Cloud Security · Independent Audit & Attestation

Cloud Security Certification & Attestation

Independent, conflict-free audits against the world’s leading cloud-security standards — ISO/IEC 27017, ISO/IEC 27018 and Germany’s BSI C5. We assess and attest; your cloud customers trust the result.

Cloud-specific controlsBeyond ISO 27001 — for the cloud
Recognised globallyISO & German BSI frameworks
Protects personal dataISO 27018 PII in the cloud
EU market accessC5 opens German & EU trust
ISO
27017
Cloud Security ControlsCertified alongside ISO/IEC 27001
ISO
27018
PII in Public CloudsProtecting personal data as a processor
BSI
C5
German Cloud AttestationType 1 & Type 2 · ISAE 3000
Independent certification body — ISO/IEC 17021-1 impartialityQSA & Lead-Auditor ledServing New Zealand · Australia · APAC · EU
Why cloud security assurance

Your ISO 27001 certificate stops at the cloud’s edge

Standard information-security certification wasn’t written for shared-responsibility cloud environments. Independent cloud-specific assurance shows customers, regulators and partners that the controls unique to cloud — segregation, provider/customer responsibility, data location and PII handling — have been tested by an accredited third party.

Prove shared responsibility

ISO/IEC 27017 makes the split between what the cloud provider secures and what the customer secures explicit — and audited.

Safeguard personal data

ISO/IEC 27018 demonstrates you protect the personally identifiable information you process on behalf of your customers.

Unlock the EU market

A BSI C5 attestation is the expected cloud-assurance benchmark for German government and regulated EU buyers.

The three frameworks we audit

One partner for every cloud-assurance standard

Whether your customers ask for an ISO certificate or a German C5 report, Cianaa runs the independent assessment and issues the outcome — often as a single, efficient integrated audit alongside your ISO/IEC 27001 ISMS.

ISO / IEC 27017

Cloud Security Controls

Certified as an extension to ISO/IEC 27001

A code of practice adding cloud-specific guidance and seven extra controls to ISO 27002 — covering provider/customer roles, virtual segregation, admin operations and data location.

  • For cloud providers & cloud customers
  • Audited alongside your ISO 27001 ISMS
  • Certificate issued on a successful audit
ISO / IEC 27018

PII in Public Clouds

Certified as an extension to ISO/IEC 27001

A code of practice for protecting personally identifiable information when you act as a public-cloud PII processor — consent, transparency, data return and disclosure controls.

  • For public-cloud providers processing PII
  • Pairs naturally with ISO 27017 & 27701
  • Strong privacy signal for enterprise buyers
BSI C5 (Germany)

German Cloud Attestation

Type 1 & Type 2 · reported under ISAE 3000

The German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue — an independent auditor’s attestation over your cloud service’s controls.

  • Type 1 — control design at a point in time
  • Type 2 — operating effectiveness over a period
  • Expected by German & EU public-sector buyers

Note on ISO 27017 & 27018: these are codes of practice audited and certified together with an ISO/IEC 27001 management system, not standalone certificates — so we scope them into a single, efficient assessment.

How the audit works

A clear, independent assessment path

The same rigorous, impartial process behind every Cianaa certification — adapted for cloud. You prepare; we assess and attest.

Scoping

We define the cloud services, systems and standards (27017 / 27018 / C5) in scope and agree the plan.

Readiness review

Stage 1 documentation review for ISO; C5 system-description review — we confirm you’re ready.

Assessment

Stage 2 evidence testing of your cloud controls against each standard’s requirements.

Report & decision

Certification decision for ISO 27017/27018; an independent C5 attestation report (Type 1 or 2).

Surveillance

Ongoing surveillance across the 3-year ISO cycle and periodic C5 Type 2 re-attestation.

Impartiality by design. As an independent certification and attestation body, Cianaa does not design, implement or remediate your controls — doing so would compromise the objectivity of our audit. We assess what you’ve built and attest to it. That independence is exactly what gives your certificate and C5 report their value.

Who this is for

Cloud providers and the businesses that trust them

Cloud service providersIaaS, PaaS and SaaS platforms
SaaS companiesSelling to enterprise & EU customers
Managed service providersManaged & hosted cloud operators
EU-facing businessesNeeding C5 for the German market
Government & regulated cloudPublic-sector & critical services
Data-heavy platformsProcessing PII at scale (27018)
Why Cianaa

Independent by mandate, expert by practice

  • A true, conflict-free auditor

    We audit and attest only — never consult on the controls we assess (ISO/IEC 17021-1).

  • One integrated assessment

    ISO 27001 + 27017 + 27018, and C5, scoped together to save you time and cost.

  • Senior, credentialed auditors

    QSA and Lead-Auditor-led engagements — no junior hand-offs.

  • Local presence, global standards

    Based in New Zealand & Australia, serving APAC and the EU.

Cloud assurance, without the conflict

Buyers increasingly demand third-party proof that their cloud is secure. An independent Cianaa certificate or C5 report is that proof.

3Cloud standards under one roof
100%Conflict-free — audit only
27001Integrated with your ISMS
EUC5 market-access ready
Common questions

Cloud certification & attestation, explained

Is ISO/IEC 27017 a standalone certification?
No. ISO/IEC 27017 (and 27018) are codes of practice audited and certified alongside an ISO/IEC 27001 management system, not on their own. If you already hold — or are pursuing — ISO 27001, we scope the cloud controls into the same assessment.
What’s the difference between ISO 27017 and ISO 27018?
ISO 27017 covers cloud-security controls and the shared-responsibility split between provider and customer. ISO 27018 focuses specifically on protecting personal data (PII) when you process it as a public-cloud provider. They’re complementary and commonly certified together.
What is BSI C5 and who needs it?
C5 (Cloud Computing Compliance Criteria Catalogue) is the German Federal Office for Information Security’s cloud-assurance benchmark. It’s delivered as an independent auditor’s attestation, and is widely expected of cloud providers serving German government and regulated EU customers.
What’s the difference between a C5 Type 1 and Type 2?
A Type 1 attestation assesses whether controls are suitably designed at a point in time. A Type 2 assesses whether those controls operated effectively over a period (typically 6–12 months) — much like SOC 2 Type 1 vs Type 2.
Can Cianaa help us implement the controls first?
No — and that’s deliberate. As an independent certification and attestation body we can’t design or remediate the controls we then audit, because it would compromise our impartiality. We assess what you’ve built and attest to it. We’re happy to share the standards’ requirements so you know exactly what will be assessed.
How long does it take?
It depends on scope, the number of standards and whether you already hold ISO 27001. Because we scope 27017, 27018 and C5 into an integrated assessment where possible, most cloud engagements are more efficient than running each separately. Book a discovery call for an indicative timeline.
Ready when you are

Get independent proof your cloud is secure

Talk to a senior Cianaa auditor about ISO/IEC 27017, ISO/IEC 27018 and BSI C5 — and the most efficient path to certification and attestation for your cloud services.