C5 - Cloud Computing Compliance Criteria Catalogue
The Cloud Computing Compliance Criteria Catalogue (C5), created by the German Federal Office for Information Technology Security (BSI), certifies that cloud service providers are offering the highest level of security. It helps organisations demonstrate their operational security against common cyber attacks when using cloud services within the context of the German Government's “Security Recommendations for Cloud Providers”. According to the most recent certificate, OVHcloud fulfils all the requirements of this catalogue.
- IDW RS FAIT 5 04.11.2014: “Generally accepted accounting principles for the outsourcing of accounting-related services, including cloud computing”, version dated 4 November 2014
- BSI IT-Grundschutz Catalogues, 14th version 2014
- BSI SaaS Sicherheitsprofile 2014 [BSI SaaS Security Profiles 2014]
- ISO/IEC 27001:2013 (ISO - International Organization for Standardization)
- CSA Cloud Controls Matrix 3.01 (CSA - Cloud Security Alliance)
- AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)
C5 - Cloud Computing Compliance Controls
The German Federal Office for Information Technology Security (BSI) created the Cloud Computing Compliance Controls Catalogue (C5) as an audit standard. This standard was last updated in 2020. For OVHcloud customers and partners, C5 certification can be used to prove and attest that a platform complies with the relevant security controls. C5 adds a regulation-defined IT Security level that is equivalent to the IT-Grundschutz, with the addition of cloud-specific controls.
Parameters and certificates
The requirements analysed as part of the C5 certification process include environmental parameters. As the BSI explains on its website: “They provide information on the data location, provision of services, jurisdiction, certifications, and duties of investigation and disclosure to government agencies and contain a system description [...] The resulting transparency makes it possible for potential cloud customers to decide whether legal regulations (such as data protection), the customers’ own policies or potential threats relating to industrial espionage make the usage of the respective cloud service seem appropriate.”
SOC 2 Type 2 reports
According to Section 3.3 of C5:2020 - Connection to other audits, a C5:2020 audit can be combined with a SOC 2 audit so that parts of the system description and audit results can be reused for overlapping controls. OVHcloud provides its customers with a SOC 2 Type 2 certificate based on an independent audit rigorously conducted by the American Institute of Certified Public Accountants (AICPA) - AICPA SSAE 16 or ISAE 3402 Type 2 certificate for the control of security, availability and confidentiality.
Certifications and reports
Our customers can request access to our certifications and reports. They may also obtain documents relating to our certifications under certain conditions.
We only authorise audits carried out by third parties for the purpose of certifying all relevant parties. Contact our sales department to access this type of service.