C5 attestation for Oracle Cloud Applications

Alessandro Costa - Principal, SaaS Compliance

March 2024 | 3 minutes

The topics of IT and information security have become omnipresent in today's world. Not a day goes by without news of cyberattacks or other events that impact organizations’ businesses. As a result, ensuring secure IT operations is a major concern for organizations, and it becomes even more important when they decide to move from legacy environments to cloud solutions. Considering that the cloud brings with it security-related questions and that only a few countries have created a cloud-specific legal framework, companies, especially those operating in a highly regulated sector, should place an additional focus on IT and information security when considering the adoption of a cloud solution for their organization.

The Cloud Computing Compliance Controls Catalogue (C5) was developed and published by the German Federal Office for Information Security (BSI) and is based on internationally recognized IT security standards like ISO/IEC 27001:2013. In BSI’s own words, the C5 criteria catalogue specifies minimum requirements for secure cloud computing and is primarily intended for professional cloud providers, their auditors, and customers.

Oracle Cloud Applications are audited on an annual basis by an independent auditor against the C5 requirements and the attestation report is available to interested customers.

The Oracle Cloud Applications in scope for the C5 attestation are:

  • Oracle Fusion Applications Suite,
  • Oracle Enterprise Performance Management (EPM),
  • Oracle Eloqua,
  • Oracle CX Unity,
  • Oracle Infinity, and
  • Oracle Transportation Management.

The Oracle European Union Restricted Access (EURA) is also part of the attestation scope.

Obtaining an attestation report for C5 is an important milestone for Oracle Cloud Applications and demonstrates Oracle’s commitment to assisting existing and potential customers in meeting their own compliance obligations as they relate to their use of cloud applications and cloud-specific requirements in Germany.

Organizations are encouraged to leverage the report to find answers to questions they may have regarding their adoption of Oracle Cloud Applications.

C5 attestation is of interest to every company in every sector in Germany. It is a government-backed verification framework implemented by BSI, and it helps determine which cloud providers meet the German government's baseline security level. Many other EU member states also accept, and are interested in viewing, C5 attestation reports. While customers maintain responsibility for complying with regulations applicable to their own specific industry and applicable jurisdictions, it must be noted that, even though C5 is a German criteria catalogue, the Oracle controls tested in the C5 attestation audit may be applicable to other cloud security frameworks outside of Germany. Hence, the C5 attestation report for Oracle Cloud Applications may be of interest to customers internationally.

Please reach out to your Sales Representative and/or Account Manager to request access to the attestation report. To learn more about our compliance activities, check out the Compliance page on our website and the Compliance Considerations for Cloud Services blog post.

Alessandro Costa

Principal with over 9 years of experience in IT security and compliance.
Alessandro manages Oracle Cloud Applications’ compliance programs and initiatives for Germany, Switzerland, and Italy, with extended support to the broader EALAD (Europe, Africa, Latin America) region.