PwC performed audit for Alibaba Cloud to receive C5 attestation


Hong Kong, 20 December 2017 - PwC performed an audit of the cloud services of Alibaba Cloud, the cloud computing arm of Alibaba Group, on the basis of the Cloud Computing Compliance Controls Catalogue (C5) of the German Federal Office for Information Security (BSI). Markus Vehlow, Partner at PwC Germany and responsible for the Cloud unit, presented the C5 attestation to Alibaba Cloud on December 13, 2017 in Hong Kong. Alibaba Cloud is the first Asian cloud provider to receive a C5 attestation.

Arne Schönbohm, President of the German Federal Office for Information Security (BSI), commented, “Information security is a critical success factor for digitization. The C5 standard is a well-established and valuable decision guidance in the cloud market for all companies that want to use cloud services in the course of their digitization.”

PwC was commissioned by Alibaba Cloud to audit seven of its cloud services on the basis of the Cloud Computing Compliance Controls Catalogue (C5). PwC developed this cloud-specific compliance controls catalogue in 2015 on behalf of the German Federal Office for Information Security (BSI). C5 has become established as the de facto standard for cloud audits in private industry, nationally as well as internationally.


About C5

  • C5 is a cloud-specific catalogue.
  • It outlines the requirements that cloud providers should meet in order to ensure a minimum security level of their cloud services.
  • The catalogue is divided into 17 topics, including the organisation of information security and physical security.
  • Compared to other security standards, the so-called surrounding parameters are a novelty.
  • They require the audit report to include information on matters such as the kind of services provided, data location, place of jurisdiction, certifications and duties of disclosure towards government agencies, and to contain a system description.
  • By including this information, C5 ensures an extensive level of transparency regarding information security.


Interview with PwC Partner Markus Vehlow, Jim Woods and Li XIAO, General Manager of Alibaba Cloud Security Business:

You developed the C5 on behalf of the BSI. How important is this standard in the market?

Markus Vehlow: The leading cloud service providers worldwide rely on C5 as established proof of compliance. At the same time, more and more cloud customers require a C5 attestation from bidders in calls for tender. It is therefore all the more pleasing that C5 is now also appreciated in China and that Alibaba Cloud as the first Asian cloud provider receives a C5 attestation.


What was the decisive factor for Alibaba to entrust PwC with the audit?

Markus Vehlow: Alibaba Cloud has confidence in PwC’s knowledge and expertise during this project because PwC developed the C5 on behalf of the BSI. We can therefore offer deep insights into the subject. In addition, we have worked with Alibaba Cloud for a while now: Parallel to the C5 audit, which I carried out with my German team of auditors in Hangzhou, China, PwC China was conducting SOC 1, 2 and 3 audits for Alibaba Cloud.


What was the benefit for Alibaba to entrust PwC with the C5 and SOC audit?

Jim Woods: SOC for Service Organizations are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service. The C5 standard can be mapped to some of the SOC standards; users of the SOC standards can evaluate to what extent they have reached the security level of the particular control in C5. Benefitting from PwC’s knowledge and experience in both the C5 and SOC areas, we can therefore offer the integrated C5 and SOC audit in some particular controls for dual purpose.


Why did Alibaba Cloud choose an audit based on C5?

Li XIAO: Alibaba Cloud is the world’s first cloud provider to achieve this attestation with the additional requirements. C5 is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It has 114 basic requirements and 52 additional requirements structured in 17 distinct domains that the cloud providers either have to comply with. It is a required assessment for working with the public sector in Germany and is being increasingly adopted by the private sector. The philosophy behind C5 is to unify the currently fragmented certification of cloud provisions that are measured against no agreed standards and possess no coherent oversight.


What is the benefit of a C5 attestation for Alibaba Cloud?

Li XIAO: Alibaba Cloud’s commitment to applying the highest levels of compliance in controls and security is shown by meeting the C5 standard that serves not only as a benchmark for the German market, but also increasingly as a benchmark for institutions across Europe.    

Contact us

Peter Craughwell
Senior Manager, PwC Hong Kong
Tel: +[852] 2289 8696