C5 Zertifizierung? It does not exist.
Anyone selling you „C5-zertifiziert“ is selling you a category error. C5 ends in a Testat, issued by a Wirtschaftsprüfer. The distinction is not cosmetic. It decides what you may claim to customers, sales, and the Krankenkasse.
The short version: Testat, not certificate
A certificate is typically issued by an accredited body against a standard (e.g. ISO 27001). C5 works differently: the BSI criteria catalogue is examined by a Wirtschaftsprüfer under ISAE 3000 or IDW PS 860. The result is a Testat, not a certification document.
The defensible phrasing is: „C5 Testat Typ 2, dated [date]“, or in English „attested against BSI C5“. Never „C5-certified“, never „C5-compliant“ as a promise, never „audit-proof“.
Typ 1 vs. Typ 2, and what §393 SGB V actually requires
A Type 1 Testat confirms, on a specific date, that controls are suitably designed. A Type 2 Testat confirms, over a period, that those controls operated effectively. §393 SGB V has required a Type 2 Testat since 01.07.2025. Systems new to market (after 30.06.2025) get an 18-month lane with a Type 1 transition.
Your hyperscaler's Testat (AWS, Azure, GCP) does not cover you. It covers their layers, not your SaaS layer. The prevailing legal view on §393: the SaaS vendor itself needs the Testat.
Why the confusion is expensive
Saying „certified“ when you mean „testiert“ invites competition-law warnings and Krankenkasse follow-ups in the DiGA and §393 context. Market signals for a Type 2 Testat sit at €60k to €120k, plus 3 to 6 months of auditor waitlist. Preparation quality is the biggest cost lever, and the one you control.
What to clarify before your first auditor call
Lock scope and Trust Service Criteria. Map your ISMS baseline against the C5 catalogue. Collect evidence for the 121 basic criteria with clean versioning. For C5:2026, plan for the delta fields and 39 new criteria now, instead of auditing twice. All of that is preparation, not audit. awedit detects gaps, experts decide, auditors attest.
Orientation, not evidence. This guide is not legal or auditor advice.
awedit is a sumthink brand operated by Die Quadratur UG. awedit provides readiness analysis, gap assessments and remediation support. awedit does not perform audits under ISAE 3000 / IDW PS 860 and does not issue Testate; these are performed exclusively by Wirtschaftsprüfer. Self-check and scan results are orientation, not evidence, and do not satisfy §393 SGB V or any other legal requirement. No liability for completeness; no legal advice.