Cloud Computing Compliance Controls Catalogue (C5) : Criteria To Assess The Information Security of Cloud Services


Cloud Computing Compliance Controls Catalogue (C5)

Criteria to assess the information security of cloud services

Cloud Computing Compliance Controls Catalogue (C5) | Table of Content

Table of Content

1 Introduction 10
1.1 Current situation 10
1.2 Uniform requirements based on existing standards 10

2 Structure and contents of C5 13
2.1 Structure of C5 13
2.2 Content-related presentation of the controls areas 14
2.3 Underlying national and international standards 16

3 Proving conformity with the requirements by an independent audit 18
3.1 Introduction 18
3.2 Auditing standards and criteria 18
3.2.1 ISAE 3000 (Revised) as auditing standard 18
3.2.2 Correspondingly applying further auditing standards 19
3.2.3 Criteria 20
3.3 Subject of the audit including system description 20
3.3.1 Subject of the audit 20
3.3.2 System description of the cloud provider 21
3.3.3 Use of evidence from other audits 22
3.4 Audit objective and reporting 23
3.4.1 Audit objective 23
3.4.2 Reporting of the auditor 23
3.5 Separate and supplementary requirements of the BSI 23
3.5.1 Qualification of the auditor 23
3.5.2 Reporting on existing and/or identified exceptions to the requirements 24
3.5.3 Information on the limitation of liability 24
3.5.4 Updates of C5 25
3.6 Application notes for potential cloud customers: Regular audits and contractual assurance 25


4 Framework conditions of the cloud service (surrounding parameters for transparency) 27
» UP-01 System description 27
» UP-02 Jurisdiction and data storage, processing and backup locations 27
» UP-03 Disclosure and investigatory powers 28
» UP-04 Certifications 28

5 Objectives and requirements 30

5.1 Organisation of information security 30
» OIS-01 Information security management system (ISMS) 30
» OIS-02 Strategic targets regarding information security and responsibility of the top management 30
» OIS-03 Authorities and responsibilities in the framework of information security 31
» OIS-04 Separation of functions 31
» OIS-05 Contact with relevant government agencies and interest groups 32
» OIS-06 Policy for the organization of the risk management 32
» OIS-07 Identification, analysis, assessment and handling of risks 32

5.2 Security policies and work instructions 33
» SA-01 Documentation, communication and provision of policies and instructions 33
» SA-02 Review and approval of policies and instructions 34
» SA-03 Deviations from existing policies and instructions 34

5.3 Personnel 35
» HR-01 Security check of the background information 35
» HR-02 Employment agreements 36
» HR-03 Security training and awareness-raising programme 36
» HR-04 Disciplinary measures 36
» HR-05 Termination of the employment relationship or changes to the responsibilities 36

5.4 Asset management 37
» AM-01 Asset inventory 37


» AM-02 Assignment of persons responsible for assets 37
» AM-03 Instruction manuals for assets 37
» AM-04 Handing in and returning assets 37
» AM-05 Classification of information 37
» AM-06 Labelling of information and handling of assets 38
» AM-07 Management of data media 38
» AM-08 Transfer and removal of assets 38

5.5 Physical security 39
» PS-01 Perimeter protection 39
» PS-02 Physical site access control 39
» PS-03 Protection against threats from outside and from the environment 39
» PS-04 Protection against interruptions caused by power failures and other such risks 40
» PS-05 Maintenance of infrastructure and devices 40

5.6 Operations 41
» RB-01 Capacity management – planning 41
» RB-02 Capacity management – monitoring 41
» RB-03 Capacity management – data location 41
» RB-04 Capacity management – control of resources 42
» RB-05 Protection against malware 42
» RB-06 Data backup and restoration – concept 42
» RB-07 Data backup and restoration – monitoring 43
» RB-08 Data backup and restoration – regular tests 43
» RB-09 Data backup and restoration – storage 43
» RB-10 Logging and monitoring – concept 43
» RB-11 Logging and monitoring – meta data 44
» RB-12 Logging and monitoring – critical assets 44
» RB-13 Logging and monitoring – storage of the logs 44
» RB-14 Logging and monitoring – accountability 45
» RB-15 Logging and monitoring – configuration 45


» RB-16 Logging and monitoring – availability of the monitoring software 45
» RB-17 Handling of vulnerabilities, malfunctions and errors – concept 45
» RB-18 Handling of vulnerabilities, malfunctions and errors – penetration tests 46
» RB-19 Handling of vulnerabilities, malfunctions and errors – integration with change and incident management 46
» RB-20 Handling of vulnerabilities, malfunctions and errors – involvement of the cloud customer 46
» RB-21 Handling of vulnerabilities, malfunctions and errors – check of open vulnerabilities 46
» RB-22 Handling of vulnerabilities, malfunctions and errors – system hardening 47
» RB-23 Segregation of stored and processed data of the cloud customers in jointly used resources 47

5.7 Identity and access management 48
» IDM-01 Policy for system and data access authorisations 48
» IDM-02 User registration 48
» IDM-03 Granting and change (provisioning) of data access authorisations 48
» IDM-04 Withdrawal of authorisations (de-provisioning) in case of changes to the employment relationship 49
» IDM-05 Regular review of data access authorisations 49
» IDM-06 Administrator authorisations 49
» IDM-07 Non-disclosure of authentication information 49
» IDM-08 Secure login methods 50
» IDM-09 Handling of emergency users 50
» IDM-10 System-side access control 50
» IDM-11 Password requirements and validation parameters 50
» IDM-12 Restriction and control of administrative software 51
» IDM-13 Control of access to source code 51

5.8 Cryptography and key management 52
» KRY-01 Policy for the use of encryption procedures and key management 52
» KRY-02 Encryption of data for transmission (transport encryption) 52


» KRY-03 Encryption of sensitive data for storage 53
» KRY-04 Secure key management 53

5.9 Communication security 54
» KOS-01 Technical safeguards 54
» KOS-02 Monitoring of connections 54
» KOS-03 Cross-network access 54
» KOS-04 Networks for administration 54
» KOS-05 Segregation of data traffic in jointly used network environments 54
» KOS-06 Documentation of the network topology 55
» KOS-07 Policies for data transmission 55
» KOS-08 Confidentiality agreement 55

5.10 Portability and interoperability 56
» PI-01 Use of public APIs and industry standards 56
» PI-02 Export of data 56
» PI-03 Policy for the portability and interoperability 56
» PI-04 Secure data import and export 57
» PI-05 Secure deletion of data 57

5.11 Procurement, development and maintenance of information systems 57
» BEI-01 Policies for the development/procurement of information systems 57
» BEI-02 Outsourcing of the development 58
» BEI-03 Policies for changes to information systems 58
» BEI-04 Risk assessment of changes 58
» BEI-05 Categorisation of changes 58
» BEI-06 Prioritisation of changes 58
» BEI-07 Testing changes 59
» BEI-08 Rollback of changes 59
» BEI-09 Review of proper testing and approval 59
» BEI-10 Emergency changes 59
» BEI-11 System landscape 59
» BEI-12 Separation of functions 59

5.12 Control and monitoring of service providers and suppliers 60


» DLL-01 Policies for the handling of and security requirements for service providers and suppliers of the cloud provider 60
» DLL-02 Monitoring of the rendering of services and security requirements for service providers and suppliers of the cloud provider 60

5.13 Security incident management 61
» SIM-01 Responsibilities and procedural model 61
» SIM-02 Classification of customer systems 62
» SIM-03 Processing of security incidents 62
» SIM-04 Documentation and reporting of security incidents 62
» SIM-05 Security incident event management 62
» SIM-06 Duty of the users to report security incident to a central body 62
» SIM-07 Evaluation and learning process 62

5.14 Business continuity management 63
» BCM-01 Top management responsibility 63
» BCM-02 Business impact analysis policies and procedures 63
» BCM-03 Planning business continuity 63
» BCM-04 Verification, updating and testing of the business continuity 64
» BCM-05 Supply of the computing centres 64

5.15 Security check and verification 65
» SPN-01 Notification of the top management 65
» SPN-02 Internal audits of the compliance of IT processes with internal security policies and standards 65
» SPN-03 Internal audits of the compliance of IT systems with internal security policies and standards 66

5.16 Compliance and data protection 66
» COM-01 Identification of applicable legal, contractual and data protection requirements 66
» COM-02 Planning independent, external audits 67
» COM-03 Carrying out independent, external audits 67

5.17 Mobile device management 68
» MDM-01 Policies and procedures for the risk minimisation of access via the cloud provider's mobile terminal devices 68


1 Introduction

1.1 Current situation

Cloud computing is a new paradigm in ICT (information and communication technology). It consists of IT services being adjusted dynamically to the customer needs and made available through a network in a billable manner. These services are offered and used by means of technical interfaces and protocols. Moreover, the definition of cloud computing of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) (and the differentiation from IT outsourcing) applies as it is described on the BSI website [1].

[1] https://www.bsi.bund.de/EN/Topics/CloudComputing/Basics/Basics_node.html

Cloud computing is based on a high level of standardisation of the hardware and software as well as on the services built on them, details of which the customer is usually not very familiar with. As a consequence, a particularly high degree of trust in the cloud service provider is required, which has to be developed first.

A possible solution is combining the high standardisation of cloud computing with a high standardisation of information security. There is no lack of available information security standards in the context of cloud computing. Examples include the ISO/IEC 27001 and ISO/IEC 27017 standards, the rules of the CSA Cloud Controls Matrix and BSI products like the IT-Grundschutz Catalogues and the security profiles for software as a service (SaaS).

Among security experts and cloud service providers there exists an informal consensus about the requirements that have to be met for secure cloud computing. A generally recognised requirements (or controls) catalogue on this, however, is not available yet.

There are different standards and certifications on the market which are used and maintained in parallel with great effort by many cloud providers. It is difficult for customers, however, to keep an overview of the large number of different certifications. The present Cloud Computing Compliance Controls Catalogue (hereafter referred to as "C5") is intended to be an aid for the customer, providing a better overview for a higher level of security and avoiding redundant audits.

1.2 Uniform requirements based on existing standards

The BSI uses C5 to present its current view of the mentioned informal consensus, and particularly to also facilitate an in-depth technical discussion. The requirements were, wherever possible, taken from known security standards and specified if necessary. They were supplemented by the BSI's own requirements only to the extent needed. The origin of the requirements is documented in a transparent manner so that the cloud provider is able to easily perform a comparison with his own security level.

In cases considered appropriate, additional requirements were included in C5 for certain basic requirements. It is the BSI's professional point of view that the basic requirements shall always be met for secure cloud computing. Moreover, it is up to the cloud customer to decide for their specific use case whether these basic requirements are sufficient or whether additional, optional requirements have to be met by the cloud provider. For this purpose, the additional requirements of C5 serve as a useful starting point.

It remains the challenge to prove to the cloud customer that the requirements of C5 are fulfilled by means of a transparent audit performed by an independent, trusted third party. As for the basic requirements found in this catalogue, this audit


should build on existing standards and certifications and thus generate the lowest possible additional effort for the cloud provider.

C5 is therefore structured in such a way that it is suitable for an audit by a certified public auditor [2] according to an international auditing standard. This aims at an audit with comprehensive reporting with respect to the structure, procedures and organisation of safeguarding and monitoring measures (controls), especially including a statement concerning their design appropriateness and operational effectiveness.

[2] The term "certified public auditor" is used in this document as a collective term and refers to people who did the specific examination for public accountants and hold that specific certificate in their country. In Germany, they are called "Wirtschaftsprüfer (WP)", in the USA they are called "certified public accountants (CPA)". Using the country-specific terms is – by no means – meant to restrict audits against C5 to accountants of a specific country.

Section 2 of this document refers to the structure and content of C5. Information on the audit execution and reporting by an independent certified public auditor can be found in section 3. In section 3.6, application notes for potential cloud customers are listed. The requirements can be found in sections 4 and 5. References to a selection of well-known standards are provided in a separate auxiliary document, which can be found on the BSI websites.


2 Structure and contents of C5

2.1 Structure of C5

Cloud services in terms of C5 are IT services which are made available to the customer by a service company (cloud provider, provider or service provider) over a network. Cloud services are offered, used and billed elastically and adapted to the requirements by defined technical interfaces and protocols. The range of the services offered within the cloud computing framework covers the entire spectrum of information technology and, among other things, includes infrastructure (e. g. computing power, storage), platforms and software.

C5 itself is subdivided into 17 sections (see section 2.2).

An objective is assigned to each section (see section 2.2). The objective provides the cloud provider with a summarised target which they have to fulfil in the related section through corresponding organisational and operational measures and (procedural) organisation.

Individual requirements are assigned to each objective (see section 5). The requirements specify general principles, procedures and measures for fulfilling the objective. In this respect, a distinction is made between basic requirements and additional, optional requirements. The basic requirements are essential, and the cloud provider has to meet and at least comply with them as part of an audit according to this catalogue.

In addition to some basic requirements, additional, optional requirements are defined. They are classified as to whether especially confidentiality (C), availability (A) or both properties at the same time (C/A) are addressed with respect to the data processed in the cloud service. It turned out that there are no effective higher-level requirements for integrity (I) in addition to the basic requirements, which is why this category is missing here. The additional requirements are a starting point for requirements which the cloud customers could specify based on their individual use case.

The cloud provider is responsible for the design, description, implementation and effective operation of the organisational and operational measures (controls) with which the requirements are implemented at the cloud provider. The entirety of the required measures is part of their internal control system concerning the cloud services. The design of this internal control system depends on the type of cloud service provided, the requirements of the cloud customers and the company goals of the cloud provider as well as on the associated specific risks.

A speciality of C5 are the so-called surrounding parameters for transparency which precede the requirements. Surrounding parameters for transparency address the transparency with respect to the general conditions according to which the cloud service is provided (e. g. the place of jurisdiction). By means of the information resulting from auditing these surrounding parameters for transparency, the customer can decide on the general suitability of the cloud service according to their internal targets.


2.2 Content-related presentation of the controls areas

Prior to the description of the detailed requirements in section 5, section 4 provides information on so-called "surrounding parameters for transparency". They define the general framework for requests of information and are similar to the other requirements with regards to nomenclature and structure. The customers have to decide on the range of these parameters along their internal guidelines and policies.

C5 itself comprises 17 sections (see table 1).

Section: Objective

Organisation of information security: Planning, implementation, maintenance and continuous improvement of a framework regarding information security within the organisation.

Security policies and work instructions: Providing policies and instructions with respect to the security claim and to support the business requirements.

Personnel: Making sure that employees, service providers and suppliers understand their tasks, are aware of their responsibility with regard to information security and that the assets of the organisation are protected if the tasks are modified or completed.

Asset management: Identifying the organisation's own assets and responsible persons as well as ensuring an appropriate level of protection.

Physical security: Preventing unauthorised physical access and protection against theft, damage, loss and failure of operations.

Operations: Assuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors.

Identity and access management: Securing the authorisation and authentication of users of the cloud provider (usually privileged users) and the cloud customer in order to prevent unauthorised access.

Cryptography and key management: Using appropriate and effective cryptography in order to safeguard information security.

Communication security: Protecting information in networks and the corresponding information-processing systems.

Portability and interoperability: Providing the ability to securely operate the service on different IT platforms as well as the possibility of secure connections to different IT platforms and termination of the service.

Procurement, development and maintenance of information systems: Complying with the security targets in case of new developments and procurement of information systems as well as changes.

Control and monitoring of service providers and suppliers: Protecting information that can be accessed by service providers and/or suppliers of the cloud provider (subcontractors) and monitoring the services and security requirements agreed upon.

Security incident management: Assuring a consistent and comprehensive approach regarding the monitoring, recording, assessment, communication and escalation of security incidents.

Business continuity management: Strategic establishment and governance of a business continuity management (BCM). Planning, implementing and testing business continuity concepts as well as incorporating safeguards in order to ensure and maintain continuous operations.

Security check and verification: Checking and verifying that the information security safeguards are implemented and carried out in accordance with the organisation-wide policies and instructions.

Compliance and data protection: Preventing violations against statutory or contractual duties with respect to information security.

Mobile device management: Guaranteeing secure access to IT systems via mobile devices in the cloud provider's responsibility to develop and operate the cloud service.

Table 1: Sections of C5 with assigned objectives


2.3 Underlying national and international standards

According to C5's objective, the content of the individual requirements was derived from nationally and internationally established standards. The following standards were taken into account:

» ISO/IEC 27001:2013
» CSA [3] – Cloud Controls Matrix 3.01 (CSA CCM)
» AICPA [4] – Trust Services Principles Criteria 2014 (TSP)
» ANSSI [5] Référentiel Secure Cloud v2.0 (version intermediaire validée du 20/03/2015, not published)
» IDW [6] ERS FAIT 5 (draft of a statement on accounting: "Grundsätze ordnungsmäßiger Buchführung bei Auslagerung von rechnungslegungsrelevanten Dienstleistungen einschließlich Cloud Computing" [Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing], version of 4 November 2014)
» BSI IT-Grundschutz Catalogues, 14th version 2014
» BSI SaaS Sicherheitsprofile 2014 (German only)

[3] Cloud Security Alliance, a non-profit organisation for the distribution of security standards in the field of cloud computing
[4] American Institute of Certified Public Accountants
[5] Agence nationale de la sécurité des systèmes d'information, French authority for the security of information systems
[6] Institut der Wirtschaftsprüfer [Institute of Certified Public Accountants in Germany, Incorporated Association], serving the interests of the auditing professions in Germany

Providers who already hold the respective certifications or have aligned their organisation and processes along one or several of these standards have the possibility to document the implementation of C5 largely through referencing their individual safeguards to the requirements of C5. In this respect, the user is supported by means of detailed references between the requirements of this catalogue and the requirements of the mentioned standards in a separate auxiliary document which can be found on the BSI websites.


3 Proving conformity with the requirements by an independent audit

3.1 Introduction

The requirements in this document can be used by cloud providers and by cloud customers. The providers can use them as orientation for the secure design of their processes. The cloud customer will be entitled to demand verification of whether the cloud provider meets these requirements. An assessment for each individual customer would not be efficient for the provider and provides no sufficient reliability for the customer. Moreover, there would be no uniform level of information on security issues – if a customer sends inquiries to several providers – so that a customer could not compare different providers. According to the BSI's professional point of view, a uniform audit by an independent third-party expert who creates a standardised report for the cloud provider to pass on to customers and prospects is a cost-efficient and reasonable solution to this problem.

Below, the BSI presents its professional point of view on what auditors should follow when performing such an audit, irrespective of their individual responsibility, and how they have to report to the provider and the customer of the cloud service.

When designing the audit requirements, nationally and internationally established standards were taken into account in the same way as described before for the security requirements themselves.

Specifically, the international auditing standard ISAE [7] 3000 (Revised) is used as the general basis for the auditing and reporting. It is supplemented by additional auditing standards which – applied correspondingly – are to be used for specific questions regarding auditing and reporting. In this respect, ISAE 3402 or the auditing standard Prüfungsstandard (PS) 951 of the Institut der Wirtschaftsprüfer (IDW) are to be mentioned. Moreover, the rules for audits and documentation according to Service Operation Controls (SOC) must be respected.

[7] International Standard on Assurance Engagements

Reference to targets and rules of national and international auditing and accounting is intentional. Furthermore, the special requirements for the independence of the auditor and the binding nature and comprehensibility of the audit evidence should be ensured. At the same time, cloud providers who have already been audited according to the standards mentioned in section 2.3 are thus able to re-use system descriptions already available and, where applicable, also parts of applicable audit results in parallel. These may serve as audit evidence within the attestation of the cloud service against C5. Thus, the additional audit effort can be reduced.

According to the BSI's professional point of view, the requirements for the audit in the mentioned auditing standards for the purposes of meaningful audit opinions must be fulfilled at all times. In the following section, several essential explanations are provided.

3.2 Auditing standards and criteria

3.2.1 ISAE 3000 (Revised) as auditing standard

Auditing and reporting shall be carried out by applying ISAE 3000 (Revised) "Assurance Engagements Other than Audits or Reviews of Historical Financial Information".

ISAE 3000 (Revised) describes general requirements for the qualification and conduct of an auditor (e. g. professional judgment and scepticism) as well as for accepting, planning and


carrying out an audit engagement. Furthermore, the standard includes general requirements for audit criteria without specifying their content in more detail. ISAE 3000 (Revised) must therefore be understood as a high-level auditing standard which provides the required high-level framework.

The standard distinguishes between audits with reasonable assurance and audits with limited assurance. Furthermore, so-called "attestation engagements" are distinguished from so-called "direct engagements" [8].

[8] See ISAE 3000, marginal number 12.

Audits regarding the implementation of the requirements of C5 presented here must be carried out with reasonable assurance as an "attestation engagement". In case of an "attestation engagement", the legal representatives of the cloud provider (e. g. a representative of the top management of the cloud provider) or the authorised signatories of the organisational unit responsible for the operations of the cloud service (hereinafter referred to as "management of the cloud provider") issue a statement on the appropriateness and – where relevant – effectiveness of the safeguards established to meet the requirements. With this statement, the cloud provider signals to the cloud customer his liability to implement the requirements. For the auditor, the statement (which is internationally also referred to as "written assertion" or "written statement") is the starting point for their audit.

3.2.2 Correspondingly applying further auditing standards

In case of special questions regarding the auditing procedure as well as documentation and reporting, ISAE 3402 "Assurance Reports on Controls at a Service Organization" is to be used correspondingly. As an alternative or supplement, the auditor can also refer to the German version of this standard (IDW PS 951 new version "Die Prüfung des internen Kontrollsystems bei Dienstleistungsunternehmen" [Auditing the internal control system of service companies]) and/or the US-American targets of the "Statements on Standards for Attestation Engagements" AT Section 801 and/or AT Section 101 for the use case of so-called SOC audits.

All these standards aim for appropriate and effective internal processes and controls which are used by the service provider in order to achieve specific targets and goals. For ISAE 3402, IDW PS 951 (new version) and AT Section 801, processes and controls have priority to the extent that they are important for the financial reporting of the service provider's customers. In the special use case of SOC 2 audits according to AT Section 101, proof of the implementation of the AICPA Trust Services Principles and Criteria (security, availability, processing integrity, confidentiality and/or data protection) must be demonstrated. Moreover, these principles and criteria were also taken into consideration when drawing up C5 (see section 2.3).

Correspondingly applying these auditing standards means that the audit is based on the contents of the individual requirements of C5. The auditing standards mentioned here with regard to specific questions are used for audit planning, implementation and reporting. Accordingly, the requirements for the audit which are described in more detail in sections 3.3 and 3.4 can be traced back directly to these auditing standards. Therefore, all interest groups involved (cloud provider, auditor and the customer as the addressee of the report) which already have experience with audits and/or reports according to these auditing standards can also use this experience directly for the audit along C5 and/or for evaluating the reporting.

For several aspects, however, the BSI has specific additional expectations. These expectations relate, for example, to the qualification of the auditor or details of the presentation of deviations identified in the reporting. They are summarised and explained in section 3.5 as "Separate and supplementary requirements of the BSI".


3.2.3 Criteria

The audit criteria need to be based on the following high-level requirements (see correspondingly e. g. ISAE 3000 (Revised), marginal number A45 or IDW PS 951 new version, marginal number 50):

» Relevance: Criteria must be relevant for the assessment of the principles, procedures and safeguards established by the cloud provider as well as for the decision-making.

» Completeness: Criteria are complete if no aspects essential for the assessment of the principles, procedures and safeguards established by the cloud provider and no aspects essential for the decision-making were excluded.

» Reliability: Criteria are reliable if they allow for a consistent and comprehensible assessment of the principles, procedures and safeguards established by the cloud provider.

» Neutrality: Criteria are neutral if they ensure an objective assessment of the principles, procedures and safeguards established by the cloud provider.

» Comprehensibility: Criteria are comprehensible as far as they allow for clear conclusions and misinterpretations are thus avoided.

The requirements of C5 are based on the standards and publications listed in section 2.3. By means of this reference, it is ensured according to the BSI’s point of view that the requirements included therein are suitable for use as a basis for a proper and comprehensible assessment of the cloud services by the cloud provider themselves and by an independent auditor.

3.3 Subject of the audit including system description

3.3.1 Subject of the audit

The subject of the audit includes the following two areas:

» Description of the internal control system related to the cloud services (system description) and

» Controls presented in the system description with reference to the individual requirements on the basis of a management statement of the cloud service provider

The responsibility for the system description and its content lies with the legal representatives of the provider. The management statement includes the appropriateness and usually also the effectiveness of the internal control system presented in the system description. The processes and procedures for implementing and executing the presented controls are also included.

For an audit regarding C5, a distinction is made between two types of audits and reporting, as is also the case in ISAE 3402 or IDW PS 951 new version.

» Type 1 audit and reporting: The auditor has to assess whether the system description properly reflects the actual design and implementation of the internal control system related to the cloud services at the time of the audit and whether the controls presented have been designed appropriately. Type 1 reporting is suitable, for example, for initial audits of newly developed cloud services in order to obtain an audit result in a timely manner. It is not suitable for demonstrating effective implementation over a retrospective period of time.

» Type 2 audit and reporting: As compared to type 1 audit and reporting, the auditor performs additional audit activities with respect to the effectiveness of the controls (functional tests). For this purpose, the audit period usually covers twelve months, but not less than six months. Shorter audit periods can be taken into account in exceptional cases (e. g. foundation of the cloud provider, acquisition of new cloud services) and must be justified within the report.

According to the BSI’s professional point of view, type 2 audit and reporting is required in order to provide an appropriate informative opinion. Type 1 reporting should only be carried out in the
exceptional cases as mentioned above, must be justified and must under no circumstances be repeated several times in a row.

C5 makes a distinction between basic requirements and additional requirements (see section 2.1).

» The audit and reporting can be based either on the basic requirements alone or on the basic requirements together with the additional requirements.

» The basic requirements (and, where applicable, the additional requirements) must be addressed completely and without omissions. To demonstrate a higher level of confidentiality, additional requirements relating to confidentiality can be taken into consideration (in section 5, column “C/A” classified with “C” and/or “C/A”). The same applies to demonstrating a higher level of availability. Which additional requirements were used as criteria for the audit must be reflected in the system description of the cloud provider. If all additional requirements relating to confidentiality (C and C/A) and/or all requirements with reference to availability (A and C/A) have been met in full, this must also be marked in the description of the subject of the audit by the supplement “The system description addresses all additional requirements regarding [the confidentiality]/[(and) the availability] in full”. If individual requirements cannot be applied from the cloud provider’s point of view, this is to be justified accordingly in the system description. The supplement in the description of the subject of the audit is omitted in this case.

3.3.2 System description of the cloud provider

The system description of the cloud services is created by the cloud provider. The minimum scope of the system description results from applying ISAE 3402 (or the standard(s) used as an alternative, see section 3.2) correspondingly. The following components have to be listed, for example:

» Type and scope of the provided cloud services

» Principles, procedures and measures for providing (development and/or operation) the cloud service, including the implemented controls

» Description of the infrastructure, network and system components used for the development and operation of the cloud service, including the geographical location of the data in use or at rest

» Regulation for handling significant incidents and conditions which constitute exceptions to regular operations, such as the failure of critical IT systems

» Roles and responsibilities of the cloud provider and the cloud customer, including the obligation to cooperate and required corresponding controls at the cloud customer

» Functions assigned or outsourced to subcontractors

For type 2 reporting, the system description must represent all essential changes to the internal control system related to the cloud services, which were made during the period covered, in a sufficiently detailed manner. This also includes those changes resulting from an update of C5 which has taken place in the meantime (see section 3.5.4).

Information which is relevant to the environment of the internal control system related to the cloud services must not be omitted or distorted in the system description. However, this does not include all aspects that can be considered to be important from the perspective of individual contractors or prospects.

In this respect, it must be noted that the system description is usually drawn up for a large number of cloud customers for whom the cloud provider may follow individual processes customized to meet individual cloud customer requirements.

In many cases, the cloud provider outsources parts of their business processes for the development and/or operation of the cloud service to other service companies (use of subcontractors). This
must be taken into account accordingly in the system description (and also in the course of the audit). For this purpose, a distinction is made between the “inclusive method” and the “carve-out method”.

» Inclusive method: The system description also includes the type and scope of the outsourced functions and the controls implemented at the subcontractor, which, together with the controls at the cloud provider themselves, are also subject of the audit.

» Carve-out method: The system description does not include a detailed description of the outsourced functions. The controls implemented at the subcontractor are not subject of the audit. In this case, at least the controls of the service provider which are used to monitor the effectiveness of the controls at the subcontractor are audited (see also the requirements DLL-01 and DLL-02 in section 5). The most straightforward approach in this case is if the subcontractor is audited (and will be audited regularly) according to the requirements of this document and submits an audit report on the effectiveness of the outsourced controls to the cloud provider, which the provider processes as part of their procedures used to control and monitor their subcontractors.

The cloud provider must select the method to be applied for their audit. This selection must be outlined clearly in the audit report and made transparent to the (potential) cloud customer. When the carve-out method is applied, the certified public auditor assesses whether the scope of the outsourcing is presented in the system description (e. g. on the basis of the contract and audit reports on the service-related internal control system of the subcontractor) and whether the effectiveness of the outsourced controls is monitored by the cloud provider according to requirement DLL-02.

To what extent subcontractors meet the requirements from this catalogue and how the surrounding parameters for transparency are designed at the subcontractor must be documented in the audit report.

3.3.3 Use of evidence from other audits

The requirements of C5 are largely based on nationally and internationally recognised standards. If those standards are already used by the cloud provider as references, the provider will have already aligned the processes and controls of their operations to the related requirements of C5. These processes and controls typically also constitute the basis for further audits which are carried out at the cloud provider, usually by independent external auditors. In this context, audits according to ISAE 3402, IDW PS 951 and/or the US-American regulations for SOC 1 or SOC 2 in particular should be mentioned.

In these cases, it is recommended to combine the organisation and timing of these audits with an audit according to C5. This enables the auditor and cloud provider, in case of overlapping controls, to use parts of the system descriptions and audit results both for the reporting according to ISAE 3402 and/or SOC 2, for example, and for the reporting according to C5. It usually makes sense to cover the same audit period for C5 as for the other audits.

This reduces the additional effort for covering the requirements of C5, for the documentation of the measures in a system description and for the audit itself.

If the cloud provider aims for further certificates (e. g. according to ISO/IEC 27001, ISO 22301 or data protection certificates), it is recommended to incorporate the corresponding auditors in the audit team and to perform a joint audit as far as practicable. This allows further optimisation of the audit efficiency. The reference table provided in a separate document for C5 may help to identify overlaps between the standards mentioned in section 2.3 and C5.

The auditor’s other general possibilities of also using audit results as work of others are part of his or her individual responsibility and remain unaffected by the statements above.
3.4 Audit objective and reporting

3.4.1 Audit objective

With respect to the audit objective, a distinction has to be made as to whether type 1 or type 2 reporting (see section 3.3.1) has been agreed upon. Depending on the type, the auditor issues different audit opinions. The objective of the audit is to allow the auditor to issue a statement with reasonable assurance (audit opinion) as to whether

» the provider’s system description properly reflects the actual design and implementation of the internal control system related to the cloud services at the point in time of the audit (type 1 reporting) and/or during the period of time to be audited (type 2 reporting),

» the controls presented in the system description at the time of the audit (type 1 reporting) and/or during the period of time to be audited (type 2 reporting) are designed appropriately with respect to the fulfilment of the requirements of C5 and

» the controls presented in the system description (only in the case of type 2 audit and reporting) were effective during the period of time to be audited.

3.4.2 Reporting of the auditor

The reporting on the audit includes the following elements (with corresponding application of ISAE 3402) and should be structured accordingly:

1. Independent auditor’s report

» Assignment and scope of the audit

» Responsibility of the legal representatives of the cloud service provider and/or of the cloud provider management responsible for the cloud services

» Independence and quality assurance of the auditor/auditing company, including information on the technical qualification of the auditor

» Responsibility of the auditor

» Inherent limits of controls at service companies

» Audit opinion

» Addressees and use of the certificate

» Notes on the assignment conditions

2. Statement of the legal representatives of the cloud service provider and/or of the cloud provider management responsible for the cloud services (internationally also referred to as “written assertion” or “written statement”)

3. Description of the internal control system related to the cloud services (as part of the system description)

4. Presentation of the requirements and the assigned controls (part of the system description) as well as presentation of the audit activities carried out and the individual audit results of the auditor

5. Optionally: Other information, provided by the service provider

3.5 Separate and supplementary requirements of the BSI

3.5.1 Qualification of the auditor

According to the BSI’s professional point of view, the assessment of an internal control system related to the cloud services on the basis of C5 puts special demands on the qualification of the auditor due to the technical nature of the associated requirements.
In addition to the general requirements for the auditor associated with the application of ISAE 3000 (Revised), the following supplementary requirements are imposed on the auditor or the audit team.

At least half of the members of the audit team have more than 3 years of professional experience in accounting (auditing) and, in addition to this, at least one of the following professional examinations/certifications:

» Information Systems Audit and Control Association (ISACA) – Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC)

» ISO/IEC 27001 Lead Auditor or BSI-certified ISO 27001 Auditor for Audits on the basis of BSI IT-Grundschutz

» Cloud Security Alliance (CSA) – Certificate of Cloud Security Knowledge (CCSK)

» (ISC)² – Certified Cloud Security Professional (CCSP)

As part of the reporting, it must be specified which of the professional examinations/certifications are held by the audit team (e. g. in the section “Independence and quality assurance of the auditor”). Upon request, appropriate documents (e. g. certificates etc.) must be submitted to the client.

3.5.2 Reporting on existing and/or identified exceptions to the requirements

It is in the nature of audits that “negative” audit findings may come up during the course of an audit. Whether or not such a finding has an impact on the audit opinion, the customers of the cloud provider expect remediating measures for error correction as well as system and process optimisation to be performed.

For this reason, the following additional information must be included in the audit report:

» If the deficiency was identified by the service provider, it must be specified when and with which measures the deficiency was identified.

» If the deficiency had already been subject of the reporting over a previous audit period, it must be specified when and with which measures the deficiency was identified, in addition to a separate note that it was identified in a previous audit period. This assumes that the auditor has access to previous audit reports of the cloud provider. The auditor must seek separate assurance of this as part of the assignment.

» In any case, the measures planned for the future elimination of the deficiency and the date by which these measures will be completed and/or implemented effectively should be specified.

This can be reported, for example, in a separately marked section of the system description or in the optional section “Other information, provided by the service provider”.

3.5.3 Information on the limitation of liability

Regulations regarding the auditor’s liability to the service provider and other recipients of the report may be designed differently, also depending on country-specific regulations concerning the auditor.

In the BSI’s professional point of view, specifications regarding the type and limit of the auditor’s liability are important information for the recipient of the report and therefore must be included in the reporting according to the agreement.

Information on this can be provided, for example, in the section “Notes on the assignment conditions” (if necessary, with reference to further annexes).
3.5.4 Updates of C5

The BSI intends to update C5 regularly according to the general technical developments and to the continuous development of the underlying standards.

In this context, cloud providers and auditors shall have sufficient time to adjust systems and processes as well as the audit approach to updates of C5.

According to the BSI’s professional point of view, the adjustments must be implemented within 12 months after the new version has been published. Any deviations from this must be justified towards customers and auditors.

As described in section 3.3.2, all relevant changes to the internal control system related to the cloud services which were made during the audit period must be documented in the system description in a sufficiently detailed manner. Since updates of C5 must be implemented within 12 months, it may occur within an audit period that the assessment of the appropriateness and effectiveness relates to both the state before and after the implementation.

If the audit period ends between six and twelve months after the publication of the updated C5, the cloud provider must add specifications to the system description regarding the measures which are not yet implemented. This must also indicate when these measures are to be completed and/or implemented effectively.

3.6 Application notes for potential cloud customers: Regular audits and contractual assurance

The previous sections outline the basic requirements for audit and reporting of cloud services. The following chapters will describe the specific requirements of C5. In this section, the BSI provides potential cloud customers with hints on how to use available audit attestations of cloud providers.

First, it should be noted that the security of cloud services is an ongoing task. This understanding must also be reflected in the attestation, which should therefore be renewed at regular intervals – usually every 12 months.

Moreover, the BSI does not have any influence on the actual audit by the certified public auditor and does not check the quality of the cloud service either. The certified public auditor performs their activities for the cloud provider and not for the customer of the provider.

The customer of the cloud provider should consider the compliance with the requirements of C5 (including the requirements for the audit, audit intervals and reporting) as an essential component of their assignment and contractually agree upon this with the provider. This applies particularly if additional requirements are to be met by the cloud provider.

Furthermore, the potential cloud customer should base their decision not only on an existing, current attestation (whether it relates solely to the basic requirements or also to additional requirements) according to C5, but should also request the audit report at regular intervals.
4 Framework conditions of the cloud service (surrounding parameters for transparency)

Objective: the general organisational and legal framework conditions and targets are described comprehensibly and accurately for a third party expert in order to assess the general suitability of the cloud service for the desired application.

UP-01 System description

Basic requirement

In their system description, the cloud provider provides comprehensible and transparent specifications regarding the cloud service, which allow an expert third party to assess the general suitability of the cloud service for the desired application. The system description describes the following aspects:

» Type and scope of the cloud services rendered according to the service level agreement which is typically based on a contract concluded with the cloud customers

» Principles, procedures and safeguards for rendering (development and/or operation) the cloud service, including the controls established

» Description of the infrastructure, network and system components used for the development and operation of the cloud service

» Handling of significant incidents and conditions which constitute exceptions to regular operations, such as the failure of critical IT systems

» Roles and responsibilities of the cloud provider and the cloud customer, including the duties to cooperate and corresponding controls at the cloud customer

» Functions assigned or outsourced to subcontractors

Supplementary information for the basic requirement

The description of the infrastructure, network and system components should be sufficiently detailed so that the cloud customer gains the overview that is necessary for risk assessment as part of their security management, but without putting the security of the cloud provider at risk by this documentation.

UP-02 Jurisdiction and data storage, processing and backup locations

Basic requirement

In service level agreements, their process documentation or comparable documentation, the cloud provider provides comprehensible and transparent specifications regarding its jurisdiction as well as with respect to data storage, processing and backup locations, which allow an expert third party to assess the general suitability of the cloud service for the customer application. This also holds true if data of the cloud customer is processed, stored and backed up by subcontractors of the cloud provider. Data of the cloud customer shall be processed, stored and backed up outside the contractually agreed locations only with the prior express written consent of the cloud customer.
UP-03 Disclosure and investigatory powers

Basic requirement

In service level agreements, their process documentation or comparable documentation, the cloud provider provides comprehensible and transparent specifications regarding applicable disclosure and investigatory powers of government agencies which allow access to data of the cloud customer. The specifications must allow an expert third party to assess the general suitability of the cloud service for the customer application. If the cloud provider uses third-party services, the provider has obtained these specifications from them.

Supplementary information for the basic requirement

Affiliated companies are parent or subsidiary companies of the cloud provider within the meaning of § 271 Para. 2 HGB [German Commercial Code]. Disclosure and investigatory powers usually exist towards the police and the public prosecutor’s office as well as intelligence agencies.

UP-04 Certifications

Basic requirement

In service level agreements, their process documentation or comparable documentation, the cloud provider provides comprehensible and transparent specifications regarding available and valid certifications and certificates of independent third parties, which allow an expert third party to assess the general suitability of the cloud service for the customer application.

Supplementary information for the basic requirement

The following certifications or certificates may be submitted:

» ISO/IEC 27001 (if necessary, also based on IT-Grundschutz)

» ISO 22301

» Proof of compliance with data protection accepted by the responsible data protection authorities

» Audit reports according to ISAE 3402/SSAE 16/SOC 1/IDW PS 951

» Software certificates according to IDW PS 880

In this respect, the target of certification and/or, in the case of system certifications, the corresponding scope is important.
5 Objectives and requirements

5.1 Organisation of information security

Objective: planning, implementation, maintenance and continuous improvement of a framework regarding information security within the organisation.

OIS-01 Information security management system (ISMS)

Basic requirement

The top management initiates, controls and monitors an information security management system (ISMS) which is based on ISO standards of the 2700x series. The instruments and methods used allow a comprehensible control of the following tasks and activities to permanently maintain and ensure information security:

» Planning, implementing the plan and/or carrying out the project

» Performance review and/or monitoring the achievement of objectives

» Eliminating discovered flaws and weaknesses and continuous improvement.

The ISMS also includes the IT processes for the development and operation of the cloud service.

Supplementary information for the basic requirement

If the cloud provider cannot yet submit a certification of the ISMS whose statement of applicability covers the IT processes for the development and operation of the cloud service, appropriateness and effectiveness can be assessed, among other things, by auditing the following requirements:

» Strategic targets regarding information security and responsibility of the top management (OIS-02)

» Identification, analysis, assessment and handling of risks (OIS-07)

» Policies and instructions (SA-01, SA-02 and SA-03)

» Notification of the top management (SPN-01)

Description of additional requirements (confidentiality and availability)

The top management initiates, controls and monitors an information security management system (ISMS), which has a valid certification according to ISO/IEC 27001:2013 or ISO 27001 on the basis of IT-Grundschutz. The statement of applicability covers the IT processes for the development and operation of the cloud service.

OIS-02 Strategic targets regarding information security and responsibility of the top management

Basic requirement

A security policy with security objectives and strategic parameters for achieving these objectives is documented. The security objectives are derived from the corporate objectives and business processes, relevant laws and regulations as well as the current and future expected threat environment with respect to information security. The strategic targets constitute essential framework conditions which are specified in more detail in further policies and instructions (see SA-01). The security policy is adopted by the top management and communicated to all concerned internal and external parties of the cloud provider (e. g. cloud customers, subcontractors).
Supplementary information for the basic requirement

The security policy required here is a basic requirement. Further policies and instructions must be based on the size and complexity of the organisation of the cloud provider and the type of the cloud service offered. Whereas the general security objectives and a strategy to achieve these objectives have to be formulated concisely in the security policy, it typically does not include organisational and technical details. It has proved to be successful to regulate these details in further policies and instructions on different levels. At the lower levels, the level of detail increases, while the change intervals are reduced.

OIS-03 Authorities and responsibilities in the framework of information security

Basic requirement

Responsibilities shared between the cloud provider and cloud customers, duties to cooperate as well as interfaces for the reporting of security incidents and malfunctions are defined, documented, assigned depending on the respective cloud model (infrastructure, platform or software as a service) and the contractual duties, and communicated to all concerned internal and external parties (e. g. cloud customers, subcontractors of the cloud provider). On the part of the cloud provider, at least the following roles (or comparable equivalents) are described in the security policy or associated policies and corresponding responsibilities assigned:

» Head of IT (CIO)

» IT Security Officer (CISO)

» Representative for the handling of IT security incidents (e. g. Head of CERT)

Changes to the responsibilities and interfaces are communicated internally and externally in such a timely manner that all internal and external parties concerned (e. g. cloud customers) are able to respond to them appropriately with organisational and technical safeguards, before the change becomes effective.

Supplementary information for the basic requirement

Documentation and job profiles which define and determine the authorities in the framework of information security should be available. The appropriateness of the assignment of roles and responsibilities to one or several persons at the cloud provider must be assessed against the backdrop of the size and complexity of the organisation.

Description of additional requirements (confidentiality)

The cloud provider identifies all risks related to overlapping or incompatible authorities and responsibilities.

OIS-04 Separation of functions

Basic requirement

Organisational and technical controls are established in order to ensure the separation of roles and responsibilities (also referred to as “separation of duties”) which are incompatible with respect to the confidentiality, integrity and availability of information of the cloud customers. Controls for the separation of functions are established in the following areas in particular:

» Administration of roles, granting and assignment of access authorisations for users under the responsibility of the cloud provider

» Development and implementation of changes to the cloud service

» Maintenance of the physical and logical IT infrastructure relevant to the cloud service (networks, operating systems, databases) and the IT applications if they are in the cloud provider’s area of responsibility according to the contractual agreements with the cloud customers
Cloud Computing ComplianCe Controls Catalogue (C5) | oBjeCtives and requirements

Operative and controlling functions should not be performed by one and the same person at the same time. If it is not possible to achieve a separation of duties for organisational or technical reasons, appropriate compensating controls are established in order to prevent or uncover improper activities.

Description of additional requirements (confidentiality)

The cloud provider has documented any function separation conflicts and the compensating controls established for this purpose comprehensibly (e. g. in a role and rights concept) to allow for an assessment of the appropriateness and effectiveness of these controls.

„ OIS-05 Contact with relevant government agencies and interest groups

Basic requirement

Appropriate and relevant contacts of the cloud provider with government agencies and interest groups are established to be always informed about current threat scenarios and countermeasures.

Supplementary information for the basic requirement

Relevant contacts include, for example:

» Federal Office for Information Security (BSI) (or comparable agencies in other countries)

» OWASP Foundation

» CERT alliances DFN-CERT, TF-CSIRT etc.

Description of additional requirements (confidentiality and availability)

Procedures are defined and documented to communicate the information received to the internal and external employees of the cloud provider and to be able to respond to it appropriately and in a timely manner.

„ OIS-06 Policy for the organization of the risk management

Basic requirement

Policies and instructions for the general procedure applicable to the identification, analysis, assessment and handling of risks and IT risks in particular are documented, communicated and provided according to SA-01.

„ OIS-07 Identification, analysis, assessment and handling of risks

Basic requirement

The procedures for the identification, analysis, assessment and handling of risks, including the IT risks relevant to the cloud service, are carried out at least once a year in order to take internal and external changes and influencing factors into account. The identified risks are comprehensibly documented, assessed and provided with mitigating safeguards according to the safeguards of the risk management.

Supplementary information for the basic requirement

If the cloud provider is a German Aktiengesellschaft (AG) [public limited company] or a German Kommanditgesellschaft auf Aktien (KGaA) [partnership limited by shares], § 91 Para. 2 AktG [German Public Companies Act] applies. According to this, the board of directors must take suitable safeguards, i.e. especially establish a monitoring system so that developments putting the company at risk are detected at an early stage. If these safeguards have already been the subject of an audit carried out by a certified public auditor, these results can be taken into account. In this respect, it must be ensured that the risks relevant to the cloud service (usually IT risks) are the subject of the monitoring system audited. If business processes for the development and/or operation of the cloud service are outsourced to other service companies, the cloud provider still remains responsible for these risks. They must be addressed by appropriate procedures for the selection, control and monitoring of the service companies (see requirements DLL-01 and DLL-02).

Description of additional requirements (confidentiality and availability)

Parameters of the top management for the risk appetite and the risk tolerances of the cloud provider are included in the policy for the risk management or a comparable official document. The timely implementation of the mitigating safeguards is monitored by qualified personnel of the cloud provider. The top management is informed of the status of the identified risks and mitigating safeguards at least once every three months and in an appropriate form.

5.2 Security policies and work instructions

Objective: providing policies and instructions with respect to the security claim and to support the business requirements.

„ SA-01 Documentation, communication and provision of policies and instructions

Basic requirement

Policies and instructions for information security or related topics derived from the security policy are documented in a uniform structure. They are communicated and made available to all internal and external employees of the cloud provider properly and adequately. Policies are versioned and approved by the top management of the cloud provider. The policies and instructions describe at least the following aspects:

» Goals

» Scopes of application

» Roles and responsibilities, including requirements for the qualification of the personnel and the establishment of substitution arrangements

» Coordination of different company departments

» Security architecture and safeguards for the protection of data, IT applications and IT infrastructures which are managed by the cloud provider or third parties

» Safeguards for the compliance with legal and regulatory requirements (compliance)

Supplementary information for the basic requirement

Proper and adequate communication and provision must be assessed with respect to the size and complexity of the cloud provider’s organisation and the type of the cloud service offered. Possible criteria include:

» Addressing the topic of policies and instructions when new employees start their work

» Training and information campaigns when approving new or revising existing policies and instructions

» Form of provision

Policies and instructions are required for the following basic requirements and specified in more detail in the corresponding controls (see brackets below):

» Risk management (OIS-06)

» Management of data media (AM-07)

» Maintenance of infrastructure and devices (PS-05)

» Data backup and restore (RB-06)

» Logging and monitoring (RB-10/RB-11)

» Identification and handling of vulnerabilities (RB-19)

» Management of system and data access authorisations (IDM-01)

» Cryptography and key management (KRY-01)

» Communication security (KOS-05)

» Portability and interoperability (PI-03)

» Procurement and development of cloud services (BEI-01)

» Change management (BEI-03)

» Policies for the handling of and security requirements for service providers and suppliers of the cloud provider (DLL-01)

» Business continuity management (BCM-02)

» Security of mobile terminal devices (MDM-01)

„ SA-02 Review and approval of policies and instructions

Basic requirement

The policies and instructions for information security are reviewed with respect to their appropriateness and effectiveness by specialists of the cloud provider who are familiar with the topic at least once a year. At least the following aspects are taken into account in the review:

» Organisational changes at the cloud provider

» Current and future expected threat environment regarding information security

» Legal and technical changes in the cloud provider’s environment

Revised policies and instructions are approved by committees or bodies of the cloud provider authorised to do so before they become valid.

Description of additional requirements (confidentiality and availability)

The regular review is followed up by central bodies at the cloud provider.

„ SA-03 Deviations from existing policies and instructions

Basic requirement

Exceptions to policies and instructions for information security are approved by committees or bodies of the cloud provider authorised to do so in a documented form. The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by specialists of the cloud provider who are familiar with the topic against the backdrop of the current and future expected threat environment regarding information security at least once a year.

Description of additional requirements (confidentiality and availability)

The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by an independent third party at least once a year as to whether they reflect a realistic picture of the current and future expected threat environment regarding information security (see SPN-01).

5.3 Personnel

Objective: making sure that employees, service providers and suppliers understand their tasks, that they are aware of their responsibility with regard to information security and that the assets of the organisation are protected if the tasks are modified or completed.

„ HR-01 Security check of the background information

Basic requirement

The background of all internal and external employees of the cloud provider with access to data of the cloud customers or of the shared IT infrastructure is checked according to the local legislation and regulation by the cloud provider prior to the start of the employment relationship. To the extent permitted by law, the security check includes the following areas:

» Verification of the person by means of the identity card

» Verification of the curriculum vitae

» Verification of academic titles and degrees

» Request of a police clearance certificate for sensitive posts in the company

Supplementary information for the basic requirement

The security check can be supported by a specialised service provider. If employees of a service provider have access to the user data, the service provider must meet this requirement and make it transparent according to DLL-01 and DLL-02.

Description of additional requirements (confidentiality)

Special approval procedures in the hiring process are established for employees and posts for which particularly sensitive information is accessed.

„ HR-02 Employment agreements

Basic requirement

Employment agreements include the obligations of the cloud provider’s internal and external employees to comply with relevant laws, regulations and provisions regarding information security (see KOS-10). The security policy as well as the policies and instructions for information security derived from this are added to the employment agreement documents. Corresponding compliance is confirmed by the employee by a written statement before they can access the data of the cloud customers or the (shared) IT infrastructure.

„ HR-03 Security training and awareness-raising programme

Basic requirement

A security training and awareness-raising programme tailored to specific target groups on the topic of information security is available and mandatory for all internal and external employees of the cloud provider. The programme is updated at regular intervals with respect to the applicable policies and instructions, the assigned roles and responsibilities as well as the known threats and must then be run through again. The programme includes at least the following contents:

» Regular and documented instruction on the secure configuration and secure operation of the IT applications and IT infrastructure required for the cloud service, including mobile terminal devices

» Appropriate handling of data of the cloud customers

» Regular and documented instruction on known basic threats and

» Regular and documented training on the behaviour in case of security-relevant events.

External service providers and suppliers of the cloud provider, who contribute to the development or operation of the cloud service, are obliged by contract to make their employees and subcontractors aware of the specific security requirements of the cloud provider and train their employees generally in the subject of information security.

Description of additional requirements (confidentiality and availability)

The programme takes different profiles into account and includes further information for posts and employees who have extensive authorisations or access to sensitive data. External employees of service providers and suppliers of the cloud provider, who contribute to the development or operation of the cloud service, are instructed in the specific security requirements of the cloud provider as well as generally in the subject of information security. The cloud provider checks on a random basis that the service providers and suppliers have carried out the instruction in an appropriate manner. The results of the audit are documented comprehensibly.

„ HR-04 Disciplinary measures

Basic requirement

A process for performing disciplinary measures is implemented and communicated to the employees in order to make the consequences of violations of the applicable policies and instructions as well as legal provisions and laws transparent.

„ HR-05 Termination of the employment relationship or changes to the responsibilities

Basic requirement

Internal as well as external employees are informed that the obligations to comply with relevant laws, regulations and provisions regarding information security remain valid even if the area of responsibility changes or the employment relationship is terminated.

5.4 Asset management

Objective: identifying the organisation’s own assets and the persons responsible and ensuring an appropriate level of protection.

„ AM-01 Asset inventory

Basic requirement

The assets (e. g. PCs, peripheral devices, telephones, network components, servers, installation documentation, process instructions, IT applications, tools) used to render the cloud service are identified and inventoried. By means of appropriate processes and safeguards, it is ensured that this inventory remains complete, correct, up-to-date and consistent. A history of the changes to the entries in the inventory is kept in a comprehensible manner. If no effective automatic procedures are established for this, this is ensured by a manual review of the inventory data of the assets which takes place at least once a month.

Supplementary information for the basic requirement

For asset management, see also ISO standards 55001 and 55002.

Description of additional requirements (availability)

In the event of a failure of assets which are of essential importance for the availability of the cloud service (e. g. central network components), the cloud provider is able to promptly detect which cloud customers are affected by this in order to ensure a response to the malfunctions that have occurred which complies with the service level agreement. By means of technical safeguards, it is ensured that the inventory of the assets is updated automatically at regular intervals.

„ AM-02 Assignment of persons responsible for assets

Basic requirement

All inventoried assets are assigned to a person responsible on the part of the cloud provider. The persons responsible of the cloud provider are responsible over the entire life cycle of the assets to ensure that they are inventoried completely and classified correctly.

„ AM-03 Instruction manuals for assets

Basic requirement

Policies and instructions with technical and organisational safeguards for the proper handling of assets are documented, communicated and provided according to SA-01 in the respectively current version.

„ AM-04 Handing in and returning assets

Basic requirement

All internal and external employees of the cloud provider are obliged to return or irrevocably delete all assets which were handed over to them in relation to the cloud service and/or for which they are responsible as soon as the employment relationship has been terminated.

„ AM-05 Classification of information

Basic requirement

The cloud provider uses a uniform classification of information and assets which are relevant to the development and rendering of the cloud service.

Supplementary information for the basic requirement

The classification of information and assets should, among other things, take the following specifications into consideration:

» Criticality for the rendering of the cloud service

» Sensitivity to unauthorised disclosure or modification

» Data type

» Applicable legislation of the assets

» Geographical location

» Context

» Legal restrictions

» Contractual restrictions

» Value

„ AM-06 Labelling of information and handling of assets

Basic requirement

Work instructions and processes for the implemented classification scheme of information and assets are in place in order to ensure the labelling of information as well as the corresponding handling of assets. This only refers to assets which store or process information.

Supplementary information for the basic requirement

The labelling of information must be carried out after the classification has been performed and is usually the responsibility of the asset owners. A labelling method could be a provision for documents so that the confidentiality level is specified in the same place on each page of the document. Methods for the handling of assets should include information as to how assets are to be protected according to each confidentiality level.

„ AM-07 Management of data media

Basic requirement

Policies and instructions with technical and organisational safeguards for the secure handling of data media of any type are documented, communicated and provided according to SA-01. The targets establish a reference to the classification of information (see AM-05). They include the secure use, the secure transport as well as the irrevocable deletion and destruction of data media.

Supplementary information for the basic requirement

Policies and instructions should take the following aspects into account:

» Secure and irrevocable deletion of the data and disposal/destruction of the data media

» Encryption of removable media

» Transmission of data to new data media when a medium is replaced

„ AM-08 Transfer and removal of assets

Basic requirement

Devices, hardware, software or data may only be transferred to external premises after this has been approved by authorised committees or bodies of the cloud provider. The transfer takes place securely according to the type of the assets to be transferred.
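As an added example for AM-01, AM-02 and AM-05 above (not code from the C5 catalogue or from any cloud provider), the following reconciles an asset inventory against the result of an automatic discovery run: unknown assets are added with a change-history entry and a conservative classification, assets absent from the run and assets without a responsible person are reported, and a protection level is derived from the classification attributes. The inventory records, the discovery result, the two classification attributes used (criticality and sensitivity) and the protection-level scheme are constructed assumptions.

```python
"""Asset inventory reconciliation with change history and classification.

Added example, not from the C5 catalogue or a provider's tooling. The
inventory entries, the discovery result and the classification scheme are
constructed sample data; AM-05's criteria are reduced to criticality and
sensitivity for the sake of the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    kind: str                  # e.g. "server", "network component"
    owner: Optional[str]       # AM-02: a responsible person must be assigned
    criticality: str           # AM-05: "high" / "medium" / "low"
    sensitivity: str           # AM-05: "high" / "medium" / "low"


@dataclass
class Inventory:
    assets: dict = field(default_factory=dict)   # asset_id -> Asset
    history: list = field(default_factory=list)  # (date, asset_id, action, detail)

    def record(self, when, asset_id, action, detail=""):
        """Append a comprehensible change-history entry (AM-01)."""
        self.history.append((when, asset_id, action, detail))


def protection_level(asset):
    """Map the classification attributes to a protection level (assumed scheme)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    level = max(rank[asset.criticality], rank[asset.sensitivity])
    return ["basic", "elevated", "high"][level]


def reconcile(inventory, discovered, when):
    """Update the inventory from an automatic discovery run and report.

    discovered: asset_id -> kind, as delivered by a discovery scan.
    when: ISO date string of the run.
    Returns the ids of newly added, not-found and ownerless assets.
    """
    new, missing, ownerless = [], [], []
    for asset_id, kind in discovered.items():
        if asset_id not in inventory.assets:
            # Unknown asset: inventory it at once, unowned and classified
            # conservatively until the responsible person classifies it.
            inventory.assets[asset_id] = Asset(asset_id, kind, None, "high", "high")
            inventory.record(when, asset_id, "added", f"discovered as {kind}")
            new.append(asset_id)
    for asset_id, asset in inventory.assets.items():
        if asset_id not in discovered:
            inventory.record(when, asset_id, "not found", "absent from discovery run")
            missing.append(asset_id)
        if asset.owner is None:
            ownerless.append(asset_id)
    return {"new": new, "missing": missing, "ownerless": ownerless}


def sample_inventory():
    """Constructed starting inventory (assumption)."""
    inv = Inventory()
    inv.assets["srv-01"] = Asset("srv-01", "server", "ops-team-lead", "high", "medium")
    inv.assets["sw-core-01"] = Asset("sw-core-01", "network component", "network-lead", "high", "low")
    inv.assets["prn-03"] = Asset("prn-03", "peripheral device", "office-services", "low", "low")
    return inv


# Constructed discovery result: one known server is missing, one is new.
DISCOVERED = {"srv-01": "server", "sw-core-01": "network component", "srv-07": "server"}


def run_sample():
    inv = sample_inventory()
    report = reconcile(inv, DISCOVERED, "2016-02-01")
    return inv, report


if __name__ == "__main__":
    inv, report = run_sample()
    print(report)
    for entry in inv.history:
        print(entry)
```

Assets that a discovery run does not see (here the printer) are not deleted automatically; they are reported so that the monthly manual review decides whether the entry is stale or the asset is merely unreachable.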

5.5 Physical security

Objective: preventing unauthorised physical site access and protection against theft, damage, loss and failure of operations.

„ PS-01 Perimeter protection

Basic requirement

The perimeter of premises or buildings which house sensitive or critical information, information systems or other network infrastructure is protected in a physically solid manner and by means of appropriate security safeguards that conform to the current state of the art.

Supplementary information for the basic requirement

Possible security safeguards could include, for example, fences, walls, security guards or video monitoring. For the outer doors and windows, burglar-resistant material (e.g. according to DIN EN 1627 resistance class RC 2) and corresponding closing devices should be installed.

Description of additional requirements (confidentiality)

The security concept includes the setup of different security zones which are separated by security lines as monitored and secured gateways between the zones.

„ PS-02 Physical site access control

Basic requirement

Access to the premises or buildings which house sensitive or critical information, information systems or other network infrastructure is secured and monitored by means of physical site access controls in order to avoid unauthorised site access.

Description of additional requirements (confidentiality)

The physical site access controls require two-factor authentication.

„ PS-03 Protection against threats from outside and from the environment

Basic requirement

Structural, technical and organisational safeguards are taken to protect premises or buildings which house sensitive or critical information, information systems or other network infrastructure against fire, water, earthquakes, explosions, civil disturbances and other forms of natural threats and threats caused by humans. At two geo-redundant sites, at least the following safeguards are carried out:

Structural safeguards:

» Setup of a separate fire zone for the computer centre

» Use of fire-resistant materials according to DIN 4102-1 or EN 13501 (period of fire resistance of at least 90 minutes)

Technical safeguards:

» Sensors to monitor temperature and humidity

» Connecting the building to a fire alarm system with notification of the local fire department

» Early fire detection and extinguishing systems

Organisational safeguards:

» Regular fire drills and fire safety inspections to check compliance with fire protection measures

Description of additional requirements (availability)

The environmental parameters are monitored. If the tolerable control range is exceeded from below or above, alarm messages are generated and forwarded to the responsible bodies.

„ PS-04 Protection against interruptions caused by power failures and other such risks

Basic requirement

Precautions against the failure of supply services such as power, cooling or network connections are taken by means of suitable safeguards and redundancies in coordination with safeguards for operational reliability. Power and telecommunication supply lines which transport data or supply information systems must be protected against interception and damage.

Supplementary information for the basic requirement

Suitable safeguards for precautions typically include the following:

» Redundant power supply and air conditioning systems

» Use of appropriately dimensioned uninterruptible power supplies (UPS) and emergency power systems (EPS)

» Redundant network connection via different physical connections

Furthermore, the cloud provider should determine and communicate which external temperatures the air conditioning of the computer centre can withstand for how long (e. g. 30°C/14 days, 35°C/6 days, 40°C/4 days). If river water is used for cooling, it should be specified at which water levels the air conditioning can be maintained for how long. To demonstrate resilience against interception and the protection against damage, wiring diagrams and a corresponding protection concept can be submitted, which is checked for plausibility in discussion with the person responsible. During visual inspection, attention should be paid, among other things, to traces of violent opening attempts at closed distributors, currency of the documentation inside the distributors, conformity of the actual wiring and patches with the documentation, intactness of the short circuits and grounding of non-required lines as well as for impermissible installations and changes.

Description of additional requirements (availability)

The supply services are monitored. If the tolerable control range is exceeded from below or above, alarm messages are generated and forwarded to the responsible bodies. The cloud provider determines and communicates the times of self-sufficient supply which are achieved by the safeguards taken if the supply services fail or if extraordinary events occur (e. g. heat waves, long lasting power failure) as well as the maximum tolerable times for a failure of the supply services. Contracts for maintaining the precautions with corresponding service providers have been concluded (e. g. for the fuel of the emergency power supply).

„ PS-05 Maintenance of infrastructure and devices

Basic requirement

Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 which describe the maintenance (especially remote maintenance), deletion, updating and re-use of assets in information processing in outsourced premises or by external personnel.

Supplementary information for the basic requirement

Policies and instructions should take the following aspects into account:

» Secure deletion of sensitive data prior to external repair or maintenance

» Analyses of the assets prior to re-use in order to avoid manipulations or malfunctions

» Renewal of assets if availability, security, integrity or confidentiality could be at risk
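The monitoring that PS-03 and PS-04 above require for environmental parameters and supply services, as an added example that is not part of the C5 catalogue or any provider's monitoring tool: readings are compared against a tolerable control range with a lower and an upper bound, a breach in either direction produces an alarm addressed to the body responsible for that parameter, a reading from a sensor that is not in the monitoring concept is flagged rather than silently dropped, and the achievable times of self-sufficient supply are compared with the maximum tolerable failure times per supply service. The parameter names, ranges, responsible bodies, sample readings and supply times are constructed assumptions.

```python
"""Tolerance-range monitoring with alarm routing (PS-03 / PS-04).

Added example, not from the C5 catalogue or a provider's monitoring system.
Parameter names, tolerable ranges, responsible bodies, sample readings and
supply times are constructed assumptions.
"""

# parameter -> (lower bound, upper bound, unit, responsible body)
TOLERABLE_RANGE = {
    "temperature_c": (18.0, 27.0, "°C", "facility-management"),
    "humidity_pct": (40.0, 60.0, "%", "facility-management"),
    "ups_input_v": (207.0, 253.0, "V", "electrical-operations"),
    "mains_freq_hz": (49.8, 50.2, "Hz", "electrical-operations"),
}


def evaluate_readings(readings, ranges=TOLERABLE_RANGE):
    """Return alarm messages for readings outside their tolerable range.

    readings: list of (timestamp, parameter, value). A value below the lower
    bound or above the upper bound yields one alarm addressed to the body
    responsible for the parameter. A parameter that is not part of the
    monitoring concept yields a data-quality alarm, so that a mislabelled or
    unplanned sensor does not go unnoticed.
    """
    alarms = []
    for ts, parameter, value in readings:
        if parameter not in ranges:
            alarms.append({"time": ts, "to": "monitoring-operations", "parameter": parameter,
                           "reason": "unknown parameter", "value": value})
            continue
        low, high, unit, body = ranges[parameter]
        if value < low:
            reason = f"below tolerable range ({value}{unit} < {low}{unit})"
        elif value > high:
            reason = f"above tolerable range ({value}{unit} > {high}{unit})"
        else:
            continue  # within the control range: no alarm
        alarms.append({"time": ts, "to": body, "parameter": parameter,
                       "reason": reason, "value": value})
    return alarms


def self_sufficiency_gap(supply_times_h, tolerable_failure_h):
    """Supply services whose self-sufficient supply time falls short of the
    maximum tolerable failure time, with the shortfall in hours.
    """
    return {svc: tolerable_failure_h[svc] - supply_times_h.get(svc, 0)
            for svc in tolerable_failure_h
            if supply_times_h.get(svc, 0) < tolerable_failure_h[svc]}


# Constructed sample readings: one too dry, one too warm, one from a sensor
# that is not part of the monitoring concept.
SAMPLE_READINGS = [
    ("2016-02-01T08:00:00Z", "temperature_c", 22.5),
    ("2016-02-01T08:00:00Z", "humidity_pct", 35.0),
    ("2016-02-01T08:00:00Z", "ups_input_v", 231.0),
    ("2016-02-01T08:05:00Z", "temperature_c", 29.1),
    ("2016-02-01T08:05:00Z", "mains_freq_hz", 50.0),
    ("2016-02-01T08:05:00Z", "chiller_flow_lpm", 120.0),
]

# Constructed self-sufficiency figures (hours): cooling cannot bridge the
# tolerable failure time on its own.
SAMPLE_SUPPLY_H = {"power": 72, "cooling": 4, "network": 48}
SAMPLE_TOLERABLE_H = {"power": 24, "cooling": 8, "network": 24}

if __name__ == "__main__":
    for alarm in evaluate_readings(SAMPLE_READINGS):
        print(alarm)
    print(self_sufficiency_gap(SAMPLE_SUPPLY_H, SAMPLE_TOLERABLE_H))
```

The returned shortfall per supply service is the figure to compare with the contracts PS-04 mentions (e.g. for fuel delivery): a shortfall means the precautions alone do not cover the tolerable failure time.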

5.6 Operations

Objective: ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors.

„ RB-01 Capacity management – planning

Basic requirement

The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid capacity bottlenecks. The procedures include forecasts of future capacity requirements in order to identify use trends and master system overload risks.

Supplementary information for the basic requirement

For economic reasons, cloud providers typically strive for a high utilisation of the IT resources (CPU, memory, storage space, network). In multi-client environments, the available resources must still be distributed between the cloud users (clients) so that the service level agreements are complied with. In this respect, the appropriate planning and monitoring of IT resources is critical to the availability and competitiveness of the cloud service. If the procedures are not documented or are subject to a higher confidentiality level as a trade secret of the cloud provider, it must be possible to explain the procedures as part of this audit at least orally.

Description of additional requirements (availability)

The forecasts are taken into account in coordination with the service level agreement for the planning and preparation of the provisioning.

„ RB-02 Capacity management – monitoring

Basic requirement

Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the cloud provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured.

Supplementary information for the basic requirement

Technical and organisational safeguards typically include the following:

» Use of monitoring tools with alarm function if defined thresholds are exceeded

» Process for correlating events and interface with incident management

» Continuous monitoring of the systems by qualified personnel

» Redundancies in the IT systems

Description of additional requirements (availability)

To monitor the capacity and the availability, the cloud customer is provided with relevant information via a self-service portal.

„ RB-03 Capacity management – data location

Basic requirement

The cloud customer is able to determine the locations (city/country) of the data processing and storage including data backups.

Supplementary information for the basic to protect them against malware. The update is
requirement performed with the highest frequency that is
contractually offered by the manufacturer(s).
This requirement supplements requirement
UP-02 in which the locations are to be docu-
mented. If a cloud provider renders their services „ RB-06 Data backup and restoration –
at several sites, this requirement demands the concept
cloud provider to define precisely at which site
the service is rendered and the data processed. Basic requirement

Policies and instructions with technical and


„ RB-04 Capacity management – control organisational safeguards in order to avoid losing
of resources data are documented, communicated and pro-
vided according to SA-01. They provide reliable
Basic requirement procedures for the regular backup (backup as
well as snapshots, where applicable) and restora-
In case of IaaS/PaaS, the cloud customer is able tion of data. The scope, frequency and duration
to control and monitor the distribution of the of the retention comply with the contractual
system resources assigned to them for adminis- agreements concluded with the cloud customers
tration/use (e. g. computing capacity or storage as well as the cloud provider’s business require-
capacity) in order to prevent resources from being ments. Access to the data backed up is limited to
congested. authorised personnel. Restoration procedures
include control mechanisms that ensure that
restorations are carried out only after they have
„ RB-05 Protection against malware been approved by persons authorised to do so
according to the contractual agreements with the
Basic requirement cloud customers or the internal policies of the
cloud provider.
The logical and physical IT systems which the
cloud provider uses for the development and Supplementary information for the basic
rendering of the cloud service as well as the net- requirement
work perimeters which are subject to the cloud
provider’s area of responsibility are equipped When making data backups, a distinction must be
with anti-virus protection and repair programs made between backups and snapshots of virtual
which allow for a signature- and behaviour-based machines. Snapshots do not replace backups, but
detection and removal of malware. The programs can be part of the backup strategy in order to
are updated according to the contractual agree- achieve the recovery point objectives (RPO) pro-
ments concluded with the manufacturer(s), but at vided that they are stored additionally outside the
least once a day. original data location. The business requirements
of the cloud provider for the scope, frequency and
Description of additional requirements duration of the data backup are derived from the
(confidentiality and availability) business impact analysis (see control BCM-03)
for development and operating processes of the
The cloud provider draws up regular reports on cloud service. If there are different data backup
the performed audits, which are reviewed and and restoration procedures for data under the
analysed by authorised bodies or committees. responsibility of the cloud customer and the
Policies and instructions describe the technical cloud provider, both versions are to be involved in
safeguards for the secure configuration and an audit according to C5. For procedures applied
monitoring of the management console (both to the backup of the cloud provider’s data, only
the self- service of the customer and the cloud evidence of the appropriateness and implemen-
administration of the service provider) in order tation of the controls must be demonstrated,

42
Cloud Computing ComplianCe Controls Catalogue (C5) | oBjeCtives and requirements

but not of their effectiveness. For procedures applied to the backup of the cloud customers’ data, evidence of their effectiveness must also be demonstrated.

Description of additional requirements (confidentiality)

The data is backed up in encrypted form that conforms to the current state of the art.

RB-07 Data backup and restoration – monitoring

Basic requirement

The process of backing up data is monitored by means of technical and organisational safeguards. Malfunctions are examined and eliminated promptly by qualified employees in order to ensure compliance with the contractual duties towards the cloud customers or the cloud provider’s business requirements with respect to the scope, frequency and duration of the retention.

Description of additional requirements (availability)

To monitor the data backup, the cloud customer is provided with the relevant logs or the summary of the results via a self-service portal.

RB-08 Data backup and restoration – regular tests

Basic requirement

Backup media and restoration procedures must be tested with dedicated test media by qualified employees at regular intervals. The tests are designed in such a way that the reliability of the backup media and the restoration time can be audited with sufficient certainty. The tests are carried out by qualified employees and the results documented comprehensibly. Any occurring errors are eliminated in a timely manner.

Description of additional requirements (availability)

Upon customer request, the cloud provider informs the cloud customers of the results of the restoration tests. Restoration tests are incorporated into the business continuity management of the cloud provider.

RB-09 Data backup and restoration – storage

Basic requirement

The data to be backed up is transmitted to a remote site (e. g. another data centre of the cloud provider) or transported to a remote site on backup media. If the backup of the data is transmitted to the remote site via a network, this is carried out in an encrypted form that conforms to the state of the art. The distance to the main site should be large enough to ensure that catastrophes there do not lead to a loss of data at the remote site and, at the same time, short enough to be able to fulfill the contractual duties regarding the restoration times. The safeguards taken to ensure the physical and environment-related security at the remote site correspond to the level at the main site.

RB-10 Logging and monitoring – concept

Basic requirement

Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to log events on all assets which are used for the development or operation of the cloud service and to store them in a central place. The logging includes defined events which may impair the security and availability of the cloud service, including logging the activation, stopping and pausing of different logs. In case of unexpected or unusual events, the logs are checked by authorised personnel in order to allow for a timely examination of malfunctions and security incidents as well as for the initiation of suitable safeguards.
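RB-08 asks that restoration tests show, with sufficient certainty, that the backup media are reliable and that the restoration time can be met. The Python below is an added example and not part of the C5 catalogue: it records a SHA-256 manifest when a backup is taken, times a restoration from the test media, and reports corrupted or missing objects and whether the contractual restoration time (assumed here as an `rto_s` parameter) was kept. The backup set and the faulty restore function are constructed.

```python
# Added example for RB-08/RB-09 (not part of the C5 catalogue): verify a restoration
# test against a manifest written at backup time and against the contractual
# restoration time. All names and sample data below are constructed.
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class RestoreReport:
    corrupted: list = field(default_factory=list)  # restored content differs from the manifest
    missing: list = field(default_factory=list)    # backup object not restored at all
    elapsed_s: float = 0.0                         # measured restoration time
    rto_s: float = 0.0                             # contractually agreed restoration time

    @property
    def within_rto(self) -> bool:
        return self.elapsed_s <= self.rto_s

    @property
    def passed(self) -> bool:
        return not self.corrupted and not self.missing and self.within_rto


def build_manifest(backup_set: dict) -> dict:
    """SHA-256 per backed-up object, recorded when the backup is taken."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in backup_set.items()}


def verify_restore(restored: dict, manifest: dict, elapsed_s: float, rto_s: float) -> RestoreReport:
    """Compare the restored objects with the manifest and the elapsed time with the RTO."""
    report = RestoreReport(elapsed_s=elapsed_s, rto_s=rto_s)
    for name, digest in manifest.items():
        if name not in restored:
            report.missing.append(name)
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            report.corrupted.append(name)
    return report


def run_restore_test(backup_set: dict, restore_fn, rto_s: float) -> RestoreReport:
    """Time a restoration from dedicated test media (restore_fn) and verify its result."""
    manifest = build_manifest(backup_set)
    start = time.monotonic()
    restored = restore_fn(backup_set)
    return verify_restore(restored, manifest, time.monotonic() - start, rto_s)


# Constructed sample: a small backup set and a restore that silently truncates one object.
SAMPLE_BACKUP = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'constructed');",
    "cfg/app.yaml": b"mode: prod\n",
}


def faulty_restore(backup_set: dict) -> dict:
    """Simulates unreliable media: the database dump comes back truncated."""
    restored = dict(backup_set)
    restored["db/customers.sql"] = restored["db/customers.sql"][:-5]
    return restored


if __name__ == "__main__":
    report = run_restore_test(SAMPLE_BACKUP, faulty_restore, rto_s=3600)
    print("passed:", report.passed, "corrupted:", report.corrupted, "missing:", report.missing)
```

The manifest is what makes the test auditable: the comparison is against digests fixed at backup time, not against whatever the production system currently holds, so a medium that degraded after the backup is caught.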


Supplementary information for the basic requirement

Security-relevant events include, among other things:

» Login and logout processes

» Creation, change or deletion of users and extension of authorisations

» Use, extension and changes of privileged data access authorisations

» Use of temporary authorisations

Since the logged data is usually personal data, the data protection-related requirements for retention must be taken into account and checked in this case. Experience has shown that a retention period of one year should not be exceeded.

RB-11 Logging and monitoring – meta data

Basic requirement

Policies and instructions with technical and organisational safeguards for the secure handling of meta data (user data) are documented, communicated and provided according to SA-01. The meta data is collected and used only for accounting and billing purposes, for eliminating malfunctions and errors (incident management) as well as for processing security incidents (security incident management). The meta data is not used for commercial purposes. Meta data must be deleted immediately once it is no longer required to fulfill the legitimate purpose according to this requirement. The period of time during which meta data is retained is determined by the cloud provider. It is reasonably related to the purposes pursued with the collection of meta data.

Supplementary information for the basic requirement

Meta data is all data which arises at the cloud provider when their service is used by the cloud customer and which is not content data. This includes, among other things, login/logout times, IP addresses, GPS position of the customer, which resources (network, storage, computer) were used, which data was accessed when, with whom the data was shared, who was communicated with etc. Part of this data is used for accounting and billing purposes and for the (security) incident management. Moreover, it is also suitable for making the customer behaviour and (depending on the cloud service) a large part of decision-making and work processes transparent for the cloud provider. With the requirement, the collection and use of the meta data should be limited in a transparent and clear manner.

RB-12 Logging and monitoring – critical assets

Basic requirement

The cloud provider maintains a list of all assets critical in terms of logging and monitoring and reviews this list for currency and correctness at regular intervals. For these critical assets, advanced logging and monitoring safeguards are defined.

RB-13 Logging and monitoring – storage of the logs

Basic requirement

The generated logs are stored on central logging servers on which they are protected against unauthorised access and changes. Logged data must be deleted immediately once it is no longer required to fulfill the purpose. Authentication takes place between the logging servers and the logged assets in order to protect the integrity and authenticity of the transmitted and stored information. The transmission is encrypted in a manner that conforms to the state of the art or takes place via a separate administration network (out-of-band management).
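RB-10 and RB-13 require events to be collected centrally, with authentication between the logged assets and the logging servers and with protection against changes; RB-14 (further down) lists the fields each record needs. As an added example, not code from the catalogue, the Python below keeps an append-only log with those fields and chains every record to its predecessor with an HMAC, so the logging server can verify that nothing was edited, dropped or reordered. The key, the events and the tenant names are constructed.

```python
# Added example for RB-10, RB-13 and RB-14 (not part of the C5 catalogue): an append-only
# audit log whose records carry the RB-14 fields and are chained with an HMAC, so that an
# edited, deleted or reordered record is detected when the chain is verified.
# Key and sample events are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous tag" of the first record


def _canonical(record: dict) -> bytes:
    """Stable serialisation, so asset and logging server compute the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key          # shared between the logged asset and the logging server
        self.records = []
        self._last_tag = GENESIS

    def append(self, *, user_id, tenant, source, target, activity, success, ts=None) -> dict:
        record = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "tenant": tenant,        # RB-14: identification down to the tenant level
            "source": source,
            "target": target,
            "activity": activity,
            "success": success,
            "prev": self._last_tag,  # links this record to its predecessor
        }
        record["tag"] = hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()
        self.records.append(record)
        self._last_tag = record["tag"]
        return record

    def verify(self) -> bool:
        """Recompute every tag and the chain; False on any edit, deletion or reordering."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("prev") != prev:
                return False
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.get("tag", "")):
                return False
            prev = rec["tag"]
        return True

    def for_tenant(self, tenant: str) -> list:
        """Records a single customer may receive on request (RB-14 additional requirement)."""
        return [r for r in self.records if r["tenant"] == tenant]


def build_sample_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    """Three constructed events from two tenants, with a fixed timestamp for reproducibility."""
    log = AuditLog(key)
    t0 = datetime(2016, 2, 1, 8, 0, tzinfo=timezone.utc)
    log.append(user_id="alice", tenant="tenant-a", source="10.0.0.5", target="vm-17",
               activity="login", success=True, ts=t0)
    log.append(user_id="alice", tenant="tenant-a", source="10.0.0.5", target="bucket/a",
               activity="read", success=True, ts=t0)
    log.append(user_id="mallory", tenant="tenant-b", source="10.0.9.9", target="vm-17",
               activity="login", success=False, ts=t0)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify(), "tenant-a records:", len(log.for_tenant("tenant-a")))
```

A shared HMAC key authenticates the asset towards the logging server on the way in. It does not protect the stored log against the logging server itself: for that, the verification key must be held elsewhere, for example by signing records with a key the server does not have.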


Description of additional requirements (confidentiality)

Upon request of the cloud customer, the cloud provider offers customer-specific logging (in terms of the scope and duration of the storage) and makes it available to the customer. Depending on the protection requirements and technical feasibility, the logged data and the user data should be separated logically or physically.

RB-14 Logging and monitoring – accountability

Basic requirement

The generated logs allow for a clear identification of user access down to the tenant level in order to support (forensic) analyses in the case of a security incident.

Supplementary information for the basic requirement

The logs should contain the following information:

» User ID

» Date and time

» Source & target (e. g. identity or name of the affected data, system components or resources)

» Activities carried out

» Information about success or failure of the access

Description of additional requirements (confidentiality)

Upon request of the cloud customer, the cloud provider makes the logs affecting them available promptly and in an appropriate form so that they can examine the incidents affecting them themselves.

RB-15 Logging and monitoring – configuration

Basic requirement

The access to and management of the logging and monitoring functionalities is limited to selected and authorised employees of the cloud provider. Changes to the logging and monitoring are checked by independent and authorised employees and approved beforehand.

Description of additional requirements (confidentiality)

The access to and management of the logging and monitoring functionalities requires multi-factor authentication.

RB-16 Logging and monitoring – availability of the monitoring software

Basic requirement

The availability of the logging and monitoring software is monitored independently. In case the logging and monitoring software fails, the responsible employees are informed immediately.

Description of additional requirements (confidentiality and availability)

The logging and monitoring software is designed redundantly in order to also monitor the security and availability of the customer systems in the event of failures.

RB-17 Handling of vulnerabilities, malfunctions and errors – concept

Basic requirement

Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure the prompt identification and addressing of vulnerabilities over all levels of the cloud service for which the cloud provider is responsible. The safeguards include, among other things:


» Regular identification and analysis of vulnerabilities

» Regular follow-up of safeguards in order to address identified vulnerabilities (e. g. installation of security updates according to internal target specifications)

RB-18 Handling of vulnerabilities, malfunctions and errors – penetration tests

Basic requirement

The cloud provider has penetration tests performed by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to documented test methods and include the infrastructure components defined to be critical to the secure operation of the cloud service, which were identified as such as part of a risk analysis. Type, scope, time/period of time and results are documented comprehensibly for an independent third party. Findings from the penetration tests are assessed and, in case of medium or high criticality regarding the confidentiality, integrity or availability of the cloud service, followed up and remedied. The assessment of the criticality and the mitigating safeguards for the individual findings are documented.

Supplementary information for the basic requirement

The vulnerabilities should be classified according to the damage potential and specify a period of time for the required response. As guidance, the following classification according to the BSI publication “Ein Praxis-Leitfaden für IS-Penetrationstests” (A practical guide to IS penetration tests) can be used:

» High: Immediate response

» Medium: Short-term response

» Low: Medium-term response

» Information: Long-term response

Description of additional requirements (confidentiality and availability)

The tests are carried out every six months. They must always be performed by independent external auditors. Internal penetration test personnel may support the external service providers.

RB-19 Handling of vulnerabilities, malfunctions and errors – integration with change and incident management

Basic requirement

Policies and instructions with technical and organisational safeguards for the handling of critical vulnerabilities are documented, communicated and provided according to SA-01. The safeguards are coordinated with the activities of the change management and the incident management.

RB-20 Handling of vulnerabilities, malfunctions and errors – involvement of the cloud customer

Basic requirement

The cloud customer is informed by the cloud provider of the status of the incidents affecting them regularly and in an appropriate form that corresponds to the contractual agreements, or is involved in the corresponding remedial actions. As soon as an incident has been remedied from the cloud provider’s point of view, the cloud customer is informed of the safeguards taken. This information is sufficiently detailed so that the cloud customer can use it in their security management.

RB-21 Handling of vulnerabilities, malfunctions and errors – check of open vulnerabilities

Basic requirement

The IT systems which the cloud provider uses for the development and rendering of the cloud service are checked automatically for known


vulnerabilities at least once a month. In the event of deviations from the expected configurations (for example, the expected patch level), the reasons for this are analysed in a timely manner and the deviations remedied or documented according to the exception process (see SA-03).

Supplementary information for the basic requirement

In contrast to the penetration tests (see RB-18), which are performed manually and according to an individual scheme, the checking for open vulnerabilities is carried out automatically using so-called vulnerability management tools.

Description of additional requirements (confidentiality)

Upon customer request, the cloud provider informs the cloud customer of open vulnerabilities in an appropriate form. The open vulnerabilities are remedied promptly without exception.

RB-22 Handling of vulnerabilities, malfunctions and errors – system hardening

Basic requirement

System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented, as is the implementation status.

Description of additional requirements (confidentiality)

Upon request, the cloud customer must be informed of the standards used and the safeguards taken to harden the system components.

RB-23 Segregation of stored and processed data of the cloud customers in jointly used resources

Basic requirement

Data is separated securely and strictly on jointly used virtual and physical resources (storage network, memory) according to a documented concept in order to guarantee the confidentiality and integrity of the stored and processed data.

Supplementary information for the basic requirement

A technical segregation (separation) of stored and processed data of the cloud customers in jointly used resources can be achieved by firewalls, access lists, tagging (identification of the data), VLANs, virtualisation and safeguards in the storage network (e. g. LUN masking). If the appropriateness and effectiveness of the segregation cannot be assessed with sufficient certainty (e. g. due to a complex implementation), evidence can also be demonstrated by audit results of expert third parties (e. g. penetration tests for the validation of the concept). The segregation of transmitted data is the subject of control KOS-05.

Description of additional requirements (confidentiality)

Resources in the storage network (storage) are segmented by secure zoning (LUN binding and LUN masking).
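RB-21 calls for an automatic check of the provider's systems against known vulnerabilities and the expected configuration at least monthly, with every deviation either remedied or documented via the exception process (SA-03). The Python below is an added example and not from the catalogue: it compares an inventory export against a patch-level baseline and a list of versions with known vulnerabilities, and separates open findings from documented exceptions. Hosts, package names, versions and the advisory data are all constructed.

```python
# Added example for RB-21/RB-22 (not part of the C5 catalogue): automatic comparison of
# installed package versions against the expected patch level and a list of versions
# with known vulnerabilities, with documented exceptions (SA-03) kept apart from open
# findings. Inventory, baseline and advisory data are constructed, not real products.
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    host: str
    package: str
    installed: str
    expected: str
    reason: str                # "known_vulnerable" or "below_patch_level"
    documented_exception: bool


def _version(v: str) -> tuple:
    """Numeric dotted versions only, which is all the constructed data uses."""
    return tuple(int(p) for p in v.split("."))


def check_inventory(inventory: dict, baseline: dict, vulnerable: dict, exceptions: set) -> list:
    """inventory:  {host: {package: installed version}}
    baseline:   {package: minimum version expected by the patch process}
    vulnerable: {package: {versions with a known vulnerability}}
    exceptions: {(host, package)} documented via the exception process"""
    found = []
    for host, packages in inventory.items():
        for pkg, installed in packages.items():
            excepted = (host, pkg) in exceptions
            expected = baseline.get(pkg, installed)
            if installed in vulnerable.get(pkg, set()):
                found.append(Deviation(host, pkg, installed, expected, "known_vulnerable", excepted))
            elif pkg in baseline and _version(installed) < _version(baseline[pkg]):
                found.append(Deviation(host, pkg, installed, expected, "below_patch_level", excepted))
    return found


def open_findings(deviations: list) -> list:
    """Deviations that are neither remedied nor covered by a documented exception."""
    return [d for d in deviations if not d.documented_exception]


# Constructed sample data (hypothetical hosts, packages and advisories).
INVENTORY = {
    "web-01": {"tls-lib": "1.1.1", "web-server": "1.18.0"},
    "db-01": {"tls-lib": "1.0.2", "db-engine": "12.4"},
    "mgmt-01": {"tls-lib": "1.1.1", "legacy-agent": "2.3.0"},
}
BASELINE = {"tls-lib": "1.1.1", "web-server": "1.18.0", "db-engine": "12.5", "legacy-agent": "3.0.0"}
VULNERABLE = {"tls-lib": {"1.0.2"}}
EXCEPTIONS = {("mgmt-01", "legacy-agent")}  # documented per SA-03, e.g. a vendor-pinned version


if __name__ == "__main__":
    for d in check_inventory(INVENTORY, BASELINE, VULNERABLE, EXCEPTIONS):
        state = "exception" if d.documented_exception else "OPEN"
        print(f"{d.host}: {d.package} {d.installed} (expected {d.expected}) {d.reason} [{state}]")
```

The two reasons are kept distinct on purpose: a version below the patch baseline is a process deviation to explain, while a version on the advisory list is an open vulnerability that the additional requirement says must be remedied without exception.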


5.7 Identity and access management

Objective: securing the authorisation and authentication of users of the cloud provider (usually privileged users) and the cloud customer in order to prevent unauthorised access.

IDM-01 Policy for system and data access authorisations

Basic requirement

A role and rights concept based on the business and security requirements of the cloud provider as well as a policy for the management of system and data access authorisations are documented, communicated and provided according to SA-01 and address the following areas:

» Granting and change (provisioning) of data access authorisations on the basis of the “least-privilege principle” and as is necessary for performing the required tasks (“need-to-know principle”)

» Separation of functions between operative and controlling functions (also referred to as “separation of duties”)

» Separation of functions in the administration of roles, approval and granting of data access authorisations

» Regular review of granted authorisations

» Withdrawal of authorisations (de-provisioning) in case of changes to the employment relationship

» Requirements for the approval and documentation of the management of system and data access authorisations

IDM-02 User registration

Basic requirement

System access authorisations for users under the responsibility of the cloud provider (internal and external employees) are granted in a formal procedure. Organisational and/or technical safeguards make sure that unique user IDs which clearly identify each user are granted.

Description of additional requirements (confidentiality)

The cloud provider offers self-service options for cloud customers in order to be able to grant user IDs independently.

IDM-03 Granting and change (provisioning) of data access authorisations

Basic requirement

Granting and change of data access authorisations for users under the responsibility of the cloud provider comply with the policy for the management of system and data access authorisations. Organisational and/or technical safeguards make sure that the granted access authorisations meet the following requirements:

» Data access authorisations comply with the “least-privilege principle”.

» When granting data access authorisations, only access authorisations necessary to perform the corresponding tasks should be granted (“need-to-know principle”).

» Formal approval is given by an authorised person before the data access authorisations are set up (i. e. before the user can access data of the cloud customers or components of the shared IT infrastructure).

» Technically assigned data access authorisations do not exceed the formal approval.


Description of additional requirements (confidentiality)

The cloud provider offers self-service options for cloud customers in order to be able to grant and change user data access authorisations independently.

IDM-04 Withdrawal of authorisations (de-provisioning) in case of changes to the employment relationship

Basic requirement

Data access authorisations of users under the cloud provider’s responsibility (internal and external employees) are withdrawn promptly in the case of changes to the employment relationship (dismissal, transfer, longer period of absence/sabbatical/parental leave), but 30 days after the change has come into force at the latest, and/or suspended temporarily. Any access is deactivated completely as soon as the employment relationship has expired.

IDM-05 Regular review of data access authorisations

Basic requirement

Data access authorisations of users under the cloud provider’s responsibility (internal and external employees) are reviewed at least once a year in order to adjust them promptly to changes to the employment relationship (dismissal, transfer, longer period of absence/sabbatical/parental leave). The review is performed by persons authorised to do so from the corresponding part of the cloud provider, who are able to review the appropriateness of the granted authorisations due to their knowledge of the responsibilities. The review as well as the adjustments to the authorisations are documented comprehensibly.

Description of additional requirements (confidentiality)

Administrative authorisations are checked at least every six months.

IDM-06 Administrator authorisations

Basic requirement

Granting and change of data access authorisations for internal and external users with administrative or extensive authorisations under the responsibility of the cloud provider comply with the policy for the management of system and data access authorisations (see IDM-01) or a separate policy. The authorisations are granted in a personalised manner and as is necessary for performing the corresponding tasks (“need-to-know principle”). Organisational and/or technical safeguards make sure that granting these authorisations does not result in undesired, critical combinations which violate the principle of the separation of duties (e. g. assigning authorisations for the administration of both the database and the operating system). If this is not possible in certain selected cases, appropriate compensating controls are established in order to identify any misuse of these authorisations (e. g. logging and monitoring by a SIEM (security information and event management) solution).

IDM-07 Non-disclosure of authentication information

Basic requirement

Secret authentication credentials (e. g. passwords, certificates, security tokens) are assigned to internal and external users of the cloud provider or cloud customer, provided that this is subject to organisational or technical procedures of the cloud provider, in a properly organised procedure which ensures the confidentiality of the information. If credentials are assigned initially, they are valid only temporarily, but not longer than 14 days. Moreover, users are forced to change them when using them for the first time. Access of the cloud provider to the authentication information of the cloud customer is strictly regulated, communicated to the cloud customer and only takes place if it is necessary to perform the corresponding tasks (“need-to-know principle”). Access is documented and reported to the cloud customer.
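IDM-03, IDM-04 and IDM-06 state three properties that a review of authorisations can check mechanically: technically assigned rights must not exceed the formal approval, a change to the employment relationship must be reflected within 30 days, and administrators must not hold critical combinations such as database and operating-system administration together. As an added example, not the catalogue's own material, the Python below runs those checks over a constructed export of approvals, assignments and change dates; the users, rights and dates are all hypothetical.

```python
# Added example for IDM-03, IDM-04 and IDM-06 (not part of the C5 catalogue): three checks
# an authorisation review can run over an export of approvals and actual assignments.
# All users, rights and dates are constructed.
from datetime import date


def excess_entitlements(approved: dict, assigned: dict) -> dict:
    """IDM-03: technically assigned rights that go beyond the formal approval."""
    excess = {}
    for user, rights in assigned.items():
        extra = rights - approved.get(user, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


def sod_violations(assigned: dict, forbidden_pairs: list) -> list:
    """IDM-06: users holding both halves of a critical combination."""
    hits = []
    for user, rights in assigned.items():
        for a, b in forbidden_pairs:
            if a in rights and b in rights:
                hits.append((user, a, b))
    return hits


def overdue_deprovisioning(changes: dict, assigned: dict, today: date, grace_days: int = 30) -> list:
    """IDM-04: a change to the employment relationship has to be reflected within 30 days."""
    return sorted(user for user, effective in changes.items()
                  if assigned.get(user) and (today - effective).days > grace_days)


# Constructed sample export.
APPROVED = {
    "alice": {"db-admin"},
    "bob": {"os-admin", "backup-operator"},
    "carol": {"os-admin", "db-admin"},
    "dave": {"reader"},
}
ASSIGNED = {
    "alice": {"db-admin", "os-admin"},   # os-admin was never approved
    "bob": {"os-admin", "backup-operator"},
    "carol": {"os-admin", "db-admin"},   # approved, but a critical combination (IDM-06)
    "dave": {"reader"},                  # dismissed, still provisioned
}
FORBIDDEN = [("db-admin", "os-admin")]
CHANGES = {"dave": date(2016, 1, 4)}    # effective date of the dismissal
REVIEW_DATE = date(2016, 3, 1)


def review(today: date = REVIEW_DATE) -> dict:
    """Bundle the three checks into one report for the reviewer."""
    return {
        "excess": excess_entitlements(APPROVED, ASSIGNED),
        "sod": sod_violations(ASSIGNED, FORBIDDEN),
        "overdue": overdue_deprovisioning(CHANGES, ASSIGNED, today),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

Carol's case is the one IDM-06 reserves for compensating controls: the combination was formally approved, so the review cannot simply remove it, but it has to appear in the report so that the logging and monitoring the control mentions can be confirmed for that account.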


Description of additional requirements (confidentiality)

The users sign a declaration in which they assure that they will treat personal (or shared) authentication information confidentially and keep it private (within the members of the group).

IDM-08 Secure login methods

Basic requirement

The confidentiality of the login information of internal and external users under the cloud provider’s responsibility is protected by the following safeguards:

» Identity check by trusted procedures

» Use of recognised industry standards for authentication and authorisation (e. g. multi-factor authentication, no use of jointly used authentication information, automatic expiry)

» Multi-factor authentication for administrators of the cloud provider (e. g. using a smart card or biometric characteristics) is absolutely necessary

IDM-09 Handling of emergency users

Basic requirement

The use of emergency users (for activities which cannot be carried out with personalised administrative users, see IDM-06) is documented, must be justified and requires the approval of an authorised person, which takes the principle of the separation of functions into account. The emergency user is only activated as long as it is necessary to perform the corresponding tasks.

Supplementary information for the basic requirement

The approval can also be granted subsequently provided that this is justified.

Description of additional requirements (confidentiality)

At least once a month, the activations of the emergency users and the corresponding approvals are compared manually. Irregularities are examined in order to determine any misuse of these users and to avoid this in the future. The activities of the emergency users are logged in an audit-proof manner. The logging is sufficiently detailed so that an expert third party is able to comprehend the activities.

IDM-10 System-side access control

Basic requirement

Access to information and application functions is limited by technical safeguards with which the role and rights concept is implemented.

IDM-11 Password requirements and validation parameters

Basic requirement

Security parameters on the network, operating system (host and guest), database and application level (where relevant to the cloud service) are configured appropriately to avoid unauthorised access. If no two-factor authentication or use of one-time passwords is possible, the use of secure passwords on all levels and devices (including mobile devices) under the cloud provider’s responsibility is enforced technically or must be ensured organisationally in a password policy. The targets must at least meet the following requirements:

» Minimum password length of 8 characters

» At least two of the following character types must be included: capital letters, lower-case letters, special characters and numbers

» Maximum validity of 90 days, minimum validity of 1 day

» Password history of 6


» Transmission and storage of the passwords in an encrypted procedure that conforms to the state of the art.

Supplementary information for the basic requirement

Security parameters include, for example, the use of secure login methods (see IDM-08), lock after failed login attempts, no multiple logins with one and the same user, and automatic logout/lock after inactivity.

Description of additional requirements (confidentiality)

Automatic controls are implemented which are based on the following rules:

» There is a lock of 15 minutes after 5 failed login attempts and the waiting time is increased with each failed login attempt.

» Multiple logins of one and the same user are not possible.

» Upon login, there is an automatic lock after 15 minutes of inactivity.

» The minimum password length of privileged users is 14 characters and 8 characters for users without wide-ranging authorisations.

» Capital letters, lower-case letters, special characters and numbers must be included.

» After 90 days, the user is forced to change the password with the next login.

» Password history is 12.

IDM-12 Restriction and control of administrative software

Basic requirement

The use of service programs and management consoles (e. g. for the management of the hypervisor or virtual machines), which allow extensive access to the data of the cloud customers, is restricted to authorised persons. Granting and changes to corresponding data access authorisations comply with the policy for the management of system and data access authorisations. Access is controlled by means of strong authentication techniques, including multi-factor authentication (see KOS-06).

IDM-13 Control of access to source code

Basic requirement

Access to the source code and supplementary information that is relevant to the development of the cloud service (e. g. architecture documentation, test plans) is granted restrictively and monitored in order to prevent unauthorised functions from being introduced and unintended changes from being made.
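IDM-11 sets the password targets (length, character classes, 90-day maximum and 1-day minimum validity, history) and its additional requirements add a lock after 5 failed attempts, a single session per user and an automatic lock after 15 minutes of inactivity. The Python below is an added example and not from the catalogue, implementing those rules as a policy check and a login guard. Reading "the waiting time is increased with each failed login attempt" as a lock that grows by a further 15 minutes for every failure beyond the fifth is this example's interpretation; the PBKDF2 parameters, the reference time and the sample passwords are constructed.

```python
# Added example for IDM-11 and its additional requirements (not part of the C5 catalogue):
# password policy check and login guard with lockout and inactivity rules. Hash parameters,
# reference time and sample values are constructed.
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

T0 = datetime(2016, 3, 1, 9, 0)   # constructed reference time for the demo
ZERO = timedelta(0)


def shift(days=0, hours=0, minutes=0) -> datetime:
    """T0 moved by the given offset; negative values lie in the past."""
    return T0 + timedelta(days=days, hours=hours, minutes=minutes)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 for history entries, so old passwords are never stored in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class PasswordPolicy:
    CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

    def __init__(self, privileged: bool):
        self.min_length = 14 if privileged else 8   # additional requirement
        self.history_depth = 12
        self.max_age = timedelta(days=90)
        self.min_age = timedelta(days=1)

    def violations(self, new_pw: str, history: list, last_change: datetime, now: datetime) -> list:
        """history: list of (salt, digest) for previous passwords, most recent first."""
        problems = []
        if len(new_pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not all(any(c in cls for c in new_pw) for cls in self.CLASSES):
            problems.append("must contain upper, lower, digit and special characters")
        for salt, digest in history[: self.history_depth]:
            if hmac.compare_digest(hash_password(new_pw, salt)[1], digest):
                problems.append(f"reuses one of the last {self.history_depth} passwords")
                break
        if now - last_change < self.min_age:
            problems.append("changed less than 1 day ago")
        return problems

    def must_change(self, last_change: datetime, now: datetime) -> bool:
        """True once the 90-day maximum validity has elapsed."""
        return now - last_change >= self.max_age


class LoginGuard:
    """Lock for 15 minutes after 5 failures; every further failure lengthens the lock."""
    THRESHOLD = 5
    LOCK = timedelta(minutes=15)
    INACTIVITY = timedelta(minutes=15)

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> end of the current lock
        self.sessions = {}      # user -> last activity; only one session per user

    def is_locked(self, user: str, now: datetime) -> bool:
        return now < self.locked_until.get(user, now)

    def record_failure(self, user: str, now: datetime) -> timedelta:
        """Returns the lock duration imposed by this failure (zero below the threshold)."""
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.THRESHOLD:
            self.locked_until[user] = now + self.LOCK * (n - self.THRESHOLD + 1)
            return self.locked_until[user] - now
        return ZERO

    def record_success(self, user: str, now: datetime) -> bool:
        """Opens a session; refuses a second concurrent session for the same user."""
        if self.session_alive(user, now):
            return False
        self.failures.pop(user, None)
        self.sessions[user] = now
        return True

    def session_alive(self, user: str, now: datetime) -> bool:
        """A session counts as locked once 15 minutes have passed without activity."""
        last = self.sessions.get(user)
        return last is not None and now - last < self.INACTIVITY
```

The order in which a login handler uses the guard matters: check `is_locked` before touching the credentials, call `record_failure` on a wrong password and `record_success` only after a correct one, so that a locked account does not leak whether the supplied password was right.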


5.8 Cryptography and key management

Objective: guaranteeing the appropriate and effective use of cryptography in order to protect the security of information.

KRY-01 Policy for the use of encryption procedures and key management

Basic requirement

Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SA-01, in which the following aspects are described:

» Using strong encryption procedures (e. g. AES) and the use of secure network protocols that correspond to the state of the art (e. g. TLS, IPsec, SSH)

» Risk-based regulations for the use of encryption which are compared to schemes for the classification of information and take the communication channel, type, strength and quality of the encryption into account

» Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys

» Taking the relevant legal and regulatory obligations and requirements into consideration

Supplementary information for the basic requirement

The state of the art regarding strong encryption procedures and secure network protocols is defined in the respectively current version of the following BSI Technical Guidelines:

» BSI TR-02102-1 Cryptographic Mechanisms: Recommendations and Key Lengths

» BSI TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 2 – Use of Transport Layer Security (TLS)

» BSI TR-02102-3 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 3 – Use of Internet Protocol Security (IPSec) and Internet Key Exchange (IKEv2)

» BSI TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 4 – Use of Secure Shell (SSH)

KRY-02 Encryption of data for transmission (transport encryption)

Basic requirement

Procedures and technical safeguards for strong encryption and authentication for the transmission of data of the cloud customers (e. g. electronic messages transported via public networks) are established.

Supplementary information for the basic requirement

When transmitting data with normal protection requirements within the cloud provider’s infrastructure, encryption is not mandatory provided that the data is not transmitted via public networks. In this case, the non-public environment of the cloud provider can generally be deemed trusted. Strong transport encryption that conforms to the state of the art is currently considered to be the TLS 1.2 protocol in combination with Perfect Forward Secrecy. Furthermore, the BSI Technical Guideline TR-02102-2 Cryptographic Mechanisms: Recommendations and Key Lengths, Part 2 – Use of Transport Layer Security (TLS) applies in the respectively current version. Using SSL (including version 3.0) is not considered to be a secure procedure.
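The supplementary information for KRY-02 names TLS 1.2 with Perfect Forward Secrecy as the current state of the art and rules out SSL. The Python below is an added example, not from the catalogue or from TR-02102-2: a client `ssl` context that enforces those two points, a checker for what a finished handshake actually negotiated, and a static check of a configured context against the same rules. The cipher string is this example's own choice; the permitted suites themselves are listed in TR-02102-2.

```python
# Added example for KRY-02 (not part of the C5 catalogue): enforce "TLS 1.2 or later with
# Perfect Forward Secrecy, no SSL" on a client context and judge negotiated parameters.
# The cipher string is this example's choice, not taken from TR-02102-2.
import ssl

_OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")   # TLS 1.2 suites with forward secrecy


def build_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv3, TLS 1.0 and TLS 1.1
    # TLS 1.2: only ephemeral (EC)DHE key exchange with AEAD ciphers. TLS 1.3 suites are
    # configured separately by OpenSSL and are forward secret by design.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def negotiated_is_state_of_the_art(version: str, cipher: str) -> bool:
    """Judge what SSLSocket.version() and SSLSocket.cipher()[0] report after a handshake."""
    if version in _OBSOLETE_VERSIONS:
        return False
    if version == "TLSv1.3":
        return True                                   # only ephemeral key exchange exists
    if version == "TLSv1.2":
        return cipher.startswith(_EPHEMERAL_PREFIXES)  # static RSA key exchange has no PFS
    return False


def context_meets_kry02(ctx: ssl.SSLContext) -> bool:
    """Static check: minimum version, certificate verification and every enabled suite."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2 or ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    return all(negotiated_is_state_of_the_art(c["protocol"], c["name"]) for c in ctx.get_ciphers())


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Human-readable summary of the settings the check above relies on."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    ctx = build_client_context()
    print(describe_context(ctx), "meets KRY-02:", context_meets_kry02(ctx))
    for version, cipher in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                            ("TLSv1.2", "AES128-GCM-SHA256"),
                            ("SSLv3", "ECDHE-RSA-AES128-SHA")]:
        print(version, cipher, "->", negotiated_is_state_of_the_art(version, cipher))
```

The second TLS 1.2 case in the demo is the one most often missed: the protocol version is fine, but a suite with static RSA key exchange gives no forward secrecy, so it fails the supplementary information's "in combination with Perfect Forward Secrecy" even though it is not SSL.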


Description of additional requirements (confidentiality)

If data with higher protection requirements is transmitted, strong encryption must also be implemented within the cloud provider’s infrastructure.

KRY-03 Encryption of sensitive data for storage

Basic requirement

Procedures and technical safeguards for the encryption of sensitive data of the cloud customers for storage are established. Exceptions apply to data that cannot be encrypted for the rendering of the cloud service for functional reasons. The private keys used for encryption are known only to the customer according to applicable legal and regulatory obligations and requirements. Exceptions (e. g. use of a master key by the cloud provider) are based on a controlled procedure and must be agreed upon jointly with the cloud customer.

Supplementary information for the basic requirement

If there is a procedure using a master key by the cloud provider, the appropriateness of the procedure must be examined and compliance verified for a random sample of applications.

KRY-04 Secure key management

Basic requirement

Procedures and technical safeguards for secure key management include at least the following aspects:

» Generation of keys for different cryptographic systems and applications

» Issuing and obtaining public-key certificates

» Provisioning and activation of the keys for customers and third parties involved

» Secure storage of own keys (not those of the cloud customers or other third parties) including the description as to how authorised users are granted access

» Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised

» Handling of compromised keys

» Withdrawal and deletion of keys, for example in the case of compromise or staff changes

» Storage of the keys of the cloud users not at the cloud provider (i. e. at the cloud user or a trusted third party)


5.9 Communication security

Objective: ensuring the protection of information in networks and the corresponding information-processing systems.

KOS-01 Technical safeguards

Basic requirement

Based on the results of a risk analysis carried out according to OIS-06, the cloud provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns (e. g. by MAC spoofing and ARP poisoning attacks) and/or Distributed Denial-of-Service (DDoS) attacks.

Description of additional requirements (confidentiality and availability)

Intrusion prevention/intrusion detection systems (IDS/IPS) are integrated into an overall SIEM system (security information and event management) so that events from IDS/IPS can be correlated with other events in order to be able to initiate the required safeguards (countermeasures) resulting from this. By means of technical safeguards, it is ensured that no unknown (physical or virtual) devices join the (physical or virtual) network of the cloud provider (for example by means of MACsec according to IEEE 802.1X:2010; see IDM-08).

KOS-02 Monitoring of connections

Basic requirement

Physical and virtualised network environments are designed and configured in such a way that the connections between trusted and untrusted networks are restricted and monitored. At defined intervals, it is reviewed whether the use of all services, protocols and ports serves a real commercial purpose. In addition, the review also includes the justifications for compensating controls for the use of protocols which are considered to be insecure.

KOS-03 Cross-network access

Basic requirement

Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment on the basis of the customer requirements.

Description of additional requirements (confidentiality)

Each network perimeter is controlled by redundant and high-availability security gateways. The system access authorisation for cross-network access is based on a security assessment on the basis of the customer requirements.

KOS-04 Networks for administration

Basic requirement

There are separate networks for the administrative management of the infrastructure and for the operation of management consoles, which are separated logically or physically from the network of the cloud customers and are protected against unauthorised access by means of multi-factor authentication (see IDM-08). Networks which are used for the purposes of the migration or the generation of virtual machines must also be separated physically or logically from other networks.

KOS-05 Segregation of data traffic in jointly used network environments

Basic requirement

The data traffic in jointly used network environments is segregated according to a documented concept for the logical segmentation between the


cloud customers on the network level in order to guarantee the confidentiality and integrity of the data transmitted.

Supplementary information for the basic requirement

If the appropriateness and effectiveness of the logical segmentation cannot be assessed with sufficient certainty (e. g. due to a complex implementation), evidence can also be demonstrated by audit results of expert third parties (e. g. penetration tests for the validation of the concept). The segregation of stored and processed data is the subject of the control RB-23. For the secure segmentation of jointly used resources for web applications which are provided as SaaS, the session ID in the basic level should:

» be generated randomly and have an adequate entropy of at least 128 bit (16 characters) in order to withstand educated guessing of the session ID (for example, by means of a brute-force attack),

» be adequately protected for transmission and client-side storage,

» have limited validity (timeout) which is as short as possible, measured by the requirements for the use of the web application.

Upon successful authentication or change from an insecure communication channel (HTTP), a secure communication channel (HTTPS) should be switched to.

In case of IaaS/PaaS, the requirements for higher protection requirements can be used as guidance in the basic level.

Description of additional requirements (confidentiality)

In the case of IaaS/PaaS, the secure separation is ensured by physically separated networks or by means of strongly encrypted VLANs.

„ KOS-06 Documentation of the network topology

Basic requirement

The architecture of the network is documented comprehensibly and kept current (e. g. in the form of diagrams) in order to avoid errors in the management during live operation and to ensure timely restoration according to the contractual duties in the event of damage. Different environments (e. g. administration network and shared network segments) and data flows become apparent from the documentation. Furthermore, the geographical locations in which the data is stored are specified.

„ KOS-07 Policies for data transmission

Basic requirement

Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction (e. g. use of encryption) are documented, communicated and provided according to SA-01. The policy and instructions establish a reference to the classification of information (see AM-05).

„ KOS-08 Confidentiality agreement

Basic requirement

The non-disclosure or confidentiality agreements to be concluded with internal employees, external service providers and suppliers of the cloud provider are based on the requirements of the cloud provider in order to protect confidential data and business details. The requirements must be identified, documented and reviewed at regular intervals (at least once a year). If the review shows that the requirements have to be adjusted, new non-disclosure or confidentiality agreements are concluded with the internal employees, the external service providers and the suppliers of the cloud provider. The non-disclosure or confidentiality agreements must be signed by internal employees, external service providers or suppliers


of the cloud provider prior to the start of the contract relationship and/or before access to data of the cloud users is granted.

Supplementary information for the basic requirement

The following should be described in a non-disclosure agreement:

» Which information needs to be handled confidentially

» The terms of the non-disclosure agreement

» What action needs to be taken when the agreement is terminated (i.e. the data media need to be destroyed or returned, for example)

» Who has the rights of ownership to the information

» Which rules and regulations apply to the use and disclosure of confidential information to additional partners, if this is necessary

» The consequences of violating the terms of the agreement

Description of additional requirements (confidentiality)

If adjustments to the non-disclosure or confidentiality agreements result from the review, the internal and external employees of the cloud provider must be informed about this and new confirmations shall be obtained.

5.10 Portability and interoperability

Objective: ensuring the ability to securely operate the service on different IT platforms as well as the possibility of securely connecting different IT platforms and terminating the service.

„ PI-01 Use of public APIs and industry standards

Basic requirement

In order to guarantee the interoperability of cloud services, data regarding documented input and output interfaces and in recognised industry standards (e. g. the Open Virtualization Format for virtual appliances) is available in order to support the communication between different components and the migration of applications.

„ PI-02 Export of data

Basic requirement

At the end of the contract, the cloud customer can request the data to which they are entitled according to the contractual framework conditions from the cloud provider and receives them in processable electronic standard formats such as CSV or XML.

„ PI-03 Policy for the portability and interoperability

Basic requirement

If no individual agreements between the cloud provider and cloud customer regulate the interoperability and portability of the data, policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure the respective requirements and duties of the cloud customer.
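
The session ID guidance in KOS-05 above (random generation with at least 128 bit of entropy, protection during transmission and in client-side storage, a validity period that is as short as possible, and a switch to HTTPS upon authentication) as an added, runnable illustration. This is example code written for this edition, not code from the C5 catalogue or from any cloud provider; the cookie name SESSIONID, the 15-minute timeout and the in-memory store are assumptions chosen for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: 16 random bytes from the OS CSPRNG give the
# 128 bit of entropy KOS-05 asks for; hex encoding yields a 32-character ID.
SESSION_ID_BYTES = 16
# Assumption: absolute validity of 15 minutes, kept short for the example.
SESSION_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    session_id: str
    user: Optional[str]   # None until authentication succeeded
    created_at: float
    last_seen: float
    secure: bool          # True once the session lives on HTTPS only


class SessionStore:
    """In-memory session store (constructed stand-in for a real backend)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session_id -> Session

    def new_session_id(self) -> str:
        # secrets.token_hex draws from the OS CSPRNG, never from random.random.
        return secrets.token_hex(SESSION_ID_BYTES)

    def create(self, secure: bool) -> Session:
        now = self._now()
        s = Session(self.new_session_id(), None, now, now, secure)
        self._sessions[s.session_id] = s
        return s

    def lookup(self, session_id: str) -> Optional[Session]:
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if self._now() - s.last_seen > SESSION_TIMEOUT_SECONDS:
            # Expired: remove it so a replayed old ID cannot be revived.
            del self._sessions[session_id]
            return None
        s.last_seen = self._now()
        return s

    def promote(self, old: Session, user: str) -> Session:
        """Rotate the ID on successful login / switch from HTTP to HTTPS so an
        ID issued on the insecure channel never carries the authenticated
        session (session fixation defence)."""
        del self._sessions[old.session_id]
        now = self._now()
        s = Session(self.new_session_id(), user, now, now, True)
        self._sessions[s.session_id] = s
        return s


def set_cookie_header(s: Session) -> str:
    """Cookie attributes that protect the ID in transit (Secure) and in
    client-side storage (HttpOnly keeps it away from scripts, SameSite
    limits cross-site sending, Max-Age bounds its lifetime)."""
    attrs = ["SESSIONID=" + s.session_id, "HttpOnly", "SameSite=Strict", "Path=/"]
    if s.secure:
        attrs.append("Secure")
    attrs.append(f"Max-Age={SESSION_TIMEOUT_SECONDS}")
    return "Set-Cookie: " + "; ".join(attrs)


def entropy_bits(session_id: str) -> int:
    """Entropy of a hex-encoded CSPRNG ID: 4 bit per hex digit."""
    return len(session_id) * 4
```

A deployment would additionally bind the timeout to the application's risk profile and store sessions server-side with the same rotation on privilege changes; the point of the block is that entropy, cookie attributes and expiry are each an explicit, checkable property rather than a framework default.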


„ PI-04 Secure data import and export

Basic requirement

The cloud provider uses secure network protocols for the import and export of information as well as for the management of the service in order to ensure the integrity, confidentiality and availability of the transported data.

„ PI-05 Secure deletion of data

Basic requirement

Both when changing the storage media for maintenance purposes and upon request of the cloud customer or the termination of the contract relationship, the content data of the cloud customer, including the data backups and the meta data (as soon as they are no longer required for the proper documentation of the accounting and billing), is deleted completely. The methods used for this (e. g. overwriting data several times, deletion of the key) prevent the data from being restored via forensic methods.

Supplementary information for the basic requirement

The deletion of meta data and log files is the subject of the requirements RB-11 and RB-13.

5.11 Procurement, development and maintenance of information systems

Objective: complying with the security targets in case of new developments and procurement of information systems as well as changes.

„ BEI-01 Policies for the development/procurement of information systems

Basic requirement

Policies and instructions with technical and organisational safeguards for the proper development and/or procurement of information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components, are documented, communicated and provided according to SA-01. The policies and instructions describe at least the following aspects:

» Security in software development methods in compliance with security standards established in the industry (e. g. OWASP for web applications)

» Security of the development environment (e. g. separate development/test/production environments)

» Programming policies for each programming language used (e. g. regarding buffer overflows, hiding internal object references towards users)

» Security in version control

Description of additional requirements (confidentiality)

For the procurement, products which were certified according to the “Common Criteria for Information Technology Security Evaluation” (abbreviated: Common Criteria – CC) according to evaluation level EAL 4 are preferred. If uncertified products are procured although certified products are available, this must be documented and justified.
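
The "deletion of the key" method named in PI-05 above as an added, runnable illustration of why it satisfies the requirement for backups as well as for live data. This is example code written for this edition, not code from the C5 catalogue or from any cloud provider. It assumes one data-encryption key per tenant held in a key store, and uses an HMAC-SHA256 keystream as a standard-library stand-in for the cipher; a deployment would use an authenticated cipher such as AES-GCM and a KMS or HSM that zeroises the key material.

```python
import hashlib
import hmac
import os
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from a PRF in counter mode: HMAC-SHA256(key, nonce || counter).
    Constructed stand-in for a real cipher so the example runs on the standard
    library alone; it provides confidentiality only, not authentication."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TenantDataStore:
    """Per-tenant encrypted object store with backups (constructed, in-memory).
    Every object of a tenant is encrypted under that tenant's data-encryption
    key (DEK); backups only ever hold ciphertext."""

    def __init__(self):
        self._keys = {}       # tenant -> 32-byte DEK (in production: KMS/HSM)
        self._objects = {}    # (tenant, name) -> (nonce, ciphertext)
        self._backups = []    # snapshots of (tenant, name, nonce, ciphertext)

    def onboard(self, tenant: str) -> None:
        self._keys[tenant] = os.urandom(32)

    def put(self, tenant: str, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)   # fresh per object; never reused under one key
        ct = _xor(plaintext, _keystream(self._keys[tenant], nonce, len(plaintext)))
        self._objects[(tenant, name)] = (nonce, ct)

    def backup(self) -> None:
        self._backups = [(t, n, nonce, ct)
                         for (t, n), (nonce, ct) in self._objects.items()]

    def _decrypt(self, tenant: str, nonce: bytes, ct: bytes) -> Optional[bytes]:
        key = self._keys.get(tenant)
        if key is None:
            return None          # no key: the ciphertext is unrecoverable
        return _xor(ct, _keystream(key, nonce, len(ct)))

    def get(self, tenant: str, name: str) -> Optional[bytes]:
        nonce, ct = self._objects[(tenant, name)]
        return self._decrypt(tenant, nonce, ct)

    def restore_from_backup(self, tenant: str, name: str) -> Optional[bytes]:
        for t, n, nonce, ct in self._backups:
            if (t, n) == (tenant, name):
                return self._decrypt(tenant, nonce, ct)
        return None

    def crypto_shred(self, tenant: str) -> int:
        """PI-05 'deletion of the key': destroy the tenant's DEK. Every copy of
        the ciphertext, live objects and backups alike, becomes unreadable at
        once without touching the media. Returns how many copies that affects."""
        del self._keys[tenant]   # a KMS/HSM would zeroise the key material here
        live = sum(1 for (t, _n) in self._objects if t == tenant)
        backed = sum(1 for (t, _n, _nonce, _ct) in self._backups if t == tenant)
        return live + backed
```

The design point is the one PI-05 makes about backups: overwriting media only reaches the copies you can enumerate, whereas destroying the single key reaches every copy, including backup sets that were written before the deletion request.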


„ BEI-02 Outsourcing of the development

Basic requirement

If the development of the cloud service (or parts thereof) is outsourced regarding the design, development, test and/or provision of source code of the cloud service, a high level of security is required. Therefore, at least the following aspects must be agreed upon contractually between the cloud provider and external service providers:

» Requirements for a secure software development process (especially design, development and testing)

» Provision of evidence demonstrating that adequate testing was carried out by the external service provider

» Acceptance test of the quality of the services rendered according to the functional and non-functional requirements agreed upon

» The right to subject the development process and controls to testing, also on a random basis

„ BEI-03 Policies for changes to information systems

Basic requirement

Policies and instructions with technical and organisational safeguards for the proper management of changes to information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components, are documented, communicated and provided according to SA-01. At least the following aspects are to be taken into account in this respect:

» Criteria for the classification and prioritisation of changes and related requirements for the type and scope of tests to be carried out and permits to be obtained

» Requirements for the notification of affected cloud customers according to the contractual agreements

» Requirements for the documentation of tests as well as for the application and permit of changes

» Requirements for the documentation of changes to the system, operating and user documentation

Supplementary information for the basic requirement

Changes to the existing network configuration must also run through a controlled procedure, since they are necessary for an effective client segregation.

„ BEI-04 Risk assessment of changes

Basic requirement

The principal of a change performs a risk assessment beforehand. All configuration objects which might be affected by the change are assessed with regard to potential impacts. The result of the risk assessment is documented appropriately and comprehensively.

„ BEI-05 Categorisation of changes

Basic requirement

All changes are categorised on the basis of a risk assessment (e. g. as insignificant, significant or far-reaching impacts) in order to obtain an appropriate authorisation prior to making the change available to the production environment.

„ BEI-06 Prioritisation of changes

Basic requirement

All changes are prioritised on the basis of a risk assessment (e. g. as low, normal, high, emergency) in order to obtain an appropriate authorisation prior to making the change available to the production environment.


„ BEI-07 Testing changes

Basic requirement

All changes to the cloud service are subjected to tests (e. g. for integration, regression, security and user acceptance) during the development and before they are made available to the production environment. The tests are carried out by adequately qualified personnel of the cloud provider. According to the service level agreement (SLA), changes are also tested by the customers (tenants) suitable for this.

„ BEI-08 Rollback of changes

Basic requirement

Processes are defined in order to be able to roll back changes when required as a result of errors or security concerns and to restore affected systems or services to their previous state.

„ BEI-09 Review of proper testing and approval

Basic requirement

Before a change is released to the production environment, it must be reviewed by an authorised body or a corresponding committee whether the planned tests have been completed successfully and the required approvals have been granted.

Description of additional requirements (confidentiality and availability)

At least every three months, it is reviewed for an appropriate random sample of changes made to the production environment (i. e. at least 10% of all changes completed during this period of time) whether the internal requirements regarding the proper classification, testing and approval of changes were met.

„ BEI-10 Emergency changes

Basic requirement

Emergency changes are to be classified as such by the change manager, who creates the change documentation before applying the change to the production environment. Afterwards (e. g. within 5 working days), the change manager supplements the change documentation with a justification and the result of the application of the emergency change. This justification must show why the regular change process could not have been run through and what the consequences of a delay resulting from compliance with the regular process would have been. The change documentation is forwarded to the customers concerned and a subsequent release by authorised bodies is obtained according to the contractual agreements.

„ BEI-11 System landscape

Basic requirement

Production environments are separated physically or logically from non-production environments in order to avoid unauthorised access or changes to the production data. Production data is not replicated in test or development environments in order to maintain its confidentiality.

„ BEI-12 Separation of functions

Basic requirement

Change management procedures include role-based authorisations in order to ensure an appropriate separation of duties regarding the development, release and migration of changes between the environments.


5.12 Control and monitoring of service providers and suppliers

Objective: ensuring the protection of information which can be accessed by the service providers and/or suppliers of the cloud provider (subcontractors) and monitoring the services and security requirements agreed upon.

„ DLL-01 Policies for the handling of and security requirements for service providers and suppliers of the cloud provider

Basic requirement

Policies and instructions for ensuring the protection of information accessed by other third parties (e. g. service providers and/or suppliers of the cloud provider), who contribute significant parts to the development or operation of the cloud service, are documented, communicated and provided according to SA-01. The corresponding controls are used to mitigate risks which may result from the potential access to information of the cloud customers. At least the following aspects are to be taken into account for this:

» Definition and description of minimum security requirements with regard to the information processed, which are based on recognised industry standards such as ISO/IEC 27001

» Legal and regulatory requirements, including data protection, intellectual property rights, copyright, handling of meta data (see RB-11) as well as a description as to how they are ensured (e. g. site of data processing and liability, see surrounding parameters for transparency)

» Requirements for incident and vulnerability management (especially notifications and collaboration when eliminating malfunctions)

» Disclosure of and contractual obligation to the minimum security requirements also for subcontractors if they contribute more than insignificant parts to the development or operation of the cloud service (e. g. service provider of the computing centre)

The definition of the requirements is integrated into the risk management of the cloud provider. According to requirement OIS-07, they are checked at regular intervals for their appropriateness.

Description of additional requirements (confidentiality and availability)

Subcontractors of the cloud provider are contractually obliged to grant the cloud provider auditing rights regarding the effectiveness of the service-related internal control system as well as with respect to the compliance with the security requirements agreed upon. The subcontractor can also demonstrate evidence by submitting corresponding certificates of independent third parties (e. g. in the form of reports according to ISAE 3402/IDW PS 951). This also includes subcontractors of the subcontractor.

„ DLL-02 Monitoring of the rendering of services and security requirements for service providers and suppliers of the cloud provider

Basic requirement

Procedures for the regular monitoring and review of agreed services and security requirements of third parties (e. g. service providers and/or suppliers of the cloud provider) who contribute essential parts to the development or operation of the cloud service are established. The safeguards include at least the following aspects:

» Regular review of service reports (e. g. SLA reports) if they are provided by third parties

» Review of security-relevant incidents, operational disruptions or failures and interruptions that are related to the service


» Unscheduled reviews after essential changes to the requirements or environment. The essentiality must be assessed by the cloud provider and documented comprehensibly for audits

Identified deviations are subjected to a risk analysis according to requirement OIS-07 in order to effectively address them by mitigating safeguards in a timely manner.

Description of additional requirements (confidentiality and availability)

Interfaces for an automated real-time monitoring of the service (minimum capacity, availability as well as elimination of malfunctions) are established to be able to monitor compliance with the service level agreements agreed upon and to promptly respond to deviations. At least once a year, an audit is performed by independent, external auditors or qualified personnel of the cloud provider in order to review the effectiveness of the controls established at the service provider which are related to the contract relationship, as well as the security requirements agreed upon. Evidence can be demonstrated, for example, in the form of reports according to ISAE 3402/IDW PS 951. The prompt addressing of audit findings is followed up by the cloud provider.

5.13 Security incident management

Objective: ensuring a consistent approach regarding the monitoring, recording, assessment, communication and escalation of security incidents.

„ SIM-01 Responsibilities and procedural model

Basic requirement

Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure a fast, effective and proper response to all known security incidents. On the part of the cloud provider, at least the roles listed in OIS-03 must be filled, requirements for the classification, prioritisation and escalation of security incidents defined and interfaces with the incident management and the business continuity management created. In addition to this, the cloud provider has established a “computer emergency response team” (CERT), which contributes to the coordinated solution of specific security incidents. Customers affected by security incidents are informed in a timely manner and appropriate form.

Description of additional requirements (confidentiality)

Instructions are given as to how data of a suspicious system can be collected in the event of a security incident so that it can be used as evidence. Moreover, there are analysis plans for typical security incidents as well as an evaluation method so that the information collected will not lose its evidentiary value during a subsequent legal appraisal.


„ SIM-02 Classification of customer systems

Basic requirement

All customer systems are classified according to the agreements (SLA) between the cloud provider and cloud customer regarding the criticality for the rendering of services. The assignment of classifications is reviewed regularly as well as after essential changes/events for all customer systems. Deviations are followed up and eliminated in a timely manner. Moreover, the classification shows which parameters regarding the recovery of a system were agreed upon with the cloud customer.

„ SIM-03 Processing of security incidents

Basic requirement

Events which could represent a security incident are classified, prioritised and subjected to a cause analysis by qualified personnel of the cloud provider or in cooperation with external security service providers.

„ SIM-04 Documentation and reporting of security incidents

Basic requirement

After a security incident has been processed, the solution is documented according to the contractual agreements and the report is forwarded for final information or, if necessary, as confirmation to the customers affected.

Description of additional requirements (confidentiality)

The customer can either actively agree to solutions or the solution is deemed agreed upon after a certain period of time has expired. Information about security incidents or confirmed security violations is made available to all affected customers. It is contractually agreed upon between the cloud provider and the cloud customer which data is made available to the cloud customer for their own analysis in the event of security incidents.

„ SIM-05 Security incident event management

Basic requirement

Logged incidents are centrally aggregated and consolidated (event correlation). Rules for identifying relations between incidents and assessing them according to their criticality are implemented. These incidents are handled according to the security incident management process.

„ SIM-06 Duty of the users to report security incidents to a central body

Basic requirement

The employees and external business partners are informed of their duties. If necessary, they agree to or commit themselves contractually to promptly report all security events to a previously specified central body. Furthermore, information is provided that “incorrect notifications” of events which have not turned out to be incidents afterwards do not have any negative consequences for the employees.

„ SIM-07 Evaluation and learning process

Basic requirement

Mechanisms are in place to be able to measure and monitor the type and scope of the security incidents as well as to report them to supporting bodies. The information gained from the evaluation is used to identify recurring incidents or incidents involving significant consequences and to determine the need for advanced safeguards.

Supplementary information for the basic requirement

Supporting bodies can be external service providers or government agencies (in Germany for instance the Federal Office for Information Security (BSI)).


5.14 Business continuity management

Objective: strategic establishment and control of a business continuity management (BCM). Planning, implementing and testing a business continuity concept as well as incorporating safeguards in order to ensure and maintain operations.

„ BCM-01 Top management responsibility

Basic requirement

The top management (and/or a member of the top management) is specified as the process owner of the business continuity and contingency management and bears the responsibility for the establishment of the process in the company and compliance with the policies. They must ensure that adequate resources are made available for an effective process. Members of the top management and persons in other relevant leadership positions demonstrate leadership and commitment with respect to this topic, for example by asking and/or encouraging the employees to actively contribute to the effectiveness of the business continuity and contingency management.

„ BCM-02 Business impact analysis policies and procedures

Basic requirement

Policies and instructions for determining impacts of possible malfunctions of the cloud service or company are documented, communicated and provided according to SA-01.

At least the following aspects are taken into consideration:

» Possible scenarios based on a risk analysis (e. g. loss of personnel, failure of building, infrastructure and service providers)

» Identification of critical products and services

» Identification of dependencies, including the processes (incl. the resources required for this), applications, business partners and third parties

» Identification of threats to critical products and services

» Determination of consequences resulting from planned and unplanned malfunctions and changes over time

» Determination of the maximum acceptable duration of malfunctions

» Determination of the priorities for the restoration

» Determination of time-limited targets for the recovery of critical products and services within the maximum acceptable period of time (recovery time objective, RTO)

» Determination of time-limited targets for the maximum acceptable period of time during which data is lost and cannot be restored (recovery point objective, RPO)

» Estimation of the resources required for recovery

„ BCM-03 Planning business continuity

Basic requirement

Based on the business impact analysis, a uniform framework for planning the business continuity and business plan is introduced, documented and applied in order to ensure that all plans (e. g. of the different sites of the cloud provider) are consistent. The planning depends on established standards, which is documented comprehensibly in a “statement of applicability”. Business continuity plans and contingency plans take the following aspects into consideration:

» Defined purpose and scope by taking the relevant dependencies into account


» Accessibility and comprehensibility of the plans for persons who have to take action in line with these plans

» Ownership by at least one appointed person who is responsible for review, updating and approval

» Defined communication channels, roles and responsibilities including the notification of the customer

» Restoration procedures, manual temporary solutions and reference information (by taking the prioritisation into account for the recovery of cloud infrastructure components and services as well as orienting to customers)

» Methods used for the implementation of the plans

» Continuous improvement process of the plans

» Interfaces with the security incident management

„ BCM-04 Verification, updating and testing of the business continuity

Basic requirement

The business impact analysis as well as the business continuity plans and contingency plans are verified, updated and tested at regular intervals (at least once a year) or after essential organisational or environment-related changes. The tests also involve affected customers (tenants) and relevant third parties (e. g. critical suppliers). The tests are documented and results are taken into account for future business continuity safeguards.

Supplementary information for the basic requirement

Tests take place primarily on the operative level and are addressed to operative target groups. These modules include, for example:

» Test of the technical preventive measures

» Function tests

» Plan review

Drills also take place on the tactical and strategic level. These modules include, for example:

» Tabletop exercise

» Crisis team exercise

» Command post exercise

» Communication and alarm exercise

» Simulation of scenarios

» Full scale exercise

After a drill has been performed:

» Review and possible adjustment of the existing alert plan

Description of additional requirements (availability)

In addition to the tests, drills are also carried out which are, among other things, based on scenarios resulting from security incidents that have already occurred in the past.

„ BCM-05 Supply of the computing centres

Basic requirement

The supply of the computing centres (e. g. water, electricity, temperature and moisture control, telecommunications and Internet connection) is secured, monitored, maintained and tested at regular intervals in order to guarantee continuous effectiveness. It has been designed with automatic fail-safe mechanisms and other redundancies. Maintenance is performed in compliance with the maintenance intervals and targets recommended by the suppliers as well as only by personnel authorised to do so. Maintenance protocols including any suspected or detected deficiencies are stored for the duration of the period of time previously agreed


upon. After this period of time has expired, the maintenance protocols are destroyed properly and permanently.

Description of additional requirements (availability)

Simulated failures of the supply of computing centres are integrated into the drills (see BCM-03).

5.15 Security check and verification

Objective: checking and verifying that the information security safeguards are implemented and carried out in accordance with the organisation-wide policies and instructions.

„ SPN-01 Notification of the top management

Basic requirement

The top management is informed of the status of the information security on the basis of security checks by means of regular reports and is responsible for the prompt elimination of findings resulting from them.

„ SPN-02 Internal audits of the compliance of IT processes with internal security policies and standards

Basic requirement

Qualified personnel (e. g. internal audit) of the cloud provider or expert third parties commissioned by the cloud provider audit the compliance of the internal IT processes with the corresponding internal policies and standards as well as the legal, regulatory and statutory prescribed requirements relevant to the cloud service on an annual basis. The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

Description of additional requirements (confidentiality and availability)

The audit is carried out at least every six months. The audit also includes the compliance with the requirements of C5.

SPN-03 Internal audits of the compliance of IT systems with internal security policies and standards

Basic requirement

At least on an annual basis, qualified personnel (e.g. internal audit) of the cloud provider or expert third parties commissioned by the cloud provider audit the compliance of the IT systems, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, with the corresponding internal policies and standards as well as the legal, regulatory and statutory requirements relevant to the cloud service. The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

Description of additional requirements (confidentiality and availability)

Upon request of the cloud customer, the cloud provider provides information on the results, impacts and risks of these audits and assessments in an appropriate form. The cloud provider obliges its subcontractors to undergo such audits, requests the submission of the audit reports at the same intervals and uses them for its own audits.

5.16 Compliance and data protection

Objective: Avoiding violations of statutory or contractual duties with respect to information security.

COM-01 Identification of applicable legal, contractual and data protection requirements

Basic requirement

Legal, regulatory and statutory requirements, as well as the procedure to comply with these requirements and regulations, must be identified, documented and updated regularly by the cloud provider for the cloud service in relation to the respective application.

Supplementary information for the basic requirement

The documentation of the cloud provider may, among other things, refer to the following regulatory requirements:

» Generally accepted accounting principles [German Commercial Code] or IFRS [International Financial Reporting Standards]
» Requirements regarding data access and the auditability of digital documents (in Germany e.g. according to GDPdU [German principles of data access and auditability of digital records])
» Requirements for the protection of personal data (e.g. according to BDSG [German Federal Data Protection Act] or the EU Data Protection Directive)
» Requirements of the government (in Germany e.g. according to BSIG [BSI Act] or AktG [German Public Companies Act])

COM-02 Planning independent, external audits

Basic requirement

Independent audits and assessments of systems or components which contribute to the rendering of the cloud services are planned by the cloud provider in such a way that the following requirements are met:

» There is only read access to software and data.
» Activities which might impair the availability of the systems or components and thus result in a violation of the SLA are carried out outside regular business hours and/or not at load peak times.
» The activities performed are logged and monitored.

Description of additional requirements (availability)

The cloud provider has taken precautions for unscheduled audits.

COM-03 Carrying out independent, external audits

Basic requirement

Audits and assessments of processes, IT systems and IT components, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, are carried out by independent third parties (e.g. certified public auditor) at least once a year in order to identify non-conformities with legal, regulatory and statutory requirements. The deviations identified are prioritised and, depending on their criticality, safeguards for their elimination are defined, followed up and implemented in a timely manner.

Description of additional requirements (confidentiality and availability)

Upon request of the cloud customer, the cloud provider provides information on the results, impacts and risks of these audits and assessments in an appropriate form. If necessary, unscheduled audits can be carried out by independent third parties.

5.17 Mobile device management

Objective: Guaranteeing security when using mobile terminal devices in the cloud provider's area of responsibility for the access to IT systems in order to develop and operate the cloud service.

MDM-01 Policies and procedures for the risk minimisation of access via the cloud provider's mobile terminal devices

Basic requirement

Policies and instructions with technical and organisational safeguards for the proper use of mobile terminal devices in the cloud provider's area of responsibility, which allow access to IT systems for the development and operation of the cloud service, are documented, communicated and provided according to SA-01. These policies and instructions include at least the following aspects, insofar as they are applicable to the cloud provider's situation:

» Encryption of the devices and data transmission
» Increased access protection
» Extended identity and authorisation management
» Ban on jailbreaking/rooting
» Installation only of approved applications from "App Stores" classified as trusted
» Bring your own device (BYOD) minimum requirements for private terminal devices

Description of additional requirements (confidentiality and availability)

Central management and monitoring is performed by means of MDM solutions, including a possibility for remote deletion. A site plausibility check of the access is carried out. An inventory list of mobile terminal devices with access to the cloud service (among other things, with information on the operating system and patch status, assigned employees, approval regarding BYOD) is maintained (see AM-01).
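Putting the additional requirements of MDM-01 into practice means periodically evaluating the device inventory (AM-01) against the policy aspects listed above and checking each access for site plausibility. The following Python script is an added example written for this page, not code from the BSI or from any MDM product; the inventory records, field names, the 90-day patch limit and the 900 km/h travel threshold are constructed assumptions, and the plausibility check is an impossible-travel test over two consecutive access locations of the same device:

```python
"""MDM-01 compliance check over a constructed device inventory (added example,
not part of the C5 catalogue). Field names, thresholds and all records below are
assumptions; adapt them to the export format of your MDM solution."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed AM-01 style inventory export; no real devices or employees.
INVENTORY = [
    {"id": "dev-001", "user": "alice", "os": "iOS 16.6", "patched": "2023-09-01",
     "encrypted": True, "jailbroken": False, "mdm_enrolled": True,
     "byod": False, "byod_approved": False, "apps_from_trusted_store": True},
    {"id": "dev-002", "user": "bob", "os": "Android 13", "patched": "2023-03-15",
     "encrypted": True, "jailbroken": True, "mdm_enrolled": True,
     "byod": True, "byod_approved": True, "apps_from_trusted_store": False},
    {"id": "dev-003", "user": "carol", "os": "Android 14", "patched": "2023-09-10",
     "encrypted": False, "jailbroken": False, "mdm_enrolled": False,
     "byod": True, "byod_approved": False, "apps_from_trusted_store": True},
]

AS_OF = datetime(2023, 9, 15, tzinfo=timezone.utc)  # assumed audit date
MAX_PATCH_AGE_DAYS = 90          # assumed policy value
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: faster than this is implausible travel

# Constructed access locations (timestamp UTC, latitude, longitude).
BONN_0800 = (datetime(2023, 9, 15, 8, 0, tzinfo=timezone.utc), 50.73, 7.10)
COLOGNE_0900 = (datetime(2023, 9, 15, 9, 0, tzinfo=timezone.utc), 50.94, 6.96)
SINGAPORE_0900 = (datetime(2023, 9, 15, 9, 0, tzinfo=timezone.utc), 1.35, 103.82)


def check_device(dev, now):
    """Return the list of MDM-01 policy violations for one inventory record."""
    findings = []
    if not dev["encrypted"]:
        findings.append("device not encrypted")
    if dev["jailbroken"]:
        findings.append("jailbroken/rooted")
    if not dev["mdm_enrolled"]:
        findings.append("not enrolled in MDM (no central management, no remote deletion)")
    if not dev["apps_from_trusted_store"]:
        findings.append("apps installed outside trusted app stores")
    if dev["byod"] and not dev["byod_approved"]:
        findings.append("BYOD device without approval")
    patched = datetime.strptime(dev["patched"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    age = (now - patched).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patch level {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    return findings


def audit_inventory(inventory, now):
    """Map device id -> violations; compliant devices are omitted."""
    result = {}
    for dev in inventory:
        findings = check_device(dev, now)
        if findings:
            result[dev["id"]] = findings
    return result


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def site_plausible(prev, cur):
    """Site plausibility check: could one device have moved from the previous
    access location to the current one in the elapsed time? prev and cur are
    (timestamp, lat, lon) tuples. Returns (plausible, implied_speed_kmh)."""
    (t1, lat1, lon1), (t2, lat2, lon2) = prev, cur
    hours = (t2 - t1).total_seconds() / 3600.0
    dist = haversine_km(lat1, lon1, lat2, lon2)
    if hours <= 0:
        # Same second or out-of-order events: only a (near) identical site is plausible.
        return (dist < 1.0, float("inf"))
    speed = dist / hours
    return (speed <= MAX_PLAUSIBLE_SPEED_KMH, speed)


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(dev_id, "->", "; ".join(findings))
    print("Bonn -> Cologne in 1 h plausible:", site_plausible(BONN_0800, COLOGNE_0900))
    print("Bonn -> Singapore in 1 h plausible:", site_plausible(BONN_0800, SINGAPORE_0900))
```

Run as-is, the script lists the two non-compliant devices from the constructed inventory and flags the Bonn-to-Singapore access as implausible. In a real deployment the records come from the MDM export, the plausibility check is fed from the access logs of the IT systems the devices reach, and a failed check feeds the central monitoring and, where the policy says so, the remote deletion function the requirement calls for.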
Imprint

Published by
Federal Office for Information Security
Godesberger Allee 185–189
D-53175 Bonn
Email: [email protected]
Internet: www.bsi.bund.de/EN/C5

Source
Federal Office for Information Security
Godesberger Allee 185–189
D-53175 Bonn
Phone: +49 (0) 22899 9582-0
Fax: +49 (0) 22899 9582-5400

Last updated
September 2017

Printed by
Druck- und Verlagshaus Zarbock GmbH & Co. KG
Sontraer Straße 6
63086 Frankfurt am Main
Internet: www.zarbock.de

Content and editing
Federal Office for Information Security

Image credits
Title: Fotolia

Item number
BSI-Cloud17/202e

This brochure is part of the Federal Office for Information Securityʼs public
relations work. It is provided free of charge and is not intended for sale.
www.bsi.bund.de