This article has been indexed from The Duo Blog
We are pleased to announce Duo has completed a Type 1 C5 attestation! Germany has provided the world with so many fantastic inventions: Aspirin, The Settlers of Catan board game, the printing press, Club-Mate(!)… but when I think of Germany, my compliance-loving heart immediately thinks of Germany’s C5 standard.
What is C5?
C5 is the convenient shorthand for the Cloud Computing Compliance Criteria Catalogue. C5 is a standard designed and managed by Germany’s Federal Office for Information Security, or Bundesamt für Sicherheit in der Informationstechnik (BSI). The standard was introduced in 2016 to provide a set of baseline security requirements for cloud service providers, so customers could more thoroughly vet vendors prior to purchase.
To complete our attestation, Duo was audited by a qualified, independent auditor, Coalfire, who assessed Duo’s implementation of C5 controls and verified their operating effectiveness. A C5 attestation is generally valid for one year.
C5 has two types of reports, which inform the manner of testing performed.
Type 1 reports: The auditor expresses an opinion on whether the controls are adequately designed and implemented at the time of the audit to provide reasonable assurance that the C5 criteria are met (suitability of the design).
Type 2 reports: In addition to the statement on suitability, the auditor’s opinion includes a statement on the operational effectiveness of the controls in a given audit period.
Source: BSI Underlying audit methodology
Duo’s current report is a Type 1, and we expect to complete a Type 2 in the near future.
What Is the Benefit of a C5 Attestation to Our Customers?
For our customers within Germany, C5 provides a verifiable method to demonstrate that Duo meets the BSI’s mandatory baseline standards for use in the German public sector.
While C5 was designed to serve the German market, the attestation has been well received across Europe and beyond, and has been adopted by numerous organizations outside of Germany as a required attestation.
Link to Duo’s C5 attestation:
Duo Has Completed a Type 1 C5 Attestation!