Gold standard in the cloud industry: Open Telekom Cloud certified according to BSI C5:2020, and SOC 1, SOC 2, SOC 3

In this article you will read, 

• what the BSI C5:2020 from the German Federal Office for Information Security (BSI) certifies,
• why it is considered the gold standard in the cloud industry
• and what requirements the US test protocols SOC 1, SOC 2 and SOC 3 presuppose.

It is the most important certification in the area of public cloud computing: The C5:2020 catalogue of requirements from the Federal Office for Information Security (BSI) certifies that cloud providers offer the maximum level of security. The Open Telekom Cloud fulfills all the requirements of this catalogue since 2018 with the BSI C5 Type 2 certificate.

The requirements of BSI C5:2020 include the so-called environmental parameters: "They provide information on the data location, provision of services, place of jurisdiction, certifications and duties of investigation and disclosure towards government agencies and contain a system description," the BSI writes on its website. "The resulting transparency makes it possible for potential cloud customers to decide whether legal regulations (such as data protection), the customers’ own guidelines or also the threat scenario regarding industrial espionage make the use of the respective cloud service appear appropriate.”

BSI C5:2020 is considered the gold standard in the cloud industry. Many companies that want to use public cloud offerings require C5 certification (actually the C5 test certificate) as a condition when choosing their provider. To obtain the certificate, the Open Telekom Cloud had to provide evidence in 17 thematic areas ranging from the organization of information security to physical security.

While the BSI C5 Type 1 certificate is quite easy to obtain with self-declarations from the cloud provider, the BSI C5 Type 2 audit involves an external auditor spending weeks examining the technology and management of the cloud platform. The type 2 certificate is therefore of a much higher quality than type 1.  

In addition, with the certificate for BSI C5:2020, the Open Telekom Cloud has also fulfilled the requirements of the US test protocol SOC 2. SOC stands for Service Organization Control. The certificate complies with the requirements of the American Institute of Certified Public Accountants (AICPA). It assesses service providers with regard to security, availability, processes, integrity, confidentiality and data protection.

The Open Telekom Cloud currently meets the SOC 1, SOC 2 and SOC 3 requirements catalog according to Type II. The auditors have thus checked the platform's design using guidelines and process descriptions. 

"Cloud providers that have been tested accordingly cannot rest on their laurels: Providers are only considered compliant with both the BSI C5:2020 requirements catalogue and SOC 2 if they renew the corresponding proof at least every 12 months," says Daniel Fussy, IT security & privacy consultant at T-Systems. "We are proud to have successfully passed these audits time and time again since 2018."

The Open Telekom Cloud is comprehensively certified beyond BSI C5:2020 and the SOC family, for example with a wide range of ISO certificates. An overview of the certificates can be found here.