DORA, NIS-2, CRA, EU Data Act ... Regulations in the area of data and IT security are becoming ever stricter in the face of growing threats to information security and data protection. The result: ever greater demands on companies, authorities and institutions, especially those operating critical infrastructure. It is currently more important than ever for them to rely on strong, supportive and, above all, secure software for their day-to-day work.
From the very beginning, Stackfield has been committed to the best possible protection of your data in order to establish itself as the leading all-in-one tool for productive and, above all, secure collaboration. It is therefore a matter of course for us to keep an eye on the latest guidelines and standards and to obtain evidence that confirms our commitment to data security. This makes it evident to everyone: at Stackfield, data protection is a part of everyday life!
We are therefore proud to have now been awarded the C5 certificate from the German Federal Office for Information Security, which is impressive proof that Stackfield meets the strict criteria of the leading cloud computing standard for IT security in Germany. In this article, we take a closer look at the certificate and highlight the content it covers, the benefits it offers users and how it differs from other security standards.
What is the C5 certificate?
The Cloud Computing Compliance Criteria Catalogue (C5) is a standard for cloud service providers developed by the German Federal Office for Information Security (BSI). The C5 certificate assesses the information security of cloud service providers such as Stackfield based on various security measures and recommendations.
This certificate helps customers from Germany and Europe in particular to identify reliable cloud providers and make an informed decision about their security standards. For companies, this catalog of measures, which is recognized in Germany and respected internationally, is a helpful point of reference in the often confusing cloud market.
"Digitisation can only be successful if users can develop confidence in (new) technologies and use them safely and securely for their benefit."
From the BSI Cloud Computing Compliance Criteria Catalog, p. 11
Our path to the C5 certificate
Having already been successfully certified to ISO 27001 in 2022 as well as ISO 27017 and ISO 27018 in 2023, the step to C5 certification was the only logical one for us. Meeting the BSI's strict requirements reliably demonstrates that a company gives the protection of its data in the cloud the highest priority. Preparations for this demanding step began back in 2023. Thanks to the good basis we had built up in the course of the ISO certifications and thanks to a powerful ISMS tool, this task was easy to implement despite the large number of requirements.
The C5 certification was officially commissioned at the end of April 2024. After a few more months of intensive preparatory work, many technical enhancements and adjustments, an exciting gap analysis workshop in June / July and the expansion of the existing documentation, the time had come in November and we were able to welcome the auditor from an independent testing body to our premises. After two busy days, it was clear – Stackfield was awarded the C5 certificate!
What does the certificate involve?
The C5 certificate sets strict requirements for the organizational and technical security measures of a cloud service provider. The certificate covers 17 key areas in detail. These include, for example:
- Organization of information security: This includes the planning, implementation, maintenance and continuous improvement of an information security framework within the organization, for example through an information security management system (ISMS).
- Personnel: This includes the verifiable guarantee that employees understand their tasks, are aware of their responsibilities with regard to information security and that the organization's assets are protected in the event of a change in tasks or termination of employment.
- Physical security: This area includes the prevention of unauthorized physical access as well as protection against theft, damage, loss and operational downtime. The latter includes, for example, the provision of the cloud service from two locations that provide each other with redundancy.
- Cryptography and key management: This point deals with the appropriate and effective use of cryptography to protect the confidentiality, authenticity and integrity of information. This includes, for example, the use of strong encryption procedures.
- Dealing with security incidents: This covers a consistent and comprehensive approach to recording, assessing, communicating and handling security incidents – from customer communication to reporting incidents to external bodies such as the BSI.
- Compliance: Avoiding breaches of legal, regulatory, self-imposed or contractual information security requirements is just as much a part of this point as checking compliance and regular audits.
The C5 certificate and its advantages
For you as a Stackfield user, the C5 certificate offers a clear advantage: it gives you the assurance that Stackfield has been independently tested and meets the highest security standards. Especially for companies that manage sensitive data or confidential documents, the C5 certificate offers an additional safety net. It also creates trust because the security measures are made transparent and are continuously reviewed.
The C5 certificate is particularly relevant for authorities and other public institutions. According to the BSI's minimum standard for the use of external cloud services, these bodies are obliged to use the C5 criteria as a minimum requirement when using cloud services. This makes it clear that Stackfield is suitable for use without hesitation, even by federal authorities.
ISO certification, C5 certificate – what's the difference?
It's not easy to find your way through the jungle of technical terms. What is the difference between ISO certification and the C5 certificate? Don't they both simply have to do with data protection and information security? And which is more valuable?
While the C5 certificate is specifically designed for the security requirements in the cloud, the ISO 27001 certification, for example, deals more generally with a company's information security management system. The two standards complement each other: while ISO 27001 forms the foundation for security management, the C5 certificate focuses on cloud-specific challenges such as data transfer, scalability and the security of complex network infrastructures. In doing so, C5 explicitly builds on and extends the criteria of various national and international data protection standards. These include:
- ISO 27001, ISO 27002 and ISO 27017
- The IT baseline protection compendium of the BSI
- CSA (Cloud Security Alliance)
- AICPA (American Institute of Certified Public Accountants)
- ANSSI (Agence nationale de la sécurité des systèmes d'information, French authority for the security of information systems)
- IDW (Institute of Public Auditors in Germany)
At Stackfield, information security comes first
The C5 certificate shows once again that Stackfield takes data protection and information security seriously. This makes us one of the few providers of a digital collaboration tool that is not only ISO-certified, but also meets the high BSI requirements. As a user, you can not only be sure that we meet the highest standards of information security, but also that we regularly review our security standards – so that you can always rest assured that your data is in safe hands.