My IBM Log in

IBM Cloud Expands C5 Compliance

6 April 2023

3 min read

IBM Cloud VPC and PaaS services completed assessment for Cloud Computing Compliance Controls Catalog (C5) for all public global MZR data centers.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) launched the Cloud Computing Compliance Controls Catalog (C5) in 2016 (C5:2016) as a certification framework and basic security criteria for cloud service providers (CSPs) used by public sector organizations in Germany. An updated catalog version was published in 2020 (C5:2020).

Government/public sector agencies in Germany are required to use C5-compliant CSPs for any cloud-based workloads. Private sector organizations are also adopting C5 as a baseline standard framework. Audits for C5 requirements by independent third-party assessors yield attestation reports. These reports detail the design and operating effectiveness of controls of the systems that CSPs utilize to process users’ data and how those controls meet the applicable C5 basic criteria.

C5 attestation reports share criteria, requirements and controls in common with SOC 2 and add additional unique control criteria. The audits are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information and represent a period of time during which controls were assessed.

C5 is based on IT security standards like ISO 27001, BSI IT-Grundschutz and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)—the basis for CSA STAR Level 1 Self-Assessments/CAIQs and Level 2 certifications. The BSI C5 framework aligns with the SecNumCloud standard in France and was a reference for the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) from the European Union Agency for Cybersecurity (ENISA).

     

    IBM Cloud and C5

    IBM Cloud has expanded its C5 Type 2 certification scope to include Virtual Private Cloud (VPC) and Platform as a Service (PaaS) offerings across global, public multi-zone regions (MZRs) and data centers (DCs), building upon the previously existing IaaS Classic C5 attestation. C5 reports provide assurance and transparency to clients regarding how IBM Cloud helps address risks related to data protection, security and cyberattacks. IBM Cloud C5 reports help German public and private sector organizations accelerate their cloud transformation projects by reducing cost and due diligence assessments as they move workloads to IBM Cloud.

    The C5 reports for the VPC and PaaS/Cloudant services listed below are protected and available upon request. Request C5 reports by contacting an IBM representative (link resides outside ibm.com).

    The following services are in scope in the VPC C5 report:

    • IBM Cloud Backup for VPC
    • IBM Cloud Block Storage for Virtual Private Cloud
    • IBM Cloud Block Storage Snapshots for VPC
    • IBM Cloud Direct Link Connect (2.0)
    • IBM Cloud Direct Link Dedicated (2.0)
    • IBM Cloud DNS Services
    • IBM Cloud Flow Logs for VPC
    • IBM Cloud Transit Gateway
    • IBM Cloud Virtual Private Cloud
    • IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
    • IBM Cloud Virtual Private Cloud – VPN for VPC: Site-to-Site Gateway
    • IBM Cloud Virtual Private Endpoint for VPC
    • IBM Cloud Virtual Server for VPC
    • IBM Cloud Virtual Server for VPC – Auto Scale for VPC
    • IBM Cloud Virtual Server for VPC – Dedicated Host for VPC

    The following services are in scope in the PaaS/Cloudant C5 report:

    • IBM Cloud App ID
    • IBM Cloud App Service
    • IBM Cloud Code Engine
    • IBM Cloud Container Registry
    • IBM Cloud Continuous Delivery
    • IBM Cloud Databases for DataStax
    • IBM Cloud Databases for Elasticsearch
    • IBM Cloud Databases for EnterpriseDB
    • IBM Cloud Databases for etcd
    • IBM Cloud Databases for MongoDB
    • IBM Cloud Databases for MySQL
    • IBM Cloud Databases for PostgreSQL
    • IBM Cloud Databases for Redis
    • IBM Cloud for VMware Solutions (Dedicated)
    • IBM Cloud for VMware Solutions Shared
    • IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
    • IBM Cloud Messages for RabbitMQ
    • IBM Cloud Object Storage
    • IBM Cloud Platform – Core Services (BSS, Console, Shell, Global Catalog, Global Search and Tagging, and Identity and Access Management)
    • IBM Cloud Satellite
    • IBM Cloud Schematics
    • IBM Cloud Secrets Manager
    • IBM Cloud Security and Compliance Center
    • IBM Cloudant for IBM Cloud
    • IBM Event Streams for IBM Cloud (Standard)
    • IBM Event Streams for IBM Cloud (Enterprise)
    • IBM Key Protect for IBM Cloud

    Learn more

    • BSI C5 main page (German) (link resides outside ibm.com) (English) (link resides outside ibm.com)
    • BSI C5:2020 catalog (German) (link resides outside ibm.com) (English) (link resides outside ibm.com)
    • IBM Cloud compliance: BSI C5

    Author

    Michele Kersey

    IBM Cloud Compliance Senior Product Manager

    Tina Belani

    IBM Cloud Compliance Program Director
    Overview Annual report Corporate social responsibility Inclusion@IBM Financing Investor Newsroom Security, privacy & trust Senior leadership Careers with IBM Website Blog Publications Automotive Banking Consumer Good Energy Government Healthcare Insurance Life Sciences Manufacturing Retail Telecommunications Travel Our strategic partners Find a partner Become a partner - Partner Plus Partner Plus log in IBM TechXChange Community LinkedIn X Instagram YouTube Subscription Center Participate in user experience research Podcasts United States — English Contact IBM Privacy Terms of use Accessibility