IBM Cloud® compliance: Cloud Computing Compliance Controls Catalog (C5), Germany

Illustration showing two people standing on platforms, with one person looking at a map display and the other regarding a security shield
What is C5?

The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) to provide a framework for assessing the cybersecurity of a cloud service provider and to ensure controls are in place in the event of a cyberattack. 

C5 outlines the requirements that cloud service providers must meet in order to provide a minimum security level for their services. The standard combines existing security standards such as ISO 27001, SOC 2 and the BSI’s IT-Grundschutz catalogs with additional C5-specific requirements for increased transparency in data processing.

C5 compliance is required for cloud services used by the German government and organizations that work with Germany's public sector. C5 assessments are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.

Reports and other documentation

The C5 reports for the services listed in the “services in scope” section are protected and available upon request. To request the IBM Cloud infrastructure, IBM Cloud VPC, and/or IBM Cloud PaaS/Cloudant C5 reports:
IBM position

Current and potential IBM clients can use the C5:2020 reports as verification of cloud security compliance and as part of their assessment for using IBM Cloud.

The C5 reports are of particular interest to IBM’s clients, with offices in the European Union (EU), or other global clients that seek to find a comprehensive cloud computing control framework.

C5 reports may be provided for IBM services that have implemented controls in accordance with the C5 framework and have been assessed by an independent auditor, demonstrating proof of compliance with C5.

The services listed below have a C5 report available, representing a period of time during which controls were assessed.

IBM Service Descriptions (SD) indicate if a given offering maintains C5 compliance status. Services below issue C5 reports at least once each year.

Services

  1.  IBM Cloud Activity Tracker Event Routing 
  2. IBM Cloud App Configuration
  3. IBM Cloud App ID
  4. IBM Cloud Backup
  5. IBM Cloud Backup for VPC
  6. IBM Cloud Bare Metal
  7. IBM Cloud Bare Metal Servers for VPC
  8. IBM Cloud Block Storage 
  9. IBM Cloud Block Storage for Virtual Private Cloud
  10. IBM Cloud Block Storage Snapshots for VPC
  11. IBM Cloud Code Engine
  12. IBM Cloud Container Registry
  13. IBM Cloud Continuous Delivery
  14. IBM Cloud Databases for Elasticsearch
  15. IBM Cloud Databases for EnterpriseDB
  16. IBM Cloud Databases for etcd
  17. IBM Cloud Databases for MongoDB
  18. IBM Cloud Databases for MySQL
  19. IBM Cloud Databases for PostgreSQL
  20. IBM Cloud Databases for Redis
  21. IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
  22. IBM Cloud Direct Link Connect (2.0)
  23. IBM Cloud Direct Link Dedicated (2.0)
  24. IBM Cloud DNS Services
  25. IBM Cloud Event Notifications
  26. IBM Cloud File Storage
  27. IBM Cloud File Storage for Virtual Private Cloud
  28. IBM Cloud Flow Logs for VPC
  29. IBM Cloud for VMware Cloud Foundation as a Service
  30. IBM Cloud for VMware Cloud Foundation for Classic 
  31. IBM Cloud for VMware Solutions (Dedicated)
  32. IBM Cloud Internet Services Enterprise Next (via Cloudflare)
  33. IBM Cloud Internet Services Enterprise (via Cloudflare)
  34. IBM Cloud Internet Services Enterprise Usage (via Cloudflare)
  35. IBM Cloud Internet Services Standard (via Cloudflare)
  36. IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  37. IBM Cloud Load Balancer
  38. IBM Cloud Logs 
  39. IBM Cloud Messages for RabbitMQ
  40. IBM Cloud Object Storage
  41. IBM Cloud Object Storage (IaaS)
  42. IBM Cloud Platform - Core Services: IBM Cloud Account Management and Billing, IBM Cloud Global Catalog, IBM Cloud Console, IBM Cloud Logs Routing, IBM Cloud Metric Routing, IBM Cloud Global Search and Tagging, IBM Cloud Identity and Access Management, and IBM Cloud Shell
  43. IBM Cloud Priviledged Access Gateway
  44. IBM Cloud Satellite
  45. IBM Cloud Schematics
  46. IBM Cloud Secrets Manager
  47. IBM Cloud Security and Compliance Center
  48. IBM Cloud Transit Gateway 
  49. IBM Cloud Virtual Private Cloud
  50. IBM Cloud Virtual Private Cloud - Private Path Service for VPC 
  51. IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  52. IBM Cloud Virtual Private Cloud - VPN for VPC: Site-to-Site Gateway and Client-to-Site Server
  53. IBM Cloud Virtual Private Endpoint for VPC
  54. IBM Cloud Virtual Server for VPC
  55. IBM Cloud Virtual Server for VPC - Auto Scale for VPC
  56. IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
  57. IBM Cloud Virtual Servers
  58. IBM Cloudant Dedicated Cluster
  59. IBM Cloudant for IBM Cloud
  60. IBM Event Streams for IBM Cloud (Standard)
  61. IBM Event Streams for IBM Cloud (Enterprise)
  62. IBM Key Protect for IBM Cloud
  63. IBM Managed Dedicated Storage Cluster on IBM Cloud.  
Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

  2. See more compliance programs