
Cloud compliance: SOC 2, ISO 27017, ISO 27018, CSA STAR and FedRAMP

Cloud compliance encompasses the full range of regulatory requirements and certification standards for cloud services: SOC 2 (Trust Service Criteria), ISO 27017 (cloud-specific security controls), ISO 27018 (data protection in the cloud), CSA STAR (Cloud Security Alliance), FedRAMP (U.S. federal agencies), C5 (BSI), and EUCS (EU Cloud Scheme). This article explains the differences, requirements, and certification processes.

Cloud compliance addresses a key question for companies that use or provide cloud services: "How do we demonstrate that our cloud infrastructure is secure and compliant?" For cloud providers, compliance is a selling point—for cloud users, it is a risk management tool. Various standards address different aspects: technical security, data protection, availability, and industry-specific requirements.

Overview: Cloud Compliance Frameworks

Comparison of the most important cloud standards:

SOC 2 (AICPA):
  Scope:             U.S. standard, recognized worldwide
  Focus:             Trust Service Criteria (Security, Availability, Integrity,
                     Confidentiality, Privacy)
  Certification:     Audit by an accredited CPA (Certified Public Accountant)
  Types:             Type I (point-in-time), Type II (6–12-month period)
  For:               SaaS providers, managed service providers, cloud platforms
  Duration:          3–6 months for Type I; 6–12 months for Type II

ISO 27001:
  Scope:             International standard (ISO/IEC)
  Focus:             ISMS (Information Security Management System)
  Certification:     Accredited certification body (DAkkS in Germany)
  Cloud supplement:  ISO 27017 (Cloud Security Controls)
  Data protection:   ISO 27018 (PII in the Cloud)
  For:               All companies, especially for the EU/DACH market

CSA STAR (Cloud Security Alliance):
  Scope:             Worldwide, cloud-specific
  Focus:             Cloud Controls Matrix (CCM v4.0)
  Levels:            Level 1 (Self-Assessment), Level 2 (Audit), Level 3 (Continuous)
  Basis:             Builds on ISO 27001 (supplementary)
  Free level:        STAR Self-Assessment, free of charge after registration

BSI C5 (Cloud Computing Compliance Criteria Catalogue):
  Scope:             Germany, increasingly European
  Focus:             Security requirements for cloud services
  Certification:     Audit by certified public accountants
  Mandatory:         For federal agencies in cloud procurement
  For:               Cloud providers wishing to serve the public sector

EUCS (EU Cloud Scheme, ENISA):
  Status:            Under development (ENISA, expected 2026)
  Focus:             EU-wide cloud security level scheme
  Levels:            Basic, Substantial, High
  Goal:              Harmonization of national cloud requirements across the EU
  High level:        Corresponds to BSI C5 + GDPR requirements

FedRAMP (US):
  Scope:             USA (U.S. federal agencies)
  Focus:             NIST 800-53 controls for cloud services
  Required:          For cloud services serving U.S. federal agencies
  Effort:            2–3 years, several million USD
  Relevant:          For international providers with U.S. government customers

SOC 2 in Detail

SOC 2 (Service Organization Control 2) – the most important US cloud standard:

Trust Service Criteria (TSC):
  1. Security (CC domain) – MANDATORY for all SOC 2:
     CC6: Logical and Physical Access Controls
     CC7: System Operations
     CC8: Change Management
     CC9: Risk Mitigation

  2. Availability (optional):
     Uptime requirements + SLA monitoring
     Disaster recovery + business continuity

  3. Processing Integrity (optional):
     Complete and accurate processing
     Relevant for: payment service providers, data processing

  4. Confidentiality (optional):
     Protection of confidential information
     Classification, Encryption, NDA Management

  5. Privacy (optional):
     Handling of Personal Data
     Relevant when: Customer data is processed

SOC 2 Type I vs. Type II:
  Type I:   Point-in-time – "Controls are IN PLACE as of Date X"
            Duration: 3–6 months preparation
            Value: Starting point, demonstrates design effectiveness

  Type II:  Period (6–12 months) – "Controls FUNCTION continuously"
            Duration: 12–18 months total
            Value: Proof of operational effectiveness – that's what customers want!
            → Enterprise customers often require Type II

SOC 2 Audit Process:
  1. Readiness Assessment (2–3 months):
     Gap analysis: Where are the control gaps?
     Create/adapt policies
     Implement controls (logging, access reviews, incident response)

  2. Audit preparation:
     Evidence collection: logs, policies, training records
     Select CPA (AICPA-accredited)
     Define observation period (for Type II)

  3. Audit Execution:
     Interviews with employees
     Evidence review (ticket system, Git logs, HR records)
     Exception testing: Randomly test controls

  4. Report Preparation:
     Management assertion
     Auditor’s opinion (unqualified, qualified, adverse)
     Description of service organization
     Testing results

  5. Maintenance (annual):
     Annual re-audit for Type II
     Continuous evidence sampling recommended

Common SOC 2 controls:
  □ Logical Access: MFA for all production systems
  □ Change Management: Code review + approval prior to deployment
  □ Incident Response: documented process + tests
  □ Vendor Management: Third-party risk assessment
  □ Availability Monitoring: SLA tracking, alert thresholds
  □ Encryption: in-transit + at-rest for all customer data
  □ Background Checks: for staff with production access
  □ Security Training: annually for all employees

SOC 2 Costs (Estimates for 2026):
  Type I Readiness + Audit:               €30,000–€80,000
  Type II Readiness + Audit:              €60,000–€150,000
  Annual Maintenance:                     €20,000–€50,000
  Compliance tools (e.g., Vanta, Drata):  €15,000–€30,000/year

ISO 27017 and ISO 27018

ISO 27017 - Cloud-specific security controls:
  Supplements ISO 27001 with cloud-specific requirements
  Addresses roles: Cloud Service Customer (CSC) + Cloud Service Provider (CSP)

  7 cloud-specific controls (not in 27001):
  CLD.6.3.1:  Division of responsibilities between CSP and CSC (Shared Responsibility!)
  CLD.8.1.5:  Removal and return of cloud assets
  CLD.9.5.1:  Segregation of virtual environments (tenant segregation!)
  CLD.9.5.2:  Hardening of virtual machines
  CLD.12.1.5: Monitoring of cloud services
  CLD.12.4.5: Monitoring and Logging for Cloud Services
  CLD.13.1.4: Securing Virtualization Infrastructure

  Tenant Segregation (CLD.9.5.1) – particularly important:
    → All customer data logically isolated
    → No access between tenants (also restricted for CSP personnel)
    → Penetration testing recommended to confirm isolation

ISO 27018 - Data Protection in Public Cloud Services:
  Focus: Protection of personal data (PII) in the cloud
  Based on ISO 27001 + 27017

  Core principles:
  1. Consent: Process customer data only for agreed-upon purposes
  2. Control: Customers retain control over their data
  3. Transparency: CSP discloses sub-processors and locations
  4. Communication: Report data breaches to customers
  5. Employee access: Minimal access + confidentiality obligations
  6. Data transfer: Secure deletion upon contract termination

  ISO 27018 + GDPR:
    → ISO 27018 is not a GDPR certificate (not an Art. 42 GDPR certification)
    → However: demonstrates good data protection practices
    → DPA (Data Processing Agreement) additionally required
    → Helps with GDPR compliance regarding "appropriate technical measures"

Certification Process 27017/27018:
  1. Basis: ISO 27001 certification (prerequisite)
  2. Extension Audit: Certification body reviews cloud-specific controls
  3. Single Combined Audit possible: 27001 + 27017 + 27018 simultaneously
  4. Validity period: 3 years (same as ISO 27001) with annual surveillance audits

BSI C5 (Germany)

C5 (Cloud Computing Compliance Criteria Catalogue):

Developed by: Federal Office for Information Security (BSI)
Published: 2016, updated 2020
Scope: Primarily Germany, increasingly relevant to the EU

C5 Criteria Groups (17 Domains):
  OIS: Organizational Information and Security
  HCM: Human Resources and Training
  AM: Asset Management
  PM: Physical Security
  IDM: Identity and Access Management
  KRY: Cryptography
  COM: Communication Security
  OPS: Operational IT Security
  SIM: Security Incidents
  CO: Compliance
  SCA: Cloud Service Procurement / Supply Chain
  PS: Portability and Interoperability
  CSN: Cloud Service Availability
  BCM: Business Continuity Management
  PI: Verifiability and Transparency
  SA: Application Security
  DS: Data Protection

C5 Transparency Criteria (Mandatory for Providers):
  → CSP must disclose "environmental parameters":
    - Cloud locations (countries, data centers)
    - Government access rights
    - Sub-service providers
    - Network infrastructure
    - Applicable jurisdiction
  → Transparency is explicit—not just security!

C5 Attestation (not "certificate"):
  → Certified Public Accountant (CPA) prepares audit report
  → Similar to SOC 2: Type I or Type II
  → BSI does NOT directly accredit auditors—IDW PS 860 standard for CPAs
  → Report: public (summary) + confidential (details)

C5 Relevance:
  → German federal authorities: BSI requires C5 evidence for cloud procurement
  → NIS2 Critical Infrastructures: C5 as preferred evidence
  → Data protection: C5 explicitly addresses data localization (Germany/EU)

Mapping C5 ↔ ISO 27001:
  → C5 is based ~80% on ISO 27001
  → Combined audit possible: ISO 27001 + C5 simultaneously
  → Additional effort for C5 compared to 27001: ~30% (transparency + cloud specifics)

CSA STAR

CSA STAR (Security Trust Assurance and Risk):

CSA Cloud Controls Matrix (CCM) v4.0:
  197 controls across 17 domains:
  A&A: Audit & Assurance
  AIS: Application Security
  BCR: Business Continuity Management
  CCC: Change Control and Configuration
  CEK: Cryptography, Encryption, Key Management
  DCS: Data Center Security
  DSP: Data Security and Privacy Lifecycle
  GRC: Governance, Risk & Compliance
  HRS: Human Resources
  IAM: Identity & Access Management
  IPY: Interoperability and Portability
  IVS: Infrastructure and Virtualization Security
  LOG: Logging and Monitoring
  SEF: Security Incident Management
  STA: Supply Chain Management
  TVM: Threat and Vulnerability Management
  UEM: Universal Endpoint Management

STAR Level 1 - Self-Assessment (free):
  → Complete the Consensus Assessments Initiative Questionnaire (CAIQ)
  → Publicly visible in the CSA STAR Registry
  → No external review → lowest credibility
  → Still useful: demonstrates the provider’s self-reflection

STAR Level 2 - Third-Party Assessment:
  SOC 2 + CCM: Auditor reviews CCM controls in addition to SOC 2
  ISO 27001 + STAR: Certification body reviews CCM in addition to ISO 27001
  → Combination is more efficient than separate audits

STAR Level 3 - Continuous Monitoring (STAR Continuous):
  → Continuous monitoring of controls (not annual)
  → Tool-based: Compliance as Code
  → Still not widely adopted (only a few CSPs)

STAR Registry:
  → Public database: cloudsecurityalliance.org/star
  → All CSPs with STAR status viewable
  → Customers can check STAR status during vendor assessments

Cloud Compliance Shared Responsibility

Shared Responsibility Model - Who is responsible for what?

AWS Shared Responsibility Model:
  AWS is responsible ("Security OF the Cloud"):
    → Physical security of data centers
    → Hypervisor security
    → Network infrastructure
    → Hardware maintenance and security
    → Compliance of the underlying infrastructure (ISO, SOC 2, C5)

  Customer’s responsibility (“Security IN the Cloud”):
    → Operating system patches (EC2)
    → Application security
    → Data encryption (AWS provides tools, customer enables them!)
    → IAM configuration (permissions, MFA)
    → Network configuration (security groups, NACLs)
    → Monitoring and logging configuration

  CRITICAL: AWS has SOC 2 and ISO 27001 – but THIS applies only to AWS infrastructure!
  → Customer must have their own application certified separately

Implications for compliance:
  "We use AWS; they are ISO 27001 certified" → NOT sufficient!

  Correct: "We use AWS (ISO 27001 for infrastructure) and have
   additionally had our ISMS certified to ISO 27001
   (including ISO 27017/27018 for cloud-specific controls)"

Compliance Matrix for Multi-Cloud:
  Control              AWS Provider   Customer
  Physical             ✓ AWS          -
  Hypervisor           ✓ AWS          -
  OS (EC2)             -              ✓
  OS (Lambda/ECS)      ✓ AWS          -
  Application Code     -              ✓
  Data Classification  -              ✓
  At-Rest Encryption   Tool: AWS      Config: Customer
  IAM                  Tool: AWS      Config: Customer
  Logging              Tool: AWS      Activation: Customer
  GDPR (Data)          -              ✓ Customer
  SLA                  AWS signed     ✓ Both

Compliance tools for the cloud:
  AWS: Security Hub (CIS Benchmark, PCI DSS, HIPAA, FSBP, NIST 800-53)
  Azure: Microsoft Defender for Cloud + Compliance Dashboard
  GCP: Security Command Center + Compliance Reports
  Multi-cloud: Wiz, Orca, Prisma Cloud (CSPM with compliance mapping)
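As an added example (not from the original article), a small compliance-as-code check in the spirit of STAR Level 3, run over the customer-side rows of the matrix above: it evaluates a constructed account snapshot for the three controls the customer must configure or activate (at-rest encryption, IAM/MFA, logging) and tags each failure with the framework references from this article that the control serves. The snapshot, the multi-region logging policy and the control-to-framework mapping are assumptions for illustration; a real check would read the same values from the provider's APIs.

```python
from dataclasses import dataclass

# CONSTRUCTED snapshot of a fictional account, limited to the customer-side rows of
# the matrix above (encryption config, IAM config, logging activation).
ACCOUNT = {
    "s3_buckets": [
        {"name": "customer-data-prod", "sse": "aws:kms"},
        {"name": "exports-tmp", "sse": None},                     # encryption never enabled
    ],
    "iam_users": [
        {"name": "alice", "console": True, "mfa": True},
        {"name": "bob", "console": True, "mfa": False},           # console login without MFA
        {"name": "ci-deployer", "console": False, "mfa": False},  # API-only identity, no console
    ],
    "cloudtrail": {"enabled": True, "multi_region": False},       # activated in one region only
}

@dataclass(frozen=True)
class Finding:
    control: str          # matrix row from the article
    resource: str         # offending resource
    evidence_for: tuple   # control references from the article that this check supports

def check_at_rest_encryption(snapshot):
    """Row 'At-Rest Encryption': AWS supplies the tool, the customer must switch it on."""
    refs = ("SOC 2 CC6", "ISO 27018", "C5 KRY", "CCM CEK")
    return [Finding("At-Rest Encryption", b["name"], refs)
            for b in snapshot["s3_buckets"] if b["sse"] is None]

def check_iam_mfa(snapshot):
    """Row 'IAM': MFA for every human who can sign in to the console."""
    refs = ("SOC 2 CC6", "C5 IDM", "CCM IAM")
    return [Finding("IAM", u["name"], refs)
            for u in snapshot["iam_users"] if u["console"] and not u["mfa"]]

def check_logging(snapshot):
    """Row 'Logging': CloudTrail must be activated; our assumed policy also wants a multi-region trail."""
    refs = ("SOC 2 CC7", "ISO 27017 CLD.12.4.5", "C5 OPS", "CCM LOG")
    trail = snapshot["cloudtrail"]
    if trail["enabled"] and trail["multi_region"]:
        return []
    reason = "not enabled" if not trail["enabled"] else "single-region trail"
    return [Finding("Logging", f"cloudtrail ({reason})", refs)]

def evaluate(snapshot):
    """Run every customer-side check; returns {matrix row: [failing resources]}."""
    findings = check_at_rest_encryption(snapshot) + check_iam_mfa(snapshot) + check_logging(snapshot)
    report = {}
    for f in findings:
        report.setdefault(f.control, []).append(f.resource)
    return report
```

Each returned Finding carries the article's own control references, so the output doubles as the evidence index an auditor asks for in the SOC 2 or C5 evidence review.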

About the Author

Oskar Braun

Head of Information Security Consulting

Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal), with a research focus on phishing awareness, behavioral security and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022 and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer in Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.

ISO 27001 Lead Auditor (IRCA) ISB (TÜV)
This article was last edited on 04.03.2026. Responsible: Oskar Braun, Head of Information Security Consulting at AWARE7 GmbH. License: CC BY 4.0 – free use with attribution: "AWARE7 GmbH, https://a7.de"