29. January 2026 By Bruno Trageser
How a C5 audit works – explained step by step
C5 audits have become commonplace wherever sensitive workloads are run in the cloud, for example in the public sector, at banks and insurance companies, or at operators of critical infrastructure. They are increasingly regarded as a benchmark for secure and compliant cloud services. The interesting question is: what actually happens in such an audit, and how does it differ from traditional ISO certifications?
This article summarises the C5 audit process, highlights the key differences between C5 and ISO 27001 and similar formats, and provides tips on how purchasing, IT and compliance departments can use C5 reports in practice.
What is C5?
The Cloud Computing Compliance Criteria Catalogue (C5; the original 2016 edition was titled Cloud Computing Compliance Controls Catalogue) is a criteria catalogue published by the German Federal Office for Information Security (BSI) specifically for cloud services. It defines concrete, verifiable requirements relating to information security, data protection, operation and transparency. Unlike general ‘best practices’, C5 provides a catalogue of criteria against which a specific cloud service can be audited.
The key difference from ISO 27001: while ISO 27001 assesses the information security management system (ISMS) of an entire organisation, C5 focuses on the operation of one specific cloud service. It is therefore less about the abstract management level and more about questions such as: how are logging, incident handling or backup and recovery implemented for this particular service? It is precisely this closeness to the service that makes C5 interesting for cloud customers.
Why the process is important – not just the certificate
A C5 audit is not a box to tick in an RfP, but a clearly structured process with several phases. Typically, it includes defining the scope, preparation, mapping of the provider's own controls to the C5 catalogue, a comprehensive document review, interviews and process walkthroughs, technical spot checks, and an assessment with subsequent findings and a report.
Those who are familiar with these steps can plan internal effort more realistically, better judge what a C5 report does and does not say, and integrate the report in a more targeted manner into outsourcing and sourcing decisions. The most important factor here is the comparison of documentation with actual practice, combined with technical spot checks; this is where C5 differs significantly from more formal audit formats.
We support you!
adesso accompanies you throughout the entire C5 lifecycle: from evaluating your existing cloud architecture to control mapping and gap analyses to concrete audit preparation and sustainable integration of the results into your governance and operating models. Talk to us about how you can make your cloud services C5-compliant, audit-ready and resilient to regulatory changes in the long term.
C5 audit process explained in brief
Scope and preparation
The first step in a C5 audit is to define the scope: this involves determining which specific cloud service is to be audited – for example, an IaaS platform or a SaaS specialist application – and which regions or data centres are involved. In addition, the processes within the scope are defined, such as incident and change management, authorisation processes, backup and recovery, and business continuity. At the same time, the provider creates or updates a system description documenting the architecture and components of the service, the relevant data flows, the roles and responsibilities, and the sub-service providers used (such as data centres and platform providers). In addition, all relevant evidence is compiled, including security guidelines, process documentation, risk analyses, emergency plans, existing certificates, and previous C5 reports.
Control mapping: Own controls vs. C5
In the next step, the existing controls are compared with the requirements of the C5 catalogue. The provider systematically checks which of its existing technical and organisational measures cover which C5 criteria and where specific gaps exist. This identifies weaknesses, such as missing log review processes or insufficiently documented tenant separation, and prioritises measures that should be implemented before the audit. The control mapping also helps to identify areas that are likely to be particularly critical and audit-intensive.
Document review
Based on this preparation, the actual document review begins, largely offsite. The auditor reviews policies, process descriptions, data processing agreements (Auftragsverarbeitungsverträge), concepts for managing subcontractors, and technical documents, for example on network segmentation, tenant separation, or logging strategies. The focus is explicitly on cloud specifics such as data location, dealing with subcontractors, and the practical implementation of the shared responsibility model. During this phase, the auditor often asks initial questions, clarifies contradictions and forms an opinion as to whether the documented processes are fundamentally suitable for meeting the C5 requirements.
Interviews and process walkthroughs
This is followed by interviews and process walkthroughs with the parties involved on the provider side. These usually include the CISO or information security officer, cloud architects, operations managers, service owners, and colleagues from the data protection and compliance departments. Critical processes are walked through using real examples, such as a security incident from the initial report to the final assessment, or a critical change in production, including testing and approval. The aim is to check whether the processes described are actually being followed and whether cloud-specific risks are adequately taken into account in practice, i.e. not only whether the documents look good, but whether everyday operations actually work that way.
Technical spot checks
A key added value of the C5 audit is the technical spot checks. The auditor is not satisfied with concepts alone, but asks to see specific logs, tickets and records. Log analyses cover, for example, admin access, configuration changes, security-related events or failed logins, and whether these are not only recorded but also regularly evaluated. Ticket spot checks use specific incident and change tickets to show how incidents and changes were actually handled. Authorisation checks look at onboarding and offboarding processes as well as recertification records to ensure that roles and rights are properly maintained. In the area of backup and disaster preparedness, the auditor checks restore logs, documented RPO and RTO values, and the results of disaster recovery tests. These spot checks connect the theoretical world of policies with tangible evidence from ongoing operations.
Assessment, findings and report
Based on the information gathered, the auditor assesses whether the controls are appropriately designed, correctly implemented and effectively operated throughout the audit period. Deviations are documented as ‘findings’ and provided with a description, a severity rating, a risk assessment and specific recommendations for action. The result is a detailed audit report, issued as an attestation engagement under ISAE 3000 (Revised), together with the auditor's C5 attestation. A Type 1 report covers the suitability of the design at a point in time; a Type 2 report additionally covers operating effectiveness over a period, typically several months, which is why the operational evidence described above matters. In addition to a summary of the results, the report also contains the system description, an overview of the criteria audited, the audit approach and the deviations found. This gives customers significantly more insight than a pure ISO certificate.
Differences from ISO audits – in a nutshell
Essentially, C5 audits differ from ISO audits in four ways. Firstly, in terms of the object of the audit: C5 considers a clearly defined cloud service with specified regions, processes and sub-service providers, while ISO 27001 assesses the ISMS of an organisation or a larger group of systems. Secondly, in the depth of evidence. C5 requires operational evidence such as logs, tickets or restore tests, while ISO audits remain more at the management system level and focus on policies, processes and maturity levels.
Thirdly, the focus on the cloud plays a significant role. C5 explicitly addresses cloud specifics: topics such as tenant separation, data location, subcontractor chains and the division of responsibilities in the shared responsibility model are central components. These points may come up in ISO audits, but they are not necessarily the focus. Fourthly, the type of reporting differs: C5 reports are usually comprehensive, service-specific documents with detailed descriptions and findings, while ISO certificates are compact confirmations that say little about the specific design of an individual service.
Example of a C5 finding
What does a typical result in a C5 audit look like? Let's take a provider that operates a multi-tenant SaaS solution for banks. The audit reveals that although all administrator accesses, configuration changes and failed logins are logged, there is no defined, regular review process for these logs. Evaluations are only carried out on an ad hoc basis, for example in the event of incidents.
The auditor classifies this as a medium finding, as there is a risk that misuse or misconfigurations remain undetected for a long time. As a measure, the auditor recommends a monthly log review under the four-eyes principle, with a defined checklist and consistent documentation of the results. The provider then establishes a standardised process, adjusts roles and responsibilities, and introduces a dashboard for critical admin events. In the next audit cycle, the auditor takes random samples from the log review records and checks whether anomalies were detected and dealt with. Only then can the finding be closed. It is important for customers to see in the report not only that ‘logging exists’, but also how consistently logs are actually used.
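As an added illustration of what the monthly log review described above, and the evidence the auditor later samples, could look like in practice: this is example code added during editing, not adesso's or the provider's own tooling. The JSON-lines log format, field names, checklist items, thresholds and the constructed sample events are assumptions chosen for the example.

```python
"""Monthly admin-log review with dual-control sign-off and coverage check.

Example code, not from the article or any real provider. The log format
(JSON lines with ts/actor/event/result/tenant/ticket), the checklist items
and the thresholds are assumptions made for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one month of admin audit events from a hypothetical
# multi-tenant SaaS control plane. Not real data.
SAMPLE_LOG = """\
{"ts":"2025-10-02T08:15:00Z","actor":"alice","event":"admin.login","result":"success","tenant":"bank-a"}
{"ts":"2025-10-02T08:20:00Z","actor":"alice","event":"config.change","result":"success","tenant":"bank-a","ticket":"CHG-1042"}
{"ts":"2025-10-05T23:40:00Z","actor":"bob","event":"config.change","result":"success","tenant":"bank-b"}
{"ts":"2025-10-11T03:01:00Z","actor":"svc-admin","event":"admin.login","result":"failure","tenant":"-"}
{"ts":"2025-10-11T03:01:30Z","actor":"svc-admin","event":"admin.login","result":"failure","tenant":"-"}
{"ts":"2025-10-11T03:02:00Z","actor":"svc-admin","event":"admin.login","result":"failure","tenant":"-"}
{"ts":"2025-10-11T03:02:30Z","actor":"svc-admin","event":"admin.login","result":"failure","tenant":"-"}
{"ts":"2025-10-11T03:03:00Z","actor":"svc-admin","event":"admin.login","result":"failure","tenant":"-"}
{"ts":"2025-10-11T03:03:30Z","actor":"svc-admin","event":"admin.login","result":"success","tenant":"-"}
{"ts":"2025-10-20T10:00:00Z","actor":"carol","event":"admin.login","result":"failure","tenant":"bank-a"}
{"ts":"2025-10-20T10:00:20Z","actor":"carol","event":"admin.login","result":"success","tenant":"bank-a"}
"""


def parse_log(text):
    """Parse JSON-lines audit events; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def review_month(events, year, month, fail_threshold=5, window=timedelta(minutes=10)):
    """Apply a fixed checklist to one calendar month and return the findings.

    Checklist (assumed for this example, not taken from the C5 catalogue):
      1. configuration changes that carry no change-ticket reference
      2. bursts of >= fail_threshold failed admin logins per actor within `window`
    """
    in_scope = [e for e in events if (e["ts"].year, e["ts"].month) == (year, month)]
    unticketed = [e["actor"] for e in in_scope
                  if e["event"] == "config.change" and not e.get("ticket")]
    failures = defaultdict(list)
    for e in in_scope:
        if e["event"] == "admin.login" and e["result"] == "failure":
            failures[e["actor"]].append(e["ts"])
    bursts = {}
    for actor, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:  # sliding window
                j += 1
            if j - i >= fail_threshold:
                bursts[actor] = j - i
                break
    return {"period": f"{year}-{month:02d}", "events_reviewed": len(in_scope),
            "unticketed_config_changes": unticketed, "failed_login_bursts": bursts}


def sign_off(review, reviewers):
    """Four-eyes principle: a review record is only valid with two distinct reviewers."""
    if len(set(reviewers)) < 2:
        raise ValueError("four-eyes principle requires two distinct reviewers")
    return {**review, "reviewers": sorted(set(reviewers)), "signed": True}


def coverage_gaps(records, start, end):
    """Months in [start, end] (inclusive (year, month) tuples) with no signed
    review record. This is the check an auditor performs in the next cycle
    before sampling individual records."""
    signed = {r["period"] for r in records if r.get("signed")}
    gaps, (y, m) = [], start
    while (y, m) <= end:
        if f"{y}-{m:02d}" not in signed:
            gaps.append(f"{y}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return gaps


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    october = sign_off(review_month(events, 2025, 10), ["alice", "dave"])
    print(json.dumps(october, indent=2))
    # Only October is signed, so September and November show up as gaps.
    print("missing review records:", coverage_gaps([october], (2025, 9), (2025, 11)))
```

The review output (period, event count, findings, reviewers) is the artefact that should be retained as evidence: the auditor samples exactly these records and checks that the flagged events, here an unticketed configuration change and a burst of failed logins against a service account, were followed up in a ticket.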
Conclusion
C5 audits bring structure and depth to the evaluation of cloud services. They consider not only policies and processes, but also logs, tickets and backups. This addresses precisely those cloud-specific risks that are particularly critical in regulated industries. Those who understand the process and see C5 not just as a logo in their offering, but as a source of information, can use C5 reports specifically for procurement, risk management and regulatory compliance. This transforms C5 audits from a mandatory requirement into a genuine tool for better cloud decisions.
This is where adesso can provide support: we understand our customers' technical and regulatory requirements as well as the technical details of cloud architectures and operating models. In projects, we help to design cloud services to be C5-compliant from the outset, make existing environments audit-ready and integrate C5 reports into outsourcing, compliance and sourcing processes in a meaningful way. This turns the C5 audit from a tedious checkpoint into a building block for sustainable, trustworthy cloud strategies – technically sound, regulatory compliant and operationally feasible.