BSI C5 Cloud Certification

Resilience, SECURITY, Sovereignty Series 20th Feb 2026 Martin-Peter Lambert

A Guide for Public Authorities


What is BSI C5?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the German Federal Office for Information Security's (BSI) catalogue of minimum security requirements for cloud services. Despite the word "certification" in everyday use, C5 does not end in a BSI certificate: an independent auditor examines the cloud service against the catalogue and issues an attestation report under the ISAE 3000 assurance standard. For the German public sector, a current C5 attestation of the provider is frequently a procurement requirement.

Is cloud migration for the public sector possible without BSI C5? It is risky. Tenders for cloud migration usually demand it, and the procurement process verifies the provider's C5 attestation report, including whether the services and regions on offer are actually within its scope.

The Structure of BSI C5

BSI C5 (current version C5:2020) comprises 17 requirement domains, from the organization of information security to product safety and security. Each domain contains specific criteria, split into basic criteria that every attestation must cover and additional criteria that go beyond the basic level. Every criterion in scope must be demonstrated with evidence.

The 17 Domains at a Glance:

  1. Organization of Information Security (OIS)
  2. Security Policies and Instructions (SP)
  3. Personnel (HR)
  4. Asset Management (AM)
  5. Physical Security (PS)
  6. Operations (OPS)
  7. Identity and Access Management (IDM)
  8. Cryptography and Key Management (CRY)
  9. Communication Security (COS)
  10. Portability and Interoperability (PI)
  11. Procurement, Development and Modification of Information Systems (DEV)
  12. Control and Monitoring of Service Providers and Suppliers (SSO)
  13. Security Incident Management (SIM)
  14. Business Continuity Management (BCM)
  15. Compliance (COM)
  16. Dealing with Investigation Requests from Government Agencies (INQ)
  17. Product Safety and Security (PSS)

Type 1 vs. Type 2 Attestation

BSI C5 has two attestation types, and the difference is important. In both cases the auditor reports under ISAE 3000; what differs is the question the report answers.

Type 1 Attestation

This assesses the appropriateness of the controls at a specific point in time.
– Are the controls designed?
– Are they implemented?

Type 2 Attestation

This assesses the effectiveness of the controls over a period of at least six months.
– Do the controls work?
– Are they being followed?

For public authorities, a Type 2 attestation is usually required. It provides more assurance, because it shows that the controls actually operated throughout the reporting period, not only that they existed on the reporting date. When reviewing a provider's report, check that the services and regions you intend to use are in its scope, and read any deviations the auditor reported, not only the opinion.
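As an added example (not code from the original post), the following script shows what "effectiveness over a period" means in practice for one control, "every privileged sign-in must pass MFA". It samples constructed sign-in records month by month across the review period and reports two kinds of Type 2 failure: an exception (a privileged sign-in without MFA) and a month with no evidence at all, which an auditor cannot count as effective either. The user names, the review period and the three-column record format are assumptions, not any provider's log schema.

```python
"""Operating-effectiveness check for one control over a review period.

Added example, not code from the original post. It models the Type 2
question "did the control work throughout the period?" for one control:
every sign-in by a member of the privileged-admin population must have
passed MFA. The sign-in records and the population are constructed sample
data, and the date,user,mfa line format is an assumption, not any
provider's real log schema.
"""
from datetime import date

# Constructed: the population the control applies to during the period
PRIVILEGED_USERS = {"admin.a@authority.example", "admin.b@authority.example"}

# Constructed sample sign-in records: date,user,mfa_passed
# (deliberately, no privileged sign-in was recorded in October at all)
SIGN_IN_LOG = """\
2025-07-03,admin.a@authority.example,true
2025-07-21,user.c@authority.example,false
2025-08-12,admin.b@authority.example,true
2025-09-02,admin.a@authority.example,false
2025-11-07,admin.a@authority.example,true
2025-12-19,admin.b@authority.example,true
"""

REVIEW_START = date(2025, 7, 1)
REVIEW_END = date(2025, 12, 31)


def months_between(start, end):
    """Return the (year, month) pairs covering start..end inclusive."""
    months = []
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        months.append((year, month))
        month += 1
        if month == 13:
            year, month = year + 1, 1
    return months


def parse_sign_ins(text):
    """Parse the constructed CSV-style records into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, user, mfa = line.split(",")
        records.append({"date": date.fromisoformat(day), "user": user, "mfa": mfa == "true"})
    return records


def evaluate_control(records, privileged, start, end):
    """Judge operating effectiveness of 'privileged sign-ins require MFA'.

    A Type 1 view only asks whether the policy is configured. This check
    asks what the logs show: any privileged sign-in without MFA is an
    exception, and a month with no privileged sign-in at all is a month
    without evidence, which cannot be counted as effective either.
    """
    per_month = {ym: {"privileged_sign_ins": 0, "exceptions": []} for ym in months_between(start, end)}
    for rec in records:
        if rec["user"] not in privileged or not (start <= rec["date"] <= end):
            continue  # outside the control's population or the period: not sampled
        ym = (rec["date"].year, rec["date"].month)
        per_month[ym]["privileged_sign_ins"] += 1
        if not rec["mfa"]:
            per_month[ym]["exceptions"].append(f"{rec['date'].isoformat()} {rec['user']} signed in without MFA")
    exceptions = [e for s in per_month.values() for e in s["exceptions"]]
    no_evidence = [ym for ym, s in per_month.items() if s["privileged_sign_ins"] == 0]
    return {
        "period": (start.isoformat(), end.isoformat()),
        "exceptions": exceptions,
        "months_without_evidence": no_evidence,
        "operating_effectively": not exceptions and not no_evidence,
    }


if __name__ == "__main__":
    result = evaluate_control(parse_sign_ins(SIGN_IN_LOG), PRIVILEGED_USERS, REVIEW_START, REVIEW_END)
    for line in result["exceptions"]:
        print("EXCEPTION:", line)
    for year, month in result["months_without_evidence"]:
        print(f"NO EVIDENCE: {year}-{month:02d}")
    print("operating effectively:", result["operating_effectively"])
```

Running it reports one exception in September and a missing-evidence month in October, so the control is judged not to be operating effectively even though its design (MFA required) would pass a Type 1 review. The same pattern applies to other controls: define the population, the period and the evidence expected per sampling interval, and treat "no evidence" as a finding rather than as silence.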

Quick Checklist: BSI C5 Readiness

Domain       | Checkpoint                   | Status
Organization | ISMS Established             |
Policies     | Security Policies Documented |
Personnel    | Awareness Training Conducted |
Assets       | Inventory Complete           |
Access       | IAM Implemented              |
Cryptography | Encryption Active            |
Logging      | Logging Enabled              |
Incident     | Incident Process Defined     |

To-Do List for BSI C5 Certification

  1. Month 1: Conduct a gap analysis.
  2. Month 2: Create an action plan.
  3. Months 3-6: Implement controls.
  4. Month 7: Perform an internal audit.
  5. Month 8: Conduct an external pre-audit.
  6. Months 9-10: Undergo the Type 1 audit.
  7. Months 11-16: Operational phase.
  8. Month 17: Undergo the Type 2 audit.

The Path to Attestation

Becoming BSI C5 compliant is a project. It requires planning, resources, and expertise.

Step 1: Gap Analysis

Where do you stand today? Which controls are missing? IT baseline protection consulting helps with the assessment. The gap analysis shows the way forward.

Step 2: Action Planning

  • What measures are necessary?
  • In what order, and with what budget?
  • When is each measure due? The action plan records the answers and the responsible owner for each item.

Step 3: Implementation

  • Controls are introduced
  • Processes are established
  • Documentation is created
  • The BSI-compliant cloud security concept is developed

Step 4: Audit

An auditor conducts the review. The controls are tested. Evidence is collected. The attestation is issued.

Cloud Providers and BSI C5

Major cloud providers such as Azure, GCP and AWS hold BSI C5 attestations for many of their services. That alone does not make you compliant. The attestation covers the provider's side of the shared responsibility model, and C5 reports also list complementary customer criteria that only you can fulfil, such as configuring identities, encryption, logging and network access correctly for your own workloads. Only when those controls are implemented and operated correctly can your cloud use be called C5-compliant. Obtain the provider's current report and confirm that the specific services and regions you use are in its scope.

Azure migration and GCP migration must consider BSI C5. An Azure Landing Zone and a GCP Landing Zone should incorporate BSI C5 controls. The Cloud Adoption Framework for Azure helps with this.

Insight42 BSI C5 Services

We guide public authorities to BSI C5 compliance, from gap analysis to the audit. We provide the BSI-compliant cloud security concept and its implementation from a single source, which keeps your project simple, compliant and reliable.

Our cloud consulting services for authorities with a BSI C5 focus, and our cloud managed services for continuous compliance, are delivered at critical-infrastructure (KRITIS) level and have withstood audits and security challenges.

Become BSI C5 compliant. Contact us.

Figure: The Path to BSI C5 Certification

Blog Post 2: Preparing for a BSI C5 Audit – Practical Tips for the Public Sector


The Audit is Approaching

You have decided on BSI C5. Implementation is underway. Now comes the audit. How do you prepare? What can you expect?

BSI C5 audits are thorough. Auditors want to see evidence: not only documents, but proof that the described practices are actually established and followed. This article prepares you for that.

Documentation is Everything

No attestation without documentation. Auditors can only audit what is documented. Every control needs evidence. Every process needs a description.

What must be documented:
Security policies and their approval, process descriptions with responsibilities, configuration standards and their implementation, employee training records, and logs as proof.

The Most Common Audit Findings

Preparation also means avoiding mistakes. These findings are common:

Incomplete Documentation

Controls exist but are not documented, or the documentation is outdated. Solution: keep documentation current by generating it from the systems themselves (inventories, configuration exports, log extracts) instead of maintaining it by hand; we automate this with IT, BI and AI tooling so that reality and documentation stay in sync.

Missing Evidence

Processes are followed, but no record is produced.
Solution: enable logging and recording for the process, and retain the records for the whole reporting period so the auditor can sample them.

Inconsistent Implementation

Policies exist but are not followed.
Solution: Conduct regular internal audits.

Unclear Responsibilities

No one feels responsible. Solution: Create a RACI matrix.

Quick Checklist: Audit Preparation

Document          | Content                   | Current?
ISMS Manual       | Overall Security Overview |
Security Policies | All Policies              |
Risk Analysis     | Current Assessment        |
Asset Register    | Complete Inventory        |
Access Matrix     | Permissions Documented    |
Incident Log      | Incidents Logged          |
Training Records  | All Employees             |
Audit Trail       | Changes Traceable         |

To-Do List for Audit Readiness

  • 8 weeks prior: Fully review documentation.
  • 6 weeks prior: Conduct an internal pre-audit.
  • 4 weeks prior: Remediate findings.
  • 2 weeks prior: Compile evidence.
  • 1 week prior: Brief interview partners.
  • Audit Day: Stay calm, cooperate.
  • After Audit: Remediate findings promptly.

The BSI-Compliant Cloud Security Concept

The security concept is the centerpiece. It comprehensively describes your cloud security. Auditors will read it carefully.

Contents of the Security Concept:

Scope and demarcation of cloud use, risk analysis and assessment, technical and organizational measures, responsibilities and processes, and emergency and business continuity management.

IT baseline protection consulting helps with its creation. ISO 27001 based on IT-Grundschutz provides the structure. The result: an audit-proof document.

Mastering Interviews

Auditors conduct interviews. They want to understand how controls are put into practice.
Preparation is of the utmost importance!

Continuous Compliance

BSI C5 is not a one-time project; it is a continuous process. The day after one audit is the first day of preparation for the next: a Type 2 report covers a period, so the evidence has to keep accumulating.

Cloud managed services for authorities help with this through continuous monitoring, regular reviews, and automated compliance checks.

Azure managed services and GCP operations provide support with dashboards showing compliance status and alerts for deviations.

Insight42 Audit Support

We guide you through the audit: preparation, execution, and follow-up, with experienced consultants by your side.

We create the BSI-compliant cloud security concept together. IT baseline protection consulting is our core business. BSI C5 compliance is our goal.

Pass your audit. Talk to us.

Figure: BSI C5 Audit Preparation Overview


Insight42 – Cloud Migration & Security Consulting

www.insight42.de

IT Baseline Protection – ISO 27001 (Based on IT Baseline Protection)

Resilience, SECURITY 15th Feb 2026 Martin-Peter Lambert

ISO 27001 Based on IT Baseline Protection – The Royal Road for Public Authorities


Why IT Baseline Protection is the Standard for Public Authorities

The BSI’s IT Baseline Protection is more than a recommendation; it is the de facto standard for information security in German public administration. It offers concrete measures, field-tested building blocks, and a clear methodology, which makes it incredibly valuable.

An ISO 27001 certification is internationally recognized and demonstrates a functioning Information Security Management System (ISMS). Combining the two is ideal: the concrete requirements of IT Baseline Protection fulfill the abstract requirements of ISO 27001. The combined form is the "ISO 27001 certificate on the basis of IT-Grundschutz", which the BSI itself issues after an audit by a BSI-certified auditor.

The Synergy of IT Baseline Protection and ISO 27001

ISO 27001 requires an ISMS but does not specify how to implement it. IT Baseline Protection provides exactly that: a detailed guide. Those who implement IT Baseline Protection have already done most of the work for an ISO 27001 certification.

The advantages of this combination:

  • Concrete and Field-Tested: IT Baseline Protection offers ready-made building blocks.
  • BSI-Recognized: The methodology is well-established within the German public sector.
  • Efficient: It avoids duplication of effort.
  • Internationally Recognized: The ISO 27001 certification builds trust.

The Path to Certification

Step 1: Structural Analysis

Which information, processes, and IT systems need protection? The structural analysis defines the scope of the ISMS.

Step 2: Protection Needs Assessment

How critical is the data? Normal, high, or very high? The protection needs assessment evaluates the requirements for confidentiality, integrity, and availability.

Step 3: Modeling According to IT Baseline Protection

The identified systems are mapped to the building blocks of the IT-Grundschutz Compendium. The result is a list of relevant requirements.

Step 4: Basic Security Check

This is the gap analysis (the IT-Grundschutz-Check). Which requirements are already implemented? Where are the gaps? The basic security check identifies the need for action. For assets with high or very high protection needs, a risk analysis according to BSI Standard 200-3 follows before implementation, because the baseline building blocks alone are calibrated for normal protection needs.

Step 5: Implementation and Audit

The gaps are closed. The ISMS is put into practice. A BSI-certified auditor verifies conformity and writes the audit report; on that basis the BSI issues the ISO 27001 certificate on the basis of IT-Grundschutz.

Quick Checklist: ISO 27001 Based on IT Baseline Protection

Phase             | Task                                        | Status
1. Preparation    | Define Scope                                |
2. Analysis       | Conduct Structural Analysis                 |
3. Assessment     | Determine Protection Needs                  |
4. Modeling       | Map IT Baseline Protection Building Blocks  |
5. Gap Analysis   | Perform Basic Security Check                |
6. Implementation | Execute Action Plan                         |
7. Audit          | Certification Audit                         |

To-Do List for Project Managers

  1. Immediately: Secure management commitment.
  2. Week 1: Appoint an ISMS team.
  3. Week 2: Commission IT Baseline Protection consulting.
  4. Month 1: Start the structural analysis.
  5. Month 2: Complete the protection needs assessment.
  6. Quarter 2: Conduct the basic security check.
  7. Quarters 3-4: Implement measures.
  8. Next Year: Plan the certification audit.

IT Baseline Protection in the Cloud

The principles of IT Baseline Protection also apply in the cloud, but the implementation differs. Responsibility is shared. Cloud providers (Azure, GCP) deliver a secure foundation, while the authority is responsible for secure configuration and use (Shared Responsibility Model).

An ISO 27001 certification based on IT Baseline Protection for cloud workloads is possible. It requires a clear understanding of responsibilities. BSI C5 Cloud requirements are also integrated here. The BSI-compliant cloud security concept documents the implementation.

Insight42: Your Partner for IT Baseline Protection

We are experts in ISO 27001 based on IT Baseline Protection. We understand the requirements of the public sector. Our IT Baseline Protection consulting is field-tested and efficient.

We guide you from the initial analysis to successful certification and beyond, with managed services for continuous security and compliance.

Start on the secure path. Contact us.

Figure: The Synergy of IT Baseline Protection and ISO 27001

Blog Post 2: IT Baseline Protection in the Cloud – Practical Implementation in Azure and GCP


IT Baseline Protection Meets the Cloud

IT Baseline Protection is not limited to on-premises environments. Its principles are universal, but implementation in the cloud requires a new way of thinking. The Shared Responsibility Model is key. Who is responsible for what? This question must be answered clearly.

For the public sector, cloud migration means reinterpreting IT Baseline Protection. The building blocks do not change, but the way the requirements are met does. Automation and cloud-native tools play a central role.

The Shared Responsibility Model in Detail

  • Cloud Provider (e.g., Azure, GCP): Responsible for the security of the cloud. This includes the physical security of data centers, the security of the virtualization layer, and the basic infrastructure.
  • Customer (Authority): Responsible for security in the cloud. This includes service configuration, identity and access management, data protection and, for IaaS, operating system patching. The line moves with the service model: with PaaS and SaaS the provider takes over more of the stack, but configuration, identities and data remain the authority's responsibility in every model.

IT Baseline Protection consulting helps to define this demarcation clearly. The BSI-compliant cloud security concept documents it.

Implementing Baseline Protection Building Blocks in the Cloud

OPS.1.1.5: Logging

  • Azure: Azure Monitor, Log Analytics, Microsoft Sentinel
  • GCP: Cloud Logging, Cloud Monitoring, Chronicle SIEM
  • Implementation: Enable logging for all services. Define retention periods. Automate analysis.

CON.1: Cryptography

  • Azure: Azure Key Vault, Always Encrypted, Transparent Data Encryption
  • GCP: Cloud Key Management Service, Confidential Computing
  • Implementation: Enforce data-in-transit and data-at-rest encryption. Centralize key management.

ORP.4: Identity and Access Management

  • Azure: Entra ID, Conditional Access, Privileged Identity Management (PIM)
  • GCP: Cloud Identity, Identity-Aware Proxy (IAP), IAM Conditions
  • Implementation: Apply Zero Trust principles. Enforce MFA. Implement least privilege.

NET.1.1: Network Architecture

  • Azure: Virtual Network, Network Security Groups, Azure Firewall
  • GCP: Virtual Private Cloud (VPC), Firewall Rules, Cloud Armor
  • Implementation: Use hub-and-spoke or VPC peering. Enforce network segmentation. Activate DDoS protection.

Quick Checklist: IT Baseline Protection in the Cloud

Baseline Protection Building Block | Cloud Tool (Azure Example)       | Implemented?
ORP.4 (IAM)                        | Entra ID, PIM                    |
CON.1 (Crypto)                     | Key Vault, TDE                   |
OPS.1.1.5 (Logging)                | Log Analytics, Sentinel          |
NET.1.1 (Network)                  | VNet, NSGs, Firewall             |
SYS.1.1 (Server)                   | Azure Policy, Defender for Cloud |
CON.8 (Software Development)       | Azure DevOps Security            |

To-Do List for Cloud Baseline Protection

  • Week 1: Understand and document the Shared Responsibility Model.
  • Week 2: Conduct a cloud-specific risk analysis.
  • Month 1: Create a mapping of Baseline Protection building blocks to cloud services.
  • Month 2: Build a landing zone with Baseline Protection configurations (Policy-as-Code).
  • Month 3: Centralize logging and monitoring.
  • Ongoing: Monitor compliance status with cloud tools (e.g., Defender for Cloud).
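As an added example (not Insight42's code or a vendor tool), here is a small policy-as-code evaluator that turns the building-block mapping above into machine-checkable rules and fills the "Implemented?" column from evidence rather than by hand. The inventory is a constructed, simplified export; its field names are assumptions rather than the Azure Resource Graph schema, and MIN_LOG_RETENTION_DAYS and PRIVILEGED_ROLES stand in for the authority's own parameters. Each finding names the Baseline Protection module it undermines and the C5:2020 domain the same evidence serves, which is the traceability the security concept needs.

```python
"""Policy-as-code check of a cloud inventory against Baseline Protection modules.

Added example, not Insight42's code or a vendor tool. The inventory is a
constructed, simplified export (field names are assumptions, not the Azure
Resource Graph schema). The rules encode the four modules discussed above
and name the C5:2020 domain the same evidence serves. MIN_LOG_RETENTION_DAYS
and PRIVILEGED_ROLES are assumed organizational parameters.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MIN_LOG_RETENTION_DAYS = 90                  # assumption: the authority's own retention requirement
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}  # assumption: roles that must be JIT-only
ADMIN_PORTS = {"22", "3389"}                 # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # source values meaning "from anywhere"


@dataclass
class Rule:
    building_block: str                      # IT-Grundschutz module the rule gives evidence for
    c5_domain: str                           # C5:2020 domain abbreviation served by the same evidence
    resource_type: str
    check: Callable[[dict], Optional[str]]   # returns a finding text, or None when compliant


def check_https_only(res):
    return None if res.get("https_only") else "accepts unencrypted HTTP traffic"


def check_purge_protection(res):
    if res.get("soft_delete") and res.get("purge_protection"):
        return None
    return "keys can be permanently deleted (soft delete and purge protection both required)"


def check_privileged_assignment(res):
    if res["role"] in PRIVILEGED_ROLES and res["assignment"] != "eligible":
        return f"{res['principal']} holds {res['role']} permanently instead of via just-in-time elevation"
    return None


def check_log_retention(res):
    if res["retention_days"] < MIN_LOG_RETENTION_DAYS:
        return f"log retention {res['retention_days']} days is below the required {MIN_LOG_RETENTION_DAYS}"
    return None


def check_admin_ports_from_internet(res):
    if res["direction"] == "Inbound" and res["access"] == "Allow" and res["source"] in ANY_SOURCE:
        exposed = ADMIN_PORTS & set(res["dest_ports"])
        if exposed:
            return f"exposes admin port(s) {sorted(exposed)} to any source"
    return None


RULES = [
    Rule("CON.1", "CRY", "storageAccount", check_https_only),
    Rule("CON.1", "CRY", "keyVault", check_purge_protection),
    Rule("ORP.4", "IDM", "roleAssignment", check_privileged_assignment),
    Rule("OPS.1.1.5", "OPS", "diagnosticSetting", check_log_retention),
    Rule("NET.1.1", "COS", "nsgRule", check_admin_ports_from_internet),
]

# Constructed sample inventory (not a real tenant)
INVENTORY = [
    {"id": "stlogs01", "type": "storageAccount", "https_only": True},
    {"id": "stlegacy02", "type": "storageAccount", "https_only": False},
    {"id": "kv-core", "type": "keyVault", "soft_delete": True, "purge_protection": True},
    {"id": "sub-core/Owner/jdoe", "type": "roleAssignment", "role": "Owner",
     "assignment": "permanent", "principal": "jdoe@authority.example"},
    {"id": "sub-core/Owner/admin.a", "type": "roleAssignment", "role": "Owner",
     "assignment": "eligible", "principal": "admin.a@authority.example"},
    {"id": "diag-core", "type": "diagnosticSetting", "retention_days": 365},
    {"id": "nsg-web/allow-ssh", "type": "nsgRule", "direction": "Inbound", "access": "Allow",
     "source": "*", "dest_ports": ["22"]},
    {"id": "nsg-web/allow-https", "type": "nsgRule", "direction": "Inbound", "access": "Allow",
     "source": "*", "dest_ports": ["443"]},
]


def evaluate(inventory, rules=RULES):
    """Apply every rule to every resource of its type; return the findings in inventory order."""
    findings = []
    for res in inventory:
        for rule in rules:
            if rule.resource_type != res["type"]:
                continue
            message = rule.check(res)
            if message:
                findings.append({"building_block": rule.building_block, "c5_domain": rule.c5_domain,
                                 "resource": res["id"], "finding": message})
    return findings


def status_by_building_block(findings, rules=RULES):
    """The 'Implemented?' column: a module is only green with zero findings."""
    status = {rule.building_block: True for rule in rules}
    for f in findings:
        status[f["building_block"]] = False
    return status


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"[{f['building_block']} / C5 {f['c5_domain']}] {f['resource']}: {f['finding']}")
    for block, ok in status_by_building_block(found).items():
        print(f"{block}: {'implemented' if ok else 'FINDINGS'}")
```

In a real landing zone the same rules would be expressed as Azure Policy definitions or Defender for Cloud assessments rather than re-implemented in a script; the point here is how the "Implemented?" answer is derived. A single permanent Owner assignment is enough to turn ORP.4 red, and an HTTPS-only storage account next to a legacy one still leaves CON.1 open, which is exactly how an auditor will read it.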

The Role of BSI C5

BSI C5 and IT Baseline Protection are complementary. BSI C5 is a requirements catalog specifically for cloud services. Many C5 requirements can be met directly with Baseline Protection measures. Anyone implementing IT Baseline Protection in the cloud is well on their way to BSI C5 compliance.

The BSI-compliant cloud security concept should integrate both frameworks. It demonstrates how the requirements of C5 and Baseline Protection are met through technical and organizational measures in the cloud.

Insight42: Your Partner for Cloud Security

We translate IT Baseline Protection for the cloud. We show you how to operate Azure and GCP securely and compliantly. Our IT Baseline Protection consulting is specialized for cloud scenarios.

We build secure landing zones that incorporate ISO 27001 and BSI C5 requirements from the start. With Cloud Managed Services, we ensure ongoing secure operations.

Make your cloud Baseline Protection-compliant. Talk to us.

Figure: Implementing IT Baseline Protection Principles in a Cloud Architecture
