# BSI C5:2020 - Cloud Computing Compliance Criteria Catalogue
cloud-audit maps 88 checks to 134 BSI C5:2020 controls across 17 domains. 76 controls are automated, 58 require manual review (organizational, contractual, and procedural controls).
**Readiness assessment, not attestation.** BSI C5 compliance requires a formal audit by an independent auditor under ISAE 3000 / ISAE 3402. This tool automates assessment of technical infrastructure controls and generates evidence to support your audit preparation.
## Coverage Summary

\* Automated includes both fully automated and partially automated controls - partial controls have some aspects verified by cloud-audit checks and some requiring manual review.
| Domain | Controls | Automated* | Manual |
|---|---|---|---|
| OIS - Organisation of Information Security | 7 | 2 | 5 |
| SP - Security Policies | 6 | 1 | 5 |
| HR - Human Resources | 5 | 0 | 5 |
| AM - Asset Management | 8 | 3 | 5 |
| PS - Physical Security | 10 | 0 | 10 |
| OPS - Operations Management | 14 | 10 | 4 |
| IDM - Identity and Access Management | 10 | 8 | 2 |
| CRY - Cryptography and Key Management | 6 | 5 | 1 |
| COM - Communication Security | 8 | 6 | 2 |
| PI - Portability and Interoperability | 5 | 1 | 4 |
| PSS - Procurement and Supply Chain | 4 | 0 | 4 |
| DEV - Development and Testing | 8 | 3 | 5 |
| SIM - Security Incident Management | 7 | 4 | 3 |
| BCM - Business Continuity Management | 8 | 5 | 3 |
| COS - Compliance and Standards | 6 | 1 | 5 |
| INQ - Inquiries and Investigations | 7 | 4 | 3 |
| MON - Monitoring and Logging | 15 | 13 | 2 |
| Total | 134 | 76 (57%) | 58 (43%) |
## Usage

```bash
# Terminal output with readiness score
cloud-audit scan --compliance bsi_c5_2020

# HTML report for auditors
cloud-audit scan --compliance bsi_c5_2020 --format html --output bsi-c5-report.html

# Markdown for documentation
cloud-audit scan --compliance bsi_c5_2020 --format markdown --output bsi-c5-report.md

# List all frameworks
cloud-audit list-frameworks

# Preview controls without scanning
cloud-audit show-framework bsi_c5_2020
```
## Key Domains

### IDM - Identity and Access Management
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| IDM-01 | Identity and access management policy | Partial | aws-iam-005, aws-iam-010 |
| IDM-02 | User registration and deregistration | Auto | aws-iam-003, aws-iam-004, aws-iam-009, aws-iam-013 |
| IDM-03 | Privileged access management | Auto | aws-iam-005, aws-iam-007, aws-iam-008, aws-iam-014, aws-iam-017 |
| IDM-04 | Authentication mechanisms | Auto | aws-iam-001, aws-iam-002, aws-iam-006, aws-iam-015 |
| IDM-05 | Credential management | Auto | aws-iam-003, aws-iam-004, aws-ssm-002, aws-sm-001 |
| IDM-06 | Access reviews | Partial | aws-iam-012 |
| IDM-07 | Multi-factor authentication | Auto | aws-iam-001, aws-iam-002, aws-iam-015 |
| IDM-08 | Segregation of duties | Auto | aws-iam-005, aws-iam-010, aws-iam-016, aws-ecs-003 |
| IDM-09 | Federated identity management | Manual | - |
| IDM-10 | Session management | Auto | aws-iam-003, aws-iam-004 |
### MON - Monitoring and Logging
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| MON-01 | Logging policy | Partial | aws-ct-001, aws-ct-002 |
| MON-02 | API activity logging | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-006, aws-ct-007, aws-ct-008 |
| MON-03 | Log integrity protection | Auto | aws-ct-005, aws-s3-005 |
| MON-04 | Log storage and retention | Auto | aws-ct-004, aws-ct-006, aws-ct-007 |
| MON-05 | Security event monitoring | Auto | aws-gd-001, aws-gd-002, aws-sh-001 |
| MON-06 | Alarm configuration | Auto | aws-cw-001 through aws-cw-016 |
| MON-07 | Network flow monitoring | Auto | aws-vpc-003 |
| MON-08 | Configuration monitoring | Auto | aws-cfg-001, aws-cfg-002 |
| MON-09 | Vulnerability monitoring | Auto | aws-inspector-001, aws-ssm-001, aws-ssm-003 |
| MON-10 | Anomaly detection | Auto | aws-gd-001, aws-gd-002 |
| MON-11 | Compliance monitoring | Partial | aws-cfg-001, aws-cfg-002, aws-sh-001 |
| MON-12 | Incident alerting | Auto | aws-cw-001 through aws-cw-016 |
| MON-13 | Monitoring coverage | Auto | aws-ct-001, aws-ct-003, aws-cfg-001 |
| MON-14 | Log analysis | Manual | - |
| MON-15 | Reporting | Manual | - |
### COM - Communication Security
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| COM-01 | Network segmentation | Auto | aws-vpc-001, aws-vpc-002, aws-vpc-004, aws-vpc-005, aws-vpc-006 |
| COM-02 | Firewall management | Auto | aws-vpc-002, aws-vpc-004, aws-ec2-001 |
| COM-03 | Data in transit encryption | Auto | aws-s3-006, aws-rds-002, aws-efs-001 |
| COM-04 | Network monitoring | Auto | aws-vpc-003 |
| COM-05 | Remote access | Partial | aws-vpc-002, aws-ec2-004 |
| COM-06 | DNS security | Manual | - |
| COM-07 | Load balancer security | Auto | aws-ec2-001, aws-lambda-001 |
| COM-08 | Web application firewall | Partial | aws-waf-001 |
### CRY - Cryptography and Key Management
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| CRY-01 | Encryption policy | Partial | aws-kms-001, aws-kms-002 |
| CRY-02 | Encryption at rest | Auto | aws-s3-002, aws-rds-002, aws-ec2-002, aws-ec2-006, aws-efs-001, aws-ct-005 |
| CRY-03 | Encryption in transit | Auto | aws-s3-006, aws-s3-007, aws-lambda-003, aws-ssm-002 |
| CRY-04 | Key management | Auto | aws-kms-001, aws-kms-002 |
| CRY-05 | Key rotation | Auto | aws-kms-001 |
| CRY-06 | Certificate management | Manual | - |
### BCM - Business Continuity Management
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| BCM-01 | Continuity planning | Manual | - |
| BCM-02 | Backup strategy | Auto | aws-rds-003, aws-s3-003, aws-ec2-005, aws-backup-001 |
| BCM-03 | Backup verification | Partial | aws-backup-001 |
| BCM-04 | Disaster recovery | Manual | - |
| BCM-05 | Redundancy | Partial | aws-rds-003, aws-rds-004 |
| BCM-06 | Recovery testing | Manual | - |
| BCM-07 | Data retention | Auto | aws-ct-004, aws-ct-006, aws-s3-004 |
| BCM-08 | Availability monitoring | Auto | aws-cw-001 through aws-cw-016 |
## Why 58 Controls Are Manual
BSI C5 covers organizational governance, physical security, human resources, procurement, and contractual obligations that cannot be verified by scanning AWS infrastructure. These require document review and on-site inspection by an auditor.
Examples:
- PS-01 through PS-10 (physical security) - data center access controls, environmental monitoring, fire suppression
- HR-01 through HR-05 (human resources) - background checks, security awareness training, termination procedures
- PSS-01 through PSS-04 (procurement) - supplier assessments, contract requirements, SLA monitoring
cloud-audit marks these as `NOT_ASSESSED` with actionable manual steps for each.
## DACH Market Relevance
BSI C5 is the standard compliance framework for cloud providers operating in Germany and the DACH region. It is required by:
- German federal agencies and public sector institutions
- Organizations subject to KRITIS (critical infrastructure) regulations
- Financial sector entities regulated by BaFin
- Healthcare organizations under German data protection law
The framework aligns with ISO 27001 but adds cloud-specific controls for multi-tenancy, data portability, and transparency.
## Attack Chain Integration
All 25 attack chain rules are mapped to BSI C5 controls. When a chain is detected, the compliance report shows which controls it violates:
| Chain | BSI C5 Controls Violated |
|---|---|
| AC-01 Internet-Exposed Admin Instance | IDM-03, COM-01, COM-02 |
| AC-02 SSRF to Credential Theft | COM-01, COM-05, IDM-05 |
| AC-12 Admin Without MFA | IDM-04, IDM-07 |
| AC-17 Exposed Database Without Audit Trail | COM-01, CRY-02, MON-02 |
| AC-29 Unpatched Instance Exposed to Internet | MON-09, COM-01, COM-02 |
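The following added example (not cloud-audit's own code) models how the per-check results roll up into the control statuses described above: manual controls become `NOT_ASSESSED`, a Partial control whose checks pass is still not fully satisfied, a readiness score is computed over the assessable controls only, and a detected attack chain maps to the controls it violates. The control and chain tables are copied from this page; the rollup rules, the score formula and the sample check results are assumptions.

```python
# Added illustrative model, not cloud-audit's own code: rolls per-check results up
# into BSI C5 control statuses (PASS / FAIL / PARTIAL / NOT_ASSESSED), a readiness
# score and the controls violated by detected attack chains. Rules are assumptions.

# Control -> (type, mapped cloud-audit checks), copied from the IDM / COM tables.
CONTROLS = {
    "IDM-04": ("Auto", ["aws-iam-001", "aws-iam-002", "aws-iam-006", "aws-iam-015"]),
    "IDM-06": ("Partial", ["aws-iam-012"]),
    "IDM-07": ("Auto", ["aws-iam-001", "aws-iam-002", "aws-iam-015"]),
    "IDM-09": ("Manual", []),
    "COM-01": ("Auto", ["aws-vpc-001", "aws-vpc-002", "aws-vpc-004", "aws-vpc-005", "aws-vpc-006"]),
    "COM-02": ("Auto", ["aws-vpc-002", "aws-vpc-004", "aws-ec2-001"]),
}

# Attack chain -> violated controls, copied from the Attack Chain Integration table.
CHAINS = {
    "AC-01 Internet-Exposed Admin Instance": ["IDM-03", "COM-01", "COM-02"],
    "AC-12 Admin Without MFA": ["IDM-04", "IDM-07"],
}

# Constructed sample check results (check id -> passed?), not real scan output.
SAMPLE_RESULTS = {
    "aws-iam-001": False, "aws-iam-002": True, "aws-iam-006": True,
    "aws-iam-015": True, "aws-iam-012": True, "aws-vpc-001": True,
    "aws-vpc-002": True, "aws-vpc-004": True, "aws-vpc-005": True,
    "aws-vpc-006": True, "aws-ec2-001": True,
}


def control_status(control_id, results):
    """Roll check results up to one control status (assumed rules)."""
    ctype, checks = CONTROLS[control_id]
    if ctype == "Manual":
        return "NOT_ASSESSED"  # only an auditor's document review can close it
    if any(not results.get(c, False) for c in checks):
        return "FAIL"  # a failing or missing check fails the whole control
    # Passing checks prove only the automated aspects of a Partial control.
    return "PARTIAL" if ctype == "Partial" else "PASS"


def readiness_score(results):
    """Percent of assessable (non-manual) controls that fully PASS."""
    statuses = [control_status(c, results) for c in CONTROLS]
    assessable = [s for s in statuses if s != "NOT_ASSESSED"]
    return round(100 * assessable.count("PASS") / len(assessable), 1) if assessable else 0.0


def controls_violated(detected_chains):
    """Sorted union of BSI C5 controls violated by the detected chains."""
    return sorted({c for chain in detected_chains for c in CHAINS[chain]})
```

With the constructed results, the single failing MFA check (`aws-iam-001`) fails both IDM-04 and IDM-07, so the AC-12 chain's violated controls coincide with the failing ones, and the score counts IDM-06 as assessable but not passing.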