Home cloud Compliance Cloud Computing Compliance Controls Catalog (C5) IBM Cloud® compliance: Cloud Computing Compliance Controls Catalog (C5), Germany
Illustration showing two people standing on platforms, with one person looking at a map display and the other regarding a security shield
What is C5?

The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) to provide a framework for assessing the cybersecurity of a cloud service provider and to ensure controls are in place in the event of a cyberattack. 

C5 outlines the requirements that cloud service providers must meet in order to provide a minimum security level for their services. The standard combines existing security standards such as ISO 27001, SOC 2 and the BSI’s IT-Grundschutz catalogs with additional C5-specific requirements for increased transparency in data processing.

C5 compliance is required for cloud services used by the German government and organizations that work with Germany's public sector. C5 assessments are performed in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.

Reports and other documentation

The C5 reports for the services listed in the “services in scope” section are protected and available upon request. To request the IBM Cloud infrastructure, IBM Cloud VPC, and/or IBM Cloud PaaS/Cloudant C5 reports:
Related programs

ISO 27001

IT Grundschutz
IBM position

Current and potential IBM clients can use the C5:2020 reports as verification of cloud security compliance and as part of their assessment for using IBM Cloud.

The C5 reports are of particular interest to IBM’s clients, with offices in the European Union (EU), or other global clients that seek to find a comprehensive cloud computing control framework.

C5 reports may be provided for IBM services that have implemented controls in accordance with the C5 framework and have been assessed by an independent auditor, demonstrating proof of compliance with C5.

The services listed below have a C5 report available, representing a period of time during which controls were assessed.

IBM Service Descriptions (SD) indicate if a given offering maintains C5 compliance status. Services below issue C5 reports at least once each year.

Services

  1. IBM Cloud App Configuration
  2. IBM Cloud App ID
  3. IBM Cloud Backup for VPC
  4. IBM Cloud Bare Metal Servers for VPC
  5. IBM Cloud Block Storage for Virtual Private Cloud
  6. IBM Cloud Block Storage Snapshots for VPC
  7. IBM Cloud Code Engine
  8. IBM Cloud Container Registry
  9. IBM Cloud Continuous Delivery
  10. IBM Cloud Databases for DataStax
  11. IBM Cloud Databases for Elasticsearch
  12. IBM Cloud Databases for EnterpriseDB
  13. IBM Cloud Databases for etcd
  14. IBM Cloud Databases for MongoDB
  15. IBM Cloud Databases for MySQL
  16. IBM Cloud Databases for PostgreSQL
  17. IBM Cloud Databases for Redis
  18. IBM Cloud Direct Link Connect (2.0)
  19. IBM Cloud Direct Link Dedicated (2.0)
  20. IBM Cloud DNS Services
  21. IBM Cloud Event Notifications
  22. IBM Cloud Flow Logs for VPC
  23. IBM Cloud for VMware Solutions (Dedicated)
  24. IBM Cloud for VMware Solutions Shared
  25. IBM Cloud Internet Services Enterprise Next (via Cloudflare)
  26. IBM Cloud Internet Services Enterprise (via Cloudflare)
  27. IBM Cloud Internet Services Enterprise Usage (via Cloud
  28. IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
  29. IBM Cloud Messages for RabbitMQ
  30. IBM Cloud Object Storage
  31. IBM Cloud Platform - Core Services: IBM Cloud Account Management and Billing, IBM Cloud Catalog, IBM Cloud Console, IBM Cloud Global Search and Tagging, IBM Cloud Identity and Access Management, and IBM Cloud Shell
  32. IBM Cloud Satellite
  33. IBM Cloud Schematics
  34. IBM Cloud Secrets Manager
  35. IBM Cloud Security and Compliance Center
  36. IBM Cloud Transit Gateway 
  37. IBM Cloud Virtual Private Cloud
  38. IBM Cloud Virtual Private Cloud Load Balancer for VPC: Application Load Balancer and Network Load Balancer
  39. IBM Cloud Virtual Private Cloud - VPN for VPC: Site-to-Site Gateway and Client-to-Site Server
  40. IBM Cloud Virtual Private Endpoint for VPC
  41. IBM Cloud Virtual Server for VPC
  42. IBM Cloud Virtual Server for VPC - Auto Scale for VPC
  43. IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
  44. IBM Cloudant for IBM Cloud
  45. IBM Event Streams for IBM Cloud (Standard)
  46. IBM Event Streams for IBM Cloud (Enterprise)
  47. IBM Key Protect for IBM Cloud
Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

See more compliance programs