C5 2020 Changelog

Mapping of C5:2016 control IDs to C5:2020 control IDs; the C5:2016 basic requirement text of each mapped control follows the table.
Area | ID C5:2016 | ID C5:2020 | Title
---- | ---------- | ---------- | -----
Organisation of Information Security (OIS) | OIS-01 | OIS-01 | Information Security Management System (ISMS)
Organisation of Information Security (OIS) | OIS-02 | OIS-02 | Information Security Policy
Organisation of Information Security (OIS) | OIS-03 | OIS-03 | Interfaces and Dependencies
Organisation of Information Security (OIS) | OIS-04 | OIS-04 | Segregation of Duties
Organisation of Information Security (OIS) | OIS-05 | OIS-05 | Contact with Relevant Government Agencies and Interest Groups
Organisation of Information Security (OIS) | OIS-06 | OIS-06 | Risk Management Policy
Organisation of Information Security (OIS) | OIS-07 | OIS-07 | Application of the Risk Management Policy
Security Policies and Instructions (SP) | SA-01 | SP-01 | Documentation, communication and provision of policies and instructions
Security Policies and Instructions (SP) | SA-02 | SP-02 | Review and Approval of Policies and Instructions
Security Policies and Instructions (SP) | SA-03 | SP-03 | Exceptions from Existing Policies and Instructions
Personnel (HR) | HR-01 | HR-01 | Verification of qualification and trustworthiness
Personnel (HR) | HR-02 | HR-02 | Employment terms and conditions
Personnel (HR) | HR-03 | HR-03 | Security training and awareness programme
Personnel (HR) | HR-04 | HR-04 | Disciplinary measures
Personnel (HR) | HR-05 | HR-05 | Responsibilities in the event of termination or change of employment
Personnel (HR) | KOS-08 | HR-06 | Confidentiality agreements
Asset Management (AM) | AM-01, AM-02, MDM-01 | AM-01 | Asset Inventory
Asset Management (AM) | AM-03, AM-05, AM-06, MDM-01 | AM-02 | Acceptable Use and Safe Handling of Assets Policy
Asset Management (AM) | - | AM-03 | Commissioning of Hardware
Asset Management (AM) | - | AM-04 | Decommissioning of Hardware
Asset Management (AM) | AM-04, MDM-01 | AM-05 | Commitment to Permissible Use, Safe Handling and Return of Assets
Asset Management (AM) | AM-05, AM-06 | AM-06 | Asset Classification and Labelling
Physical Security (PS) | - | PS-01 | Physical Security and Environmental Control Requirements
Physical Security (PS) | - | PS-02 | Redundancy model
Physical Security (PS) | PS-01 | PS-03 | Perimeter Protection
Physical Security (PS) | PS-02 | PS-04 | Physical site access control
Physical Security (PS) | PS-03 | PS-05 | Protection from fire and smoke
Physical Security (PS) | PS-04, BCM-05 | PS-06 | Protection against interruptions caused by power failures and other such risks
Physical Security (PS) | - | PS-07 | Surveillance of operational and environmental parameters
Operations (OPS) | RB-01 | OPS-01 | Capacity Management - Planning
Operations (OPS) | RB-02 | OPS-02 | Capacity Management - Monitoring
Operations (OPS) | RB-04 | OPS-03 | Capacity Management - Controlling of Resources
Operations (OPS) | RB-05 | OPS-04 | Protection Against Malware - Concept
Operations (OPS) | RB-05 | OPS-05 | Protection Against Malware - Implementation
Operations (OPS) | RB-06 | OPS-06 | Data Protection and Recovery - Concept
Operations (OPS) | RB-07 | OPS-07 | Data Backup and Recovery - Monitoring
Operations (OPS) | RB-08 | OPS-08 | Data Backup and Recovery - Regular Testing
Operations (OPS) | RB-09 | OPS-09 | Data Backup and Recovery - Storage
Operations (OPS) | RB-10 | OPS-10 | Logging and Monitoring - Concept
Operations (OPS) | RB-11 | OPS-11 | Logging and Monitoring - Metadata Management Concept
Operations (OPS) | - | OPS-12 | Logging and Monitoring - Access, Storage and Deletion
Operations (OPS) | RB-12, SIM-05 | OPS-13 | Logging and Monitoring - Identification of Events
Operations (OPS) | RB-13 | OPS-14 | Logging and Monitoring - Storage of the Logging Data
Operations (OPS) | RB-14 | OPS-15 | Logging and Monitoring - Accountability
Operations (OPS) | RB-15 | OPS-16 | Logging and Monitoring - Configuration
Operations (OPS) | RB-16 | OPS-17 | Logging and Monitoring - Availability of the Monitoring Software
Operations (OPS) | RB-17 | OPS-18 | Managing Vulnerabilities, Malfunctions and Errors - Concept
Operations (OPS) | RB-18 | OPS-19 | Managing Vulnerabilities, Malfunctions and Errors - Penetration Tests
Operations (OPS) | RB-19 | OPS-20 | Managing Vulnerabilities, Malfunctions and Errors - Measurements, Analyses and Assessments of Procedures
Operations (OPS) | RB-20 | OPS-21 | Involvement of Cloud customers in the event of incidents
Operations (OPS) | RB-21 | OPS-22 | Testing and Documentation of known Vulnerabilities
Operations (OPS) | RB-22 | OPS-23 | Managing Vulnerabilities, Malfunctions and Errors - System Hardening
Operations (OPS) | RB-23 | OPS-24 | Separation of Datasets in the Cloud Infrastructure
Identity and Access Management (IDM) | IDM-01 | IDM-01 | Policy for user accounts and access rights
Identity and Access Management (IDM) | IDM-02, IDM-03 | IDM-02 | Granting and change of user accounts and access rights
Identity and Access Management (IDM) | - | IDM-03 | Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins
Identity and Access Management (IDM) | IDM-04 | IDM-04 | Withdraw or adjust access rights as the task area changes
Identity and Access Management (IDM) | IDM-05 | IDM-05 | Regular review of access rights
Identity and Access Management (IDM) | IDM-06, IDM-12 | IDM-06 | Privileged access rights
Identity and Access Management (IDM) | - | IDM-07 | Access to cloud customer data
Identity and Access Management (IDM) | IDM-07 | IDM-08 | Confidentiality of authentication information
Identity and Access Management (IDM) | IDM-08, IDM-11 | IDM-09 | Authentication mechanisms
- | IDM-12 | - | -
- | IDM-13 | - | -
Cryptography and Key Management (CRY) | KRY-01 | CRY-01 | Policy for the use of encryption procedures and key management
Cryptography and Key Management (CRY) | KRY-02 | CRY-02 | Encryption of data for transmission (transport encryption)
Cryptography and Key Management (CRY) | KRY-03 | CRY-03 | Encryption of sensitive data for storage
Cryptography and Key Management (CRY) | KRY-04 | CRY-04 | Secure key management
Communication Security (COS) | KOS-01 | COS-01 | Technical safeguards
Communication Security (COS) | - | COS-02 | Security requirements for connections in the Cloud Service Provider's network
Communication Security (COS) | KOS-02 | COS-03 | Monitoring of connections in the Cloud Service Provider's network
Communication Security (COS) | KOS-03 | COS-04 | Cross-network access
Communication Security (COS) | KOS-04 | COS-05 | Networks for administration
Communication Security (COS) | KOS-05 | COS-06 | Segregation of data traffic in jointly used network environments
Communication Security (COS) | KOS-06 | COS-07 | Documentation of the network topology
Communication Security (COS) | KOS-07 | COS-08 | Policies for data transmission
Portability and Interoperability (PI) | PI-01, PI-04 | PI-01 | Documentation and safety of input and output interfaces
Portability and Interoperability (PI) | PI-02, PI-03 | PI-02 | Contractual agreements for the provision of data
Portability and Interoperability (PI) | PI-05 | PI-03 | Secure deletion of data
Procurement, Development and Modification of Information Systems (DEV) | BEI-01 | DEV-01 | Policies for the development/procurement of information systems
Procurement, Development and Modification of Information Systems (DEV) | BEI-02 | DEV-02 | Outsourcing of the development
Procurement, Development and Modification of Information Systems (DEV) | BEI-03 | DEV-03 | Policies for changes to information systems
Procurement, Development and Modification of Information Systems (DEV) | - | DEV-04 | Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools
Procurement, Development and Modification of Information Systems (DEV) | BEI-04, BEI-05, BEI-06 | DEV-05 | Risk assessment, categorisation and prioritisation of changes
Procurement, Development and Modification of Information Systems (DEV) | BEI-07 | DEV-06 | Testing changes
Procurement, Development and Modification of Information Systems (DEV) | IDM-13 | DEV-07 | Logging of changes
Procurement, Development and Modification of Information Systems (DEV) | BEI-08 | DEV-08 | Version Control
Procurement, Development and Modification of Information Systems (DEV) | BEI-09 | DEV-09 | Approvals for provision in the production environment
- | BEI-10 | - | -
Procurement, Development and Modification of Information Systems (DEV) | BEI-11 | DEV-10 | Separation of environments
- | BEI-12 | - | -
Control and Monitoring of Service Providers and Suppliers (SSO) | DLL-01 | SSO-01 | Policies and instructions for controlling and monitoring third parties
Control and Monitoring of Service Providers and Suppliers (SSO) | - | SSO-02 | Risk assessment of service providers and suppliers
Control and Monitoring of Service Providers and Suppliers (SSO) | - | SSO-03 | Directory of service providers and suppliers
Control and Monitoring of Service Providers and Suppliers (SSO) | DLL-02 | SSO-04 | Monitoring of compliance with requirements
Control and Monitoring of Service Providers and Suppliers (SSO) | - | SSO-05 | Exit strategy for the receipt of benefits
Security Incident Management (SIM) | SIM-01 | SIM-01 | Policy for security incident management
- | SIM-02 | - | (C5:2016 title "Classification of customer systems"; no C5:2020 counterpart)
Security Incident Management (SIM) | SIM-03 | SIM-02 | Processing of security incidents
Security Incident Management (SIM) | SIM-04 | SIM-03 | Documentation and reporting of security incidents
Security Incident Management (SIM) | SIM-06 | SIM-04 | Duty of the users to report security incidents to a central body
Security Incident Management (SIM) | SIM-07 | SIM-05 | Evaluation and learning process
Business Continuity Management (BCM) | BCM-01 | BCM-01 | Top management responsibility
Business Continuity Management (BCM) | BCM-02 | BCM-02 | Business impact analysis policies and instructions
Business Continuity Management (BCM) | BCM-03 | BCM-03 | Planning business continuity
Business Continuity Management (BCM) | BCM-04 | BCM-04 | Verification, updating and testing of the business continuity
Compliance (COM) | COM-01 | COM-01 | Identification of applicable legal, regulatory, self-imposed or contractual requirements
Compliance (COM) | COM-02 | COM-02 | Policy for planning and conducting audits
Compliance (COM) | SPN-02, SPN-03, COM-03 | COM-03 | Internal audits of the information security management system
Compliance (COM) | SPN-01 | COM-04 | Information on information security performance and management assessment of the ISMS
Dealing with investigation requests from government agencies (INQ) | - | INQ-01 | Legal Assessment of Investigative Inquiries
Dealing with investigation requests from government agencies (INQ) | - | INQ-02 | Informing Cloud Customers about Investigation Requests
Dealing with investigation requests from government agencies (INQ) | - | INQ-03 | Conditions for Access to or Disclosure of Data in Investigation Requests
Dealing with investigation requests from government agencies (INQ) | - | INQ-04 | Limiting Access to or Disclosure of Data in Investigation Requests
Product Safety and Security (PSS) | - | PSS-01 | Guidelines and Recommendations for Cloud Customers
Product Safety and Security (PSS) | - | PSS-02 | Identification of Vulnerabilities of the Cloud Service
Product Safety and Security (PSS) | - | PSS-03 | Online Register of Known Vulnerabilities
Product Safety and Security (PSS) | - | PSS-04 | Error handling and Logging Mechanisms
Product Safety and Security (PSS) | - | PSS-05 | Authentication Mechanisms
Product Safety and Security (PSS) | - | PSS-06 | Session Management
Product Safety and Security (PSS) | IDM-07 | PSS-07 | Confidentiality of Authentication Information
Product Safety and Security (PSS) | - | PSS-08 | Roles and Rights Concept
Product Safety and Security (PSS) | IDM-09 | PSS-09 | Authorisation Mechanisms
Product Safety and Security (PSS) | - | PSS-10 | Software Defined Networking
Product Safety and Security (PSS) | - | PSS-11 | Images for Virtual Machines and Containers
Product Safety and Security (PSS) | RB-03 | PSS-12 | Locations of Data Processing and Storage
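The table is a many-to-many crosswalk: one C5:2016 control can feed several C5:2020 controls (MDM-01 feeds AM-01, AM-02 and AM-05; RB-05 feeds OPS-04 and OPS-05), one C5:2020 control can merge several old ones, some old controls are dropped and some new ones have no predecessor. Whoever re-maps existing audit evidence has to answer exactly those questions, so the following helper, an added example that is not part of the BSI changelog, inverts the mapping and projects per-C5:2016 evidence onto the C5:2020 catalogue. ROWS is a hand-copied subset of the table above, and the evidence dictionary in the usage call is constructed for illustration.

```python
"""Crosswalk helper for the C5:2016 -> C5:2020 mapping table above.

Added example; this is not part of the BSI changelog. ROWS is a
hand-copied subset of the table on this page: (area, C5:2016 IDs,
C5:2020 ID). An empty tuple means the C5:2020 control is new; None
means the C5:2016 control has no C5:2020 counterpart.
"""
from collections import defaultdict

ROWS = [
    ("SP", ("SA-01",), "SP-01"),
    ("HR", ("KOS-08",), "HR-06"),
    ("AM", ("AM-01", "AM-02", "MDM-01"), "AM-01"),
    ("AM", ("AM-03", "AM-05", "AM-06", "MDM-01"), "AM-02"),
    ("AM", (), "AM-03"),
    ("AM", ("AM-04", "MDM-01"), "AM-05"),
    ("AM", ("AM-05", "AM-06"), "AM-06"),
    ("PS", ("PS-04", "BCM-05"), "PS-06"),
    ("OPS", ("RB-05",), "OPS-04"),
    ("OPS", ("RB-05",), "OPS-05"),
    ("OPS", ("RB-12", "SIM-05"), "OPS-13"),
    ("IDM", ("IDM-07",), "IDM-08"),
    ("PSS", ("IDM-07",), "PSS-07"),
    ("-", ("BEI-10",), None),
    ("-", ("BEI-12",), None),
    ("-", ("SIM-02",), None),
]


def forward_map(rows):
    """C5:2016 ID -> sorted C5:2020 IDs it was carried into ([] if dropped)."""
    fwd = defaultdict(set)
    for _area, old_ids, new_id in rows:
        for old in old_ids:
            targets = fwd[old]  # creates the key even for dropped controls
            if new_id is not None:
                targets.add(new_id)
    return {old: sorted(new) for old, new in fwd.items()}


def new_controls(rows):
    """C5:2020 IDs with no C5:2016 predecessor: evidence must be built from scratch."""
    return sorted(new_id for _a, old_ids, new_id in rows if new_id and not old_ids)


def dropped_controls(rows):
    """C5:2016 IDs that were not carried into any C5:2020 control."""
    return sorted(old for old, targets in forward_map(rows).items() if not targets)


def split_controls(rows):
    """C5:2016 IDs whose requirement now lives in more than one C5:2020 control."""
    return {old: t for old, t in forward_map(rows).items() if len(t) > 1}


def project_evidence(rows, evidence_2016):
    """Project per-C5:2016 evidence onto C5:2020 controls.

    evidence_2016 maps a C5:2016 ID to True (evidence on file) or False.
    Returns {C5:2020 ID: "new" | "covered" | "partial" | "missing"}; a
    merged control counts as "covered" only when every C5:2016 source is.
    """
    status = {}
    for _area, old_ids, new_id in rows:
        if new_id is None:
            continue  # dropped C5:2016 control, nothing to project onto
        if not old_ids:
            status[new_id] = "new"
            continue
        have = [bool(evidence_2016.get(old, False)) for old in old_ids]
        if all(have):
            status[new_id] = "covered"
        elif any(have):
            status[new_id] = "partial"
        else:
            status[new_id] = "missing"
    return status


if __name__ == "__main__":
    # constructed evidence state: only two C5:2016 controls have evidence on file
    print("split:", split_controls(ROWS))
    print("new:", new_controls(ROWS), "dropped:", dropped_controls(ROWS))
    print(project_evidence(ROWS, {"RB-05": True, "AM-04": True}))
```

Note the asymmetry the projection encodes: evidence for RB-05 alone satisfies both OPS-04 and OPS-05, but evidence for AM-04 alone leaves the merged AM-05 only partially covered until the MDM-01 mobile-device requirements are also evidenced.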
Basic Requirements C5:2016

The entries below reproduce the C5:2016 requirement text of the mapped controls, in the order of the table above.

OIS-01:
The top management initiates, controls and monitors an information security management system (ISMS) which is based on ISO standards of the 2700x series.
The instruments and methods used allow a comprehensible control of the following tasks and activities to permanently maintain and ensure information security:
• Planning, implementing the plan and/or carrying out the project
• Performance review and/or monitoring the achievement of objectives
• Eliminating discovered flaws and weaknesses and continuous improvement.
The ISMS also includes the IT processes for the development and operation of the cloud service.

OIS-02:
A security policy with security objectives and strategic parameters for achieving these objectives is documented. The security objectives are derived from the corporate objectives and business processes, relevant laws and regulations as well as the current and future expected threat environment with respect to information security.
The strategic targets constitute essential framework conditions which are specified in more detail in further policies and instructions (see SA-01).
The security policy is adopted by the top management and communicated to all concerned internal and external parties of the cloud provider (e. g. cloud customers, subcontractors).

OIS-03:
Responsibilities shared between the cloud provider and cloud customers, duties to cooperate as well as interfaces for the reporting of security incidents and malfunctions are defined, documented, assigned depending on the respective cloud model (infrastructure, platform or software as a service) and the contractual duties and communicated to all concerned internal and external parties (e. g. cloud customers, subcontractors of the cloud provider). On the part of the cloud provider, at least the following roles (or comparable equivalents) are described in the security policy or associated policies and corresponding responsibilities assigned:
• Head of IT (CIO)
• IT Security Officer (CISO)
• Representative for the handling of IT security incidents (e. g. Head of CERT)
Changes to the responsibilities and interfaces are communicated internally and externally in such a timely manner that all internal and external parties concerned (e. g. cloud customers) are able to respond to them appropriately with organisational and technical safeguards, before the change becomes effective.
OIS-04:
Organisational and technical controls are established in order to ensure the separation of roles and responsibilities (also referred to as the "separation of duties") which are incompatible with respect to the confidentiality, integrity and availability of information of the cloud customers. Controls for the separation of functions are established in the following areas in particular:
• Administration of roles, granting and assignment of access authorisations for users under the responsibility of the cloud provider
• Development and implementation of changes to the cloud service
• Maintenance of the physical and logical IT infrastructure relevant to the cloud service (networks, operating systems, databases) and the IT applications if they are in the cloud provider's area of responsibility according to the contractual agreements with the cloud customers
Operative and controlling functions should not be performed by one and the same person at the same time. If it is not possible to achieve a separation of duties for organisational or technical reasons, appropriate compensating controls are established in order to prevent or uncover improper activities.

OIS-05:
Appropriate and relevant contacts of the cloud provider with government agencies and interest groups are established to be always informed about current threat scenarios and countermeasures.

OIS-06:
Policies and instructions for the general procedure applicable to the identification, analysis, assessment and handling of risks and IT risks in particular are documented, communicated and provided according to SA-01.
OIS-07:
The procedures for the identification, analysis, assessment and handling of risks, including the IT risks relevant to the cloud service, are carried out at least once a year in order to take internal and external changes and influencing factors into account. The identified risks are comprehensibly documented, assessed and provided with mitigating safeguards according to the safeguards of the risk management.

SA-01:
Policies and instructions for information security or related topics derived from the security policy are documented in a uniform structure. They are communicated and made available to all internal and external employees of the cloud provider properly and adequately.
Policies are versioned and approved by top management of the cloud provider.
The policies and instructions describe at least the following aspects:
• Goals
• Scopes of application
• Roles and responsibilities, including requirements for the qualification of the personnel and the establishment of substitution arrangements
• Coordination of different company departments
• Security architecture and safeguards for the protection of data, IT applications and IT infrastructures which are managed by the cloud provider or third parties
• Safeguards for the compliance with legal and regulatory requirements (compliance)
SA-02:
The policies and instructions for information security are reviewed with respect to their appropriateness and effectiveness by specialists of the cloud provider who are familiar with the topic at least once a year.
At least the following aspects are taken into account in the review:
• Organisational changes at the cloud provider
• Current and future expected threat environment regarding information security
• Legal and technical changes in the cloud provider's environment
Revised policies and instructions are approved by committees or bodies of the cloud provider authorised to do so before they become valid.

SA-03:
Exceptions from policies and instructions for information security are approved by committees or bodies of the cloud provider authorised to do so in a documented form.
The appropriateness of approved exceptions and the assessment of the risks resulting from them are reviewed by specialists of the cloud provider who are familiar with the topic against the backdrop of the current and future expected threat environment regarding information security at least once a year.

HR-01:
The background of all internal and external employees of the cloud provider with access to data of the cloud customers or of the shared IT infrastructure is checked according to the local legislation and regulation by the cloud provider prior to the start of the employment relationship. To the extent permitted by law, the security check includes the following areas:
• Verification of the person by means of the identity card
• Verification of the curriculum vitae
• Verification of academic titles and degrees
• Request of a police clearance certificate for sensitive posts in the company

HR-02:
Employment agreements include the obligations of the cloud provider's internal and external employees to comply with relevant laws, regulations and provisions regarding information security (see KOS-10).
The security policy as well as the policies and instructions for information security derived from it are added to the employment agreement documents. Corresponding compliance is confirmed by the employee by a written statement before they can access the data of the cloud customers or the (shared) IT infrastructure.
HR-03:
A security training and awareness-raising programme tailored to specific target groups on the topic of information security is available and mandatory for all internal and external employees of the cloud provider. The programme is updated at regular intervals with respect to the applicable policies and instructions, the assigned roles and responsibilities as well as the known threats and must then be run through again.
The programme includes at least the following contents:
• Regular and documented instruction on the secure configuration and secure operation of the IT applications and IT infrastructure required for the cloud service, including mobile terminal devices
• Appropriate handling of data of the cloud customers
• Regular and documented instruction on known basic threats and
• Regular and documented training on the behaviour in case of security-relevant events.
External service providers and suppliers of the cloud provider, who contribute to the development or operation of the cloud service, are obliged by contract to make their employees and subcontractors aware of the specific security requirements of the cloud provider and train their employees generally in the subject of information security.

HR-04:
A process for performing disciplinary measures is implemented and communicated to the employees in order to make the consequences of violations of the applicable policies and instructions as well as legal provisions and laws transparent.

HR-05:
Internal as well as external employees are informed that the obligations to comply with relevant laws, regulations and provisions regarding information security remain valid even if the area of responsibility changes or the employment relationship is terminated.
KOS-08:
The non-disclosure or confidentiality agreements to be concluded with internal employees, external service providers and suppliers of the cloud provider are based on the requirements of the cloud provider in order to protect confidential data and business details.
The requirements must be identified, documented and reviewed at regular intervals (at least once a year). If the review shows that the requirements have to be adjusted, new non-disclosure or confidentiality agreements are concluded with the internal employees, the external service providers and the suppliers of the cloud provider.
The non-disclosure or confidentiality agreements must be signed by internal employees, external service providers or suppliers of the cloud provider prior to the start of the contract relationship and/or before access to data of the cloud users is granted.

AM-01:
The assets (e. g. PCs, peripheral devices, telephones, network
components, servers, installation documentation, process instructions, IT
applications, tools) used to render the cloud service are identified and
inventoried.
By means of appropriate processes and safeguards, it is ensured that this
inventory remains complete, correct, up-to-date and consistent. A history of
the changes to the entries in the inventory is kept in a comprehensible
manner. If no effective automatic procedures are established for this, this is
ensured by a manual review of the inventory data of the assets which takes
place at least once a month.

AM-02:
All inventoried assets are assigned to a person responsible on the part of
the cloud provider. The persons responsible of the cloud provider are
responsible over the entire life cycle of the assets to ensure that they are
inventoried completely and classified correctly.

MDM-01:
Policies and instructions with technical and organisational safeguards for
the proper use of mobile terminal devices in the cloud provider's area of
responsibility, which allow access to IT systems for the development and
operation of the cloud service, are documented, communicated and
provided according to SA-01.
These policies and instructions include at least the following aspects,
insofar as they are applicable to the cloud provider's situation:
• Encryption of the devices and data transmission
• Increased access protection
• Extended identity and authorisation management
• Ban on jailbreaking/rooting
• Installation only of approved applications from "App Stores" classified as
trusted
• Bring your own device (BYOD) minimum requirements for private terminal
devices
AM-03:
Policies and instructions with technical and organisational safeguards for
the proper handling of assets are documented, communicated and provided
according to SA-01 in the respectively current version.

AM-05:
The cloud provider uses a uniform classification of information and assets
which are relevant to the development and rendering of the cloud service.

AM-06:
Work instructions and processes for the implemented classification scheme
of information and assets are in place in order to ensure the labeling of
information as well as the corresponding handling of assets. This only
refers to assets which store or process information.

MDM-01:
See the MDM-01 text above (the same C5:2016 requirement feeds AM-01, AM-02 and AM-05 of C5:2020).

AM-04:
All internal and external employees of the cloud provider are obliged to return or irrevocably delete all assets which were handed over to them in relation to the cloud service and/or for which they are responsible as soon as the employment relationship has been terminated.

MDM-01:
See the MDM-01 text above.

AM-05, AM-06:
See the AM-05 and AM-06 texts above (both feed AM-02 as well as AM-06 of C5:2020).

PS-01:
The perimeter of premises or buildings which house sensitive or critical information, information systems or other network infrastructure is protected in a physically solid manner and by means of appropriate security safeguards that conform to the current state of the art.
PS-02:
Access to the premises or buildings which house sensitive or critical information, information systems or other network infrastructure is secured and monitored by means of physical site access controls in order to avoid unauthorised site access.
PS-03:
Structural, technical and organisational safeguards are taken to protect premises or buildings which house sensitive or critical information, information systems or other network infrastructure against fire, water, earthquakes, explosions, civil disturbances and other forms of natural threats and threats caused by humans.
At two geo-redundant sites, at least the following safeguards are carried out:
Structural safeguards:
• Setup of a separate fire zone for the computer centre
• Use of fire-resistant materials according to DIN 4102-1 or EN 13501 (period of fire resistance of at least 90 minutes)
Technical safeguards:
• Sensors to monitor temperature and humidity
• Connecting the building to a fire alarm system with notification of the local fire department
• Early fire detection and extinguishing systems
Organisational safeguards:
• Regular fire drills and fire safety inspections to check compliance with fire protection measures
PS-04:
Precautions against the failure of supply services such as power, cooling or
network connections are taken by means of suitable safeguards and
redundancies in coordination with safeguards for operational reliability.
Power and telecommunication supply lines which transport data or supply
information systems must be protected against interception and damage.

BCM-05:
The supply of the computing centres (e. g. water, electricity, temperature
and moisture control, telecommunications and Internet connection) is
secured, monitored and is maintained and tested at regular intervals in
order to guarantee continuous effectiveness. It has been designed with
automatic fail-safe mechanisms and other redundancies.
Maintenance is performed in compliance with the maintenance intervals
and targets recommended by the suppliers as well as only by personnel
authorised to do so.
Maintenance protocols including any suspected or detected deficiencies are stored for the duration of the period of time previously agreed upon. After this period of time has expired, the maintenance protocols are destroyed properly and permanently.

RB-01:
The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid capacity bottlenecks. The procedures include forecasts of future capacity requirements in order to identify use trends and master system overload risks.
RB-02:
Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the cloud provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured.
RB-04:
In the case of IaaS/PaaS, the cloud customer is able to control and monitor the distribution of the system resources assigned to them for administration/use (e. g. computing capacity or storage capacity) in order to prevent resources from being congested.
RB-05:
The logical and physical IT systems which the cloud provider uses for the development and rendering of the cloud service as well as the network perimeters which are subject to the cloud provider's area of responsibility are equipped with anti-virus protection and repair programs which allow for a signature- and behaviour-based detection and removal of malware.
The programs are updated according to the contractual agreements concluded with the manufacturer(s), but at least once a day.

RB-05:
Identical to the preceding RB-05 text; the same C5:2016 requirement is the source of both OPS-04 and OPS-05 in C5:2020.

RB-06:
Policies and instructions with technical and organisational safeguards in order to avoid losing data are documented, communicated and provided according to SA-01.
They provide reliable procedures for the regular backup (backup as well as snapshots, where applicable) and restoration of data.
The scope, frequency and duration of the retention comply with the contractual agreements concluded with the cloud customers as well as the cloud provider's business requirements. Access to the data backed up is limited to authorised personnel. Restoration procedures include control mechanisms that ensure that restorations are carried out only after they have been approved by persons authorised to do so according to the contractual agreements with the cloud customers or the internal policies of the cloud provider.

The process of backing up data is monitored by means of technical and
organisational safeguards. Malfunctions are examined and eliminated
promptly by qualified employees in order to ensure compliance with the
contractual duties towards the cloud customers or the cloud provider's
business requirements with respect to the scope, frequency and duration of
the retention.
Backup media and restoration procedures must be tested with dedicated
test media by qualified employees at regular intervals. The tests are
designed in such a way that the reliability of the backup media and the
restoration time can be audited with sufficient certainty.
The tests are carried out by qualified employees and the results
documented comprehensibly. Any errors that occur are eliminated in a
timely manner.

The data to be backed up is transmitted to a remote site (e. g. another data
centre of the cloud provider) or transported to a remote site on backup
media. If the backup of the data is transmitted to the remote site via a
network, this is carried out in an encrypted form that conforms to the state
of the art. The distance to the main site should be large enough to ensure
that catastrophes there do not lead to a loss of data at the remote site and,
at the same time, short enough to be able to fulfill the contractual duties
regarding the restoration times. The safeguards taken to ensure the
physical and environment-related security at the remote site correspond to
the level at the main site.

Policies and instructions with technical and organisational safeguards are
documented, communicated and provided according to SA-01 in order to
log events on all assets which are used for the development or operation of
the cloud service and to store them in a central place. The logging includes
defined events which may impair the security and availability of the cloud
service, including logging the activation, stopping and pausing of different
logs. In case of unexpected or unusual events, the logs are checked by
authorised personnel in order to allow for a timely examination of
malfunctions and security incidents as well as for the initiation of suitable
safeguards.
Policies and instructions with technical and organisational safeguards for
the secure handling of meta data (user data) are documented,
communicated and provided according to SA-01. The meta data is
collected and used only for accounting and billing purposes, for eliminating
malfunctions and errors (incident management) as well as for processing
security incidents (security incident management). The meta data is not
used for commercial purposes.
Meta data must be deleted immediately once it is no longer required to fulfill
the legitimate purpose according to this requirement.
The period of time during which meta data is retained is determined by the
cloud provider. It is reasonably related to the purposes pursued with the
collection of meta data.

RB-12:
The cloud provider maintains a list of all assets critical in terms of logging
and monitoring and reviews this list for currency and correctness at
regular intervals. For these critical assets, advanced logging and monitoring
safeguards are defined.

SIM-05:
Logged incidents are centrally aggregated and consolidated (event
correlation). Rules for identifying relations between incidents and assessing
them according to their criticality are implemented. These incidents are
handled according to the security incident management process.

The generated logs are stored on central logging servers on which they are
protected against unauthorised access and changes. Logged data must be
deleted immediately once it is no longer required to fulfill the purpose.
Authentication takes place between the logging servers and the logged
assets in order to protect the integrity and authenticity of the transmitted
and stored information. The transmission is encrypted in a manner that
conforms to the state of the art or takes place via a separate administration
network (out-of-band management).
The generated logs allow for a clear identification of user access to the
tenant level in order to support (forensic) analyses in the case of a security
incident.

The access and management of the logging and monitoring functionalities
is limited to selected and authorised employees of the cloud provider.
Changes to the logging and monitoring are checked by independent and
authorised employees and approved beforehand.

The availability of the logging and monitoring software is monitored
independently. In case the logging and monitoring software fails, the
responsible employees are informed immediately.

Policies and instructions with technical and organisational safeguards are
documented, communicated and provided according to SA-01 in order to
ensure the prompt identification and addressing of vulnerabilities over all
levels of the cloud service, for which they are responsible. The safeguards
include among other things:
• Regular identification and analysis of vulnerabilities
• Regular follow-up of safeguards in order to address identified vulnerabilities
(e. g. installation of security updates according to internal target
specifications)

The cloud provider has penetration tests performed by qualified internal
personnel or external service providers at least once a year. The
penetration tests are carried out according to documented test methods
and include the infrastructure components defined to be critical to the
secure operation of the cloud service, which were identified as such as part
of a risk analysis.
Type, scope, time/period of time and results are documented
comprehensibly for an independent third party.
Findings from the penetration tests are assessed and, in case of
medium or high criticality regarding the confidentiality, integrity or
availability of the cloud service, followed up and remedied. The assessment
of the criticality and the mitigating safeguards for the individual
findings are documented.
Policies and instructions with technical and organisational safeguards for
the handling of critical vulnerabilities are documented, communicated and
provided according to SA-01.
The safeguards are coordinated with the activities of the change
management and the incident management.

The cloud customer is informed by the cloud provider of the status of the
incidents affecting them regularly and in an appropriate form that
corresponds to the contractual agreements, or is involved in the
corresponding remedial actions.
As soon as an incident has been remedied from the cloud provider's point of
view, the cloud customer is informed of the safeguards taken. This
information is sufficiently detailed so that the cloud customer can use it in
their security management.

The IT systems which the cloud provider uses for the development and
rendering of the cloud service are checked automatically for known
vulnerabilities at least once a month.
In the event of deviations from the expected configurations (for example,
the expected patch level), the reasons for this are analysed in a timely
manner and the deviations remedied or documented according to the
exception process (see SA-03).

System components which are used for the rendering of the cloud service
are hardened according to generally established and accepted industry
standards.
The hardening instructions used are documented as well as the
implementation status.

Data is separated securely and strictly on jointly used virtual and physical
resources (storage network, memory) according to a documented concept
in order to guarantee the confidentiality and integrity of the stored and
processed data.
A role and rights concept based on the business and security requirements
of the cloud provider as well as a policy for the management of system and
data access authorisations are documented, communicated and provided
according to SA-01 and address the following areas:
• Granting and change (provisioning) of data access authorisations on the
basis of the "least-privilege principle" and as is necessary for performing the
required tasks ("need-to-know principle")
• Separation of functions between operative and controlling functions (also
referred to as "separation of duties")
• Separation of functions in the administration of roles, approval and
granting of data access authorisations
• Regular review of granted authorisations
• Withdrawal of authorisations (de-provisioning) in case of changes to the
employment relationship
• Requirements for the approval and documentation of the management of
system and data access authorisations

IDM-02:
System access authorisations for users under the responsibility of the cloud
provider (internal and external employees) are granted in a formal
procedure.
Organisational and/or technical safeguards make sure that unique user IDs
which clearly identify each user are granted.

IDM-03:
Granting and change of data access authorisations for users under the
responsibility of the cloud provider comply with the policy for the
management of system and data access authorisations.
Organisational and/or technical safeguards make sure that the granted
access authorisations meet the following requirements:
• Data access authorisations comply with the "least-privilege principle".
• When granting data access authorisations, only access authorisations
necessary to perform the corresponding tasks should be granted ("need-to-
know principle").
• Formal approval is given by an authorised person, before the data access
authorisations are set up (i. e. before the user can access data of the cloud
customers or components of the shared IT infrastructure).
• Technically assigned data access authorisations do not exceed the formal
approval.

Data access authorisations of users under the cloud provider's
responsibility (internal and external employees) are withdrawn and/or
suspended temporarily in the case of changes to the employment
relationship (dismissal, transfer, longer period of
absence/sabbatical/parental leave) promptly, and at the latest 30 days after
the change takes effect.
Any access is deactivated completely as soon as the employment
relationship has ended.

Data access authorisations of users under the cloud provider's
responsibility (internal and external employees) are reviewed at least once
a year in order to adjust them promptly to changes to the employment
relationship (dismissal, transfer, longer period of
absence/sabbatical/parental leave). The review is performed by persons
authorised to do so from the corresponding part of the cloud provider, who
are able to review the appropriateness of the granted authorisations due to
their knowledge of the responsibilities.
The review as well as the adjustments to the authorisations are
documented comprehensibly.

IDM-06:
Granting and change of data access authorisations for internal and external
users with administrative or extensive authorisations under the
responsibility of the cloud provider comply with the policy for the
management of system and data access authorisations (see IDM-01) or a
separate policy. The authorisations are granted in a personalised manner
and as is necessary for performing the corresponding tasks ("need-to-know
principle").
Organisational and/or technical safeguards make sure that granting these
authorisations does not result in undesired, critical combinations which
violate the principle of the separation of duties (e. g. assigning
authorisations for the administration of both the database and the operating
system). If this is not possible in certain selected cases, appropriate,
compensating controls are established in order to identify any misuse of
these authorisations (e. g. logging and monitoring by a SIEM (security
information and event management) solution).

IDM-12:
The use of service programs and management consoles (e. g. for the
management of the hypervisor or virtual machines), which allow extensive
access to the data of the cloud customers, is restricted to authorised
persons.
Granting and changes to corresponding data access authorisations comply
with the policy for the management of system and data access
authorisations.
Access is controlled by means of strong authentication techniques,
including multi-factor authentication (see KOS-06).

Secret authentication credentials (e. g. passwords, certificates, security
tokens) are assigned to internal and external users of the cloud provider or
cloud customer, provided that this is subject to organisational or technical
procedures of the cloud provider, in a properly organised procedure which
ensures the confidentiality of the information.
Initially assigned credentials are valid only temporarily, but not longer than
14 days. Moreover, users are forced to change them when using them for
the first time. Access of the cloud provider to the authentication information
of the cloud customer is strictly regulated, communicated to the cloud
customer and only takes place if it is necessary to perform the
corresponding tasks ("need-to-know principle").
Access is documented and reported to the cloud customer.
IDM-08:
The confidentiality of the login information of internal and external users
under the cloud provider's responsibility is protected by the following
safeguards:
• Identity check by trusted procedures
• Use of recognised industry standards for the authentication and
authorisation (e. g. multi-factor authentication, no use of jointly used
authentication information, automatic expiry)
• Multi-factor authentication for administrators of the cloud provider (e. g.
using a smart card or biometric characteristics) is absolutely necessary

IDM-11:
Security parameters on the network, operating system (host and guest),
database and application level (where relevant to the cloud service) are
configured appropriately to avoid unauthorised access.
If no two-factor authentication or use of one-time passwords is possible, the
use of secure passwords on all levels and devices (including mobile
devices) under the cloud provider's responsibility is forced technically or
must be ensured organisationally in a password policy. The targets must at
least meet the following requirements:
• Minimum password length of 8 characters
• At least two of the following character types must be included: capital
letters, lower-case letters, special characters and numbers
• Maximum validity of 90 days, minimum validity of 1 day
• Password history of 6
• Transmission and storage of the passwords in an encrypted procedure
that conforms to the state of the art.
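The IDM-11 password parameters listed above, as an added example that is not code from the C5 catalogue or from the BSI: a Python check that enforces the length, character-type, minimum/maximum validity and history rules. The salted scrypt hash used for storage and all function and class names are assumptions of this example, not something the catalogue prescribes.

```python
"""Check of the IDM-11 password parameters (added example, not from the catalogue)."""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set

# Parameters as listed in IDM-11 on this page.
MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 2
MAX_VALIDITY = timedelta(days=90)
MIN_VALIDITY = timedelta(days=1)
HISTORY_SIZE = 6  # the current password plus the five before it


def character_classes(password: str) -> Set[str]:
    """Return which of the four IDM-11 character types the password contains."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def complexity_violations(password: str) -> List[str]:
    """List the IDM-11 complexity rules a candidate password violates."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CHARACTER_CLASSES:
        violations.append(f"fewer than {MIN_CHARACTER_CLASSES} character types")
    return violations


def _hash(password: str, salt: bytes) -> bytes:
    # Salted scrypt hash: a constructed choice for storage "in a procedure that
    # conforms to the state of the art"; the page names no algorithm. One salt
    # per account keeps history entries comparable by hash equality.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


@dataclass
class PasswordRecord:
    """Stored state for one account: current hash, last change, previous hashes."""
    salt: bytes
    current: bytes
    changed_at: datetime
    history: List[bytes] = field(default_factory=list)

    @classmethod
    def create(cls, password: str, now: datetime) -> "PasswordRecord":
        salt = os.urandom(16)
        return cls(salt=salt, current=_hash(password, salt), changed_at=now)

    def is_expired(self, now: datetime) -> bool:
        """Maximum validity of 90 days."""
        return now - self.changed_at > MAX_VALIDITY

    def change_violations(self, new_password: str, now: datetime) -> List[str]:
        """All IDM-11 rules a proposed change would violate (empty = allowed)."""
        violations = complexity_violations(new_password)
        if now - self.changed_at < MIN_VALIDITY:
            violations.append("minimum validity of 1 day not yet reached")
        recent = [self.current] + self.history[:HISTORY_SIZE - 1]
        if _hash(new_password, self.salt) in recent:
            violations.append(f"reuses one of the last {HISTORY_SIZE} passwords")
        return violations

    def change(self, new_password: str, now: datetime) -> None:
        """Apply a change after checking it; raises ValueError on any violation."""
        violations = self.change_violations(new_password, now)
        if violations:
            raise ValueError("; ".join(violations))
        self.history = ([self.current] + self.history)[:HISTORY_SIZE - 1]
        self.current = _hash(new_password, self.salt)
        self.changed_at = now


def demo_scenario() -> dict:
    """Walk one constructed account through the rules and return the outcomes."""
    t0 = datetime(2020, 1, 1)
    rec = PasswordRecord.create("Initial-Pw1", t0)
    results = {
        "too_soon": rec.change_violations("Another-Pw2", t0 + timedelta(hours=12)),
        "reuse": rec.change_violations("Initial-Pw1", t0 + timedelta(days=2)),
        "weak": rec.change_violations("abcdefgh", t0 + timedelta(days=2)),
    }
    # Six successive changes push the initial password out of the history window.
    when = t0
    for pw in ["Another-Pw2", "Third-Pw3", "Fourth-Pw4", "Fifth-Pw5", "Sixth-Pw6", "Seventh-Pw7"]:
        when += timedelta(days=2)
        rec.change(pw, when)
    results["expired"] = rec.is_expired(when + timedelta(days=91))
    results["reuse_after_rotation"] = rec.change_violations("Initial-Pw1", when + timedelta(days=2))
    return results
```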

Access to the source code and supplementary information that is relevant
to the development of the cloud service (e. g. architecture documentation,
test plans) is granted restrictively and monitored in order to prevent
unauthorised functions from being introduced and unintended changes from
being made.
Policies and instructions with technical and organisational safeguards for
encryption procedures and key management are documented,
communicated and provided according to SA-01, in which the following
aspects are described:
• Using strong encryption procedures (e. g. AES) and the use of secure
network protocols that correspond to the state of the art (e. g. TLS, IPsec,
SSH)
• Risk-based regulations for the use of encryption which are compared to
schemes for the classification of information and take the communication
channel, type, strength and quality of the encryption into account
• Requirements for the secure generation, storage, archiving, retrieval,
distribution, withdrawal and deletion of the keys
• Taking the relevant legal and regulatory obligations and requirements into
consideration

Procedures and technical safeguards for strong encryption and
authentication for the transmission of data of the cloud customers (e. g.
electronic messages transported via public networks) are established.

Procedures and technical safeguards for the encryption of sensitive data of
the cloud customers for storage are established. Exceptions apply to
data that cannot be encrypted for the rendering of the cloud service for
functional reasons. The private keys used for encryption are known only to
the customer according to applicable legal and regulatory obligations and
requirements. Exceptions (e. g. use of a master key by the cloud provider)
are based on a controlled procedure and must be agreed upon jointly with
the cloud customer.
Procedures and technical safeguards for secure key management include
at least the following aspects:
• Generation of keys for different cryptographic systems and applications
• Issuing and obtaining public-key certificates
• Provisioning and activation of the keys for customers and third parties
involved
• Secure storage of own keys (not those of the cloud customers or other
third parties) including the description as to how authorised users are
granted access
• Changing or updating cryptographic keys including policies defining under
which conditions and in which manner the changes and/or updates are to
be realised
• Handling of compromised keys
• Withdrawal and deletion of keys, for example in the case of compromising
or staff changes
• Storage of the keys of the cloud users not at the cloud provider (i. e. at the
cloud user or a trusted third party)

Based on the results of a risk analysis carried out according to OIS-06, the
cloud provider has implemented technical safeguards which are suitable to
promptly detect and respond to network-based attacks on the basis of
irregular incoming or outgoing traffic patterns (e. g. by MAC spoofing and
ARP poisoning attacks) and/or Distributed Denial-of-Service (DDoS)
attacks.

Physical and virtualised network environments are designed and configured
in such a way that the connections between trusted and untrusted networks
are restricted and monitored.
At defined intervals, it is reviewed whether the use of all services, protocols
and ports serves a real commercial purpose. In addition, the review also
includes the justifications for compensating controls for the use of protocols
which are considered to be insecure.

Each network perimeter is controlled by security gateways. The system
access authorisation for cross-network access is based on a security
assessment on the basis of the customer requirements.

There are separate networks for the administrative management of the
infrastructure and for the operation of management consoles, which are
separated logically or physically from the network of the cloud customers and
are protected against unauthorised access by means of multi-factor
authentication (see IDM-08).
Networks which are used for the purposes of the migration or the
generation of virtual machines must also be separated physically or
logically from other networks.

The data traffic in jointly used network environments is segregated
according to a documented concept for the logical segmentation between the
cloud customers on the network level in order to guarantee the
confidentiality and integrity of the data transmitted.
The architecture of the network is documented comprehensibly and kept up
to date (e. g. in the form of diagrams) in order to avoid errors in the
management during live operation and ensure timely restoration according
to the contractual duties in the event of damage.
Different environments (e. g. administration network and shared network
segments) and data flows are apparent from the documentation.
Furthermore, the geographical locations in which the data is stored are
specified.
Policies and instructions with technical and organisational safeguards in
order to protect the transmission of data against unauthorised interception,
manipulation, copying, modification, redirection or destruction (e. g. use of
encryption) are documented, communicated and provided according to SA-01.
The policy and instructions establish a reference to the classification of
information (see AM-05).

PI-01:
In order to guarantee the interoperability of cloud services, information on
documented input and output interfaces in recognised industry
standards (e. g. the Open Virtualization Format for virtual appliances) is
available in order to support the communication between different
components and the migration of applications.

PI-04:
The cloud provider uses secure network protocols for the import and export
of information as well as for the management of the service in order to
ensure the integrity, confidentiality and availability of the transported data.

PI-02:
At the end of the contract, the cloud customer can request the data to
which they are entitled according to the contractual framework conditions,
from the cloud provider and receives them in processable electronic
standard formats such as CSV or XML.

PI-03:
If no individual agreements between the cloud provider and cloud customer
regulate the interoperability and portability of the data, policies and
instructions with technical and organisational safeguards are documented,
communicated and provided according to SA-01 in order to ensure the
respective requirements and duties of the cloud customer.

Both when changing the storage media for maintenance purposes and
upon request of the cloud customer or the termination of the contract
relationship, the content data of the cloud customer, including the data
backups and the meta data (as soon as they are no longer required for the
proper documentation of the accounting and billing), is deleted completely.
The methods used for this (e. g. by overwriting data several times, deletion
of the key) prevent the data from being restored via forensic methods.
Policies and instructions with technical and organisational safeguards for
the proper development and/or procurement of information systems for the
development or operation of the cloud service, including middleware,
databases, operating systems and network components are documented,
communicated and provided according to SA-01.
The policies and instructions describe at least the following aspects:
• Security in software development methods in compliance with security
standards established in the industry (e. g. OWASP for web applications)
• Security of the development environment (e. g. separate
development/test/production environments)
• Programming policies for each programming language used (e. g.
regarding buffer overflows, hiding internal object references towards users)
• Security in version control

If the development of the cloud service (or parts thereof) is outsourced
regarding the design, development, test and/or provision of source code of
the cloud service, a high level of security is required. Therefore, at least the
following aspects must be agreed upon contractually between the cloud
provider and external service providers:
• Requirements for a secure software development process (especially
design, development and testing)
• Provision of evidence demonstrating that adequate testing was carried out
by the external service provider
• Acceptance test of the quality of the services rendered according to the
functional and non-functional requirements agreed upon
• The right to subject the development process and controls to testing, also
on a random basis
Policies and instructions with technical and organisational safeguards for
the proper management of changes to information systems for the
development or operation of the cloud service, including middleware,
databases, operating systems and network components are documented,
communicated and provided according to SA-01. At least the following
aspects are to be taken into account in this respect:
• Criteria for the classification and prioritisation of changes and related
requirements for the type and scope of tests to be carried out and permits
to be obtained
• Requirements for the notification of affected cloud customers according to
the contractual agreements
• Requirements for the documentation of tests as well as for the application
and permit of changes
• Requirements for the documentation of changes to the system, operating
and user documentation

BEI-04:
The requester of a change performs a risk assessment beforehand. All
configuration objects which might be affected by the change are assessed
with regard to potential impacts. The result of the risk assessment is
documented appropriately and comprehensively.

BEI-05:
All changes are categorised on the basis of a risk assessment (e. g. as
insignificant, significant or far-reaching impacts) in order to obtain an
appropriate authorisation prior to making the change available to the
production environment.

BEI-06:
All changes are prioritised on the basis of a risk assessment (e. g. as low,
normal, high, emergency) in order to obtain an appropriate authorisation
prior to making the change available to the production environment.
All changes to the cloud service are subjected to tests (e. g. for integration,
regression, security and user acceptance) during the development and
before they are made available to the production environment. The tests
are carried out by adequately qualified personnel of the cloud provider.
According to the service level agreement (SLA), changes are also tested by
those customers (tenants) suitable for this.

Access to the source code and supplementary information that is relevant
to the development of the cloud service (e. g. architecture documentation,
test plans) is granted restrictively and monitored in order to prevent
unauthorised functions from being introduced and unintended changes from
being made.

Processes are defined in order to be able to roll back changes as required
as a result of errors or security concerns and to restore affected systems or
services to their previous state.

Before a change is released to the production environment, it must be
reviewed by an authorised body or a corresponding committee whether the
planned tests have been completed successfully and the required
approvals are granted.

Emergency changes are to be classified as such by the change manager
who creates the change documentation before applying the change to the
production environment.
Afterwards (e. g. within 5 working days), the change manager supplements
the change documentation with a justification and the result of the
application of the emergency change. This justification must show why the
regular change process could not have been run through and what the
consequences of a delay resulting from compliance with the regular
process would have been.
The change documentation is forwarded to the customers concerned and a
subsequent release by authorised bodies is obtained according to the
contractual agreements.

Production environments are separated physically or logically from non-
production environments in order to avoid unauthorised access or changes
to the production data. Production data is not replicated in test or
development environments in order to maintain its confidentiality.
Change management procedures include role-based authorisations in
order to ensure an appropriate separation of duties regarding the
development, release and migration of changes between the environments.

Policies and instructions for ensuring the protection of information accessed
by other third parties (e. g. service providers and/or suppliers of the cloud
provider), who contribute significant parts to the development or operation
of the cloud service, are documented, communicated and provided
according to SA-01.
The corresponding controls are used to mitigate risks which may result from
the potential access to information of the cloud customers. The following
aspects are at least to be taken into account for this:
• Definition and description of minimum security requirements with regard to
the information processed, which are based on recognised industry
standards such as ISO/IEC 27001
• Legal and regulatory requirements, including data protection, intellectual
property right, copyright, handling of meta data (see RB-11) as well as a
description as to how they are ensured (e. g. site of data processing and
liability, see surrounding parameters for transparency)
• Requirements for incident and vulnerability management (especially
notifications and collaborations when eliminating malfunctions)
• Disclosure and contractual obligation to the minimum security
requirements also to subcontractors if they do not only contribute
insignificant parts to the development or operation of the cloud service (e.
g. service provider of the computing centre)
The definition of the requirements is integrated into the risk management of
the cloud provider. According to requirements OIS-07, they are checked at
regular intervals for their appropriateness.

Procedures for the regular monitoring and review of agreed services and
security requirements of third parties (e.g. service providers and/or
suppliers of the cloud provider) who contribute essential parts to the
development or operation of the cloud service are established.
The safeguards include at least the following aspects:
• Regular review of service reports (e. g. SLA reports) if they are provided
by third parties
• Review of security-relevant incidents, operational disruptions or failures
and interruptions that are related to the service
• Unscheduled reviews after essential changes to the requirements or
environment. The essentiality must be assessed by the cloud provider and
documented comprehensibly for audits
Identified deviations are subjected to a risk analysis according to
requirement OIS-07 in order to effectively address them by mitigating
safeguards in a timely manner.

Policies and instructions with technical and organisational safeguards are
documented, communicated and provided according to SA-01 in order to
ensure a fast, effective and proper response to all known security incidents.
On the part of the cloud provider, at least the roles listed in OIS-03 must be
filled, requirements for the classification, prioritisation and escalation of
security incidents defined and interfaces with the incident management and
the business continuity management created.
In addition to this, the cloud provider has established a "computer
emergency response team" (CERT), which contributes to the coordinated
solution of specific security incidents. Customers affected by security
incidents are informed in a timely manner and appropriate form.

All customer systems are classified according to the agreements (SLA)
between the cloud provider and cloud customer regarding the criticality for
the rendering of services. The assignment of classifications is reviewed
regularly as well as after essential changes / events for all customer
systems. Deviations are followed up and eliminated in a timely manner.
Moreover, the classification shows which parameters regarding the
recovery of a system were agreed upon with the cloud customer.

Events which could represent a security incident are classified, prioritised
and subjected to a cause analysis by qualified personnel of the cloud
provider or in connection with external security service providers.

After a security incident has been processed, the solution is documented
according to the contractual agreements and the report is forwarded for
final information or, if necessary, as confirmation to the customers affected.
The employees and external business partners are informed of their duties.
If necessary, they agree to or commit themselves contractually to promptly
report all security events to a previously specified central body.
Furthermore, information is provided that "incorrect notifications" of events
which afterwards turn out not to have been incidents do not have any
negative consequences for the employees.

Mechanisms are in place to be able to measure and monitor the type and
scope of the security incidents as well as to report them to supporting
bodies. The information gained from the evaluation is used to identify
recurring incidents or incidents involving significant consequences and to
determine the need for advanced safeguards.

The top management (and/or a member of the top management) is specified as the process owner of the business continuity and contingency management and bears the responsibility for the establishment of the process in the company and compliance with the policies. They must ensure that adequate resources are made available for an effective process.
Members of the top management and persons in other relevant leadership
positions demonstrate leadership and commitment with respect to this
topic, for example by asking and/or encouraging the employees to actively
contribute to the effectiveness of the business continuity and contingency
management.
Policies and instructions for determining impacts of possible malfunctions of
the cloud service or company are documented, communicated and
provided according to SA-01.
At least the following aspects are taken into consideration:
• Possible scenarios based on a risk analysis (e. g. loss of personnel,
failure of building, infrastructure and service providers)
• Identification of critical products and services
• Identification of dependencies, including the processes (incl. the
resources required for this), applications, business partners and third
parties
• Identification of threats to critical products and services
• Determination of consequences resulting from planned and unplanned
malfunctions and changes over time
• Determination of the maximum acceptable duration of malfunctions
• Determination of the priorities for the restoration
• Determination of time-limited targets for the recovery of critical products
and services within the maximum acceptable period of time (recovery time
objective, RTO)
• Determination of time-limited targets for the maximum acceptable period
of time during which data is lost and cannot be restored (recovery point
objective, RPO)
• Estimation of the resources required for recovery
Based on the business impact analysis, a uniform framework for planning business continuity and contingency is introduced, documented and applied in order to ensure that all plans (e. g. of the different sites of the cloud provider) are consistent. The planning is based on established standards, which is documented comprehensibly in a "statement of applicability".
Business continuity plans and contingency plans take the following aspects
into consideration:
• Defined purpose and scope by taking the relevant dependencies into
account
• Accessibility and comprehensibility of the plans for persons who have to
take action in line with these plans
• Ownership by at least one appointed person who is responsible for
review, updating and approval
• Defined communication channels, roles and responsibilities including the
notification of the customer
• Restoration procedures, manual temporary solutions and reference
information (by taking the prioritisation into account for the recovery of
cloud infrastructure components and services as well as orienting to
customers)
• Methods used for the implementation of the plans
• Continuous improvement process of the plans
• Interfaces with the security incident management

The business impact analysis as well as the business continuity plans and
contingency plans are verified, updated and tested at regular intervals (at
least once a year) or after essential organisational or environment-related
changes. The tests also involve affected customers (tenants) and relevant
third parties (e. g. critical suppliers). The tests are documented and results
are taken into account for future business continuity safeguards.

Legal, regulatory and statutory requirements, as well as the procedure for complying with these requirements and regulations, must be identified, documented and updated regularly by the cloud provider for the cloud service in relation to the respective application.
Independent audits and assessments of systems or components which
contribute to the rendering of the cloud services are planned by the cloud
provider in such a way that the following requirements are met:
• There is only read access to software and data.
• Activities which might impair the availability of the systems or components
and thus result in a violation of the SLA are carried out outside regular
business hours and/or not at load peak times.
• The activities performed are logged and monitored.

SPN-02:
Qualified personnel (e. g. internal audit) of the cloud provider or expert third parties commissioned by the cloud provider audit, on an annual basis, the compliance of the internal IT processes with the corresponding internal policies and standards as well as with the legal, regulatory and statutory requirements relevant to the cloud service.
The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

SPN-03:
At least on an annual basis, qualified personnel (e. g. internal audit) of the cloud provider or expert third parties commissioned by the cloud provider audit the compliance of the IT systems with the corresponding internal policies and standards as well as with the legal, regulatory and statutory requirements relevant to the cloud service, provided that these systems are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service.
The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

COM-03:
Audits and assessments of processes, IT systems and IT components, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, are carried out by independent third parties (e. g. certified public auditors) at least once a year in order to identify non-conformities with legal, regulatory and statutory requirements. The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

The top management is informed of the status of the information security on the basis of security checks by means of regular reports and is responsible for the prompt elimination of the findings resulting from them.

Secret authentication credentials (e. g. passwords, certificates, security tokens) are assigned to internal and external users of the cloud provider or cloud customer, provided that this is subject to organisational or technical procedures of the cloud provider, in a properly organised procedure which ensures the confidentiality of the information.
Initially assigned credentials are valid only temporarily, for no longer than 14 days, and users are forced to change them when using them for the first time. Access of the cloud provider to the authentication information of the cloud customer is strictly regulated, communicated to the cloud customer and only takes place if it is necessary to perform the corresponding tasks ("need-to-know principle").
Such access is documented and reported to the cloud customer.

The use of emergency users (for activities which cannot be carried out with personalised, administrative users, see IDM-06) is documented and justified and requires the approval of an authorised person, taking the principle of the separation of functions into account. The emergency user is only activated for as long as it is necessary to perform the corresponding tasks.


The cloud customer is able to determine the locations (city/country) of the data processing and storage including data backups.
Basic Criteria
C5:2020

The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service.
The measures for setting up, implementing, maintaining and continuously
improving the ISMS are documented.
The documentation includes:

• Scope of the ISMS (Section 4.3 of ISO/IEC 27001);

• Declaration of applicability (Section 6.1.3), and

• Results of the last management review (Section 9.3).

The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers.
The policy describes:

• the importance of information security, based on the requirements of cloud customers in relation to information security;

• the security objectives and the desired security level, based on the
business goals and tasks of the Cloud Service Provider;

• the most important aspects of the security strategy to achieve the security
objectives set; and

• the organisational structure for information security in the ISMS application area.

Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events:

• Vulnerabilities;

• Security incidents; and

• Malfunctions.

The type and scope of the documentation is geared towards the information
requirements of the subject matter experts of the affected organisations in
order to carry out the activities appropriately (e.g. definition of roles and
responsibilities in guidelines, description of cooperation obligations in
service descriptions and contracts).

The communication of changes to the interfaces and dependencies takes place in a timely manner so that the affected organisations and third parties can react appropriately with organisational and technical measures before the changes take effect.
Conflicting tasks and responsibilities are separated based on an OIS-06
risk assessment to reduce the risk of unauthorised or unintended changes
or misuse of cloud customer data processed, stored or transmitted in the
cloud service.

The risk assessment covers the following areas, insofar as these are
applicable to the provision of the Cloud Service and are in the area of
responsibility of the Cloud Service Provider:

• Administration of rights profiles, approval and assignment of access and access authorisations (cf. IDM-01);

• Development, testing and release of changes (cf. DEV-01); and

• Operation of the system components.

If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions.

The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19).
Policies and instructions for risk management procedures are documented,
communicated and provided in accordance with SP-01 for the following
aspects:

• Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners;

• Analysis of the probability and impact of occurrence and determination of the level of risk;

• Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling;

• Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and

• Documentation of the activities implemented to enable consistent, valid and comparable results.
The Cloud Service Provider executes the process for handling risks as
needed or at least once a year. The following aspects are taken into
account when identifying risks, insofar as they are applicable to the cloud
service provided and are within the area of responsibility of the Cloud
Service Provider:

• Processing, storage or transmission of data of cloud customers with different protection needs;

• Occurrence of weak points and malfunctions in technical protective measures for separating shared resources;

• Attacks via access points, including interfaces accessible from public networks;

• Conflicting tasks and areas of responsibility that cannot be separated for organisational or technical reasons; and

• Dependencies on subservice organisations.

The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners.

Policies and instructions (incl. concepts and guidelines) are derived from
the information security policy and are documented according to a uniform
structure. They are communicated and made available to all internal and
external employees of the Cloud Service Provider in an appropriate
manner.

The policies and instructions are version controlled and approved by the top
management of the Cloud Service Provider or an authorised body.

The policies and instructions describe at least the following aspects:

• Objectives;

• Scope;

• Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules;

• Roles and dependencies on other organisations (especially cloud customers and subservice organisations);

• Steps for the execution of the security strategy; and

• Applicable legal and regulatory requirements.


Information security policies and instructions are reviewed at least annually
for adequacy by the Cloud Service Provider's subject matter experts.

The review shall consider at least the following aspects:

• Organisational and technical changes in the procedures for providing the cloud service; and

• Legal and regulatory changes in the Cloud Service Provider's environment.

Revised policies and instructions are approved before they become effective.

Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners.

The competency and integrity of all internal and external employees of the Cloud Service Provider who have access to cloud customer data or to system components under the Cloud Service Provider's responsibility and who are responsible for providing the cloud service in the production environment shall be verified by the Cloud Service Provider prior to commencement of employment, in accordance with local legislation and regulation.

To the extent permitted by law, the review will cover the following areas:

• Verification of the person through identity card;

• Verification of the CV;

• Verification of academic titles and degrees;

• Request of a police clearance certificate for applicants;

• Certificate of good conduct or national equivalent; and

• Evaluation of the risk to be blackmailed.

The Cloud Service Provider's internal and external employees are required
by the employment terms and conditions to comply with applicable policies
and instructions relating to information security.

The information security policy, and the policies and instructions based on
it, are to be acknowledged by the internal and external personnel in a
documented form before access is granted to any cloud customer data or
system components under the responsibility of the Cloud Service Provider
used to provide the cloud service in the production environment.
The Cloud Service Provider operates a target group-oriented security
awareness and training program, which is completed by all internal and
external employees of the Cloud Service Provider on a regular basis. The
program is regularly updated based on changes to policies and instructions
and the current threat situation and includes the following aspects:

• Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures;

• Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;

• Information about the current threat situation; and

• Correct behaviour in the event of security incidents.

In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects:

• Verifying whether a violation has occurred; and

• Consideration of the nature and severity of the violation and its impact.

The internal and external employees of the Cloud Service Provider are
informed about possible disciplinary measures.

The use of disciplinary measures is appropriately documented.

Internal and external employees have been informed about which responsibilities, arising from the guidelines and instructions relating to information security, will remain in place when their employment is terminated or changed and for how long.
The non-disclosure or confidentiality agreements to be agreed with internal
employees, external service providers and suppliers of the Cloud Service
Provider are based on the requirements identified by the Cloud Service
Provider for the protection of confidential information and operational
details.

The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted.

The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated.

The Cloud Service Provider must inform the internal employees, external
service providers and suppliers and obtain confirmation of the updated
confidentiality or non-disclosure agreement.

The Cloud Service Provider has established procedures for inventorying assets.

The inventory is performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle.

Assets are recorded with the information needed to apply the Risk
Management Procedure (Cf. OIS-07), including the measures taken to
manage these risks throughout the asset lifecycle. Changes to this
information are logged.
Policies and instructions for acceptable use and safe handling of assets are
documented, communicated and provided in accordance with SP-01 and
address the following aspects of the asset lifecycle as applicable to the
asset:

• Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components;

• Inventory;

• Classification and labelling based on the need for protection of the information and measures for the level of protection identified;

• Secure configuration of mechanisms for error handling, logging, encryption, authentication and authorisation;

• Requirements for versions of software and images as well as application of patches;

• Handling of software for which support and security patches are not
available anymore;

• Restriction of software installations or use of services;

• Protection against malware;

• Remote deactivation, deletion or blocking;

• Physical delivery and transport;

• Dealing with incidents and vulnerabilities; and

• Complete and irrevocable deletion of the data upon decommissioning.

The Cloud Service Provider has an approval process for the use of
hardware to be commissioned, which is used to provide the cloud service in
the production environment, in which the risks arising from the
commissioning are identified, analysed and mitigated. Approval is granted
after verification of the secure configuration of the mechanisms for error
handling, logging, encryption, authentication and authorisation according to
the intended use and based on the applicable policies.

The decommissioning of hardware used to operate system components supporting the cloud service production environment under the responsibility of the Cloud Service Provider requires approval based on the applicable policies.

The decommissioning includes the complete and permanent deletion of the data or proper destruction of the media.
The Cloud Service Provider's internal and external employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before the assets can be used, if the Cloud Service Provider has determined in a risk assessment that their loss or unauthorised access could compromise the information security of the Cloud Service.

Any assets handed over are provably returned upon termination of employment.

Assets are classified and, if possible, labelled. Classification and labelling of an asset reflects the protection needs of the information it processes, stores, or transmits.

The need for protection is determined by the individuals or groups responsible for the assets of the Cloud Service Provider according to a uniform schema. The schema provides levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives.
Security requirements for premises and buildings related to the cloud service provided are based on the security objectives of the information security policy, the identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01.

The security requirements for data centres are based on criteria which
comply with established rules of technology. They are suitable for
addressing the following risks in accordance with the applicable legal and
contractual requirements:

• Faults in planning;

• Unauthorised access;

• Insufficient surveillance;

• Insufficient air-conditioning;

• Fire and smoke;

• Water;

• Power failure; and

• Air ventilation and filtration.

If the Cloud Service Provider uses premises or buildings operated by third parties to provide the Cloud Service, the document describes which security requirements the Cloud Service Provider places on these third parties.

The appropriate and effective verification of implementation is carried out in accordance with the criteria for controlling and monitoring subcontractors (cf. SSO-01, SSO-02).
The cloud service is provided from two locations that are redundant to each
other. The locations meet the security requirements of the Cloud Service
Provider (cf. PS-01 Security Concept) and are located in an adequate
distance to each other to achieve operational redundancy. Operational
redundancy is designed in a way that ensures that the availability
requirements specified in the service level agreement are met. The
functionality of the redundancy is checked at least annually by suitable tests
and exercises (cf. BCM-04 - Verification, updating and testing of business
continuity).

The structural shell of premises and buildings related to the cloud service
provided are physically solid and protected by adequate security measures
that meet the security requirements of the Cloud Service Provider (cf. PS-
01 Security Concept).

The security measures are designed to detect and prevent unauthorised access in a timely manner so that it does not compromise the information security of the cloud service.

The outer doors, windows and other construction elements reach a level
appropriate to the security requirements and withstand a burglary attempt
for at least 10 minutes.

The surrounding wall constructions as well as the locking mechanisms meet the associated requirements.
At access points to premises and buildings related to the cloud service
provided, physical access controls are set up in accordance with the Cloud
Service Provider's security requirements (cf. PS-01 Security Concept) to
prevent unauthorised access.

Access controls are supported by an access control system.

The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects:

• Specified procedure for the granting and revoking of access authorisations (cf. IDM-02) based on the principle of least authorisation ("least-privilege principle") and as necessary for the performance of tasks ("need-to-know principle");

• Automatic revocation of access authorisations if they have not been used for a period of 2 months;

• Automatic withdrawal of access authorisations if they have not been used for a period of 6 months;

• Two-factor authentication for access to areas hosting system components that process cloud customer information;

• Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and

• Existence and nature of access logging that enables the Cloud Service
Provider, in the sense of an effectiveness audit, to check whether only
defined personnel have entered the premises and buildings related to the
cloud service provided.
Premises and buildings related to the cloud service provided are protected
from fire and smoke by structural, technical and organisational measures
that meet the security requirements of the Cloud Service Provider (cf. PS-
01 Security Concept) and include the following aspects:

a) Structural Measures:

Establishment of fire sections with a fire resistance duration of at least 90 minutes for all structural parts.

b) Technical Measures:

• Early fire detection with automatic voltage release. The monitored areas
are sufficiently fragmented to ensure that the prevention of the spread of
incipient fires is proportionate to the maintenance of the availability of the
cloud service provided;

• Extinguishing system or oxygen reduction; and

• Fire alarm system with reporting to the local fire department.

c) Organisational Measures

• Regular fire protection inspections to check compliance with fire protection requirements; and

• Regular fire protection exercises.


Measures to prevent the failure of the technical supply facilities required for
the operation of system components with which information from cloud
customers is processed, are documented and set up in accordance with the
security requirements of the Cloud Service Provider (cf. PS-01 Security
Concept) with respect to the following aspects:

a) Operational redundancy (N+1) in power and cooling supply

b) Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 - Verification, updating and testing of business continuity).

c) Maintenance (servicing, inspection, repair) of the utilities in accordance with the manufacturer's recommendations.

d) Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked by qualified personnel regularly, but at least every two years, as well as in case of suspected manipulation, regarding the following aspects:

• Traces of violent attempts to open closed distributors;

• Up-to-date documentation in the distribution list;

• Conformity of the actual wiring and patching with the documentation;

• Intact short-circuiting and earthing of unneeded cables; and

• Impermissible installations and modifications.

The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud Service Provider are automatically informed in order to promptly initiate the necessary measures for a return to the control range.

The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload.

Cloud Service Providers take appropriate measures to ensure that they continue to meet the requirements agreed with cloud customers for the provision of the cloud service in the event of capacity bottlenecks or outages regarding personnel and IT resources, in particular those relating to the dedicated use of system components, in accordance with the respective agreements.
Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured.
Depending on the capabilities of the respective service model, the cloud customer can control and monitor the allocation of the system resources assigned to the customer for administration/use in order to avoid overloading of resources and to achieve sufficient performance.
Policies and instructions that provide protection against malware are
documented, communicated, and provided in accordance with SP-01 with
respect to the following aspects:

• Use of system-specific protection mechanisms;

• Operating protection programs on system components under the responsibility of the Cloud Service Provider that are used to provide the cloud service in the production environment; and

• Operation of protection programs for employees' terminal equipment.

System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily.

Policies and instructions for data backup and recovery are documented,
communicated and provided in accordance with SP-01 regarding the
following aspects.

• The extent and frequency of data backups and the duration of data
retention are consistent with the contractual agreements with the cloud
customers and the Cloud Service Provider's operational continuity
requirements for Recovery Time Objective (RTO) and Recovery Point
Objective (RPO);

• Data is backed up in encrypted, state-of-the-art form;

• Access to the backed-up data and the execution of restores is performed
only by authorised persons; and

• Tests of recovery procedures (cf. OPS-08).

The execution of data backups is monitored by technical and organisational
measures. Malfunctions are investigated by qualified staff and rectified
promptly to ensure compliance with contractual obligations to cloud
customers or the Cloud Service Provider's business requirements regarding
the scope and frequency of data backup and the duration of storage.

Restore procedures are tested regularly, at least annually. The tests allow
an assessment to be made as to whether the contractual agreements as
well as the specifications for the maximum tolerable downtime (Recovery
Time Objective, RTO) and the maximum permissible data loss (Recovery
Point Objective, RPO) are adhered to (cf. BCM-02).

Deviations from the specifications are reported to the responsible personnel
or system components so that these can promptly assess the deviations
and initiate the necessary actions.

The Cloud Service Provider transfers data to be backed up to a remote
location or transports these on backup media to a remote location. If the
data backup is transmitted to the remote location via a network, the data
backup or the transmission of the data takes place in an encrypted form
that corresponds to the state-of-the-art. The distance to the main site is
chosen after sufficient consideration of the recovery times and of the
impact of disasters on both sites. The physical and environmental security
measures at the remote site are at the same level as at the main site.

The Cloud Service Provider has established policies and instructions that
govern the logging and monitoring of events on system components within
its area of responsibility. These policies and instructions are documented,
communicated and provided according to SP-01 with respect to the
following aspects:

• Definition of events that could lead to a violation of the protection goals;

• Specifications for activating, stopping and pausing the various logs;

• Information regarding the purpose and retention period of the logs;

• Definition of roles and responsibilities for setting up and monitoring logging;

• Time synchronisation of system components; and

• Compliance with legal and regulatory frameworks.


Policies and instructions for the secure handling of metadata (usage data)
are documented, communicated and provided according to SP-01 with
regard to the following aspects:

• Metadata is collected and used solely for billing, incident management
and security incident management purposes;

• Exclusively anonymous metadata is used to deploy and enhance the cloud
service so that no conclusions can be drawn about the cloud customer or
user;

• No commercial use;

• Storage for a fixed period reasonably related to the purposes of the
collection;

• Immediate deletion if the purposes of the collection are fulfilled and further
storage is no longer necessary; and

• Provision to cloud customers according to contractual agreements.

The requirements for the logging and monitoring of events and for the
secure handling of metadata are implemented by technically supported
procedures with regard to the following restrictions:

• Access only to authorised users and systems;

• Retention for the specified period; and

• Deletion when further retention is no longer necessary for the purpose of
collection.

The logging data is automatically monitored for events that may violate the
protection goals in accordance with the logging and monitoring
requirements. This also includes the detection of relationships between
events (event correlation).

Identified events are automatically reported to the appropriate departments
for prompt evaluation and action.

The Cloud Service Provider retains the generated log data and keeps these
in an appropriate, unchangeable and aggregated form, regardless of the
source of such data, so that a central, authorised evaluation of the data is
possible. Log data is deleted if it is no longer required for the purpose for
which it was collected.

Between logging servers and the assets to be logged, authentication takes
place to protect the integrity and authenticity of the information transmitted
and stored. The transfer takes place using state-of-the-art encryption or a
dedicated administration network (out-of-band management).

The log data generated allows an unambiguous identification of user
accesses at tenant level to support (forensic) analysis in the event of a
security incident.

Interfaces are available to conduct forensic analyses and perform backups
of infrastructure components and their network communication.

Access to system components for logging and monitoring in the Cloud
Service Provider’s area of responsibility is restricted to authorised users.
Changes to the configuration are made in accordance with the applicable
policies (cf. DEV-03).

The Cloud Service Provider monitors the system components for logging
and monitoring in its area of responsibility. Failures are automatically and
promptly reported to the Cloud Service Provider’s responsible departments
so that these can assess the failures and take required action.

Guidelines and instructions with technical and organisational measures are
documented, communicated and provided in accordance with SP-01 to
ensure the timely identification and addressing of vulnerabilities in the
system components used to provide the cloud service. These guidelines
and instructions contain specifications regarding the following aspects:

• Regular identification of vulnerabilities;

• Assessment of the severity of identified vulnerabilities;

• Prioritisation and implementation of actions to promptly remediate or
mitigate identified vulnerabilities based on severity and according to defined
timelines; and

• Handling of system components for which no measures are initiated for
the timely remediation or mitigation of vulnerabilities.

The Cloud Service Provider has penetration tests carried out by qualified
internal personnel or external service providers at least once a year. The
penetration tests are carried out according to a documented test
methodology and include the system components relevant to the provision
of the cloud service in the area of responsibility of the Cloud Service
Provider, which have been identified as such in a risk analysis.

The Cloud Service Provider assesses the severity of the findings made in
penetration tests according to defined criteria.

For findings with medium or high criticality regarding the confidentiality,
integrity or availability of the cloud service, actions must be taken within
defined time windows for prompt remediation or mitigation.

The Cloud Service Provider regularly measures, analyses and assesses the
procedures with which vulnerabilities and incidents are handled to verify
their continued suitability, appropriateness and effectiveness.

Results are evaluated at least quarterly by accountable departments at the
Cloud Service Provider to initiate continuous improvement actions and to
verify their effectiveness.

The Cloud Service Provider periodically informs the cloud customer on the
status of incidents affecting the cloud customer, or, where appropriate and
necessary, involves the customer in the resolution, in a manner consistent
with the contractual agreements.

As soon as an incident has been resolved from the Cloud Service
Provider's perspective, the cloud customer is informed, in accordance with
the contractual agreements, about the actions taken.

System components in the area of responsibility of the Cloud Service
Provider for the provision of the cloud service are automatically checked for
known vulnerabilities at least once a month in accordance with the policies
for handling vulnerabilities (cf. OPS-18), the severity is assessed in
accordance with defined criteria and measures for timely remediation or
mitigation are initiated within defined time windows.

System components in the production environment used to provide the
cloud service under the Cloud Service Provider's responsibility are
hardened according to generally accepted industry standards. The
hardening requirements for each system component are documented.

If non-modifiable ("immutable") images are used, compliance with the
hardening specifications as defined in the hardening requirements is
checked upon creation of the images. Configuration and log files regarding
the continuous availability of the images are retained.

Cloud customer data stored and processed on shared virtual and physical
resources is securely and strictly separated according to a documented
approach based on OIS-07 risk analysis to ensure the confidentiality and
integrity of this data.
A role and rights concept based on the business and security requirements
of the Cloud Service Provider as well as a policy for managing user
accounts and access rights for internal and external employees of the
Cloud Service Provider and system components that have a role in
automated authorisation processes of the Cloud Service Provider are
documented, communicated and made available according to SP-01:

• Assignment of unique usernames;

• Granting and modifying user accounts and access rights based on the
“least-privilege” principle and the “need-to-know” principle;

• Segregation of duties between operational and monitoring functions
(“Segregation of Duties”);

• Segregation of duties between managing, approving and assigning user
accounts and access rights;

• Approval by authorised individual(s) or system(s) for granting or modifying
user accounts and access rights before data of the cloud customer or
system components used to provision the cloud service can be accessed;

• Regular review of assigned user accounts and access rights;

• Blocking and removing access accounts in the event of inactivity;

• Time-based or event-driven removal or adjustment of access rights in the
event of changes to job responsibility;

• Two-factor or multi-factor authentication for users with privileged access; and

• Requirements for the approval and documentation of the management of
user accounts and access rights.

Specified procedures for granting and modifying user accounts and access
rights for internal and external employees of the Cloud Service Provider as
well as for system components involved in automated authorisation
processes of the Cloud Service Provider ensure compliance with the role
and rights concept as well as the policy for managing user accounts and
access rights.

User accounts of internal and external employees of the Cloud Service
Provider as well as for system components involved in automated
authorisation processes of the Cloud Service Provider are automatically
locked if they have not been used for a period of two months. Approval from
authorised personnel or system components is required to unlock these
accounts.

Locked user accounts are automatically revoked after six months. After
revocation, the procedure for granting user accounts and access rights (cf.
IDM-02) must be repeated.

Access rights are promptly revoked if the job responsibilities of the Cloud
Service Provider's internal or external staff or the tasks of system
components involved in the Cloud Service Provider's automated
authorisation processes change. Privileged access rights are adjusted or
revoked within 48 hours after the change takes effect. All other access
rights are adjusted or revoked within 14 days. After revocation, the
procedure for granting user accounts and access rights (cf. IDM-02) must
be repeated.
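An added example (not part of the C5 catalogue or of any provider's tooling) that evaluates a constructed account inventory against the timelines stated for IDM-03 and IDM-04 above: lock after two months of inactivity, revoke after six months locked, and adjust rights within 48 hours (privileged) or 14 days (other) after a job change. The Account record, the 60/180-day approximations of "two"/"six months" and the inventory in sample_inventory() are assumptions of this example.

```python
"""Check an account inventory against the IDM-03 / IDM-04 timelines.

Added example, not part of the C5 catalogue: a small compliance check a
provider could run over its own identity data. The Account record and the
inventory in sample_inventory() are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timelines as stated in IDM-03 and IDM-04. "Two months" and "six months"
# are approximated here as 60 and 180 days (assumption of this example).
INACTIVITY_LOCK = timedelta(days=60)
LOCKED_REVOKE = timedelta(days=180)
PRIV_CHANGE_DEADLINE = timedelta(hours=48)
OTHER_CHANGE_DEADLINE = timedelta(days=14)


@dataclass
class Account:
    name: str
    privileged: bool
    last_used: datetime
    # Set while the account is locked (IDM-03); None if active.
    locked_since: Optional[datetime] = None
    # Set while a job change is pending whose rights have not yet been
    # adjusted (IDM-04); None if nothing is pending.
    role_changed_at: Optional[datetime] = None
    revoked: bool = False


def evaluate(acc: Account, now: datetime) -> list[str]:
    """Return the IDM-03 / IDM-04 findings for one account at time `now`."""
    findings: list[str] = []
    if acc.revoked:
        return findings  # nothing left to manage; re-granting goes via IDM-02

    # IDM-04: rights must be adjusted within 48 h (privileged) or 14 days
    # (all other rights) after a change of job responsibility takes effect.
    if acc.role_changed_at is not None:
        deadline = PRIV_CHANGE_DEADLINE if acc.privileged else OTHER_CHANGE_DEADLINE
        if now - acc.role_changed_at > deadline:
            findings.append("IDM-04 violation: rights not adjusted within deadline")
        else:
            findings.append("IDM-04: adjust rights before deadline")

    # IDM-03: lock after two months without use; revoke once locked for
    # six months. Unlocking a locked account needs explicit approval.
    if acc.locked_since is not None:
        if now - acc.locked_since >= LOCKED_REVOKE:
            findings.append("IDM-03: revoke (locked longer than six months)")
        else:
            findings.append("IDM-03: locked, unlock requires approval")
    elif now - acc.last_used >= INACTIVITY_LOCK:
        findings.append("IDM-03: lock (unused for two months)")
    return findings


def run_report(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Map each account name to its findings."""
    return {acc.name: evaluate(acc, now) for acc in accounts}


# Constructed reference time and inventory (not real data).
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)


def sample_inventory() -> list[Account]:
    return [
        # privileged deploy account whose holder changed role 3 days ago
        Account("svc-deploy", True, NOW - timedelta(days=1),
                role_changed_at=NOW - timedelta(days=3)),
        # ordinary user, not seen for 70 days
        Account("jdoe", False, NOW - timedelta(days=70)),
        # ordinary user locked 181 days ago
        Account("asmith", False, NOW - timedelta(days=200),
                locked_since=NOW - timedelta(days=181)),
        # ordinary user, role changed 3 days ago (still inside 14 days)
        Account("bwong", False, NOW - timedelta(days=1),
                role_changed_at=NOW - timedelta(days=3)),
        # already revoked; nothing further to manage
        Account("retired", False, NOW - timedelta(days=400), revoked=True),
    ]


if __name__ == "__main__":
    for name, findings in run_report(sample_inventory(), NOW).items():
        print(f"{name:12s} {'; '.join(findings) or 'no action'}")
```

The same privileged account that is still within 14 days as an ordinary user is already a violation when privileged, which is the asymmetry the 48-hour rule introduces.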

Access rights of internal and external employees of the Cloud Service
Provider as well as of system components that play a role in automated
authorisation processes of the Cloud Service Provider are reviewed at least
once a year to ensure that they still correspond to the actual area of use.
The review is carried out by authorised persons from the Cloud Service
Provider's organisational units, who can assess the appropriateness of the
assigned access rights based on their knowledge of the task areas of the
employees or system components. Identified deviations will be dealt with
promptly, but no later than 7 days after their detection, by appropriate
modification or withdrawal of the access rights.

Privileged access rights for internal and external employees as well as
technical users of the Cloud Service Provider are assigned and changed in
accordance with the policy for managing user accounts and access rights (cf.
IDM-01) or a separate specific policy.

Privileged access rights are personalised, limited in time according to a risk
assessment and assigned as necessary for the execution of tasks
("need-to-know principle"). Technical users are assigned to internal or external
employees of the Cloud Service Provider.

Activities of users with privileged access rights are logged in order to detect
any misuse of privileged access in suspicious cases. The logged
information is automatically monitored for defined events that may indicate
misuse. When such an event is identified, the responsible personnel are
automatically informed so that they can promptly assess whether misuse
has occurred and take corresponding action. In the event of proven misuse
of privileged access rights, disciplinary measures are taken in accordance
with HR-04.

The cloud customer is informed by the Cloud Service Provider whenever
internal or external employees of the Cloud Service Provider read or write
to the cloud customer's data processed, stored or transmitted in the cloud
service, or have accessed it, without the prior consent of the cloud customer.
The information is provided whenever the data of the cloud customer is/was
not encrypted, the encryption is/was disabled for access, or the contractual
agreements do not explicitly exclude such information. The information
contains the cause, time, duration, type and scope of the access. The
information is sufficiently detailed to enable subject matter experts of the
cloud customer to assess the risks of the access. The information is
provided in accordance with the contractual agreements, or within 72 hours
after the access.

The allocation of authentication information to access system components
used to provide the cloud service to internal and external users of the cloud
provider and system components that are involved in automated
authorisation processes of the cloud provider is done in an orderly manner
that ensures the confidentiality of the information. If passwords are used as
authentication information, their confidentiality is ensured by the following
procedures, as far as technically possible:

• Users can initially create the password themselves or must change an
initial password when logging on to the system component for the first time.
An initial password loses its validity after a maximum of 14 days.

• When creating passwords, compliance with the password specifications
(cf. IDM-12) is enforced as far as technically possible.

• The user is informed about changing or resetting the password.

• The server-side storage takes place using cryptographically strong hash
functions.

Deviations are evaluated by means of a risk analysis and mitigating
measures derived from this are implemented.

System components in the Cloud Service Provider's area of responsibility
that are used to provide the cloud service, authenticate users of the Cloud
Service Provider's internal and external employees as well as system
components that are involved in the Cloud Service Provider's automated
authorisation processes. Access to the production environment requires
two-factor or multi-factor authentication. Within the production environment,
user authentication takes place through passwords, digitally signed
certificates or procedures that achieve at least an equivalent level of
security. If digitally signed certificates are used, administration is carried out
in accordance with the Guideline for Key Management (cf. CRY-01). The
password requirements are derived from a risk assessment and
documented, communicated and provided in a password policy according
to SP-01. Compliance with the requirements is enforced by the
configuration of the system components, as far as technically possible.

Policies and instructions with technical and organisational safeguards for
encryption procedures and key management are documented,
communicated and provided according to SP-01, in which the following
aspects are described:

• Usage of strong encryption procedures and secure network protocols that
correspond to the state-of-the-art;

• Risk-based provisions for the use of encryption which are aligned with the
data classification schemes and consider the communication channel, type,
strength and quality of the encryption;

• Requirements for the secure generation, storage, archiving, retrieval,
distribution, withdrawal and deletion of the keys; and

• Consideration of relevant legal and regulatory obligations and
requirements.

The Cloud Service Provider has established procedures and technical
measures for strong encryption and authentication for the transmission of
data of cloud customers over public networks.

The Cloud Service Provider has established procedures and technical
safeguards to encrypt cloud customers' data during storage. The private
keys used for encryption are known only to the cloud customer in
accordance with applicable legal and regulatory obligations and
requirements. Exceptions follow a specified procedure. The procedures for
the use of private keys, including any exceptions, must be contractually
agreed with the cloud customer.

Procedures and technical safeguards for secure key management in the
area of responsibility of the Cloud Service Provider include at least the
following aspects:

• Generation of keys for different cryptographic systems and applications;

• Issuing and obtaining public-key certificates;

• Provisioning and activation of the keys;

• Secure storage of keys (separation of key management system from
application and middleware level) including description of how authorised
users get access;

• Changing or updating cryptographic keys including policies defining under
which conditions and in which manner the changes and/or updates are to
be realised;

• Handling of compromised keys;

• Withdrawal and deletion of keys; and

• If pre-shared keys are used, the specific provisions relating to the safe use
of this procedure are specified separately.

Based on the results of a risk analysis carried out according to OIS-06, the
Cloud Service Provider has implemented technical safeguards which are
suitable to promptly detect and respond to network-based attacks on the
basis of irregular incoming or outgoing traffic patterns and/or Distributed
Denial-of-Service (DDoS) attacks. Data from corresponding technical
protection measures implemented is fed into a comprehensive SIEM
(Security Information and Event Management) system, so that (counter)
measures regarding correlating events can be initiated. The safeguards are
documented, communicated and provided in accordance with SP-01.

Specific security requirements are designed, published and provided for
establishing connections within the Cloud Service Provider's network. The
security requirements define for the Cloud Service Provider's area of
responsibility:

• in which cases the security zones are to be separated and in which cases
cloud customers are to be logically or physically segregated;

• which communication relationships and which network and application
protocols are permitted in each case;

• how the data traffic for administration and monitoring is segregated from
each other at network level;

• which internal, cross-location communication is permitted; and

• which cross-network communication is allowed.

A distinction is made between trusted and untrusted networks. Based on a
risk assessment, these are separated into different security zones for
internal and external network areas (and DMZ, if applicable). Physical and
virtualised network environments are designed and configured to restrict
and monitor the established connection to trusted or untrusted networks
according to the defined security requirements.

The entirety of the conception and configuration undertaken to monitor the
connections mentioned is assessed in a risk-oriented manner, at least
annually, with regard to the resulting security requirements.

Identified vulnerabilities and deviations are subject to risk assessment in
accordance with the risk management procedure (cf. OIS-06) and follow-up
measures are defined and tracked (cf. OPS-18).

At specified intervals, the business justification for using all services,
protocols, and ports is reviewed. The review also includes the justifications
for compensatory measures for the use of protocols that are considered
insecure.

Each network perimeter is controlled by security gateways. The system
access authorisation for cross-network access is based on a security
assessment based on the requirements of the cloud customers.

There are separate networks for the administrative management of the
infrastructure and for the operation of management consoles. These
networks are logically or physically separated from the cloud customer's
network and protected from unauthorised access by multi-factor
authentication (cf. IDM-09). Networks used by the Cloud Service Provider to
migrate or create virtual machines are also physically or logically separated
from other networks.

Data traffic of cloud customers in jointly used network environments is
segregated on network level according to a documented concept to ensure
the confidentiality and integrity of the data transmitted.

The documentation of the logical structure of the network used to provision
or operate the Cloud Service is traceable and up-to-date, in order to avoid
administrative errors during live operation and to ensure timely recovery in
the event of malfunctions in accordance with contractual obligations. The
documentation shows how the subnets are allocated and how the network
is zoned and segmented. In addition, the geographical locations in which
the cloud customers' data is stored are indicated.

Policies and instructions with technical and organisational safeguards in
order to protect the transmission of data against unauthorised interception,
manipulation, copying, modification, redirection or destruction are
documented, communicated and provided according to SP-01. The policy
and instructions establish a reference to the classification of information (cf.
AM-06).

The cloud service can be accessed by other cloud services or IT systems of
cloud customers through documented inbound and outbound interfaces.
Further, the interfaces are clearly documented for subject matter experts on
how they can be used to retrieve the data.

Communication takes place through standardised communication protocols
that ensure the confidentiality and integrity of the transmitted information
according to its protection requirements. Communication over untrusted
networks is encrypted according to CRY-02.

The type and scope of the documentation on the interfaces is geared to the
needs of the cloud customers' subject matter experts in order to enable the
use of these interfaces. The information is maintained in such a way that it
is applicable for the cloud service's version which is intended for productive
use.

In contractual agreements, the following aspects are defined with regard to
the termination of the contractual relationship, insofar as these are
applicable to the cloud service:

• Type, scope and format of the data the Cloud Service Provider provides to
the cloud customer;

• Definition of the timeframe within which the Cloud Service Provider
makes the data available to the cloud customer;

• Definition of the point in time as of which the Cloud Service Provider
makes the data inaccessible to the cloud customer and deletes these; and

• The cloud customers' responsibilities and obligations to cooperate for the
provision of the data.

The definitions are based on the needs of subject matter experts of
potential customers who assess the suitability of the cloud service with
regard to a dependency on the Cloud Service Provider as well as legal and
regulatory requirements.

The Cloud Service Provider's procedures for deleting the cloud customers'
data upon termination of the contractual relationship ensure compliance
with the contractual agreements (cf. PI-02).

The deletion includes data in the cloud customer's environment, metadata
and data stored in the data backups.

The deletion procedures prevent recovery by forensic means.

Policies and instructions with technical and organisational measures for the
secure development of the cloud service are documented, communicated
and provided in accordance with SP-01.

The policies and instructions contain guidelines for the entire life cycle of
the cloud service and are based on recognised standards and methods with
regard to the following aspects:

• Security in software development (requirements, design,
implementation, testing and verification);

• Security in software deployment (including continuous delivery); and

• Security in operation (reaction to identified faults and vulnerabilities).

In the case of outsourced development of the cloud service (or individual
system components), specifications regarding the following aspects are
contractually agreed between the Cloud Service Provider and the
outsourced development contractor:

• Security in software development (requirements, design, implementation,
tests and verifications) in accordance with recognised standards and
methods;

• Acceptance testing of the quality of the services provided in accordance
with the agreed functional and non-functional requirements; and

• Providing evidence that sufficient verifications have been carried out to
rule out the existence of known vulnerabilities.

Policies and instructions with technical and organisational safeguards for
change management of system components of the cloud service within the
scope of software deployment are documented, communicated and
provided according to SP-01 with regard to the following aspects:

• Criteria for risk assessment, categorisation and prioritisation of changes
and related requirements for the type and scope of testing to be performed,
and necessary approvals for the development/implementation of the
change and releases for deployment in the production environment by
authorised personnel or system components;

• Requirements for the performance and documentation of tests;

• Requirements for segregation of duties during development, testing and
release of changes;

• Requirements for the proper information of cloud customers about the
type and scope of the change as well as the resulting obligations to
cooperate in accordance with the contractual agreements;

• Requirements for the documentation of changes in system, operational
and user documentation; and

• Requirements for the implementation and documentation of emergency
changes that must comply with the same level of security as normal
changes.

The Cloud Service Provider provides a training program for regular, target
group-oriented security training and awareness for internal and external
employees on standards and methods of secure software development and
provision as well as on how to use the tools used for this purpose. The
program is regularly reviewed and updated with regard to the applicable
policies and instructions, the assigned roles and responsibilities and the
tools used.

In accordance with the applicable policies (cf. DEV-03), changes are
subjected to a risk assessment with regard to potential effects on the
system components concerned and are categorised and prioritised
accordingly.

Changes to the cloud service are subject to appropriate testing during
software development and deployment.

The type and scope of the tests correspond to the risk assessment. The
tests are carried out by appropriately qualified personnel of the Cloud
Service Provider or by automated test procedures that comply with the
state-of-the-art. Cloud customers are involved in the tests in accordance
with the contractual requirements.

The severity of the errors and vulnerabilities identified in the tests, which
are relevant for the deployment decision, is determined according to
defined criteria and actions for timely remediation or mitigation are initiated.

System components and tools for source code management and software
deployment that are used to make changes to system components of the
cloud service in the production environment are subject to a role and rights
concept according to IDM-01 and authorisation mechanisms. They must be
configured in such a way that all changes are logged and can therefore be
traced back to the individuals or system components executing them.

Version control procedures are set up to track dependencies of individual
changes and to restore affected system components back to their previous
state as a result of errors or identified vulnerabilities.

Authorised personnel or system components of the Cloud Service Provider
approve changes to the cloud service based on defined criteria (e.g. test
results and required approvals) before these are made available to the
cloud customers in the production environment.

Cloud customers are involved in the release according to contractual
requirements.

Production environments are physically or logically separated from test or
development environments to prevent unauthorised access to cloud
customer data, the spread of malware, or changes to system components.
Data contained in the production environments is not used in test or
development environments in order not to compromise their confidentiality.

Policies and instructions for controlling and monitoring third parties (e.g.
service providers or suppliers) whose services contribute to the provision of
the cloud service are documented, communicated and provided in
accordance with SP-01 with respect to the following aspects:

• Requirements for the assessment of risks resulting from the procurement
of third-party services;

• Requirements for the classification of third parties based on the risk
assessment by the Cloud Service Provider and the determination of
whether the third party is a subcontractor (cf. Supplementary Information);

• Information security requirements for the processing, storage or
transmission of information by third parties based on recognised industry
standards;

• Information security awareness and training requirements for staff;

• Applicable legal and regulatory requirements;

• Requirements for dealing with vulnerabilities, security incidents and
malfunctions;

• Specifications for the contractual agreement of these requirements;

• Specifications for the monitoring of these requirements; and

• Specifications for applying these requirements also to service providers
used by the third parties, insofar as the services provided by these service
providers also contribute to the provision of the cloud service.

Service providers and suppliers of the Cloud Service Provider undergo a
risk assessment in accordance with the policies and instructions for the
control and monitoring of third parties prior to contributing to the delivery of
the cloud service. The adequacy of the risk assessment is reviewed
regularly, at least annually, by qualified personnel of the Cloud Service
Provider during service usage.

The risk assessment includes the identification, analysis, evaluation,
handling and documentation of risks with regard to the following aspects:

• Protection needs regarding the confidentiality, integrity, availability and
authenticity of information processed, stored or transmitted by the third
party;

• Impact of a protection breach on the provision of the cloud service; and

• The Cloud Service Provider's dependence on the service provider or
supplier for the scope, complexity and uniqueness of the service
purchased, including the consideration of possible alternatives.

The Cloud Service Provider maintains a directory for controlling and
monitoring the service providers and suppliers who contribute services to
the delivery of the cloud service. The following information is maintained in
the directory:

• Company name;
• Address;
• Locations of data processing and storage;
• Responsible contact person at the service provider/supplier;
• Responsible contact person at the Cloud Service Provider;
• Description of the service;
• Classification based on the risk assessment;
• Beginning of service usage; and
• Proof of compliance with contractually agreed requirements.

The information in the directory is checked at least annually for
completeness, accuracy and validity.

The Cloud Service Provider monitors compliance with information security
requirements and applicable legal and regulatory requirements in
accordance with the policies and instructions for controlling and
monitoring third parties.

Monitoring includes a regular review of the following evidence, to the extent
that such evidence is to be provided by third parties in accordance with the
contractual agreements:

• Reports on the quality of the service provided;
• Certificates of the management systems' compliance with international
  standards;
• Independent third-party reports on the suitability and operating
  effectiveness of their service-related internal control systems; and
• Records of the third parties on the handling of vulnerabilities, security
  incidents and malfunctions.

The frequency of the monitoring corresponds to the classification of the
third party based on the risk assessment conducted by the Cloud Service
Provider (cf. SSO-02). The results of the monitoring are included in the
review of the third party's risk assessment.

Identified violations and deviations are subjected to analysis, evaluation
and treatment in accordance with the risk management procedure (cf.
OIS-07).

The Cloud Service Provider has defined and documented exit strategies for
the purchase of services where the risk assessment of the service providers
and suppliers regarding the scope, complexity and uniqueness of the
purchased service resulted in a very high dependency (cf. Supplementary
Information).

Exit strategies are aligned with operational continuity plans and include the
following aspects:

• Analysis of the potential costs, impacts, resources and timing of the
  transition of a purchased service to an alternative service provider or
  supplier;
• Definition and allocation of roles, responsibilities and sufficient resources
  to perform the activities for a transition;
• Definition of success criteria for the transition; and
• Definition of indicators for monitoring the performance of services, which
  should initiate the withdrawal from the service if the results are
  unacceptable.

Policies and instructions with technical and organisational safeguards are
documented, communicated and provided in accordance with SP-01 to
ensure a fast, effective and proper response to all known security incidents.

The Cloud Service Provider defines guidelines for the classification,
prioritisation and escalation of security incidents and creates interfaces to
incident management and business continuity management.

In addition, the Cloud Service Provider has set up a "Computer Emergency
Response Team" (CERT), which contributes to the coordinated resolution
of occurring security incidents.

Customers affected by security incidents are informed in a timely and
appropriate manner.

Subject matter experts of the Cloud Service Provider, together with external
security providers where appropriate, classify, prioritise and perform root-
cause analyses for events that could constitute a security incident.

After a security incident has been processed, the solution is documented in
accordance with the contractual agreements and the report is sent to the
affected customers for final acknowledgement or, if applicable, as
confirmation.

The Cloud Service Provider informs employees and external business
partners of their obligations. If necessary, they agree or are contractually
obliged to promptly report all security events that become known to them
and are directly related to the cloud service provided by the Cloud Service
Provider to a previously designated central office of the Cloud Service
Provider.

In addition, the Cloud Service Provider communicates that "false reports" of
events that do not subsequently turn out to be incidents do not have any
negative consequences.

Mechanisms are in place to measure and monitor the type and scope of
security incidents and to report them to support agencies. The information
obtained from the evaluation is used to identify recurrent or significant
incidents and to identify the need for further protection.

The top management (or a member of the top management) of the Cloud
Service Provider is named as the process owner of business continuity and
emergency management and is responsible for establishing the process
within the company as well as ensuring compliance with the guidelines.
They must ensure that sufficient resources are made available for an
effective process.

People in management and other relevant leadership positions
demonstrate leadership and commitment to this issue by encouraging
employees to actively contribute to the effectiveness of continuity and
emergency management.

Policies and instructions to determine the impact of any malfunction to the
cloud service or enterprise are documented, communicated and made
available in accordance with SP-01. The following aspects are considered
as a minimum:

• Possible scenarios based on a risk analysis;
• Identification of critical products and services;
• Identification of dependencies, including processes (including resources
  required), applications, business partners and third parties;
• Capture of threats to critical products and services;
• Identification of effects resulting from planned and unplanned
  malfunctions and changes over time;
• Determination of the maximum acceptable duration of malfunctions;
• Identification of restoration priorities;
• Determination of time targets for the resumption of critical products and
  services within the maximum acceptable time period (RTO);
• Determination of time targets for the maximum reasonable period during
  which data can be lost and not recovered (RPO); and
• Estimation of the resources needed for resumption.

Based on the business impact analysis, a single framework for operational
continuity and contingency planning is implemented, documented and
enforced to ensure that all plans are consistent. Planning is based on
established standards, which are documented in a "Statement of
Applicability".

Business continuity plans and contingency plans take the following aspects
into account:

• Defined purpose and scope with consideration of the relevant
  dependencies;
• Accessibility and comprehensibility of the plans for persons who are to act
  accordingly;
• Ownership by at least one designated person responsible for review,
  updating and approval;
• Defined communication channels, roles and responsibilities including
  notification of the customer;
• Recovery procedures, manual interim solutions and reference information
  (taking into account prioritisation in the recovery of cloud infrastructure
  components and services and alignment with customers);
• Methods for putting the plans into effect;
• Continuous process improvement; and
• Interfaces to security incident management.

The business impact analysis, business continuity plans and contingency
plans are reviewed, updated and tested on a regular basis (at least
annually) or after significant organisational or environmental changes. Tests
involve affected customers (tenants) and relevant third parties. The tests
are documented and results are taken into account for future operational
continuity measures.

The legal, regulatory, self-imposed and contractual requirements relevant to
the information security of the cloud service as well as the Cloud Service
Provider's procedures for complying with these requirements are explicitly
defined and documented.

Policies and instructions for planning and conducting audits are
documented, communicated and made available in accordance with SP-01
and address the following aspects:

• Restriction to read-only access to system components in accordance with
  the agreed audit plan and as necessary to perform the activities;
• Activities that may result in malfunctions to the cloud service or breaches
  of contractual requirements are performed during scheduled maintenance
  windows or outside peak periods; and
• Logging and monitoring of activities.

Subject matter experts check the compliance of the information security
management system at regular intervals, at least annually, with the relevant
and applicable legal, regulatory, self-imposed or contractual requirements
(cf. COM-01) as well as compliance with the policies and instructions (cf.
SP-01) within their scope of responsibility (cf. OIS-01) through internal
audits (cf. § 9.3 of ISO/IEC 27001).

Identified vulnerabilities and deviations are subject to risk assessment in
accordance with the risk management procedure (cf. OIS-06) and follow-up
measures are defined and tracked (cf. OPS-18).

The top management of the Cloud Service Provider is regularly informed
about the information security performance within the scope of the ISMS in
order to ensure its continued suitability, adequacy and effectiveness. The
information is included in the management review of the ISMS that is
performed at least once a year.

Investigation requests from government agencies are subjected to a legal
assessment by subject matter experts of the Cloud Service Provider. The
assessment determines whether the government agency has an applicable
and legally valid legal basis and what further steps need to be taken.

The Cloud Service Provider informs the affected Cloud Customer(s) without
undue delay, unless the legal basis on which the government agency relies
prohibits this or there are clear indications of illegal actions in connection
with the use of the Cloud Service.

Access to or disclosure of cloud customer data in connection with
government investigation requests is subject to the proviso that the Cloud
Service Provider's legal assessment has shown that an applicable and valid
legal basis exists and that the investigation request must be granted on that
basis.

The Cloud Service Provider's procedures for setting up access to or
disclosure of cloud customer data as part of an investigation request
ensure that government agencies only have access to the data they need
for their investigation.

If no clear limitation of the data is possible, the Cloud Service Provider
anonymises or pseudonymises the data so that government agencies can
only assign it to those cloud customers who are the subject of the
investigation request.

Basic Criterion
The Cloud Service Provider provides cloud customers with guidelines and
recommendations for the secure use of the cloud service provided. The
information contained therein is intended to assist the cloud customer in the
secure configuration, installation and use of the cloud service, to the extent
applicable to the cloud service and the responsibility of the cloud user.

The type and scope of the information provided is based on the needs of
subject matter experts of the cloud customers who set information
security requirements, implement them or verify the implementation (e.g. IT,
Compliance, Internal Audit). The information in the guidelines and
recommendations for the secure use of the cloud service addresses the
following aspects, where applicable to the cloud service:

• Instructions for secure configuration;
• Information sources on known vulnerabilities and update mechanisms;
• Error handling and logging mechanisms;
• Authentication mechanisms;
• Roles and rights concept including combinations that result in an
  elevated risk; and
• Services and functions for administration of the cloud service by privileged
  users.

The information is maintained so that it is applicable to the cloud service
provided in the version intended for productive use.

The Cloud Service Provider applies appropriate measures to check the
cloud service for vulnerabilities which might have been integrated into the
cloud service during the software development process.

The procedures for identifying such vulnerabilities are part of the software
development process and, depending on a risk assessment, include the
following activities:

• Static Application Security Testing;
• Dynamic Application Security Testing;
• Code reviews by the Cloud Service Provider's subject matter experts; and
• Obtaining information about confirmed vulnerabilities in software libraries
  provided by third parties and used in their own cloud service.

The severity of identified vulnerabilities is assessed according to defined
criteria and measures are taken to immediately eliminate or mitigate them.

The Cloud Service Provider operates or refers to a daily updated online
register of known vulnerabilities that affect the Cloud Service Provider and
assets provided by the Cloud Service Provider that the cloud customers
have to install, provide or operate themselves under the customers'
responsibility.

The presentation of the vulnerabilities follows the Common Vulnerability
Scoring System (CVSS).

The online register is easily accessible to any cloud customer. The
information contained therein forms a suitable basis for risk assessment
and possible follow-up measures on the part of cloud users.

For each vulnerability, it is indicated whether software updates (e.g. patch,
update) are available, when they will be rolled out and whether they will be
deployed by the Cloud Service Provider, the cloud customer or both of
them together.

The cloud service provided is equipped with error handling and logging
mechanisms. These enable cloud users to obtain security-related
information about the security status of the cloud service as well as the
data, services or functions it provides.

The information is detailed enough to allow cloud users to check the
following aspects, insofar as they are applicable to the cloud service:

• Which data, services or functions available to the cloud user within the
  cloud service have been accessed by whom and when (audit logs);
• Malfunctions during processing of automatic or manual actions; and
• Changes to security-relevant configuration parameters, error handling and
  logging mechanisms, user authentication, action authorisation,
  cryptography, and communication security.

The logged information is protected from unauthorised access and
modification and can be deleted by the Cloud Customer.

If the cloud customer is responsible for the activation or type and scope of
logging, the Cloud Service Provider must provide appropriate logging
capabilities.

The Cloud Service Provider provides authentication mechanisms that can
enforce strong authentication (e.g. two or more factors) for users, IT
components or applications within the cloud users' area of responsibility.
These authentication mechanisms are set up at all access points that allow
users, IT components or applications to interact with the cloud service.

For privileged users, IT components or applications, these authentication
mechanisms are enforced.

To protect confidentiality, availability, integrity and authenticity during
interactions with the cloud service, a suitable session management system
is used that at least corresponds to the state of the art and is protected
against known attacks. Mechanisms are implemented that invalidate a
session after it has been detected as inactive. Inactivity can be detected by
time measurement; in this case, the time interval can be configured by the
Cloud Service Provider or, if technically possible, by the cloud customer.

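
The inactivity-based session invalidation described above, as an added example that is not part of the C5 catalogue or of any provider's implementation. It assumes an in-memory session table, a provider-wide default idle interval of 15 minutes, and a design choice that a cloud customer may shorten that interval for its tenant but not exceed the provider's ceiling; none of these three are requirements of the criterion. Timestamps are POSIX seconds passed in explicitly so the behaviour is deterministic and testable.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed provider-side default. PSS-06 only requires that the interval be
# configurable by the provider or, where technically possible, the customer.
PROVIDER_MAX_IDLE_SECONDS = 15 * 60


@dataclass
class Session:
    token: str
    tenant: str
    last_activity: float  # POSIX seconds of the last authenticated request


class SessionStore:
    """In-memory session table with per-tenant inactivity timeouts (sliding window)."""

    def __init__(self, provider_max_idle: int = PROVIDER_MAX_IDLE_SECONDS):
        self._provider_max_idle = provider_max_idle
        self._tenant_idle: Dict[str, int] = {}
        self._sessions: Dict[str, Session] = {}

    def set_tenant_idle_timeout(self, tenant: str, seconds: int) -> int:
        """Customer-configurable interval. Design choice of this example: a tenant
        may only tighten the provider default, never exceed it. Returns the
        effective value actually stored."""
        effective = max(1, min(seconds, self._provider_max_idle))
        self._tenant_idle[tenant] = effective
        return effective

    def idle_timeout(self, tenant: str) -> int:
        return self._tenant_idle.get(tenant, self._provider_max_idle)

    def create(self, tenant: str, now: float) -> str:
        # 256-bit token from the OS CSPRNG: unguessable and never derived from user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, tenant, now)
        return token

    def validate(self, token: str, now: float) -> Optional[Session]:
        """Return the session if it is live and refresh its activity timestamp.
        A session idle longer than its tenant's timeout is invalidated server-side
        (removed), so a later request with the same token is refused, not revived."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_activity > self.idle_timeout(session.tenant):
            del self._sessions[token]
            return None
        session.last_activity = now
        return session

    def invalidate(self, token: str) -> bool:
        """Explicit logout; returns whether a session was actually removed."""
        return self._sessions.pop(token, None) is not None

    def sweep(self, now: float) -> int:
        """Housekeeping pass: drop every idle session, returning the count removed."""
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_activity > self.idle_timeout(s.tenant)]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```

The expiry check is done on every request rather than only by the periodic sweep, so a token that has sat idle is rejected even if no housekeeping has run since; the sweep exists only to bound memory use.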
If passwords are used as authentication information for the cloud service,
their confidentiality is ensured by the following procedures:

• Users can initially create the password themselves or must change an
  initial password when logging in to the cloud service for the first time. An
  initial password loses its validity after a maximum of 14 days.
• When creating passwords, compliance with the length and complexity
  requirements of the Cloud Service Provider (cf. IDM-09) or the cloud
  customer is technically enforced.
• The user is informed about changes to or resets of the password.
• Server-side storage uses state-of-the-art cryptographically strong hash
  functions in combination with salt values at least 32 bits long.
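
The password-handling rules above, as an added example that is not part of the C5 catalogue or of any provider's code. The two values the criterion fixes (14-day validity of an initial password, a salt of at least 32 bits) are honoured; the concrete hash construction (PBKDF2-HMAC-SHA256 with 600,000 iterations and a 128-bit salt), the length/complexity rule, the record format and the function names are this example's own assumptions, standing in for the provider's or customer's policy referenced under IDM-09. One practitioner's caveat: "cryptographically strong hash function" here should be read as a deliberately slow, salted password hash (PBKDF2, bcrypt, scrypt or Argon2); a single salted SHA-256 satisfies the 32-bit salt wording but offers little resistance to offline guessing.

```python
import hashlib
import hmac
import os
from typing import Optional

# Fixed by PSS-07: 14-day validity of an initial password, salt >= 32 bits.
# Everything else below is this example's own assumption.
INITIAL_PASSWORD_VALIDITY_SECONDS = 14 * 24 * 3600
SALT_BYTES = 16               # 128-bit salt, well above the 32-bit minimum
PBKDF2_ITERATIONS = 600_000   # deliberately slow to resist offline guessing
MIN_PASSWORD_LENGTH = 12      # assumed policy value (cf. IDM-09)


def password_meets_policy(password: str) -> bool:
    """Technical enforcement of the assumed length/complexity rule before a
    password is accepted: at least 12 characters and three of four classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Server-side record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The salt is fresh per password, so equal passwords never share a hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def set_password(new_password: str) -> str:
    """Used both for a self-chosen first password and for the forced change of a
    provider-issued one: policy is enforced, then the stored record is returned."""
    if not password_meets_policy(new_password):
        raise ValueError("password does not meet the length/complexity policy")
    return hash_password(new_password)


def initial_password_valid(issued_at: int, now: int) -> bool:
    """A provider-issued initial password is usable for at most 14 days."""
    return 0 <= now - issued_at <= INITIAL_PASSWORD_VALIDITY_SECONDS


def authenticate(password: str, record: str, is_initial: bool,
                 issued_at: int, now: int) -> str:
    """Outcome of a login attempt under the PSS-07 rules:
       'denied'       wrong password;
       'expired'      correct initial password, but older than 14 days (re-issue);
       'must_change'  correct initial password still valid; user must now set their own;
       'ok'           correct self-chosen password."""
    if not verify_password(password, record):
        return "denied"
    if is_initial:
        return "must_change" if initial_password_valid(issued_at, now) else "expired"
    return "ok"
```

The iteration count is stored inside the record so it can be raised later without invalidating existing hashes: a record is simply re-hashed the next time its owner logs in successfully.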

The Cloud Service Provider provides cloud users with a roles and rights
concept for managing access rights. It describes rights profiles for the
functions provided by the cloud service.

The rights profiles are suitable for enabling cloud users to manage access
authorisations and permissions in accordance with the principle of least
privilege and only to the extent necessary for the performance of tasks
("need-to-know principle"), and to implement the principle of functional
separation between operational and controlling functions ("separation of
duties").

Access to the functions provided by the cloud service is restricted by
access controls (authorisation mechanisms) that verify whether users, IT
components, or applications are authorised to perform certain actions.

The Cloud Service Provider validates the functionality of the authorisation
mechanisms before new functions are made available to cloud users and in
the event of changes to the authorisation mechanisms of existing functions
(cf. DEV-06). The severity of identified vulnerabilities is assessed according
to defined criteria based on industry standard metrics (e.g. Common
Vulnerability Scoring System) and measures for timely resolution or
mitigation are initiated. Vulnerabilities that have not been fixed are listed in
the online register of known vulnerabilities (cf. PSS-02).

If the cloud service offers functions for software-defined networking (SDN),
the confidentiality of the data of the cloud user is ensured by suitable SDN
procedures.

The Cloud Service Provider validates the functionality of the SDN functions
before providing new SDN features to cloud users or modifying existing
SDN features. Identified defects are assessed and corrected in a risk-
oriented manner.

If cloud customers operate virtual machines or containers with the cloud
service, the Cloud Service Provider must ensure the following aspects:

• The cloud customer can restrict the selection of images of virtual
  machines or containers according to its specifications, so that users of this
  cloud customer can only launch the images or containers released
  according to these restrictions.
• If the Cloud Service Provider provides images of virtual machines or
  containers to the cloud customer, the Cloud Service Provider appropriately
  informs the cloud customer of the changes made to the previous version.
• In addition, these images provided by the Cloud Service Provider are
  hardened according to generally accepted industry standards.

The cloud customer is able to specify the locations (location/country) of the
data processing and storage including data backups according to the
contractually available options.

This must be ensured by the cloud architecture.

Description of Changes for the Basic Criteria

Linguistic generalization (Cloud Service Provider instead of top
management) and adaptation to the terms from ISO/IEC 27001.
Specification of a compliant ISMS and reference to individual aspects from
the standard.

Structuring with bullet points, removal of references to other criteria,
linguistically aligned to IT-Grundschutz-Kompendium, module ISMS.1.
The requirement to communicate the guideline to subcontractors has been
removed, as this is unusual in practice. Instead, dedicated security
requirements are communicated.

Restriction of interfaces to only the cloud customer has been generalized
(including sub-service providers and all other parties involved). Linguistic
alignment of the criterion with the requirements of ISO/IEC 27001 without
significant change in content.
Conversion of function-oriented responsibilities to event/activity oriented
responsibilities.
Linguistic alignment of the criterion with the requirements of ISO 27001
without any significant change in content.
The previously used term "control" was removed and therefore a stronger
connection to risk management was established. No "hard" regulation on
the separation of areas to allow new concepts, e.g. "DevOps", i.e. the
merging of development and operation of IT systems. Included clear
expectations of the establishment of monitoring measures.

Rephrasing into active language.

The requirement for communication of the information previously contained
in the optional requirement has been transferred to the basic criterion
where it has been further specified.
Linguistic alignment of the criterion with the requirements of ISO/IEC 27001
with specification of the aspects.
Linguistic alignment of the criterion with the requirements of ISO/IEC
27001. Inclusion of cloud-specific risk aspects.

Minor linguistic adjustments.

Added flexibility for approval of guidelines: not all directives have to be
approved by the "top management" (ISO designation); in practice, this
would not be appropriate for large providers.
The abbreviation for the reference of criteria in this area has been changed
from SA to SP.
Testing of effectiveness removed, as testing of effectiveness according to
the testing methodology of this catalogue of criteria is not to be required.
Second bullet point removed for lack of adequate auditability.

Reference to the procedure for dealing with risks in order to achieve a
stronger risk orientation.

Sharpening of content and extension to include the assessment of
susceptibility to blackmail.

Linguistic alignment of the criterion with the requirements of ISO/IEC
27001. Removed the aspect to add the policies to the employment
agreement documents. Focused on acknowledgement of policies instead.
Linguistic adaptation of the basic requirement in terms of readability and
comprehension.
Requirement for obligations of external service providers reclassified to
criteria of the SSO area.

Linguistic alignment of the criterion with the requirements of ISO/IEC
27001.
Definition of aspects for the assessment of adequacy of implementation as
well as adding to the requirement for documentation to support
effectiveness testing.

Clarification of the criterion as not all requirements remain in place
indefinitely.
Reclassification of the basic criterion from the field of communication
security.
Emphasis on the written form implied by the confidentiality agreements.
Worded in such a way that they can only be concluded on a legally valid
basis, which may be done using an electronic signature.

Linguistic adaptations. The previous requirement for a monthly review
intervened heavily in the design of the controls at the service provider and
was replaced by a risk-oriented approach.
The previously independent requirement AM-02 for the assignment of
persons responsible for assets was integrated into the basic criterion AM-
01.
Previous basic requirement AM-03 extended by dedicated aspects
including requirements for classification and labelling (previously AM-05
and AM-06).
Mobile devices are now also considered as assets (no longer a separate
requirement area). Therefore, requirement MDM-01 has been included here
and has been adjusted to eliminate any unclear or redundant aspects.

Basic criterion newly included.

Basic criterion newly included.

The basic requirement AM-04 for mandatory return has been extended to
include safe handling obligations. Furthermore, the expectation to provide
evidence of the obligation is formulated more clearly.

Merger of AM-05 and AM-06: Linguistic realignment focuses less on
information and more on the respective protection needs of the assets.
Explicit levels of protection (confidentiality, integrity, availability and
authenticity).
Basic criterion newly included.

Basic criterion newly included.

The previous basic requirement was specified in more detail.

Requirements for the access control system and the procedures for
managing accesses were specified in more detail.
The original basic requirements required measures "against fire, water,
earthquakes, explosions, civil disturbances and other forms of natural
threats and threats caused by humans", but these were then only backed
up by measures to protect against fire and smoke. The revised basic
criterion is now limited to measures for protection against fire and smoke,
which were then specified in more detail.
Similar basic requirements PS-04 and BCM-05 were consolidated in this
basic criterion.
The aspects relating prevention of the failure of the technical supply
facilities were specified.

Basic criterion created on the basis of the previous optional, more extensive
requirement PS-04.

The basic criterion was further sharpened by reference to the agreements
made with cloud customers.
-

Explicit reference to IaaS/PaaS has been removed; instead, the focus is
generally on controlling in accordance with the capabilities of the respective
service model.

The basic requirement was divided into two basic criteria, which focus on
the contents of a concept and the implementation of this concept.
The previously required use of virus protection and repair programs, which
enable signature- and behavior-based detection and removal of malware,
was made more general in order to also enable the use of other protection
mechanisms that provide protection against malware.

See information in OPS-04.

For better readability, the relevant aspects have been provided with bullet
points.
For the scope and frequency of data backups, it was added that they must
meet the requirements for operational continuity of the Cloud Service
Provider.
Encryption of the data backup was previously an optional requirement,
which has now been incorporated into the basic criterion.

Linguistic adaptation without changes in content.

The requirement to check the backup media has been removed.

A reference was made to the specifications for the maximum acceptable
downtime and the maximum permissible data loss from the area of
"Business Continuity Management (BCM)".

The part of the previous basic requirement for handling errors has been
adapted to the formulation for handling deviations in other basic criteria.

Linguistic adaptation without changes in content.

For better readability, the relevant aspects have been provided with bullet
points.
The aspects of time synchronisation and compliance with legal and
regulatory framework requirements were added.
For better readability, the relevant aspects have been provided with bullet
points. No extension of content.

Basic criterion newly included to ensure that within the scope of an audit
the implementation of the concepts required by OPS-10 and OPS-11 also
occurs.

The previous basic requirement RB-12 strongly interfered with the design of
the controls at the Cloud Service Provider without defining in more detail
what is meant by "advanced logging and monitoring safeguards". It was
therefore removed.

The previous basic requirement SIM-05 has been reclassified to the area of
regular operation and revised in such a way that it does not refer to an
explicit process, but generally requires the introduction of necessary
measures.

Linguistic adaptation without changes in content.

Addition of interfaces for the performance of forensic analyses to the basic
criterion.

Linguistic adaptation and alignment with the wording of other criteria
without changes in content.

Linguistic adaptation and alignment with the wording of other criteria
without changes in content.

The aspects relevant to the policies and procedures were specified
regarding the assessment and prioritisation of vulnerabilities and the
handling of deviations.

Alignment of the scope for this basic criterion to "infrastructure components
of the cloud service" and addition of the following aspects:

a) The Cloud Service Provider shall assess the level of severity of the
findings made in penetration tests according to defined criteria.

b) Measures for correction or mitigation shall be implemented within defined
time periods.
The previous basic requirement has been removed and replaced by this
basic criterion regarding continuous improvement of procedures and
processes.

Linguistic adaptation without changes in content.

Linguistic adaptation to align with other criteria.

Measures for correction or mitigation are to be carried out within defined
time frames.

Linguistic adaptation to align with other criteria. Limiting the hardening
requirement to those system components which are within the Cloud
Service Provider's area of responsibility.
Criterion extended by specifications for non-modifiable ("immutable")
images.

Previous restriction of the basic requirement to storage networks and RAM
removed, as other resources may also be relevant.
Clarification that the separation must be based on a risk analysis.
The following aspects were added:
- Assignment of unique usernames
- Approval by authorised individual(s) or system(s) for granting or modifying
access and access rights before data of the cloud customer or system
components used to provision the cloud service can be accessed
- Blocking and removing access rights in the event of inactivity
- Two-factor or multi-factor authentication for users with privileged access

Previous basic requirement IDM-02 regarding unique user identifiers
removed and IDM-03 shortened accordingly, as these aspects are now
included in the guideline criterion (IDM-01) and reference is made to this
guideline here.
Basic criterion newly included to handle access permissions in case of
inactivity or multiple failed logins.

Strengthening of the requirement for the withdrawal of permissions (after 14
days instead of 30 days as previously). Shortened duration for privileged
access authorizations.

The revised basic criterion now deals more specifically with the treatment of
deviations, including a time limit for treatment.

We now speak of privileged instead of administrative authorizations
(alignment with ISO/IEC 27001).

The part on measures for critical authorization combinations that violate the
principle of separation of functions, which was previously designed
relatively open, has been defined more specifically.

Disciplinary measures are to be taken if there is evidence of abuse.

Basic criterion newly included to regulate the handling of access to data of
cloud customers.

In the basic requirement IDM-07 of the C5:2016, both the authentication
information of users in the area of responsibility of the Cloud Service
Provider and that of the cloud customers' users were considered. A
separation was made during the revision. Authentication information of the
Cloud Service Provider's users is the subject of the basic criterion IDM-08.
Authentication information of the cloud customer's users is considered in
the basic criterion PSS-07.

It was specified in more detail how the confidentiality of passwords should
be ensured.
Linguistic alignment with the other basic criterion (by reference to system
components in the Cloud Service Provider's area of responsibility instead of
naming dedicated individual levels that may not be the responsibility of the
Cloud Service Provider).

Two- or multi-factor authentication is now mandatory for access to the production environment. The restriction to "administrators of the Cloud Service Provider" no longer applies.

The detailed specifications for passwords no longer apply. Password requirements are now derived from a risk assessment.

Basic requirement removed, since basic criterion IDM-06 now covers this aspect sufficiently.

Basic requirement removed, since this aspect is now considered in the basic criterion DEV-07 "Logging of Changes".
Reference of the criteria in this area changed from KRY to CRY.

The examples in the basic requirement have been removed. No content changes.

Linguistic adaptation without changes in content.

The handling of encryption exceptions is clarified with regard to contractual agreements. Previously, these were only to be agreed by mutual consent.
Sharpening the scope to the Cloud Service Provider.
An aspect for handling pre-shared keys was added.

The use of a SIEM system, previously mentioned in the optional requirement, has been integrated into the basic criterion.

Basic criterion newly included.


It is explained in more detail on which basis network areas are to be separated.
It was also added that the concept for monitoring connections should be reviewed regularly.

Linguistic adaptation without changes in content.

No change.

No change.

No change.
Only references to other basic criteria updated, no change in content.

The basic requirements PI-01 and PI-04 were consolidated into one basic
criterion and a reference to the criteria for encryption was established
again.

In its previous form, the basic requirement was not applicable to all cloud
services. The focus was placed on providing meaningful documentation on
the interfaces used for this purpose.

The basic requirements PI-02 and PI-03 have been consolidated into one
basic criterion. The relevant contractual aspects will be more strongly
focused on than before. The previously required guidelines were rather
unusual in this area.

The previously required data deletion of data on data media is now part of
asset management (see basic criterion "AM-04 Decommissioning of
hardware").

The data deletion of cloud customers is now based on compliance with the
relevant contractual agreements.

The sentences have been shortened to make the basic criterion easier to
understand.
The basic criterion was revised according to the requirements of ISO/IEC
27034 and OWASP Secure Software Development Lifecycle.

The aspect of auditing the development process was deleted in the revision, as this is regulated in the basic criteria in the area of "Control and Monitoring of Service Providers and Suppliers (SSO)".

Explicit checks for the existence of known vulnerabilities are now required.
The following aspects were added:
- Requirements for the proper information of cloud customers about the
type and scope of the change as well as the resulting obligations to
cooperate in accordance with the contractual agreements
- Requirements for the implementation and documentation of emergency
modifications, which must meet the same level of safety as normal
modifications.

Basic criterion newly included to emphasize the importance of sufficient qualification of personnel for software development and software provision.

The basic requirements BEI-04, BEI-05 and BEI-06 were consolidated in basic criterion DEV-05.
The basic criterion now requires that tests concern not only software
development but also software deployment.

It is explicitly allowed that automated test procedures can also be used, not
only manual (by humans).

The Basic Criterion has been extended to include the aspect of dealing with
identified errors and vulnerabilities.

Basic criterion newly included to reflect the increased importance of Continuous Deployment.
The previous basic requirement IDM-13 is included here.

Adaptation to the state of the art.

Generalisation of the basic criterion regarding the fulfilment of defined criteria for the release of a change.

This basic requirement has been deleted, as for emergency changes the
requirements are basically the same as for all other changes. Deviations
must now be regulated by the service provider in the change management
guideline (see change description in DEV-03). The previous basic
requirement related to the documentation of such changes. It intervened in
the design of the controls at the service provider.

The basic criterion has been extended to include the aspect of preventing
the spread of malware.
Due to the changes in the other basic criteria in this area, the former basic
requirement became obsolete.

The following aspects were newly included in the basic criterion:
• Requirements for the assessment of risks resulting from the procurement of third party services;
• Requirements for the classification of third parties on the basis of the risk assessment by the Cloud Service Provider and the determination of whether the third party is a subcontractor (cf. Supplementary Information);
• Information security awareness and training requirements for staff (this aspect was transferred from the previous basic requirement HR-03).
Basic criterion newly included.

Basic criterion newly included.


Linguistic simplifications and adaptations to the changes made to the basic
criterion SSO-01.

Basic criterion newly included.


The previously required definition of roles according to the original basic
requirement OIS-03 has been removed, as these roles were removed
during the revision.

Basic requirement removed, as this aspect is already considered in the Basic Criteria AM-06 "Asset Classification and Labeling".

Linguistic adaptation without changes in content.

No change.
Restrict the reporting of security events to those directly related to the cloud
service provided by the Cloud Service Provider.

The previous basic requirement SIM-05 has been reclassified to the area of
Operations, see basic criterion OPS-13.

Here, only the reference has been changed. No change in content.

Alignment with the wording of OIS-02 without changing the content.


No change.
The examples listed in the basic requirement have been removed. No
changes have been made to the content.

No change.

The two previously separate requirement areas "Security check and verification" and "Compliance and data protection" have been consolidated in the requirement area "Compliance".

This basic criterion was adapted to the requirements of ISO/IEC 27001.


Linguistic alignment of this basic criterion with the other criteria in this
catalogue of criteria.

The previously separate basic requirements SPN-02 and SPN-03 have been combined in one basic criterion and linked to other basic criteria.

The previous basic requirement COM-03 has been deleted, since Cloud
Service Providers who are regularly audited according to this catalogue of
criteria fulfill them anyway.

Alignment of the formulation with the requirements of ISO/IEC 27001.

Basic criterion newly included as an extension of the previous environmental parameter "UP-03 Disclosure and investigative powers" and as a supplement to the information on the framework conditions of the cloud service "BC-05 Information on how Investigation Enquiries from Government Authorities are handled".

Basic criterion based on the EU Cyber Security Act, Article 55 1.a newly
included.
Basic criterion newly included.

Basic criterion based on the EU Cyber Security Act, Article 55 1.d newly
included.
Basic criterion based on the EU Cyber Security Act, Article 55 1.e newly
included.

Basic criterion newly included.

Basic criterion newly included.


In the basic requirement IDM-07 of the C5:2016, both the authentication
information of users in the area of responsibility of the Cloud Service
Provider as well as the Cloud customers have been considered. A
separation was made during the revision. Authentication information of the
Cloud Service Provider's users is the subject of the basic criterion IDM-08.
Authentication information of the cloud customer's users is considered in
the basic criterion PSS-07.

Basic criterion newly included in line with the existing basic requirement
IDM-01 regarding the users in the cloud customer's area of responsibility.

Basic criterion based on the previous basic requirement IDM-09 and extended by aspects of validation of functionality.

Basic criterion based on CSA Security Guidance for Critical Areas of Focus
in Cloud Computing v4.0, Section 7.2 newly included.
Basic criterion based on CSA Security Guidance for Critical Areas of Focus
in Cloud Computing v4.0, Section 8, p. 93 newly included.

Reclassification of the basic requirement from the original regular operation area.
Restriction of the possibilities for determining the locations to the
contractually available options. Addition that the technical architecture of
the cloud service must ensure this.
Additional Requirements C5:2016

The top management initiates, controls and monitors an information security management system (ISMS), which has a valid certification according to ISO/IEC 27001:2013 or ISO 27001 on the basis of IT-Grundschutz.
The statement of applicability covers the IT processes for the development and operation of the cloud service.

The cloud provider identifies all risks related to overlapping or incompatible authorities and responsibilities.
The cloud provider has documented any function separation conflicts and the compensating controls established for this purpose comprehensibly (e. g. in a role and rights concept) to allow for an assessment of the appropriateness and effectiveness of these controls.

Procedures are defined and documented to communicate the information received to the internal and external employees of the cloud provider and to be able to respond to it appropriately and in a timely manner.

-
Parameters of the top management for the risk appetite and the risk
tolerances of the cloud provider are included in the policy for the risk
management or a comparable official document. The timely implementation
of the mitigating safeguards is monitored by qualified personnel of the cloud
provider. The top management is informed of the status of the identified
risks and mitigating safeguards at least once every three months and in an
appropriate form.

-
The regular review is followed up by central bodies at the cloud provider.

The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by an independent third party at least once a year as to whether they reflect a realistic picture of the current and future expected threat environment regarding information security (see SPN-01).

Special approval procedure in the hiring process for employees and posts
for which particularly sensitive information is accessed are established.

-
The programme takes different profiles into account and includes further
information for posts and employees who have extensive authorisations or
access to sensitive data.
External employees of service providers and suppliers of the cloud
provider, who contribute to the development or operation of the cloud
service, are instructed in the specific security requirements of the cloud
provider as well as generally in the subject of information security.
The cloud provider checks on a random basis that the service providers
and suppliers have carried out the instruction in an appropriate manner.
The results of the audit are documented comprehensibly.

-
If adjustments to the non-disclosure or confidentiality agreements result
from the review, the internal and external employees of the cloud provider
must be informed about this and new confirmations shall be obtained.

AM-01:
In the event of a failure of assets which are of essential importance for the
availability of the cloud service (e. g. central network components), the
cloud provider is able to promptly detect which cloud customers are
affected by this in order to ensure a response to the malfunctions occurred
that complies with the service level agreement.
By means of technical safeguards, it is ensured that the inventory of the
assets is updated automatically at regular intervals.

MDM-01:
Central management and monitoring is performed by means of MDM
solutions, including a possibility for remote deletion.
A site plausibility check of the access is carried out.
An inventory list of mobile terminal devices with access to the cloud service
(among other things, with information of the operating system and patch
status, assigned employees, approval regarding BYOD) is maintained (see
AM-01).

-

-
-

The security concept includes the setup of different security zones which
are separated by security lines as monitored and secured gateways
between the zones.
The physical site access controls require two-factor authentication.
The environmental parameters are monitored. If the tolerable control range
is exceeded from below or above, alarm messages are generated and
forwarded to the responsible bodies.
PS-04:
The supply services are monitored. If the tolerable control range is exceeded from below or above, alarm messages are generated and forwarded to the responsible bodies. The cloud provider determines and communicates the times of self-sufficient supply which are achieved by the safeguards taken if the supply services fail or if extraordinary events occur (e. g. heat waves, long lasting power failure) as well as the maximum tolerable times for a failure of the supply services.
Contracts for maintaining the precautions with corresponding service providers have been concluded (e. g. for the fuel of the emergency power supply).

BCM-05:
Simulated failures of the supply of computing centres are integrated into the
drills (see BCM-03).

The forecasts are taken into account in coordination with the service level
agreement for the planning and preparation of the provisioning.
To monitor the capacity and the availability, the cloud customer is provided
with relevant information via a self-service portal.

The cloud provider draws up regular reports on the performed audits, which
are reviewed and analysed by authorised bodies or committees.
Policies and instructions describe the technical safeguards for the secure
configuration and monitoring of the management console (both the self-
service of the customer and the cloud administration of the service
provider) in order to protect them against malware.
The update is performed with the highest frequency that is contractually
offered by the manufacturer(s).


The data is backed up in encrypted form that conforms to the current state
of the art.

To monitor the data backup, the cloud customer is provided with the
relevant logs or the summary of the results via a self-service portal.
Upon customer request, the cloud provider informs the cloud customers of
the results of the restoration tests. Restoration tests are incorporated into
the business continuity management of the cloud provider.

-
-

Upon request of the cloud customer, the cloud provider offers customer-
specific logging (in terms of the scope and duration of the storage) and
makes it available to the customer.
Depending on the protection requirements and technical feasibility, the
logged data and the user data should be separated logically or physically.
Upon request of the cloud customer, the cloud provider makes the logs
affecting them available promptly and in an appropriate form so that they
can examine the incidents affecting them themselves.

The access and management of the logging and monitoring functionalities requires multi-factor authentication.

The logging and monitoring software is designed redundantly in order to also monitor the security and availability of the customer systems in the event of failures.

The tests are carried out every six months. They must always be performed
by independent external auditors. Internal personnel for penetration tests
may support the external service providers.
-

Upon customer request, the cloud provider informs the cloud customer of
open vulnerabilities in an appropriate form.
The open vulnerabilities are remedied promptly without exception.

Upon request, the cloud customer must be informed of the standards used
and the safeguards taken to harden the system components.

Resources in the storage network (Storage) are segmented by secure zoning (LUN Binding and LUN Masking).
-

IDM-02:
The cloud provider offers self-service options for cloud customers in order to be able to grant user IDs independently.

IDM-03:
The cloud provider offers self-service options for cloud customers in order to be able to grant and change user data access authorisations independently.
-

Administrative authorisations are checked at least every six months.

-
-

The users sign a declaration in which they assure that they will treat
personal (or shared) authentication information confidentially and keep it
private (within the members of the group).
IDM-11:
Automatic controls are implemented, which are based on the following
rules:
• There is a lock of 15 minutes after 5 failed login attempts and the waiting
time is increased with each failed login attempt.
• Multiple logins of one and the same user are not possible.
• Upon login, there is an automatic lock after 15 minutes of inactivity.
• The minimum password length of privileged users is 14 characters and 8
characters for users without wide-ranging authorisations.
• Capital letters, lower-case letters, special characters and numbers must
be included.
• After 90 days, the user is forced to change the password with the next
login.
• Password history is 12.

-
-

If data with higher protection requirements are transmitted, strong encryption must also be implemented within the cloud provider's infrastructure.

-
-

Intrusion prevention / intrusion detection systems (IDS/IPS) are integrated into an overall SIEM system (security information and event management) so that events from IDS/IPS can be correlated with other events in order to be able to initiate the required safeguards (countermeasures) resulting from this. By means of technical safeguards, it is ensured that no unknown (physical or virtual) devices join the (physical or virtual) network of the cloud provider (for example by means of MACSec according to IEEE 802.1X:2010, see IDM-08).

-
-

Each network perimeter is controlled by redundant and high-availability security gateways. The system access authorisation for cross-network access is based on a security assessment on the basis of the customer requirements.

In the case of IaaS/PaaS, the secure separation is ensured by physically separated networks or by means of strongly encrypted VLANs.

-
-

-
For the procurement, products which were certified according to the
"Common Criteria for Information Technology Security Evaluation"
(abbreviated: Common Criteria - CC) according to evaluation level EAL 4
are preferred.
If uncertified products are procured although certified products are
available, this must be documented and justified.

-
-

-
-

At least every three months, it is reviewed for an appropriate random sample of changes made to the production environment (i. e. at least 10% of all changes completed during this period of time) whether the internal requirements regarding the proper classification, testing and approval of changes were met.

-
-

Subcontractors of the cloud provider are contractually obliged to grant the cloud provider auditing rights regarding the effectiveness of the service-related internal control system as well as with respect to the compliance of the security requirements agreed upon. The subcontractor can also demonstrate evidence by submitting corresponding certificates of independent third parties (e. g. in the form of reports according to ISAE 3402/IDW PS 951). This also includes subcontractors of the subcontractor.
-

-
Interfaces for an automated real-time monitoring of the service (minimum capacity, availability as well as elimination of malfunctions) are established to be able to monitor compliance with the service level agreements agreed upon and to promptly respond to deviations. At least once a year, an audit is performed by independent, external auditors or qualified personnel of the cloud provider in order to review the effectiveness of the controls established at the service provider, which are related to the contract relationship, as well as the security requirements agreed upon.
Evidence can be demonstrated, for example in the form of reports according to ISAE 3402/IDW PS 951.
The prompt addressing of audit findings is followed up by the cloud provider.

-
Instructions are given as to how data of a suspicious system can be
collected in the event of a security incident so that it can be used as
evidence.
Moreover, there are analysis plans for typical security incidents as well as
an evaluation method so that the information collected will not lose its
evidentiary value during a subsequent legal appraisal.

The customer can either actively agree to solutions or the solution is agreed
upon after a certain period of time has expired.
Information about security incidents or confirmed security violations is made
available to all affected customers.
It is contractually agreed upon between the cloud provider and the cloud
customer which data is made available to the cloud customer for their own
analysis in the event of security incidents.
-

-
-
-

In addition to the tests, drills are also carried out, which are, among other
things, based on scenarios resulting from security incidents that have
already occurred in the past.

-
The cloud provider has taken precautions for unscheduled audits.

SPN-02:
The audit is carried out at least every six months.
The audit also includes the compliance with the requirements of C5.

SPN-03:
Upon request of the cloud customer, the cloud provider provides
information of the results, impacts and risks of these audits and
assessments in an appropriate form. The cloud provider commits their
subcontractors to such audits, asks for the submission of the audit reports
in the same intervals and uses them for their own audits.

COM-03:
Upon request of the cloud customer, the cloud provider provides
information of the results, impacts and risks of these audits and
assessments in an appropriate form. If necessary, unscheduled audits can
be carried out by independent third parties.

-
-

-
-

-
-

-
The users sign a declaration in which they assure that they will treat
personal (or shared) authentication information confidentially and keep it
private (within the members of the group).

At least once a month, the activations of the emergency users and the
corresponding approvals are compared manually. Irregularities are
examined in order to determine any misuse of these users and to avoid this
in the future.
The activities of the emergency users are logged in an audit-proof manner.
The logging is sufficiently detailed so that an expert third party is able to
comprehend the activities.

-
-

-
Additional Criteria C5:2020

The Information Security Management System (ISMS) has a valid certification according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz.

-
-

If the cloud service is used by public sector organisations in Germany, the Cloud Service Provider leverages contacts with the National IT Situation Centre and the CERT Association of the BSI.

-
-

-
-

-
The learning outcomes achieved through the awareness and training
programme are measured and evaluated in a target group-oriented
manner. The measurements cover quantitative and qualitative aspects. The
results are used to improve the awareness and training programme.

-
If the review results in adjustments to the confidentiality or non-disclosure
agreements, the Cloud Service Provider's internal and external employees
must be notified, and new confirmations must be obtained.

Logging and monitoring applications take into account the information collected on the assets in order to identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives, and to support information provided to affected cloud customers in accordance with contractual agreements.
-

-
Physical assets of internal and external employees are managed centrally.

Central management enables software, data, and policy distribution, as well as remote deactivation, deletion, or locking.

Logging and monitoring applications take the asset protection needs into
account in order to inform the responsible stakeholder of events that could
lead to a violation of the protection goals, so that the necessary measures
are taken with an appropriate priority. Actions for events on assets with a
higher level of protection take precedence over events on assets with a
lower need for protection.
The security requirements include time constraints for self-sufficient
operation in the event of exceptional events (e.g. prolonged power outage,
heat waves, low water in cold river water supply) and maximum tolerable
utility downtime.

The time limits for self-sufficient operation provide for at least 48 hours in
the event of a failure of the external power supply.

For a self-sufficient operation during a heat period, the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings have been determined with a safety margin of 3 K. The security requirements stipulate that the permissible operating and environmental parameters of the cooling supply must also be observed on at least five consecutive days with these outside temperatures including the safety margin (cf. PS-06 Protection against failure of the supply facilities).

If water is taken from a river for air conditioning, it is determined at which water levels and water temperatures the air conditioning can be maintained for how long.

The maximum tolerable downtimes of utility facilities are suitable for meeting the availability requirements contained in the service level agreement.

The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 - Verification, updating and testing of business continuity).

The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems.
-
The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts.
Uninterruptible Power Supplies (UPS) and Emergency Power Supplies (NPS) are designed to meet the availability requirements defined in the Service Level Agreement.

The cooling supply is designed in such a way that the permissible operating
and environmental parameters are also ensured on at least five
consecutive days with the highest outside temperatures measured to date
within a radius of at least 50 km around the locations of the premises and
buildings, with a safety margin of 3 K (in relation to the outside
temperature). The Cloud Service Provider has previously determined the
highest outdoor temperatures measured to date (cf. PS-00-1 Security
Concept).

The connection to the telecommunications network is designed with sufficient redundancy so that the failure of a telecommunications network does not impair the security or performance of the Cloud Service Provider.

The forecasts are considered in accordance with the service level agreement for planning and preparing the provisioning.
To monitor capacity and availability, the relevant information is available to the cloud customer in a self-service portal.

The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s).

The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the responsible authorities so that they can be immediately assessed and the necessary measures taken.

The relevant logs or summarised results are available to the cloud customer in a self-service portal for monitoring the data backup.
At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management.

-
Personal data is automatically removed from the log data before the Cloud
Service Provider processes it as far as technically possible. The removal is
done in a way that allows the Cloud Service Provider to continue to use the
log data for the purpose for which it was collected.

The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out.
On request of the Cloud customer, the Cloud Service Provider provides the
logs relating to the cloud customer in an appropriate form and in a timely
manner so that the cloud customer can investigate any incidents relating to
them.

Access to system components for logging and monitoring in the Cloud
Service Provider's area of responsibility requires two-factor authentication.

The system components for logging and monitoring are designed in such a
way that the overall functionality is not restricted if individual components
fail.

The tests are carried out every six months. They must always be performed
by independent external auditors. Internal personnel for penetration tests
may support the external service providers.
-

Available security patches are applied depending on the severity of the
vulnerabilities, as determined based on the latest version of the Common
Vulnerability Scoring System (CVSS):

• Critical (CVSS = 9.0 - 10.0): 3 hours;

• High (CVSS = 7.0 - 8.9): 3 days;

• Average (CVSS = 4.0 - 6.9): 1 month;

• Low (CVSS = 0.1 - 3.9): 3 months.

System components in the Cloud Service Provider's area of responsibility
are automatically monitored for compliance with hardening specifications.
Deviations from the specifications are automatically reported to the
appropriate departments of the Cloud Service Provider for immediate
assessment and action.

Resources in the storage network are segmented by secure zoning (LUN
binding and LUN masking).
-

The Cloud Service Provider offers cloud customers a self-service with
which they can independently assign and change user accounts and
access rights.
-

Privileged access rights are reviewed at least every six months.

-
Access to the data processed, stored or transmitted in the cloud service by
internal or external employees of the Cloud Service Provider requires the
prior consent of an authorised department of the cloud customer, provided
that the cloud customer's data is not encrypted, encryption is disabled for
access, or contractual agreements do not explicitly exclude such consent.
For the consent, the cloud customer's department is provided with
meaningful information about the cause, time, duration, type and scope of
the access, which supports the assessment of the risks associated with the access.

The users sign a declaration in which they assure that they treat personal
(or shared) authentication information confidentially and keep it exclusively
for themselves (within the members of the group).
Access to the non-production environment requires two-factor or multi-
factor authentication. Within the non-production environment, users are
authenticated using passwords, digitally signed certificates, or procedures
that provide at least an equivalent level of security.

-
-

The Cloud Service Provider has established procedures and technical
measures for strong encryption and authentication for the transmission of
all data.

The private keys used for encryption are known to the customer exclusively
and without exception in accordance with applicable legal and regulatory
obligations and requirements.
-

Technical measures ensure that no unknown (physical or virtual) devices
join the Cloud Service Provider's (physical or virtual) network (e.g. MACSec
according to IEEE 802.1X:2010).

-
-

Each network perimeter is controlled by redundant and highly-available
security gateways.

In the case of IaaS/PaaS, the secure segregation is ensured by physically
separated networks or by means of strongly encrypted VLANs. For the
definition of strong encryption, the technical guideline TR02102 of the BSI
must be considered.
-
-

The design of the aspects is based on legal and regulatory requirements in
the environment of the Cloud Service Provider. The Cloud Service Provider
identifies the requirements regularly, at least once a year, checks that they
are still current and adjusts the contractual agreements accordingly.

-
In procurement, products are preferred which have been certified according
to the "Common Criteria for Information Technology Security Evaluation"
(short: Common Criteria - CC) according to Evaluation Assurance Level EAL
4. If non-certified products are to be procured although certified
products are available, a risk assessment is carried out in accordance with OIS-07.

-
-

In accordance with the contractual agreements, meaningful information
about the occasion, time, duration, type and scope of the change is
submitted to authorised bodies of the cloud customer so that they can carry
out their own risk assessment before the change is made available in the
production environment. Regardless of the contractual agreements, this is
done for changes that have the highest risk category based on their risk
assessment.
-

Version control procedures provide appropriate safeguards to ensure that
the integrity and availability of cloud customer data is not compromised
when system components are restored back to their previous state.

-
-

Subservice organisations of the Cloud Service Provider are contractually
obliged to provide regular reports by independent auditors on the suitability
of the design and operating effectiveness of their service-related internal
control system.

The reports include the complementary subservice organisations that are
required, together with the controls of the Cloud Service Provider, to meet
the applicable basic criteria of BSI C5 with reasonable assurance.

In case no reports can be provided, the Cloud Service Provider agrees
appropriate information and audit rights to assess the suitability and
effectiveness of the service-related internal control system, including the
complementary controls, by qualified personnel.
-

-
The procedures for monitoring compliance with the requirements are
supplemented by automatic procedures relating to the following aspects:

• Configuration of system components;

• Performance and availability of system components;

• Response time to malfunctions and security incidents; and

• Recovery time (time until completion of error handling).

Identified violations and discrepancies are automatically reported to the
responsible personnel or system components of the Cloud Service Provider
for prompt assessment and action.

-
There are instructions as to how the data of a suspicious system can be
collected in a conclusive manner in the event of a security incident. In
addition, there are analysis plans for typical security incidents and an
evaluation methodology so that the collected information does not lose its
evidential value in any subsequent legal assessment.


The Cloud Service Provider simulates the identification, analysis and
defence of security incidents and attacks at least once a year through
appropriate tests and exercises (e.g. Red Team training).

The customer can either actively approve solutions or the solution is
automatically approved after a certain period.

Information on security incidents or confirmed security breaches is made
available to all affected customers.

The contract between the Cloud Service Provider and the cloud customer
regulates which data is made available to the cloud customer for his own
analysis in the event of security incidents.
-

-
-
-

In addition to the tests, exercises are also carried out which, among other
things, are based on scenarios from security incidents that have already
occurred in the past.

-
The Cloud Service Provider grants its cloud customers contractually
guaranteed information and audit rights.

Internal audits are supplemented by procedures to automatically monitor
applicable requirements of policies and instructions with regard to the
following aspects:

• Configuration of system components to provide the cloud service within
the Cloud Service Provider's area of responsibility;

• Performance and availability of these system components;

• Response time to malfunctions and security incidents;

• Recovery time (time to completion of error handling).

Identified vulnerabilities and deviations are automatically reported to the
appropriate Cloud Service Provider's subject matter experts for immediate
assessment and action.

Cloud customers can view compliance with selected contractual
requirements in real time.

-
-

-
The procedures for identifying such vulnerabilities also include annual code
reviews or security penetration tests by qualified external third parties.

Assets provided by the Cloud Service Provider, which must be installed,
provided or operated by cloud users within their area of responsibility, are
equipped with automatic update mechanisms. After approval by the
respective cloud user, software updates can be rolled out in such a way
that they can be distributed to all affected users without human interaction.

Cloud users can retrieve security-related information via documented
interfaces which are suitable for further processing this information as part
of their Security Information and Event Management (SIEM).

The cloud service offers out-of-band authentication (OOB), in which the
factors are transmitted via different channels (e.g. Internet and mobile
network).

-
-

Access controls are attribute-based to enable granular and contextual
checks against multiple attributes of a user, IT component, or application
(e.g., role, location, authentication method).

-
At startup and runtime of virtual machine or container images, an integrity
check is performed that detects image manipulations and reports them to
the cloud customer.

-
Description of Changes for the Additional Criteria

Explanation of applicability has been removed as it is already specified in
the basic criterion.

Removed, as verifiability of the identification of "all risks" is only possible to
a limited extent.

Removed, as it was only a documentation requirement, which does not
contribute to increasing the safety level.

After including the previously optional requirement for communication in the
basic criterion, this additional criterion was formulated to meet the needs of
public sector organisations in Germany.

-
Removed due to the following reasons:
(a) the definition of risk appetite and risk tolerances concerns the policy and
thus the basic criterion OIS-06;
(b) the monitoring of the timely implementation of mitigating measures has
not been specified in detail so far and can only be checked to a limited
extent;
(c) communication with the management is already covered by the basic
criterion COM-04.

-
Removed, as it was only an organisational requirement, which does not
contribute significantly to increasing the level of safety.

Removed, as the assessment by a third party no longer contributes
significantly to increasing the safety level once the basic criterion has been
adapted.

Removed, as the required "special approval procedures" were not further
specified.

-
Consideration of different profiles is already given through the target group
orientation in the basic criterion. Instead, the measurement and evaluation of
learning outcomes has been added.

Requirement for review of external service providers reclassified to criteria
of the SSO area.

-
The handling of changes has been shifted from the previous basic
requirement to an additional criterion, and the option of informing the
employee instead of concluding the agreement anew has been granted so
that the procedure can be conducted less formally.

Reformulation of the additional criterion regarding communication with
affected customers. The initiation of appropriate measures to respond to
disturbances has been transferred to Ref. AM-06.

The partial aspect of automatic updating has been removed, as this does
not necessarily increase the security level.

The former optional requirement for the basic requirement MDM-01 has
been deleted, as mobile devices are now also considered assets and the
requirements contained therein have been transferred to the basic criteria
AM-01 and AM-02 and the additional criterion AM-05.
The former optional requirement to the basic requirement MDM-01 has
been deleted, as mobile devices are now also considered assets and the
requirements contained therein have been transferred to the basic criteria
AM-01 and AM-02.

-
Since mobile devices are now also regarded as assets, the additional
criterion has been formulated more generally on the basis of the previously
optional, more extensive MDM-01 requirement.

New additional criterion based on the formerly optional requirement AM-01.

Additional criterion newly included.

Additional criterion newly included.

The originally required security zones do not necessarily concern the
perimeter of the rooms and buildings and therefore do not increase the
security level.
The structural measures required in the basic criterion are supplemented
here by an organisational measure.
The originally required two-factor authentication has been further specified
in the basic criterion.
"Responsible bodies" replaced by "responsible authorities" staff in the
course of the uniform formulation in this list of criteria.
The former optional requirement has been transferred to the basic criterion
PS-07.
The additional criterion specifies further requirements for the supply
facilities.

No change.
No change.

No change.

Since the basic requirement has been divided into two basic criteria, an
additional criterion for the automatic monitoring of the configuration of the
protection mechanisms has been added to supplement the basic criterion
for the implementation of protection against malware.

The additional criterion is no longer necessary, since the encryption of the
data backup has been transferred to the basic criterion.

No change.
No change.

-
Additional criterion newly included.

Linguistic adaptation without changes in content.

No change.

Linguistic adaptation and alignment with the wording in other criteria without
substantive changes.

Revision of the criterion with the purpose of not making concrete
specifications for implementation (i.e. redundancy is not mandatory).

No change.
-

Information on vulnerabilities for the cloud customers is now the subject of
the new basic criterion "PSS-03 Online Register of Known Vulnerabilities".
Time periods for applying security patches are now defined depending on
their severity.

The previously required disclosure of measures can cause a security risk.
Therefore, the additional criterion is based on the aspect of automatic
monitoring of these measures.

No change.
-

Consolidation of the optional additional requirements IDM-02 and IDM-03
into one additional criterion.
-

The criterion now refers to privileged instead of administrative authorisations
(alignment with ISO/IEC 27001).

-
Additional criterion newly included to regulate the handling when accessing
data of cloud customers.

No change.
Additional criterion newly included.

-
-

Extension of the former optional requirement to all data (no longer related
to the protection requirements).

New additional criterion.

-

The use of a SIEM system, previously required in the optional requirement,
has been integrated into the basic criterion.

-
-

The second sentence of the previously optional requirement was already
included in the basic requirement and was therefore removed.

Reference to the technical guideline TR02102 of the BSI added.

-
-

The new additional criterion is intended to take account of regulatory
requirements, in particular with regard to storage obligations.

-
Additional criterion now also allows certifications > EAL 4.
For deviations, an explicit reference to risk management was added.

-
-

New additional criterion.

-

New additional criterion.

The previously optional requirement strongly interfered with the design of
the controls at the service provider. It was therefore deleted.

-
-

The optional requirement has been limited to subcontractors for which a
definition has been included in the C5:2020 (not all suppliers and service
providers are subcontractors).
Reports only need to be submitted if they exist. Alternatively, the
Cloud Service Provider can agree on corresponding information and
auditing rights.
-

-
The aspects relevant for automatic monitoring were specified in more detail.

The second part of the previously optional, more extensive requirement has
been deleted, since it is redundant to the basic criterion SSO-01.

-
No change.

New additional criterion.

No change.
-

-
-
-

No change.

-
The focus of the additional criterion was placed on audits initiated by cloud
customers.

The previous optional, more extensive requirements SPN-02 and SPN-03
have been removed, as the provision of information from internal audits can
pose a security risk to the Cloud Service Provider.
The previous optional requirement COM-03 has also been removed, as the
results of external audits (the audit reports) are typically provided to
customers anyway.

The additional criterion was therefore rewritten with regard to aspects for
automatic monitoring.

-
-

-
Additional criterion newly included.

Additional criterion newly included.

Additional criterion newly included.

Additional criterion newly included.

-
-

Additional criterion newly included.

-
Additional criterion newly included.
