BSI C5 Compliance on Azure: What German Enterprises Need to Know
A practical guide to BSI C5 compliance on Azure — covering the C5 criteria catalogue, Azure's attestation scope, customer responsibilities, and audit preparation for German enterprises.
For German enterprises — particularly in public sector, finance, and critical infrastructure — BSI C5 attestation is not optional. It is a prerequisite for cloud adoption, often mandated by procurement policies, sector-specific regulation, or the organisation's own compliance framework.
Azure has C5 attestation. But having a provider with C5 attestation does not make your workload C5-compliant. Understanding the shared responsibility model — what Microsoft covers and what you must implement yourself — is the difference between compliance and a false sense of security.
What BSI C5 Covers
The Cloud Computing Compliance Criteria Catalogue (C5) was published by the Bundesamt für Sicherheit in der Informationstechnik (BSI) in 2016 and updated in 2020. It defines:
- 17 domains covering organisation, personnel, asset management, cryptography, identity management, operations, and more
- 121 criteria (basic + extended) that cloud providers must demonstrate
- Shared responsibility model that distinguishes provider obligations from customer obligations
The 17 C5 Domains
- Organisation of information security
- Security policies
- Personnel
- Asset management
- Physical security
- Operations management
- Identity and access management
- Cryptography and key management
- Communication security
- Portability and interoperability
- Procurement and supply chain
- Compliance
- Handling of security incidents
- Business continuity
- Security assessment and verification
- Security in development
- Additional criteria (transparency, data location)
Azure's C5 Attestation Scope
What Is Covered
Microsoft's C5 Type 2 attestation covers:
- Azure infrastructure services (Compute, Storage, Networking)
- Azure platform services (App Service, Azure SQL, Cosmos DB, Key Vault)
- Azure data services (Azure Data Factory, Synapse, Databricks)
- Identity services (Entra ID, Azure AD B2C)
- Security services (Defender for Cloud, Sentinel, Key Vault)
- Management services (Azure Monitor, Azure Policy, Azure Resource Manager)
The attestation covers Azure regions in Germany (Frankfurt/Berlin) and broader EU regions.
What Is NOT Covered
- Your workload's configuration — A misconfigured Azure SQL database is your responsibility
- Your application code — Security of custom applications running on Azure
- Your identity policies — Conditional Access, MFA configuration, access reviews
- Your data classification — Determining what data can be stored where
- Your operational procedures — Incident response, backup testing, change management
Shared Responsibility Overview
Customer Responsibilities by C5 Domain
Domain 7: Identity and Access Management
Microsoft's responsibility: Platform-level identity infrastructure, physical access to data centres, internal access controls.
Your responsibility:
- Implementing MFA for all users (Conditional Access policies)
- Privileged access management (PIM, just-in-time access)
- Regular access reviews (quarterly for privileged roles)
- Service account governance
- Offboarding processes (timely deactivation of departed users)
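The access-review and offboarding items above are the ones auditors most often ask for evidence of, and they are straightforward to check mechanically. The script below is an added example (not from the article or from Microsoft): it assumes an export of privileged role assignments joined with sign-in activity, in the shape of the `Assignment` class, such as one built from Entra ID role assignments, PIM eligibility and the sign-in logs. The 90-day inactivity threshold and the 92-day review window are assumptions chosen to match the article's quarterly cadence; the sample export is constructed.

```python
"""Privileged access review over a constructed assignment export.

Added example, not from the article or from Microsoft. Assumes an export of
role assignments joined with sign-in activity (e.g. Entra ID role assignments,
PIM eligibility and sign-in logs) with the fields of Assignment below.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Owner"}
STALE_AFTER = timedelta(days=90)        # assumption: a privileged account unused this long is a finding
REVIEW_INTERVAL = timedelta(days=92)    # quarterly review window (article: quarterly for privileged roles)


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    account_enabled: bool
    last_sign_in: Optional[date]        # None: never signed in
    assignment_type: str                # "permanent" or "eligible" (PIM just-in-time)
    last_reviewed: Optional[date]       # None: never reviewed


def review_findings(assignments: List[Assignment], today: date) -> List[Tuple[str, str, str]]:
    """Return (principal, role, finding) for every privileged assignment needing action."""
    findings = []
    for a in assignments:
        if a.role not in PRIVILEGED_ROLES:
            continue  # non-privileged roles are reviewed on a slower cadence
        if not a.account_enabled:
            # Offboarded/disabled identity still holding a privileged role: remove the assignment.
            findings.append((a.principal, a.role, "disabled account still holds privileged role"))
            continue
        if a.last_sign_in is None or today - a.last_sign_in > STALE_AFTER:
            findings.append((a.principal, a.role, "no sign-in within 90 days"))
        if a.assignment_type == "permanent":
            findings.append((a.principal, a.role, "permanent assignment; convert to PIM-eligible"))
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.principal, a.role, "quarterly access review overdue"))
    return findings


def evidence_record(assignments: List[Assignment], today: date) -> dict:
    """Summary suitable for the audit evidence folder: counts plus the open findings."""
    findings = review_findings(assignments, today)
    privileged = [a for a in assignments if a.role in PRIVILEGED_ROLES]
    return {
        "review_date": today.isoformat(),
        "privileged_assignments": len(privileged),
        "open_findings": len(findings),
        "findings": findings,
    }


# Constructed sample export (not real accounts).
TODAY = date(2024, 6, 30)
SAMPLE = [
    Assignment("alice@example.com", "Global Administrator", True, date(2024, 6, 25), "eligible", date(2024, 5, 1)),
    Assignment("bob@example.com", "Owner", True, date(2024, 2, 1), "permanent", date(2024, 1, 15)),
    Assignment("svc-deploy@example.com", "Owner", True, None, "eligible", date(2024, 6, 1)),
    Assignment("carol@example.com", "Global Administrator", False, date(2024, 3, 10), "eligible", date(2024, 4, 1)),
    Assignment("dave@example.com", "Reader", True, date(2023, 1, 1), "permanent", None),
]

if __name__ == "__main__":
    for principal, role, finding in review_findings(SAMPLE, TODAY):
        print(f"{principal:28} {role:30} {finding}")
```

Run on the sample, the review flags bob's stale permanent Owner assignment, the never-used service principal and the disabled account that still holds Global Administrator; alice passes. The `evidence_record` dictionary, dated and stored per review, is the kind of artefact that satisfies the "regular access reviews" item.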
Domain 8: Cryptography and Key Management
Microsoft's responsibility: Encryption of data at rest (platform-managed keys), encryption in transit (TLS 1.2+), HSM infrastructure.
Your responsibility:
- Customer-managed keys for sensitive workloads (Azure Key Vault with HSM)
- Key rotation policies
- Certificate lifecycle management
- Determining which workloads require BYOK vs. platform-managed keys
Domain 13: Handling of Security Incidents
Microsoft's responsibility: Platform-level incident detection and response, notification of security incidents affecting your tenant within contractual SLAs.
Your responsibility:
- Application-level incident detection (Sentinel, Defender for Cloud)
- Incident response procedures and runbooks
- Regular IR testing and tabletop exercises
- Communication plans for customer notification
- Evidence preservation for forensics
Audit Preparation Checklist
When preparing for a C5-related audit (either your own assessment or responding to customer requirements):
Documentation Required
- Security concept — Architecture documentation showing how C5 criteria are addressed
- Risk assessment — Documented risk analysis for the cloud workload
- Access management policy — Who has access to what, how access is granted/revoked
- Encryption concept — What is encrypted, with which keys, managed by whom
- Incident response plan — Procedures, responsibilities, communication paths
- Business continuity plan — RTO/RPO targets, DR configuration, test results
- Compliance mapping — Document showing which C5 criteria are addressed by Azure vs. customer
Evidence Collection
For each customer-responsible criterion, prepare evidence:
Tools for Continuous Compliance
- Microsoft Defender for Cloud — Regulatory compliance dashboard with C5 mapping
- Azure Policy — Enforce C5-relevant configurations (encryption, network isolation, logging)
- Azure Monitor — Continuous evidence collection for operational criteria
- Compliance Manager — Assessment workflows and evidence management
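The Azure Policy item above, and the Domain 8 encryption responsibilities (customer-managed keys, TLS in transit), come together in practice as policy definitions whose compliance state is your evidence. The script below is an added example, not from the article or from Microsoft: the three `policyRule` bodies use the Azure Policy definition schema (`if`/`then`, field aliases) and are modelled on Microsoft's built-in storage account policies, but the evaluator is a small local approximation of the Azure Policy engine covering only the operators used here, and the resource snapshots are constructed. The C5 tags reuse the article's domain names; exact criterion numbers should be taken from your copy of the catalogue.

```python
"""Offline evaluation of Azure Policy rules to produce C5 configuration evidence.

Added example, not from the article or Microsoft. policyRule bodies follow the
Azure Policy schema and are modelled on built-in storage policies; the evaluator
is a local approximation (allOf/anyOf/not, equals/notEquals/exists only) and the
resource snapshots are constructed.
"""
import json

# C5 tags use the article's domain names; exact criterion numbers come from the C5:2020 catalogue.
POLICIES = [
    {"name": "storage-transport-encryption", "c5": "Cryptography (CRY): encryption in transit",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"anyOf": [
             {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": True},
             {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}]}]},
         "then": {"effect": "deny"}}},
    {"name": "storage-customer-managed-key", "c5": "Cryptography (CRY): key management / BYOK",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/encryption.keySource", "notEquals": "Microsoft.Keyvault"}]},
         "then": {"effect": "audit"}}},
    {"name": "storage-no-public-blob-access", "c5": "Communication security: network isolation",
     "policyRule": {"if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
         {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": False}]},
         "then": {"effect": "deny"}}},
]


def get_field(resource, field):
    """Resolve a policy field alias against an ARM-style resource document.
    Top-level fields (type, name, location, id) are read directly; an alias such as
    Microsoft.Storage/storageAccounts/encryption.keySource maps to properties.encryption.keySource."""
    if field in ("type", "name", "location", "id"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _same(a, b):
    # Azure Policy compares strings case-insensitively; other types compare as-is.
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def matches(cond, resource):
    """Evaluate the 'if' condition tree (allOf/anyOf/not and field operators)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return _same(value, cond["equals"])
    if "notEquals" in cond:
        return not _same(value, cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policies, resources):
    """One finding per (policy, resource) whose 'if' condition matches, i.e. is non-compliant."""
    findings = []
    for r in resources:
        for p in policies:
            if matches(p["policyRule"]["if"], r):
                findings.append({"resource": r["name"], "policy": p["name"],
                                 "effect": p["policyRule"]["then"]["effect"], "c5": p["c5"]})
    return findings


def summarize(findings):
    """Count findings per effect, e.g. {'deny': 2, 'audit': 2}."""
    counts = {}
    for f in findings:
        counts[f["effect"]] = counts.get(f["effect"], 0) + 1
    return counts


# Constructed snapshots in the shape of ARM resource JSON (properties subset only).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprod01", "location": "germanywestcentral",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                    "allowBlobPublicAccess": False, "encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy01", "location": "germanywestcentral",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
                    "allowBlobPublicAccess": True, "encryption": {"keySource": "Microsoft.Storage"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdata02", "location": "germanynorth",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
                    "allowBlobPublicAccess": False, "encryption": {"keySource": "Microsoft.Storage"}}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod", "location": "germanywestcentral",
     "properties": {"enablePurgeProtection": True}},
]

if __name__ == "__main__":
    found = evaluate(POLICIES, SAMPLE_RESOURCES)
    print(json.dumps({"summary": summarize(found), "findings": found}, indent=2))
```

Against the sample, `stprod01` is clean, `stlegacy01` trips all three rules and `stdata02` only the customer-managed-key audit; the Key Vault is ignored because the `type` check fails first. Each `policyRule` dictionary can be saved as JSON and assigned with `az policy definition create --rules`, after which the platform's own compliance state (Defender for Cloud's regulatory compliance view) becomes the evidence; the local evaluator is for testing rule logic before assignment. Verify field aliases against `az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases"` rather than trusting the names here.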
C5 and Other Frameworks
C5 does not exist in isolation. Map it to other frameworks your organisation may already follow:
| C5 Domain | ISO 27001 | SOC 2 |
|---|---|---|
| IDM (Identity) | A.9 Access Control | CC6.1-6.8 |
| CRY (Cryptography) | A.10 Cryptography | CC6.1, CC6.7 |
| OPS (Operations) | A.12 Operations | CC7.1-7.5 |
| BCM (Continuity) | A.17 Business Continuity | A1.1-A1.3 |
If you already have ISO 27001 certification, approximately 70% of C5 evidence overlaps — significantly reducing the additional effort.
Practical Recommendations for German Enterprises
- Start with Defender for Cloud's regulatory compliance view — It shows your current C5 posture with specific recommendations
- Focus on the gaps — Azure handles the provider side. Your effort goes into customer-responsible controls
- Automate evidence collection — Manual evidence gathering does not scale. Use Azure Policy compliance reports and diagnostic settings
- Request Azure's C5 attestation report from Microsoft through the Service Trust Portal — share it with your auditor
- Consider German regions for regulated workloads — Frankfurt and Berlin regions are explicitly in scope of the C5 attestation
Preparing for C5 compliance on Azure? Contact us — we help German enterprises navigate BSI requirements and build audit-ready Azure environments.