Global CDN Made in Germany achieves BSI C5 certification 

MYRA NEWS | 15 August 2022

Myra Security is among the few security-as-a-service providers worldwide to hold a BSI C5 test certificate (attestation). The Cloud Computing Compliance Criteria Catalogue (C5) takes a comprehensive approach: it requires a cloud provider to demonstrate state-of-the-art protection across all of its processes and systems, not only in selected technical controls.

The BSI C5 test certificate serves companies as proof of compliance with high requirements and standards for information security, data protection and transparency. While the requirements for C5 are defined by the German Federal Office for Information Security (BSI), the audit and the issuance of the attestation are performed by independent auditors. A Type 1 report attests to the appropriateness (design) of the controls at a point in time; a Type 2 report additionally attests to their effectiveness over a defined review period.

Sascha Schumann, founder and CEO of Myra Security, explains what challenges, but also opportunities, the C5 test certificate brings with it.

Why does Myra invest in complex attestations like C5?

Sascha Schumann: In principle, both our customers and potential new customers benefit when a service provider has a C5 test certificate, as it transparently ensures compliance with the highest standards of IT security and data protection. We demonstrate these high standards anew with the certificate.

With Myra, we have a strong focus on companies from highly regulated sectors such as banking, insurance, healthcare, or public services. In addition to a high degree of legal certainty, we also offer these companies the option of using the C5 certificate for their own risk management. The certificate is also particularly relevant for public authorities, as they are partly obliged under EVB-IT to use cloud service providers with C5 certification.

BSI C5 is based on these standards

  • AICPA Trust Services Principles Criteria 2014 (SOC 2)

  • ANSSI Référentiel Secure Cloud v2.0

  • ISO/IEC 27001:2013

  • CSA – Cloud Controls Matrix 3.01 (CSA CCM)

  • IDW ERS FAIT 5

  • BSI IT-Grundschutz, 14th supplement (14. EL) 2014

  • BSI SaaS security profiles (SaaS Sicherheitsprofile) 2014

What is the significance of the C5 test certificate in cloud business?

Sascha Schumann: As a cloud-specific catalog of requirements, BSI C5 is one of the strictest IT security standards in the world. The test certificate brings together the most established international standards, is recognized worldwide, and accordingly pays into our strategy of increasingly positioning Myra as one of the few GDPR (DSGVO)-compliant providers on the market.

What is being audited for C5?

Sascha Schumann: The special feature of C5 is that the catalog of requirements is not limited purely to technical and process-related specifications. Here, the cloud provider is scrutinized much more broadly. In addition to cyber security, compliance and data protection, topics such as personnel requirements, physical security or procurement and development therefore also play a role. A total of 17 requirement areas are examined, defining 125 basic requirements with some optional additional requirements.

How extensive is the C5 audit?

Sascha Schumann: Myra has undergone a C5 Type 2 audit. This means that in addition to examining the appropriateness, the effectiveness of the specified criteria is also examined, and this is done over a period of twelve months. Myra's C5 audit involved all areas of the company, including IT Operations, IT Development, Human Resources and our Information Security & Compliance Management. In total, the time spent on the audit across all departments amounted to well over 500 working hours. During the approximately three-month follow-up alone, various performance records and audit documents had to be prepared for the entire audit period.

I am proud of the performance of our teams and very happy to have our high level of quality and safety formally confirmed once again for customers and the market.

These are the requirement areas of BSI C5

  • Organization of information security

  • Security guidelines and work instructions

  • Requirements for personnel

  • Asset management

  • Physical security

  • Measures for regular operations

  • Identity and authorization management

  • Cryptography and key management

  • Communication security

  • Portability and interoperability

  • Procurement, development and modification of information systems

  • Control and monitoring of service providers and suppliers

  • Security incident management

  • Business continuity and emergency management

  • Security auditing and verification

  • Compliance and data protection

  • Mobile device management
