GC-06 Information on certifications or attestations

1. Overview

In the description of the cloud service provider's system of internal control relevant to the development and operation of the cloud service, the cloud service provider presents comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service:

1. Compliance of the management systems for information security, business continuity and quality with applicable international standards;
2. Compliance with the European General Data Protection Regulation (GDPR);
3. Suitability of the design and operating effectiveness of the internal control system in relation to the applicable criteria;
4. Certifications or attestations (assurance reports) according to industry-specific requirements of cloud service customers; and
5. Certifications or attestations (assurance reports) related to environmental, social and governance (ESG) standards.

To the extent applicable to the certification or attestation, the following information is provided:

1. Date of issuance;
2. Issuing organisation;
3. Applicable scope; and
4. Date or period of validity or coverage.

The scope of the information corresponds to the needs of the subject matter experts of the cloud service customers who define specifications on information security, implement them or validate their implementation, and assess the suitability of the cloud service from a legal and regulatory point of view (e.g. IT, compliance, internal audit).

Transparency can be additionally increased by disclosing SLAs based on ISO/IEC 19086 or comparable standards. Compliance of the management systems for information security, business continuity and quality may be demonstrated, for example, with certificates in accordance with ISO/IEC 27001, ISO 22301 and ISO 9001.

Examples of ESG reporting include reporting according to the EU Corporate Sustainability Reporting Directive (CSRD) and certifications such as ISO 50001, ISO 14001 and the German ecolabel Blue Angel. Fulfilment of the General Condition does not require the cloud service provider to hold a certification or attestation for all listed aspects.