Cloud Security Certification & Attestation
Independent, conflict-free audits against the world’s leading cloud-security standards — ISO/IEC 27017, ISO/IEC 27018 and Germany’s BSI C5. We assess and attest; your cloud customers trust the result.
27017
27018
C5
Your ISO 27001 certificate stops at the cloud’s edge
Standard information-security certification wasn’t written for shared-responsibility cloud environments. Independent cloud-specific assurance shows customers, regulators and partners that the controls unique to cloud — segregation, provider/customer responsibility, data location and PII handling — have been tested by an accredited third party.
Prove shared responsibility
ISO/IEC 27017 makes the split between what the cloud provider secures and what the customer secures explicit — and audited.
Safeguard personal data
ISO/IEC 27018 demonstrates you protect the personally identifiable information you process on behalf of your customers.
Unlock the EU market
A BSI C5 attestation is the expected cloud-assurance benchmark for German government and regulated EU buyers.
One partner for every cloud-assurance standard
Whether your customers ask for an ISO certificate or a German C5 report, Cianaa runs the independent assessment and issues the outcome — often as a single, efficient integrated audit alongside your ISO/IEC 27001 ISMS.
Cloud Security Controls
Certified as an extension to ISO/IEC 27001
A code of practice adding cloud-specific guidance and seven extra controls to ISO 27002 — covering provider/customer roles, virtual segregation, admin operations and data location.
- For cloud providers & cloud customers
- Audited alongside your ISO 27001 ISMS
- Certificate issued on a successful audit
PII in Public Clouds
Certified as an extension to ISO/IEC 27001
A code of practice for protecting personally identifiable information when you act as a public-cloud PII processor — consent, transparency, data return and disclosure controls.
- For public-cloud providers processing PII
- Pairs naturally with ISO 27017 & 27701
- Strong privacy signal for enterprise buyers
German Cloud Attestation
Type 1 & Type 2 · reported under ISAE 3000
The German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue — an independent auditor’s attestation over your cloud service’s controls.
- Type 1 — control design at a point in time
- Type 2 — operating effectiveness over a period
- Expected by German & EU public-sector buyers
Note on ISO 27017 & 27018: these are codes of practice audited and certified together with an ISO/IEC 27001 management system, not standalone certificates — so we scope them into a single, efficient assessment.
A clear, independent assessment path
The same rigorous, impartial process behind every Cianaa certification — adapted for cloud. You prepare; we assess and attest.
Scoping
We define the cloud services, systems and standards (27017 / 27018 / C5) in scope and agree the plan.
Readiness review
Stage 1 documentation review for ISO; C5 system-description review — we confirm you’re ready.
Assessment
Stage 2 evidence testing of your cloud controls against each standard’s requirements.
Report & decision
Certification decision for ISO 27017/27018; an independent C5 attestation report (Type 1 or 2).
Surveillance
Ongoing surveillance across the 3-year ISO cycle and periodic C5 Type 2 re-attestation.
Impartiality by design. As an independent certification and attestation body, Cianaa does not design, implement or remediate your controls — doing so would compromise the objectivity of our audit. We assess what you’ve built and attest to it. That independence is exactly what gives your certificate and C5 report their value.
Cloud providers and the businesses that trust them
Independent by mandate, expert by practice
- A true, conflict-free auditor
We audit and attest only — never consult on the controls we assess (ISO/IEC 17021-1).
- One integrated assessment
ISO 27001 + 27017 + 27018, and C5, scoped together to save you time and cost.
- Senior, credentialed auditors
QSA and Lead-Auditor-led engagements — no junior hand-offs.
- Local presence, global standards
Based in New Zealand & Australia, serving APAC and the EU.
Cloud assurance, without the conflict
Buyers increasingly demand third-party proof that their cloud is secure. An independent Cianaa certificate or C5 report is that proof.
Cloud certification & attestation, explained
Is ISO/IEC 27017 a standalone certification?
What’s the difference between ISO 27017 and ISO 27018?
What is BSI C5 and who needs it?
What’s the difference between a C5 Type 1 and Type 2?
Can Cianaa help us implement the controls first?
How long does it take?
Get independent proof your cloud is secure
Talk to a senior Cianaa auditor about ISO/IEC 27017, ISO/IEC 27018 and BSI C5 — and the most efficient path to certification and attestation for your cloud services.