“Adapts to our changing needs”
Kertos adapts to our changing needs so we can focus on growing our business.
<h1 class="heading-style-h1"><span class="text-color-secondary">C5 </span>Compliance with Zero Effort</h1>
C5 is the standard that proves your cloud is secure enough for regulated German and European workloads. With Kertos, you implement and monitor the C5 criteria efficiently and reach your attestation faster — with expert auditors and automation working side by side.

.webp)


.png)

.avif)
.webp)
<h2 class="heading-style-h2"><span class="text-color-secondary">C5 </span>for cloud and SaaS providers serving regulated markets</h2>
With Kertos, you map the 121 C5 criteria to controls you already run — and keep them audit-ready continuously.
C5 (Cloud Computing Compliance Criteria Catalogue) was published by Germany's Federal Office for Information Security (BSI) and defines the minimum requirements for secure cloud computing. For providers selling to the public sector, finance, and healthcare, a C5 attestation is increasingly the precondition for doing business in Germany.
Meet the security baseline German enterprises and regulators expect from cloud providers
Cover both technical and organizational requirements across 17 areas
Win regulated workloads — including health data — that require a C5 Type 2 attestation

The Kertos platform streamlines the road to your C5 attestation through automation. Identify relevant assets, run your risk management, and collect evidence continuously — while certified experts guide you from preparation through to the auditor's report.
Automated asset inventory and data discovery across your cloud environment
Structured risk management aligned to the C5 requirement areas
Continuous evidence collection that keeps you ready for Type 2 testing
.webp)













.avif)
.avif)

.avif)













Compliance that convinces: Whether B2C, B2B, startup, or scaleup, Kertos is the right solution for companies looking to grow quickly.
<h2 class="heading-style-h2">Ready to make your<span class="text-color-secondary"> cloud C5 attestation-ready</span>?</h2>

Find useful whitepapers, videos, and practical tools that help you efficiently achieve your compliance goals.
Information about the Kertos compliance platform
C5 (Cloud Computing Compliance Criteria Catalogue) is a security standard published by Germany's Federal Office for Information Security (BSI). It defines the minimum requirements for secure cloud computing and has become the reference point German enterprises and regulators use to evaluate cloud providers.
No. C5 results in an attestation, not a certificate. An independent auditor examines your controls against the C5 criteria and issues a report under the ISAE 3000 / IDW PS 860 standard — comparable in form to a SOC 2 report.
A Type 1 attestation confirms your controls are appropriately designed at a single point in time. A Type 2 attestation goes further and tests whether those controls operated effectively over a period of typically 6 to 12 months. Type 2 is what regulated customers usually expect.
C5:2020 comprises 121 criteria across 17 requirement areas — from information security management, HR and physical security to cryptography, identity and access management, incident and change management, business continuity, and supply chain security.
C5 overlaps substantially with both. Many providers maintain combined reports, and controls you already run for ISO 27001 or SOC 2 can be reused for C5 — which is exactly what the Kertos platform does for you.
Kertos maps the 121 C5 criteria to your existing controls, automates evidence collection and monitoring, and pairs you with certified experts who guide you from preparation through to the auditor's report.
Our team is happy to assist you with any questions regarding our platform, different frameworks, and your compliance.