
BSI C5 Audit Preparation: A Step-by-Step Guide for Cloud Teams 2026
BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the German federal standard for cloud security. Originally designed for cloud service providers, it is increasingly required in enterprise procurement and referenced by NIS2 implementation guidelines in Germany. This guide explains what C5 audits check and how to prepare efficiently.

What is BSI C5?

Published by Germany's Federal Office for Information Security (BSI), C5 defines 17 control domains covering the security requirements for cloud services. Two attestation levels exist:

- Type 1: Point-in-time assessment — confirms controls are designed appropriately
- Type 2: Period-based assessment (typically 6-12 months) — confirms controls operate effectively over time

Type 2 is required for most public sector contracts and is increasingly expected by German enterprise buyers.

The 17 C5 control domains

C5 2020 covers:

- Organization of Information Security (OIS)
- Security Policies (SP)
- Human Resources (HR)
- Asset Management (AM)
- Physica


