Cloud Computing Compliance Criteria Catalogue (C5:2020)
The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services. It leverages internationally recognized security standards like ISO/IEC 27001 to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers.
Google previously received an attestation for the BSI’s Cloud Computing Compliance Controls Catalog (“C5”). The BSI revised the guidance as C5:2020 in 2020. C5:2020 expands the scope of C5 and addresses new requirements, including a section on product safety and security.
C5:2020 is based on established standards, including ISO/IEC 27001, Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), AICPA Trust Services Principles and Criteria, BSI IT-Grundschutz Catalogue, and others. However, C5:2020 adds transparency controls that provide information on data location, provision of services, place of jurisdiction, existing certifications, and information disclosure obligations towards government agencies. This emphasis on transparency helps potential cloud customers decide whether the cloud services meet their needs for compliance with legal requirements like data protection, with company policies, or for addressing the threat of industrial espionage.
NSPECT.IO uses Google, which has achieved an attestation against the C5:2020 requirements, for marketplace and other operations. Current and potential customers can use the C5:2020 attestation as verification of compliance and as part of their assessment for using Google Cloud services.