transform their industries, optimize their business processes and successfully deliver their SAP programs.  Delivering AI business and industry innovation at scale  With the recently announced Value Generation Partnership initiative, IBM and SAP are co-innovating intelligent industry…

IBM SevOne 7.0: Reaching application-centric multicloud network observability  

2 min read - As enterprises increasingly rely on network connectivity to support cloud-based applications and remote workers, network managers require new methods to monitor and safeguard connectivity across diverse environments, including corporate networks, software-defined WANs and multiple public cloud providers.   According to the recent EMA Network Megatrends Report, responding network professionals believe that 53% of network outages and performance issues could be prevented with improved network management tools, yet only 9% find it very easy to hire skilled networking personnel. This is why…

IBM Hybrid Cloud Mesh and Red Hat Service Interconnect: A new era of app-centric connectivity 

2 min read - To meet customer demands, applications are expected to be performing at their best at all times. Simultaneously, applications need to be flexible and cost effective, and therefore supported by an underlying infrastructure that is equally reliant, performant and secure as the applications themselves.   Easier said than done. According to EMA's 2024 Network Management Megatrends report only 42% of responding IT professionals would rate their network operations as successful.   In this era of hyper-distributed infrastructure where our users, apps, and data…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters