C5 is a catalogue that defines controls for cloud computing compliance. It is divided into 17 sections, each with an objective for the cloud provider to fulfill through organizational and technical measures. Requirements are assigned to each objective and specify principles and procedures for meeting the objective. Basic requirements are essential for an audit, while additional optional requirements focus on confidentiality, availability, or both. Surrounding parameters precede the requirements and provide transparency on the general conditions of the cloud service.
Cloud Computing Compliance Controls Catalogue (C5) | Structure and contents of C5
2 Structure and contents of C5
2.1 Structure of C5

Cloud services in terms of C5 are IT services which are made available to the customer by a service company (cloud provider, provider or service provider) over a network. Cloud services are offered, used and billed elastically and adapted to the requirements by defined technical interfaces and protocols. The range of the services offered within the cloud computing framework covers the entire spectrum of information technology and, among other things, includes infrastructure (e. g. computing power, storage), platforms and software.

C5 itself is subdivided into 17 sections (see section 2.2).

An objective is assigned to each section (see section 2.2). The objective provides the cloud provider with a summarised target which they have to fulfill in the related section through corresponding organisational and operational measures and (procedural) organisation.

Individual requirements are assigned to each objective (see section 5). The requirements specify general principles, procedures and measures for fulfilling the objective. In this respect, a distinction is made between basic requirements and additional, optional requirements. The basic requirements are essential, and the cloud provider has to comply with them at a minimum as part of an audit according to this catalogue.

In addition to some basic requirements, additional, optional requirements are defined. They are classified as to whether especially confidentiality (C), availability (A) or both properties at the same time (C/A) are addressed with respect to the data processed in the cloud service. It turned out that there are no effective higher-level requirements for integrity (I) in addition to the basic requirements, which is why this category is missing here. The additional requirements are a starting point for requirements which the cloud customers could specify based on their individual use case.

The cloud provider is responsible for the design, description, implementation and effective operation of organisational and operational measures (controls) with which the requirements are implemented at the cloud provider. The entirety of the required measures is part of their internal control system concerning the cloud services. The design of this internal control system depends on the type of cloud service provided, the requirements of the cloud customers and the company goals of the cloud provider, as well as on the associated specific risks.

A speciality in C5 is the so-called surrounding parameters for transparency, which precede the requirements. Surrounding parameters for transparency address the transparency with respect to the general conditions according to which the cloud service is provided (e. g. the place of jurisdiction). By means of the information resulting from auditing these surrounding parameters for transparency, the customer can decide on the general suitability of the cloud service according to their internal targets.