Glossary term
BSI C5
Also: Cloud Computing Compliance Criteria Catalogue, C5 attestation
Cloud audit catalogue of the German BSI that defines a minimum security baseline and transparency duties for cloud providers. Evidenced via an ISAE 3000 C5 attestation. De facto standard for cloud procurement in the German market.
C5 is not a certificate but an attestation under ISAE 3000. It confirms that a cloud provider meets the C5 criteria at a point in time (Type 1) or over a period (Type 2). Current version: C5:2020.
C5 aligns with ISO 27001/27017/27018 and adds cloud-specific requirements: tenant separation, transparency on data locations, employee background checks, sub-processor management and auditability. In regulated procurement (banks under BAIT, insurers under VAIT), a C5 Type 2 attestation is often required as the minimum evidence.
Microsoft Azure, AWS, Google Cloud and SAP hold C5 attestations. Smaller SaaS providers without a C5 attestation are often not viable in banking and insurance procurement.
Related terms
ISO 27001
International standard for information security management systems. Current version ISO/IEC 27001:20…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
SOC 2 Type 2
Audit report by a US public accountant under AICPA SSAE 18 standard, confirming the operating effect…
BAIT
BaFin circular that concretises IT requirements for credit institutions. Specifies MaRisk AT 7.2 for…
BCM
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
