This document outlines the structure and contents of the Cloud Computing Compliance Controls Catalogue (C5). It discusses how C5 is structured into different control areas and is based on national and international standards. It also describes how conformity with C5 requirements can be proven through an independent audit. The audit would be conducted according to auditing standards and cover the system description and controls in place. The auditor would report on the objective of ensuring requirements are met and note any exceptions.
Cloud Computing Compliance Controls Catalogue (C5) | Table of Content
1.2 Uniform requirements based on exist
2 Structure and contents of C5
2.1 Structure of C5
2.2 Content-related presentation of the controls areas
2.3 Underlying national and international standards
3 Proving conformity with the requirements by an independent audit
3.1 Introduction
3.2 Auditing standards and criteria
3.2.1 ISAE 3000 (Revised) as auditing standard
3.2.2 Correspondingly applying further auditing standards
3.2.3 Criteria
3.3 Subject of the audit including system description
3.3.1 Subject of the audit
3.3.2 System description of the cloud provider
3.3.3 Use of evidence from other audits
3.4 Audit objective and reporting
3.4.1 Audit objective
3.4.2 Reporting of the auditor
3.5 Separate and supplementary requirements of the BSI
3.5.1 Qualification of the auditor
3.5.2 Reporting on existing and/or identified exceptions to the requirements
3.5.3 Information on the limitation of liability
3.5.4 Updates of C5
3.6 Application notes for potential cloud customers: Regular