Frequently Asked Questions

Here you’ll find answers to frequently asked questions about the platform, its features, and the registration process, to help you resolve any issues quickly.

To obtain a BSI C5 certification, you need to align your internal controls and security measures with the requirements of the BSI C5 standard. This includes undergoing an audit by an independent auditor who evaluates the design and effectiveness of your security controls. The process involves documenting the controls, performing internal testing, and finally completing the external audit.
A BSI C5 report provides assurance to your customers that your cloud services meet the highest security standards. Especially in regulated industries like finance or healthcare, customers often require this report to ensure their data is processed in a secure environment.
No, a BSI C5 report must be issued by an independent and qualified auditor. However, your company can prepare for the audit by documenting its controls, identifying weaknesses, and addressing them before the assessment.
Yes, in many cases it is. Customers want to ensure that their data is handled securely and in compliance with recognized standards. The BSI C5 report serves as trusted proof that your security controls have been reviewed and verified.
A BSI C5 report strengthens trust among your customers and partners. It positions your company as a reliable cloud service provider in a competitive market. Additionally, it helps meet regulatory requirements and reduces risk exposure.
Yes, general IT controls such as access control, change management, and physical security measures are a core part of the BSI C5 catalogue and are assessed during the audit.
The sample size depends on the complexity and scope of the controls being audited. Auditors often use risk-based approaches to determine the number of samples needed for a reliable assessment.
A subservice provider is a third party that delivers certain services on behalf of the main provider. A carve-out refers to areas excluded from the scope of the audit, such as services fully delivered by subservice providers.
Yes, “BSI C5 certification” is commonly used, although the BSI C5 report is primarily an audit report. It’s not a certification in the legal sense but a formal assessment of security controls based on the BSI C5 criteria.
Corporate governance refers to the principles and processes a company uses to ensure it operates transparently, responsibly, and in line with stakeholder interests. In the context of BSI C5, this includes compliance with security standards and fostering trust with clients and partners.